
SmartLoader

Also known as: SmartLoader

SmartLoader is a malware family whose operators are reported to spread information stealers through fake installers. In the campaign reported by Straiker's AI Research (STAR) Labs, the actor cloned a legitimate Oura MCP Server project and built a deceptive GitHub ecosystem around it, with bogus forks, contributors and likely AI-generated personas, to make the project look trustworthy. Once that credibility was established, the actor published a separate trojanized repository and submitted the malicious package to public MCP registries so that developers searching for Oura integrations would install it. The trojanized MCP server delivered the StealC information stealer, which targeted developer credentials, browser passwords, cryptocurrency wallets, API keys, cloud credentials and other secrets. Reported tradecraft included use of LuaJIT, heavy VM-style obfuscation, and persistence through scheduled tasks disguised as Realtek drivers. Researchers characterized the activity as a shift from targeting piracy users toward compromising developers via software supply-chain tactics aimed at the MCP ecosystem, stated that the infrastructure and techniques matched known SmartLoader patterns, and noted indicators pointing to China-based operations. No aliases or sub-groups beyond SmartLoader were named in the reporting.
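As an added example (not part of the Mallory profile or of STAR Labs' reporting), the following Python triage script illustrates the kind of host check the "scheduled tasks disguised as Realtek drivers" tradecraft calls for: it parses Windows Task Scheduler XML and flags tasks that carry Realtek branding but execute from outside the expected Realtek install roots, run from user-writable directories, or invoke Lua/LuaJIT. The trusted-directory list, the user-writable markers, the LuaJIT heuristic and the two sample task definitions are assumptions constructed for this example, not indicators taken from the reporting.

```python
"""Heuristic triage of Windows Task Scheduler XML for driver-themed masquerading.

Task definitions live as XML files under C:\\Windows\\System32\\Tasks (UTF-16 with
BOM: read them in binary mode and pass the bytes to triage_task; ElementTree
detects the encoding from the BOM) or can be exported per task with
`schtasks /Query /TN <name> /XML`.
"""
import os
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Assumption for this example: where a genuine Realtek component is expected to live.
TRUSTED_REALTEK_ROOTS = (
    "c:\\program files\\realtek\\",
    "c:\\program files (x86)\\realtek\\",
)
# Assumption for this example: user-writable locations no driver helper should run from.
USER_WRITABLE_MARKERS = (
    "\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\", "\\downloads\\",
)


@dataclass
class Finding:
    uri: str
    command: str
    reasons: list = field(default_factory=list)


def _text(node, path):
    el = node.find(path, NS)
    return (el.text or "").strip() if el is not None else ""


def parse_task(xml_data):
    """Return (uri, author, description, [(command, arguments), ...]) from task XML."""
    root = ET.fromstring(xml_data)
    uri = _text(root, "t:RegistrationInfo/t:URI")
    author = _text(root, "t:RegistrationInfo/t:Author")
    desc = _text(root, "t:RegistrationInfo/t:Description")
    execs = [(_text(ex, "t:Command"), _text(ex, "t:Arguments"))
             for ex in root.findall("t:Actions/t:Exec", NS)]
    return uri, author, desc, execs


def triage_task(xml_data):
    """Return a list of Finding objects; an empty list means nothing looked off."""
    uri, author, desc, execs = parse_task(xml_data)
    branded = "realtek" in f"{uri} {author} {desc}".lower()
    findings = []
    for command, arguments in execs:
        # Normalise: expand %ProgramFiles%-style variables (a no-op off Windows),
        # drop surrounding quotes and compare case-insensitively.
        cmd = os.path.expandvars(command).strip('"').lower()
        reasons = []
        if branded and not cmd.startswith(TRUSTED_REALTEK_ROOTS):
            reasons.append("Realtek branding but command outside trusted Realtek roots")
        if any(marker in cmd for marker in USER_WRITABLE_MARKERS):
            reasons.append("command runs from a user-writable directory")
        if "luajit" in cmd or ".lua" in arguments.lower():
            reasons.append("Lua/LuaJIT execution from a scheduled task")
        if reasons:
            findings.append(Finding(uri, command, reasons))
    return findings


# Constructed sample task definitions for this example (not real indicators).
BENIGN_TASK = """<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Author>Realtek Semiconductor Corp.</Author>
    <URI>\\Realtek\\RtkAudUService</URI>
  </RegistrationInfo>
  <Actions Context="Author">
    <Exec><Command>"C:\\Program Files\\Realtek\\Audio\\HDA\\RtkAudUService64.exe"</Command></Exec>
  </Actions>
</Task>"""

SUSPICIOUS_TASK = """<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Author>Realtek Semiconductor Corp.</Author>
    <Description>Realtek HD Audio Driver Update</Description>
    <URI>\\Microsoft\\Windows\\Realtek\\RealtekUpdate</URI>
  </RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Users\\dev\\AppData\\Roaming\\RealtekHD\\rtkaudio.exe</Command>
      <Arguments>-e init.lua</Arguments>
    </Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    for label, xml_text in (("benign", BENIGN_TASK), ("suspicious", SUSPICIOUS_TASK)):
        findings = triage_task(xml_text)
        print(f"{label}: {len(findings)} finding(s)")
        for f in findings:
            print(f"  {f.uri} -> {f.command}")
            for reason in f.reasons:
                print(f"    - {reason}")
```

On a live host, iterate the Tasks directory and feed each file's bytes to `triage_task`. Treat a finding as a lead to confirm against the binary's Authenticode signature and hash, not as a verdict; the heuristics above are deliberately loose so that a renamed loader in a user profile is not missed.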


OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Who they target

Sectors the actor has been observed targeting.

  • Software & Services

Where they're from

Attributed origin per open-source reporting.

  • CN
MITRE ATT&CK

Tradecraft

7 distinct techniques observed across reporting, grouped by tactic (6 of 15 tactics; 10 entries in total, because T1053 is mapped under three tactics and T1555 carries two sub-techniques). ×N marks the number of intelligence reports citing that technique.
TA0001 Initial Access (1 technique)
  • T1195 Supply Chain Compromise
      • T1195.002 Compromise Software Supply Chain (×2)
TA0002 Execution (1 technique)
  • T1053 Scheduled Task/Job
TA0003 Persistence (1 technique)
  • T1053 Scheduled Task/Job
TA0004 Privilege Escalation (1 technique)
  • T1053 Scheduled Task/Job
TA0005 Defense Evasion (2 techniques)
  • T1027 Obfuscated Files or Information
  • T1036 Masquerading
TA0006 Credential Access (1 technique)
  • T1555 Credentials from Password Stores
      • T1555.003 Credentials from Web Browsers
      • T1555.004 Windows Credential Manager