← Back to Pulse Feed
PULSE DETAIL
PULSE NAME
Cloned, Loaded, and Stolen: How 109 Fake GitHub Repositories Delivered SmartLoader and StealC.
WHITE PetrP.73 2026-04-26 Modified: 2026-05-26
126
IOCs
HIGH VOLUME
A recent investigation revealed a malicious campaign leveraging fake GitHub repositories to distribute malware, specifically a LuaJIT-based loader known as SmartLoader, alongside a data-stealing payload called StealC. This campaign involved 109 malicious repositories across 103 accounts that impersonate popular open-source projects. Users are redirected to ZIP files containing the SmartLoader which is executed via a LuaJIT interpreter.
githubsmartloaderlua stagereadmelua scriptluajitzip filepolygon smartpostlua runtimestealcprometheuslookluasmartloader lua
MITRE ATT&CK & Malware Families
ATT&CK TECHNIQUES
MALWARE FAMILIES
StealC
Indicators of Compromise (25 / 126 total)
All FileHash-MD5 FileHash-SHA1 FileHash-SHA256 URL
TYPEINDICATORDESCRIPTIONCREATED
FileHash-SHA1 0d21ebbdcee0d6f12822991cf4915195304a9360 SHA1 of cd4d2b6dc9c764c3f2b2b003bce035053a8ce81420c7ea886c76611219cae4ae 2026-04-26
FileHash-SHA1 129b0ddcc245b47bfe4de26bc4829abf2d6f0ba8 SHA1 of bbd438d3d7a59152f1dd5e45bb8d22ee1c07f95cfe42cebbe756aaf4feadc875 2026-04-26
FileHash-SHA1 18ad76619b23777794576ced7311f1c6ebb8d6fa SHA1 of e69873a3ef03b289aba8a0ec7130247dc5f2a3ce8c3b647b44518a899f39f789 2026-04-26
FileHash-SHA1 34ff5741d5ab5bdef637a6c1429234cc9dd022cc SHA1 of d1557bc3f5d8542f9b7f8e80b02283397d2e437386a6662251c4fc7342167cda 2026-04-26
FileHash-SHA1 3b8d01703fabc6d4906c7902c051b03a3be346d3 SHA1 of 9de5dc4192a9dea43d9ff6289bb276bb3f2c244c15821b6d31fab90258b23149 2026-04-26
FileHash-SHA1 41bdc95bb949cd498718c0493cb0ed9c44369797 SHA1 of 54bbd79ed1ee26d3e7aa079963ba26c36aa683c01cc8b05b6d255da8634df006 2026-04-26
FileHash-SHA1 43f1ae9d502facb1c85b278cc29868abc394de95 SHA1 of 3595a6b226ce4daa0a28edea152b3a887c01f6323db1d082f6568c995cdefb55 2026-04-26
FileHash-SHA1 4ff9b0236342b50a708b1e014c778648a4705bb9 SHA1 of bff0904456e3151221d29ed1d7c88fc31587efbdfb28817cdcb7ec7f20cade21 2026-04-26
FileHash-SHA1 589f7ee45aa300878434093363ccca3ca156a2fe SHA1 of d56213d08fb10c880f17e1a262bf1176cf234d1fc591188171e7be9cd856eb12 2026-04-26
FileHash-SHA1 5b7f6e5802ffd5895185da01d8a24fa16eba186b SHA1 of f9436ccb986760ca379d6cd2f00726e032a1d9c250a9bd261d40d98b914e7ef9 2026-04-26
FileHash-SHA1 6cdd56c58144ab0a4f6c8e5afd95fc836331ebea SHA1 of c3b56d68c80c4a6a9879c45a7761a538e3546644623af1ee469d3b70130fa0cd 2026-04-26
FileHash-SHA1 6df8fd5180820af17f0afb78565eeffcecb3e284 SHA1 of 592ec6f529721acbe07100c5386c58ca20fddfee7ac90280943fc2a61661e2be 2026-04-26
FileHash-SHA1 721acedcebcdc53f5993172e39b5dd58a7b5103a SHA1 of 8b42ca9d05badf0e7327d816a56e5516431ae34627da68e12ae9347f365b2668 2026-04-26
FileHash-SHA1 97134dbb856b11be3b018508e980f58622bc5350 SHA1 of 8cede35b80b1deaf732c2b178d908f91b3e7a0c114d06dfae9075b8a9bf78b8f 2026-04-26
FileHash-SHA1 a38f23df038eda62031208959fb3dba1986f9fe3 SHA1 of 2273702dfbcfd96a6ed7bdb42ba130291b653869256ec1325bc7fe30e8d9b70a 2026-04-26
FileHash-SHA1 ab9685d1f483f40a5bd995173519a12473fa450f SHA1 of ce1e33483d353200a266b3bc383ccf500e5a760c6dcd8218747260f5bbe39509 2026-04-26
FileHash-SHA1 b4f561add9ad0e57f0a56b0e490f782df4a1a48d SHA1 of 440ceb0dc5911faca54ed9a4dd186dad3d006ae4f52d0bb7d1e4b4edd8c3693a 2026-04-26
FileHash-SHA1 b8189ceb605254eaef7f21b3b2d744be3fe17172 SHA1 of 09e0f7616dfd2f7eb2876f6ef7331d6dbc78775acd594a94b0397a56717d1fcc 2026-04-26
FileHash-SHA1 ba7b3181156d9dcd2634e077d2a81dc425282f90 SHA1 of fad3d429172932b72e50f52af169a80439464e3538d97810509090e2e6cdf32a 2026-04-26
FileHash-SHA1 c30fa21e251cd4eb29a8ba86c0e99f331f058f18 SHA1 of 0a4bce0f0461335585550598ff33c40a389465f7d0094212bee40b7f525de123 2026-04-26
FileHash-SHA1 d49590bfb8b160595382339433535c481ce425ac SHA1 of f3e34c9e36f3be065d80d456281d31dd1cc85eb4980db7fa8c1b0eb6f29c25d8 2026-04-26
FileHash-SHA1 d55d712837f4b5ab48faed80b8df47022231171e SHA1 of e1e6e28bc665b242fd4b496caf2542042d5720e87ea74551735664c202c486c7 2026-04-26
FileHash-SHA1 d92b1e743af660e5d6556c26cf7e84f9e9e87747 SHA1 of a91b3308a7e9aa9fa660c72d27f226d8f50bfac2629f79a828fbecff323c0fe0 2026-04-26
FileHash-SHA1 dc66a58a2ba83279ae1ec43c53e27eb5cb37f816 SHA1 of 3989cdf958d258244f3a72bac594214112ffe1008d4d81233a5911482dd302ca 2026-04-26
FileHash-SHA1 f0c5b4b2b1c2fb641af80181f55c711f56410418 SHA1 of 167b166e26dd44f580a00f2c879089c5362eff5120ac88e0701b11b1eb320ca9 2026-04-26
References (1)
↗ https://hexastrike.com/resources/blog/threat-intelligence/cloned-loaded-and-stolen-how-109-fake-github-repositories-delivered-smartloader-and-stealc/