PULSE NAME
Cloned, Loaded, and Stolen: How 109 Fake GitHub Repositories Delivered SmartLoader and StealC.
WHITE PetrP.73 2026-04-26 Modified: 2026-05-26
126 IOCs (HIGH VOLUME)
A recent investigation revealed a malicious campaign that uses fake GitHub repositories to distribute malware: a LuaJIT-based loader known as SmartLoader, alongside a data-stealing payload called StealC. The campaign involved 109 malicious repositories across 103 accounts that impersonate popular open-source projects. Users are redirected to ZIP files containing SmartLoader, which is executed via a LuaJIT interpreter.
MITRE ATT&CK & Malware Families
MALWARE FAMILIES
StealC
Indicators of Compromise (2 / 126 total)
TYPE | INDICATOR | DESCRIPTION | CREATED
URL | http://144.31.57.65 | | 2026-04-26
URL | http://144.31.57.67 | | 2026-04-26