Pulse Detail — Threat Intelligence

PULSE NAME

Cloned, Loaded, and Stolen: How 109 Fake GitHub Repositories Delivered SmartLoader and StealC.

WHITE PetrP.73 2026-04-26 Modified: 2026-05-26

126

IOCs

HIGH VOLUME

A recent investigation revealed a malicious campaign leveraging fake GitHub repositories to distribute malware, specifically a LuaJIT-based loader known as SmartLoader, alongside a data-stealing payload called StealC. This campaign involved 109 malicious repositories across 103 accounts that impersonate popular open-source projects. Users are redirected to ZIP files containing the SmartLoader which is executed via a LuaJIT interpreter.

MITRE ATT&CK & Malware Families

ATT&CK TECHNIQUES

T1113 T1566 T1218 T1102 T1560 T1053 T1055 T1059 T1095 T1036 T1140

MALWARE FAMILIES

StealC

Indicators of Compromise (25 / 126 total)

All FileHash-MD5 FileHash-SHA1 FileHash-SHA256 URL

TYPE	INDICATOR	DESCRIPTION	CREATED
FileHash-MD5	28982b102618847a69e409e0ec85e927	MD5 of d56213d08fb10c880f17e1a262bf1176cf234d1fc591188171e7be9cd856eb12	2026-04-26
FileHash-MD5	34404a7567143a679f4bc2991b84990c	MD5 of 2273702dfbcfd96a6ed7bdb42ba130291b653869256ec1325bc7fe30e8d9b70a	2026-04-26
FileHash-MD5	3ab846820646dd3629450e47d65f4d47	MD5 of 9de5dc4192a9dea43d9ff6289bb276bb3f2c244c15821b6d31fab90258b23149	2026-04-26
FileHash-MD5	44e1424e454a83dc395281d23977a795	MD5 of e69873a3ef03b289aba8a0ec7130247dc5f2a3ce8c3b647b44518a899f39f789	2026-04-26
FileHash-MD5	46219a367444e32eabfd6f2ced0b248c	MD5 of bff0904456e3151221d29ed1d7c88fc31587efbdfb28817cdcb7ec7f20cade21	2026-04-26
FileHash-MD5	4ac8308d10c067f320d93b15644a8f09	MD5 of 3595a6b226ce4daa0a28edea152b3a887c01f6323db1d082f6568c995cdefb55	2026-04-26
FileHash-MD5	5ec6ab89dd62ba41e2a491ad40e60133	MD5 of 8b42ca9d05badf0e7327d816a56e5516431ae34627da68e12ae9347f365b2668	2026-04-26
FileHash-MD5	62df6eaa029f9e57424f7f24de73102e	MD5 of 09e0f7616dfd2f7eb2876f6ef7331d6dbc78775acd594a94b0397a56717d1fcc	2026-04-26
FileHash-MD5	671797900c080bfe367fe7aadc47af16	MD5 of d1557bc3f5d8542f9b7f8e80b02283397d2e437386a6662251c4fc7342167cda	2026-04-26
FileHash-MD5	68db393c2ef71ccf64e5e1316fc9eab6	MD5 of 3989cdf958d258244f3a72bac594214112ffe1008d4d81233a5911482dd302ca	2026-04-26
FileHash-MD5	835e54a9b180e40f8137182a7a88987c	MD5 of 592ec6f529721acbe07100c5386c58ca20fddfee7ac90280943fc2a61661e2be	2026-04-26
FileHash-MD5	94facfec7cf5da39a23375cc9ac60c27	MD5 of 0a4bce0f0461335585550598ff33c40a389465f7d0094212bee40b7f525de123	2026-04-26
FileHash-MD5	aae2b25db42573f9004af139d7dec051	MD5 of e1e6e28bc665b242fd4b496caf2542042d5720e87ea74551735664c202c486c7	2026-04-26
FileHash-MD5	b09254ee683d91d04d52d08731dba8db	MD5 of 167b166e26dd44f580a00f2c879089c5362eff5120ac88e0701b11b1eb320ca9	2026-04-26
FileHash-MD5	b29ca06594eef6945f1d82065a63ed79	MD5 of c3b56d68c80c4a6a9879c45a7761a538e3546644623af1ee469d3b70130fa0cd	2026-04-26
FileHash-MD5	bd00c9347f0b3e5c5d7066888bf8148c	MD5 of 54bbd79ed1ee26d3e7aa079963ba26c36aa683c01cc8b05b6d255da8634df006	2026-04-26
FileHash-MD5	bff3a81de5ffacbeddd5de793cede666	MD5 of f3e34c9e36f3be065d80d456281d31dd1cc85eb4980db7fa8c1b0eb6f29c25d8	2026-04-26
FileHash-MD5	ca9a5f85ee1449c731b6d30aa958c982	MD5 of 440ceb0dc5911faca54ed9a4dd186dad3d006ae4f52d0bb7d1e4b4edd8c3693a	2026-04-26
FileHash-MD5	cabf147518b9751e928426cf30136872	MD5 of a91b3308a7e9aa9fa660c72d27f226d8f50bfac2629f79a828fbecff323c0fe0	2026-04-26
FileHash-MD5	d48980338f7493f839dd5f636d0ff045	MD5 of cd4d2b6dc9c764c3f2b2b003bce035053a8ce81420c7ea886c76611219cae4ae	2026-04-26
FileHash-MD5	d56c0fe75c39022348c381b524a8fa75	MD5 of bbd438d3d7a59152f1dd5e45bb8d22ee1c07f95cfe42cebbe756aaf4feadc875	2026-04-26
FileHash-MD5	e482d9f2f0cdcd1b388e10c105f66502	MD5 of f9436ccb986760ca379d6cd2f00726e032a1d9c250a9bd261d40d98b914e7ef9	2026-04-26
FileHash-MD5	efaf7d26f15af0d930ec9f5809d781e7	MD5 of fad3d429172932b72e50f52af169a80439464e3538d97810509090e2e6cdf32a	2026-04-26
FileHash-MD5	fc3979a7ae6f3b0d64986c93b7911991	MD5 of ce1e33483d353200a266b3bc383ccf500e5a760c6dcd8218747260f5bbe39509	2026-04-26
FileHash-MD5	fe67c54a6387db6bf31f73ea6d695c12	MD5 of 8cede35b80b1deaf732c2b178d908f91b3e7a0c114d06dfae9075b8a9bf78b8f	2026-04-26

References (1)

↗ https://hexastrike.com/resources/blog/threat-intelligence/cloned-loaded-and-stolen-how-109-fake-github-repositories-delivered-smartloader-and-stealc/