Kaspersky exposes hidden malware on GitHub stealing personal data
93 comments
February 28, 2025
cookiengineer
rozab
This is dated February 24, which is before I noticed all these other investigations hitting Reddit and HN. Seems maybe they were just piggybacking off Kaspersky
yorwba
What makes you sure the malware described here is the same as the one you read about before? After all, GitHub isn't limited to one malware campaign at a time.
E.g. we also have https://news.ycombinator.com/item?id=43203158 from 3 days ago, which seems to be a different thing at first glance.
cookiengineer
The structure of the archive looked very similar to the sample I was analyzing.
The securelist article [1] also describes the same malware techniques and stealer behaviors, just in a much less detailed manner than the original reddit post.
[1] https://securelist.com/gitvenom-campaign/115694/
edit: updated my grandparent comment with the reddit links. It was on /r/netsec and /r/hacking and not on /r/cybersecurity where the author posted it first :D
pseudo0
> It was super interesting to see that they switched to using python there, because it's an odd choice from a redteam perspective.
Is it really that surprising? Using Python makes it easy to write their "business logic" and if they get caught, they just tweak the way they are obfuscating it. They aren't using any fancy exploits that they want to protect, this is the equivalent of a smash and grab robbery.
userbinator
The number of developers I've met who will just download, compile, and run stuff from GitHub in the same way as if it was closed-source, i.e. paying no attention to the fact that the source is available for inspection, is surprisingly large.
mgolawala
I think it is worse than that.
I think being on GitHub (and seemingly open source) gives developers a false sense of security in that they assume the code is open and therefore community vetted and that the developer has nothing to hide.
I suspect people who would know not to download and run a random binary off the internet would download, compile and run projects from GitHub.
unclebucknasty
But, truly, what is the solution?
I mean, you can use static analysis or similar, but you generally can't check every line of code for every open source lib you pull in, let alone its dependencies.
Seems that, once you decide to use open source, you are actually making a choice to trust to some extent.
unnah
Commercial Linux distributions like Red Hat, SUSE and Canonical stake their reputation on compiling a trustworthy collection of open source software, in exchange for money. Unfortunately they disclaim any legal responsibility, but at least they make reasonable efforts to analyze the security of the software they are distributing, in order to avoid PR disasters.
For some reason the same business model has not made many inroads for higher-level language ecosystems, although many companies are trying - for example the Python Conda distribution.
consumer451
> But, truly, what is the solution?
Let's use GitHub as an example. We have forks, and stars. Maybe we could also have some kind of build endorsement?
How one would verify that the endorser is worth your trust, I am not entirely sure.
Maybe endorsers could eventually be rated by CVEs found in their endorsements, and that would build trust?
codedokode
You can get rid of legacy OS like Windows or Linux that cannot run applications in the sandbox and switch to those which can. In this case the malware only gets a sandbox and not the whole system.
If you work for a commercial company then you should not download the code from random users on GitHub for free but from commercial, safe repositories where the code is inspected, tested and verified. Or from reputable large commercial companies that are unlikely to put in backdoors. Microsoft or Apple won't risk their reputation by backdooring an open-source library.
dcreater
This is a solvable problem thanks to llms
gherard5555
Well it all comes down to trust eventually, you cannot inspect every single line of code of every program you want to run on your computer. Nowadays even GitHub stars are not worth that much trust because malicious actors can just make fake accounts or buy them.
kazinator
The number of new GNU/Linux distros that have appeared since 1994 that just compile stuff into binary packages not even paying attention to the fact that the source can be inspected, is just staggering.
Aachen
I don't see any hint on how to recognise, or how not to recognise them. Did the projects have lots of stars? Fake issues and pull activity? What kind of software did they claim to be? Did they work, to avoid it being obvious after executing and the user reporting the repository to GitHub? How hard was it to spot the malware, Underhanded C Contest level or obvious if you just open the right file (among hundreds, I guess) and see it do illegitimate things?
All it says is that the projects were written in different common languages...
rozab
You need to click through to the actual investigation
k_sze
I'm in Canada and I just get auto-redirected to the kaspersky.ca home page when I try to visit the link.
shakna
They link here [0] for more details, which might be less geo-intercepted.
KronisLV
Honestly, whenever some malware like this is revealed, that just makes me wish for more sandboxing and alerting in OSes. For example, each app getting its own writable directory structure and access to anything else needing to be explicitly granted by the user.
It would require work to make the UX not be horrible, but that's a solvable problem. The fact that we don't have that in mainstream OSes in $CURRENT_YEAR given the security situation of the software out there, is insane.
amelius
Agree. And code libraries should be similarly isolated.
shakna
Kaspersky is now banned for government use in multiple nations. Whilst there is some good work happening there, as above, for the most part, they should be considered a state actor for Russia.
That usually means that they're a threat, and these small good tokens are nothing more than PR efforts.
You can't avoid politics, when considering this company.
wongarsu
All cyber security companies should be considered state actors. Even if they currently aren't, it's too easy for a state to co-opt them.
If you build an antivirus software today, and tomorrow you get a secret court order to ignore certain malware for "national security" what are you going to do? What if it's a request to include a small binary payload in return for a lucrative government contract, with implied threats of what happens if you leak the request? You can decide not to do it and just shut down, but then the only ones left on the market are the ones that complied.
If you do cyber security for more than just compliance, evaluating the software providers against your threat model was always an important step. Whether that means avoiding American, Chinese or Russian software. In the threat model of a Western government agency, Russian software should have been off limits since the 50s (even if Kaspersky tries to tell you they are not Russian at all).
That still doesn't mean their work is any less interesting or praiseworthy. Just like how you know NASA landed on the moon because Roscosmos didn't dispute it, Kaspersky can do work and offer perspectives that might be more difficult for similarly sized western cyber security companies.
yaomtc
I'd heard of gag orders, but I hadn't heard of secret court orders like that. I searched and found this:
https://www.aclu.org/news/national-security/secret-court-opi...
Do you know of other examples?
shakna
Australia's Assistance and Access Orders (TAN, TCN, etc.) [0] basically allow the government to order mandatory backdoors into various software. They do have some oversight, but it isn't significant. They can order any employee, not just the company.
The wording is also... Squirrelly. You can't introduce a weakness, but the definition of weakness excludes the entire concept of backdoors.
However, Technical Capability Notices can be ordered where:
> reasonable, proportionate, practicable and technically feasible
The employee/company can push back and argue one of those isn't met, but ultimately it is the office of the Governor General that decides.
So far, it has basically only been used against journalists [1], as far as we know, which is nice and horrific.
[0] https://www.homeaffairs.gov.au/about-us/our-portfolios/natio...
[1] https://www.abc.net.au/news/2019-07-15/abc-raids-australian-...
flakeoil
Maybe don't put too much into the word "court order", but instead interpret it as an order from the government to force the company to use the tool for the governments/country's benefit.
One could also assume that the owners and/or management of the company are in the same boat as the government/country so they do not mind using the tool for the country's benefit when needed.
jonathanstrange
That's why I choose my antivirus software based on the jurisdiction, not on technical comparisons.
codedokode
It is not very fair singling out Kaspersky and assuming that other AV companies are not a threat to foreign countries. Foreign software and hardware are always a threat. And the US was caught spying even on its allies.
shakna
The US, while hardly benign, have not orchestrated multiples of "largest attack in history", for multiple previous years in a row.
Russia and China, have.
The threat scale here, is not an even playing field.
close04
> The US, while hardly benign, have not orchestrated multiples of "largest attack in history"
You must be using a very personal interpretation of what "largest attack in history" is.
The US is literally the owner and operator of the largest surveillance and intelligence collecting apparatus in the history of mankind. I bundle in here all kinds of legal and illegal surveillance, interceptions, hacking, etc. directly state run, or leveraging other intelligence agencies, or leveraging the largest private data collectors in the world which are mostly US companies. It was already proven by the Snowden leaks, it's absolutely reasonable to assume this apparatus only grew stronger.
If that's not a never ending "largest attack" on everyone in the world I don't know what is.
0x1ceb00da
Russia attacked ukraine but what did china do?
aa-jv
You can't ignore this fact: The US and Australia partner on Pine Gap, which violates the human rights of literally billions of human beings every single second of the day.
Russia and China have a long way to go to catch up.
watwut
And the Russian state is still a bigger threat than the others (and current US leadership counts as almost Russian anyway)
pjmlp
Ironically, we are having similar discussions regarding US companies if the trend with the current administration is to continue.
The big difference is that as of today, we are currently stuck with available alternatives, but it won't surprise me if many governments start looking back into the computing diversity infrastructure that we had during cold war days.
etc-hosts
The US is on a path to un-ban Russian state affiliated companies.
https://www.nytimes.com/2025/03/02/us/politics/hegseth-cyber...
rectang
That the Pentagon has announced it will cease defending Americans against Russian threats hardly means that Americans are not threatened.
somenameforme
Or it means that the original bans were primarily instituted because of myopic geopolitics and not because of any meaningful threats. In particular US ire towards Kaspersky grew rapidly after it was the only antivirus that picked up on NSA/'equation group' malware.
It's similar how the US banned all cooperation with China in space [1] because of some tropes about them being unable to do anything except steal American tech. That's why, to this day, there are no Chinese on the ISS. After that law China proceeded to develop, launch, and man their own space station, put a rover on Mars, and even carry out an unprecedented sample return mission from the dark side of the Moon, and just generally run circles around the US (except perhaps SpaceX) in space. Interestingly US researchers may not be able to access those Moon samples (which China shared with scientists worldwide) due to this stupid law.
DeathArrow
By the same logic, Google, Apple, Amazon, Microsoft should be considered state actors.
AceJohnny2
Why, yes.
shakna
Please feel free to point out where the CIA successfully issued directives to those companies to target foreign nationals.
Bearing in mind that Snowden's revelations did in fact cause outcry, and national responses to US companies. And helped push through various data protections in Europe, including stipulating non-sharing of data with the US.
ThinkBeat
Hmm, so what is your opinion of what the NSA is doing these days?
torginus
Has this been proven? Or is this another 'they are in a foreign country so they could be compelled to spy on us?' - not that I have a particular desire to defend Russia at this moment in time.
ivanmontillam
This is a fair question.
I also get nitpickity about it.
Not because some organization or some person is Russian, then it must be under the control of Putin.
Pavel Durov is Russian, and I don't have reasons to believe he syphons my data to the Kremlin (other than getting randomly detained in France).
throwaway290
Why not judge on the merit. Unlike PRC's deepseek or tiktok which were shown and admitted to collect all sorts of data and specifically influence public opinion to favor a foreign interest this is literally just information, white hat infosec research
shakna
You cannot divorce the company from their other actions. They are engaged in cyber warfare with various nations. That means that all of their actions need to be weighed and judged.
They put it on their website, which makes it company PR, regardless of how it might be seen. Good things have been done by terrible actors, since the dawn of time. It is not information alone.
jajko
In that vein Europe should have 0% trust in any US software or hardware. We are not that much friends anymore, in fact US is currently actively helping our existential enemy and subverting us.
Remember the scandal with the US spying directly on all top European politicians? This was in quiet times compared to now.
To paraphrase you, terrible things have been done by good actors. You cannot divorce a state from its other actions in the same area either. I don't think I need to bring up numerous fuckups of US 'defense' and secret services that literally killed tens of millions of civilians in the past 100 years across the whole globe, with very little to show for it and claim 'it was worth it because we achieved XYZ'.
2Gkashmiri
careful or you would have to divorce google because of their actions but the larger question is, will you?
archerx
Are you weighing and judging that the USA has killed millions of innocent people because of the American Military Industrial complex before buying American products? You can't divorce a company from its country's politics as you say.
If you are not judging the USA at the same standards as you do other countries then that would be very hypocritical.
ajross
The whole point to reading an article like this is to get the considered opinions of an expert, though, not to "judge it on the merit". Only an elite handful of security folks here on HN (and this is one of the few forums where you can find them!) are capable of doing that.
So sure, when another security wonk comes along and says "Kaspersky is right about this", I think it's worth discussing. Until then, we need to assume that any communication from the company is compromised by unstated interests. Not all of it is, surely, but some probably is, and "judge it on the merit" isn't a good standard to detect the bullshit.
T3RMINATED
[dead]
This isn't Kaspersky's research?
Around a̵ ̵w̵e̵e̵k̵ ̵a̵g̵o̵ ̵(̵?̵)̵ a couple days ago someone made a post on /̵r̵/̵c̵y̵b̵e̵r̵s̵e̵c̵u̵r̵i̵t̵y̵ /r/hacking where he made a scraper and analyzed all the malware he could find. The repo amount was in the ~1000s repos that he shared in a spreadsheet. Github as a domain is feasible as a malware dropper domain due to it being allow listed by Microsoft. The attackers seem to use bots to use the releases section of other repositories, the code is there, too, but incomplete.
They were also targeting many popular games like Fortnite, Valorant, CS2 and others with their cheats that contained the malware. It was kind of interesting to see because they used a lot of screenshots in the README files that seemingly were enough to convince gamers to install the malware.
The dropper/stealer samples that I took a look at were python obfuscated bundles targeting Win11 and lots of different browser cookie storages, password managers, and even replaced the MetaMask extension inside the browser profile with another one after stealing all the session cookies and passwords. As an exfil technique they used discord, and you could see lots of different ranks of the discord server, with the API tokens and paypal ids and other things that they automated their payments with.
It was super interesting to see that they switched to using python there, because it's an odd choice from a redteam perspective.
I still have the deobfuscated code somewhere, not sure if I can find the link to the original research article again. Couldn't find it with the shitty reddit search.
edit: Man, this weekend has been way too long. Here's the links to the original article from only a couple days ago:
[1] https://old.reddit.com/r/netsec/comments/1izryuk/github_scam...
[2] https://timsh.org/github-scam-investigation-thousands-of-mod...
[3] The google spreadsheet (archive link because traffic limit has been reached I guess): https://archive.is/ijiWP
edit 2: I also have the pubhtml file of the google spreadsheet on my hard drive, but it's ~23MB. Maybe I can make a gist out of that later? The spreadsheet didn't show an export button or UI, that's why I used wget at the time.
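A defender-side triage script that speaks to two points raised in this thread: Aachen's question of how hard the malware was to spot, and the behaviours cookiengineer describes (obfuscated Python bundles, browser cookie and password stores, the MetaMask extension being swapped out, Discord used for exfiltration). It is an added example for this discussion, not code from Kaspersky, the timsh.org write-up or the Reddit post; the indicator list, weights, threshold and the two sample files are constructed here for illustration. The idea is to run it over a checkout before anyone builds or executes it, so the "open the right file and see it do illegitimate things" step happens mechanically.

```python
"""Static triage for an untrusted repository checkout before it is built or run.

Added example for this thread (not Kaspersky's, timsh.org's or the Reddit
poster's code). Indicator names, weights, threshold and samples are constructed.
"""
import math
import re
import tempfile
from collections import Counter
from pathlib import Path

SOURCE_SUFFIXES = {".py", ".pyw", ".js", ".bat", ".cmd", ".ps1", ".vbs"}

# (indicator name, weight, regex). Higher weight = fewer legitimate uses in a
# small utility or game-related project. Constructed list, not exhaustive.
INDICATORS = [
    ("dynamic_exec",        2, re.compile(r"\b(?:exec|eval)\s*\(")),
    ("base64_decode",       1, re.compile(r"\bb64decode\s*\(")),
    ("zlib_inflate",        1, re.compile(r"\bdecompress\s*\(")),
    ("marshal_loads",       2, re.compile(r"\bmarshal\.loads\s*\(")),
    ("discord_webhook",     3, re.compile(r"discord(?:app)?\.com/api/webhooks/")),
    ("browser_cred_store",  3, re.compile(r"Login Data|\bCookies\b|Local State|logins\.json")),
    ("wallet_extension",    3, re.compile(r"\bMetaMask\b", re.IGNORECASE)),
    ("startup_persistence", 2, re.compile(r"CurrentVersion\\+Run|schtasks")),
]

# A quoted literal of 120+ base64-ish characters: the usual packed-payload shape.
LITERAL_RE = re.compile(r"['\"]([A-Za-z0-9+/=_\-]{120,})['\"]")


def shannon_entropy(s: str) -> float:
    """Bits per character: base64 blobs sit near 6, English text near 4."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(text: str) -> dict:
    """Score one file's content; returns {'score': int, 'hits': [indicator names]}."""
    hits, score = [], 0
    for name, weight, rx in INDICATORS:
        if rx.search(text):
            hits.append(name)
            score += weight
    for literal in LITERAL_RE.findall(text):
        if shannon_entropy(literal) > 4.5:
            hits.append("high_entropy_literal")
            score += 2
            break
    return {"score": score, "hits": hits}


def scan_tree(root: Path, threshold: int = 4) -> list:
    """Scan every source file under root; return [(relative path, result)] at or above threshold."""
    flagged = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in SOURCE_SUFFIXES:
            continue
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue
        result = scan_text(text)
        if result["score"] >= threshold:
            flagged.append((str(path.relative_to(root)), result))
    return flagged


# Constructed samples: a harmless config loader and a packed loader stub.
BENIGN_SAMPLE = "import json\n\ndef load_config(path):\n    with open(path) as f:\n        return json.load(f)\n"

import base64  # only used to build the constructed sample below
_PACKED = base64.b64encode(bytes(range(256))).decode()  # stand-in for a packed payload
SUSPICIOUS_SAMPLE = (
    "import base64, zlib\n"
    f'blob = "{_PACKED}"\n'
    "exec(zlib.decompress(base64.b64decode(blob)))\n"
)


def demo_tree() -> list:
    """Write both samples into a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "config.py").write_text(BENIGN_SAMPLE)
        (root / "loader.py").write_text(SUSPICIOUS_SAMPLE)
        return scan_tree(root)


if __name__ == "__main__":
    import sys
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else None
    for rel, res in (scan_tree(target) if target else demo_tree()):
        print(f"{rel}: score={res['score']} hits={', '.join(res['hits'])}")
```

Run it as `python triage.py path/to/checkout`; with no argument it scans the two constructed samples. The weights are deliberately crude: the point is that a README full of screenshots tells you nothing, while a four-line loader that base64-decodes a high-entropy blob and hands it to exec is trivially visible the moment any tool looks at the source instead of the star count.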