Water Curse Targets Devs and Red Teamers via Weaponized GitHub Repos
A newly identified threat actor, tracked as "Water Curse" by Trend Micro, has been conducting a widespread campaign that uses GitHub repositories to deliver multi-stage malware. The actor mimics legitimate tools relevant to developers, gamers, and security professionals, particularly those involved in penetration testing and red teaming. Trend Micro first observed the campaign in May 2025, though a review of the infrastructure traced the creation of related GitHub accounts as far back as March 2023. That infrastructure is extensive: Trend Micro identified at least 76 GitHub accounts linked to the campaign, "with malicious payloads embedded in build scripts and project files." These payloads are buried in repositories impersonating tools such as an SMTP email bomber and Sakura-RAT. Water Curse's operations appear globally dispersed, and attribution details are limited. The artifacts are written in English, and the actor is assessed to be financially motivated, with "goals such as credential theft, session hijacking, resale of illicit access."
Initial execution begins when a user downloads a ZIP archive from GitHub containing a Visual Studio project. Building the project runs "MSBuild.exe," which executes a command line pointing to a ".cmd" script in the "%TEMP%" directory, so simply compiling the downloaded project is enough to start the chain. That script invokes "cscript.exe" to run a VBScript, which in turn launches a PowerShell script that retrieves the 7-Zip tool and a password-protected archive. The archive is extracted with 7-Zip, staging an Electron-based application in "%TEMP%". Of the extracted files, "SearchFilter.exe" and "app.asar" are of primary concern. The JavaScript inside "app.asar" performs several post-compromise actions, including network session enumeration, system profiling (covering GPU and OS architecture), and a UAC bypass via the "ms-settings" protocol handler: the handler's registry key is modified to point to the malicious "SearchFilter.exe," and because that key sits in the user-writable "HKCU\Software\Classes" hive and is consulted by auto-elevating Windows binaries, the malware obtains elevated execution without prompting the user.
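Because the infection fires at build time, the check a practitioner wants is an audit of the project files before running msbuild. The following Python script is an added example written for this article, not Trend Micro's tooling and not code from the Water Curse repositories: it parses MSBuild project XML and lists every build-time command line (PreBuildEvent/PostBuildEvent/PreLinkEvent properties and Exec tasks), flagging those that reference %TEMP%, script hosts, PowerShell, or common download-and-execute utilities. The project file embedded in it is constructed for the demo, and the indicator list is an assumption, not a complete catalogue.

```python
"""Audit an MSBuild project for build-time command execution.

Added example for this write-up, not code from Trend Micro or from the
Water Curse repositories. Build events and <Exec> tasks are the hooks that
let msbuild.exe run an arbitrary command line during compilation, which is
how the chain described above starts. The sample project is constructed.
"""
import re
import xml.etree.ElementTree as ET

# Elements whose text is handed to the shell during a build.
# .csproj:  <PreBuildEvent>cmd</PreBuildEvent>
# .vcxproj: <PreBuildEvent><Command>cmd</Command></PreBuildEvent>
BUILD_EVENT_ELEMENTS = {"PreBuildEvent", "PostBuildEvent", "PreLinkEvent", "Command"}

# Substrings that rarely belong in a legitimate build step (assumed list).
SUSPICIOUS = re.compile(
    r"%temp%|\\temp\\|\$\(temp\)|cscript|wscript|powershell|pwsh|mshta|"
    r"certutil|bitsadmin|regsvr32|rundll32|-enc\b|downloadstring|"
    r"invoke-webrequest|\biwr\b|\bcurl\b|\.cmd\b|\.bat\b|\.vbs\b|\.ps1\b",
    re.IGNORECASE,
)


def _local(tag):
    """Drop the MSBuild XML namespace, if the project declares one."""
    return tag.rsplit("}", 1)[-1]


def _enclosing_target(elem, parents):
    """Describe the <Target> an <Exec> task lives in, including the hooks
    (BeforeTargets/AfterTargets) that make it run on an ordinary build."""
    node = parents.get(elem)
    while node is not None and _local(node.tag) != "Target":
        node = parents.get(node)
    if node is None:
        return "no target"
    hooks = [f"{k}={v}" for k, v in node.attrib.items()
             if k in ("BeforeTargets", "AfterTargets", "DependsOnTargets")]
    return f"target '{node.get('Name', '?')}'" + (f" ({', '.join(hooks)})" if hooks else "")


def audit_msbuild_project(xml_text):
    """Return [(location, command, suspicious)] for every build-time command."""
    root = ET.fromstring(xml_text)
    parents = {child: parent for parent in root.iter() for child in parent}
    findings = []
    for elem in root.iter():
        name = _local(elem.tag)
        if name in BUILD_EVENT_ELEMENTS and (elem.text or "").strip():
            where = name
            if name == "Command" and elem in parents:
                where = _local(parents[elem].tag)  # report the enclosing event
            cmd = elem.text.strip()
            findings.append((where, cmd, bool(SUSPICIOUS.search(cmd))))
        elif name == "Exec":
            cmd = (elem.get("Command") or "").strip()
            if cmd:
                where = f"Exec in {_enclosing_target(elem, parents)}"
                findings.append((where, cmd, bool(SUSPICIOUS.search(cmd))))
    return findings


# Constructed sample: a harmless post-build copy plus a target that runs a
# .cmd from %TEMP% before every build, the pattern described in the article.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <OutputType>Exe</OutputType>
    <TargetFramework>net8.0</TargetFramework>
    <PostBuildEvent>copy "$(TargetPath)" "$(SolutionDir)dist\\"</PostBuildEvent>
  </PropertyGroup>
  <Target Name="PrepareDeps" BeforeTargets="Build">
    <Exec Command="cmd /c &quot;%TEMP%\\deps.cmd&quot;" />
  </Target>
</Project>"""


if __name__ == "__main__":
    for where, cmd, bad in audit_msbuild_project(SAMPLE_CSPROJ):
        print(("SUSPICIOUS " if bad else "ok         ") + f"{where}: {cmd}")
```

Run it over every .csproj, .vcxproj, .props and .targets file in a cloned repository, including Directory.Build.props and anything imported via `<Import>`, since a build hook can live in any of them; MSBuild logic pulled in from NuGet packages is outside what this scan sees. A clean scan lowers the risk but does not replace building untrusted projects in a throwaway VM.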
Defense evasion follows, with PowerShell scripts such as "disabledefender.ps1" using the Windows Defender preference cmdlets to add several exclusions, including the entire "C:" drive, "explorer.exe," and "regedit.exe" (note that "Get-MpPreference" only reads the configuration; exclusions are added with "Add-MpPreference"). Shadow copies are deleted with "vssadmin," and System Restore is disabled by altering registry values under "SystemRestore." Scheduled tasks are created with "schtasks"; one, named "BitLocker Encrypt All Drives," uses a one-time schedule with a duration of over 9999 hours and a five-minute repetition interval, so it effectively runs indefinitely. Other scheduled jobs, including "RegisterDeviceSecurityAlert" and "RegisterDeviceNetworkChange," run at regular intervals to sustain presence.
A decrypted PowerShell script, "68d9273e-3390-4ec3-b697-baa2ddf701ba.ps1," extracted from "config.json," drives the next stage. It loads DLLs, extracts multiple encrypted payloads (thread_f, boot_f, and others), and injects them into "RegAsm.exe," a legitimate .NET Framework binary, so that they execute in memory and persist. On completion the script deletes itself to reduce its footprint. After injection, the malware establishes command-and-control with an associated Remcos RAT server and prepares to exfiltrate data. During collection, "SearchFilter.exe" extracts another 7z archive, staged to look like Windows Vault data, and drops files such as "taskhostw.exe" and "NVIDIA Control Panel.exe." When launched, the fake NVIDIA binary fingerprints the system, enumerates browser processes, and uses "curl.exe" to look up the public IP address. Key data such as browser credentials and saved sessions (including GitHub and ChatGPT tokens) is packaged with 7-Zip and stored for later exfiltration.
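The behaviour in the two paragraphs above (the %TEMP% .cmd launched by MSBuild, the script-host-to-PowerShell hop, the ms-settings handler write, Defender exclusions, shadow-copy deletion, the one-shot task with a repetition interval, and RegAsm.exe started by PowerShell as an injection host) leaves process-creation and registry telemetry that is enough to write detections against. The Python below is an added example, not Trend Micro's detection content: a set of rules evaluated over Sysmon-style events (Event ID 1 process creation, Event ID 13 registry value set). The events are constructed for the demo; every path, SID and command line in them is hypothetical, modelled on the article's description rather than captured from a sample.

```python
"""Detection rules for the Water Curse execution and defense-evasion chain.

Added example, not Trend Micro's detection content. Events are dicts using
Sysmon field names (Event ID 1 = process creation, 13 = registry value set).
The sample events are constructed; every path, SID and command line is
hypothetical, modelled on the behaviour described in the article.
"""
import re


def _base(path):
    """Lower-cased file name from an image path."""
    return (path or "").rsplit("\\", 1)[-1].lower()


def _cmd(ev):
    return ev.get("CommandLine", "")


def _proc(ev, image=None, parent=None):
    """True for a process-creation event with the given image/parent names."""
    return (ev.get("EventID") == 1
            and (image is None or _base(ev.get("Image")) in image)
            and (parent is None or _base(ev.get("ParentImage")) in parent))


SCRIPT_HOSTS = ("cscript.exe", "wscript.exe")
POWERSHELL = ("powershell.exe", "pwsh.exe")

# (rule name, predicate). Kept narrow so a developer's normal msbuild and
# PowerShell usage does not trip them.
RULES = [
    ("msbuild_spawns_temp_cmd", lambda ev: _proc(ev, ("cmd.exe",), ("msbuild.exe",))
        and re.search(r"\\temp\\[^\s\"]+\.cmd\b", _cmd(ev), re.I)),
    ("script_host_runs_from_temp", lambda ev: _proc(ev, SCRIPT_HOSTS)
        and re.search(r"\\temp\\", _cmd(ev), re.I)),
    ("script_host_spawns_powershell", lambda ev: _proc(ev, POWERSHELL, SCRIPT_HOSTS)),
    ("ms_settings_handler_hijack", lambda ev: ev.get("EventID") == 13
        and re.search(r"\\classes\\ms-settings\\shell\\open\\command",
                      ev.get("TargetObject", ""), re.I)),
    ("defender_exclusion_or_disable", lambda ev: _proc(ev)
        and re.search(r"(Add|Set)-MpPreference\b.*-(Exclusion(Path|Process|Extension)"
                      r"|DisableRealtimeMonitoring)", _cmd(ev), re.I)),
    ("shadow_copies_deleted", lambda ev: _proc(ev, ("vssadmin.exe",))
        and re.search(r"delete\s+shadows", _cmd(ev), re.I)),
    ("one_shot_task_with_repeat_interval", lambda ev: _proc(ev, ("schtasks.exe",))
        and re.search(r"/create\b", _cmd(ev), re.I)
        and re.search(r"/sc\s+once\b", _cmd(ev), re.I)
        and re.search(r"/ri\s+\d+", _cmd(ev), re.I)),
    ("regasm_spawned_by_powershell", lambda ev: _proc(ev, ("regasm.exe",), POWERSHELL)),
]


def detect(events):
    """Return [(event_index, rule_name)] for every rule that fires."""
    return [(i, name) for i, ev in enumerate(events) for name, pred in RULES if pred(ev)]


# Constructed telemetry (hypothetical paths, fake SID) following the article.
TEMP = r"C:\Users\dev\AppData\Local\Temp"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
MSBUILD = r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe"
SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"


def _p(parent, image, cmdline):
    return {"EventID": 1, "ParentImage": parent, "Image": image, "CommandLine": cmdline}


SAMPLE_EVENTS = [
    _p(MSBUILD, r"C:\Windows\System32\cmd.exe", f'cmd.exe /c "{TEMP}\\deps.cmd"'),
    _p(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\cscript.exe",
       f"cscript.exe //nologo {TEMP}\\loader.vbs"),
    _p(r"C:\Windows\System32\cscript.exe", PS,
       f"powershell.exe -nop -w hidden -ep bypass -f {TEMP}\\stage.ps1"),
    {"EventID": 13, "Image": f"{TEMP}\\SearchFilter.exe",
     "TargetObject": f"HKU\\{SID}\\Software\\Classes\\ms-settings\\Shell\\Open\\command\\(Default)",
     "Details": f"{TEMP}\\SearchFilter.exe"},
    _p(PS, PS, r'powershell.exe -c "Add-MpPreference -ExclusionPath C:\ -ExclusionProcess explorer.exe,regedit.exe"'),
    _p(PS, r"C:\Windows\System32\vssadmin.exe", "vssadmin.exe delete shadows /all /quiet"),
    _p(PS, r"C:\Windows\System32\schtasks.exe",
       f'schtasks.exe /create /tn "BitLocker Encrypt All Drives" /sc once /st 00:00 '
       f'/du 9999:59 /ri 5 /tr "{TEMP}\\SearchFilter.exe" /f'),
    _p(PS, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe", "RegAsm.exe"),
    # Two benign events: the compiler a build is supposed to spawn, and a
    # read-only Defender query (Get-MpPreference changes nothing).
    _p(MSBUILD, r"C:\Program Files\dotnet\dotnet.exe", "dotnet.exe csc.dll /noconfig @obj/App.rsp"),
    _p(r"C:\Windows\explorer.exe", PS, "powershell.exe -c Get-MpPreference"),
]


if __name__ == "__main__":
    for i, name in detect(SAMPLE_EVENTS):
        print(f"event {i}: {name}")
```

The registry rule needs Sysmon configured to log value sets under `Software\Classes\ms-settings` (Event ID 13), and the Defender rule only sees exclusions passed on a command line; when the cmdlet runs from inside a script file such as "disabledefender.ps1", the same regex should be applied to PowerShell script block logs (Event ID 4104) instead. Correlating these hits by process tree, with MSBuild.exe as the root, is what separates this chain from a single noisy admin command.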
For exfiltration, the collected data is compressed into "stealFiles.7z" using LZMA2, likely to hinder inspection, and transferred via cloud-based platforms. Trend Micro observed telemetry linked to domains such as Gofile and Telegram, indicating the use of legitimate services for staging and delivery; a JavaScript snippet in "main.js" interacts with the Telegram Bot API, providing a covert command-and-control channel that blends in with ordinary HTTPS traffic to a popular service. Trend Micro's analysis of Water Curse reveals a threat actor prioritizing stealth, persistence, and automation, embedding malicious logic deep within developer tooling and offensive security utilities. Using GitHub as a distribution channel gives the actor broad reach and lowers the barrier to infection, while the malware's capabilities span credential theft, privilege escalation, network surveillance, and exfiltration. With a diversified toolset, adaptive infrastructure, and a clear monetization strategy, Water Curse's operations represent a supply chain risk, particularly to communities that rely on open-source repositories, where cloning and building an unreviewed project is itself the infection vector.
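Both the UAC-bypass logic described earlier and the Telegram Bot API client live in JavaScript inside "app.asar", so an analyst's first question is what that archive contains and whether it references the services above. The Python below is an added example, not Trend Micro's tooling and not code from the campaign: it parses the asar container format directly (an 8-byte size prefix, a pickle-encoded JSON header listing each file's size and offset, then the concatenated file bodies) and greps every packed file for a small indicator set, without extracting anything to disk. The archive it builds in memory is constructed for the demo, the main.js inside is a stand-in for the real script, the bot token is fake, and the indicator list is an assumption rather than Trend Micro's IOCs.

```python
"""Inspect an Electron app.asar for C2/exfiltration indicators in memory.

Added example, not Trend Micro's tooling or code from the campaign.
asar layout, as written by the asar tool:
  [0:4]   uint32 LE = 4                 (size of the next field)
  [4:8]   uint32 LE = len(header pickle)
  [8:12]  uint32 LE = pickle payload length
  [12:16] uint32 LE = JSON header length
  [16:..] JSON header, zero-padded to 4 bytes, then the file bodies.
File offsets in the JSON are relative to the end of the header pickle.
The sample archive, its main.js and the bot token are constructed/fake.
"""
import json
import re
import struct

# Assumed indicator set for the behaviour described in the article.
INDICATORS = {
    "telegram_bot_api": re.compile(r"api\.telegram\.org/bot", re.I),
    "gofile": re.compile(r"gofile\.io", re.I),
    "seven_zip_archive": re.compile(r"\b[\w-]+\.7z\b", re.I),
    "ms_settings_handler": re.compile(r"ms-settings\\+shell\\+open\\+command", re.I),
    "child_process": re.compile(r"require\(['\"]child_process['\"]\)"),
}


def _pad4(n):
    return (n + 3) & ~3


def build_asar(files):
    """Pack {path: bytes} into asar bytes; nested paths become directories."""
    root, bodies, offset = {"files": {}}, [], 0
    for path, data in files.items():
        node = root
        *dirs, name = path.split("/")
        for d in dirs:
            node = node["files"].setdefault(d, {"files": {}})
        node["files"][name] = {"size": len(data), "offset": str(offset)}
        bodies.append(data)
        offset += len(data)
    header = json.dumps(root).encode()
    payload = struct.pack("<I", len(header)) + header.ljust(_pad4(len(header)), b"\0")
    header_pickle = struct.pack("<I", len(payload)) + payload
    return struct.pack("<II", 4, len(header_pickle)) + header_pickle + b"".join(bodies)


def read_header(blob):
    """Return (header_dict, data_start) from asar bytes."""
    _, header_pickle_len = struct.unpack_from("<II", blob, 0)
    _, json_len = struct.unpack_from("<II", blob, 8)
    return json.loads(blob[16:16 + json_len]), 8 + header_pickle_len


def iter_files(node, prefix=""):
    """Yield (path, offset, size) for every packed file, depth-first."""
    for name, meta in node["files"].items():
        path = prefix + name
        if "files" in meta:
            yield from iter_files(meta, path + "/")
        elif "offset" in meta:  # "unpacked": true entries live outside the archive
            yield path, int(meta["offset"]), int(meta["size"])


def scan_asar(blob):
    """Return [(path, indicator)] for every packed file matching an indicator."""
    header, data_start = read_header(blob)
    hits = []
    for path, offset, size in iter_files(header):
        text = blob[data_start + offset:data_start + offset + size].decode("utf-8", "replace")
        hits.extend((path, name) for name, rx in INDICATORS.items() if rx.search(text))
    return hits


# Constructed stand-in for a malicious main.js; token, key and paths are fake.
SAMPLE_MAIN_JS = rb"""
const { execSync } = require("child_process");
const TOKEN = "000000000:FAKE-TOKEN-FOR-DEMO";
const HANDLER_KEY = "HKCU\\Software\\Classes\\ms-settings\\shell\\open\\command";
const ARCHIVE = process.env.TEMP + "\\stealFiles.7z";
const UPLOAD = "https://api.telegram.org/bot" + TOKEN + "/sendDocument";
"""


def build_sample_asar():
    return build_asar({
        "package.json": b'{"name": "SearchFilter", "main": "main.js"}',
        "main.js": SAMPLE_MAIN_JS,
        "renderer/index.html": b"<html><body>Loading...</body></html>",
    })


if __name__ == "__main__":
    for path, indicator in scan_asar(build_sample_asar()):
        print(f"{path}: {indicator}")
```

On a real sample, pass the bytes of "app.asar" to `scan_asar`; files marked `"unpacked": true` are stored beside the archive in an `app.asar.unpacked` directory and have to be read from there. A hit on the Telegram Bot API or Gofile in an application that presents itself as a search filter is the point of the check; the bot token, if present in the script, is what to extract for takedown and infrastructure pivoting.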