SmartLoader

A large-scale malware distribution campaign has been uncovered involving 109 fake GitHub repositories that were used to trick users into downloading two dangerous malware tools named SmartLoader and StealC. The threat actor behind this campaign copied real GitHub projects, republished them under different accounts, and replaced the original documentation with download buttons pointing to malicious ZIP files.

Unsuspecting users are directed to these repositories through techniques like SEO poisoning.

Other researchers have observed attackers using fake GitHub repositories—dressed up with AI-generated descriptions—to spread a type of malware called SmartLoader... The EQVita download uses the same method, repackaged to appeal to retro gaming fans.

Persistence is then established through two daily scheduled tasks, with names such as “AudioManager_ODM3” and “OfficeClickToRunTask_7d7757” to blend in with legitimate system activity.

luajit.exe is a real, harmless program that runs scripts... Despite the .txt name, that file isn’t text at all—it’s a hidden script, and LuaJIT runs it.

"...execution of an obfuscated Lua script..."

"Once launched via a ZIP archive, it results in the execution of an obfuscated Lua script..."

Attackers can disguise ordinary computer malware as homebrew software... The batch file simply tells it to open x64.txt. Despite the .txt name, that file isn’t text at all—it’s a hidden script, and LuaJIT runs it.

Persistence is then established through two daily scheduled tasks, with names such as “AudioManager_ODM3” and “OfficeClickToRunTask_7d7757” to blend in with legitimate system activity.

Persistence is then established through two daily scheduled tasks, with names such as “AudioManager_ODM3” and “OfficeClickToRunTask_7d7757” to blend in with legitimate system activity.

Then it quietly contacted a server on the internet and sent it data, using a web address scrambled into a meaningless-looking string.

The project, called EQVita, looks like a normal homebrew plugin... the harmless-looking text file among them is actually a hidden script... Calling it .txt is what makes it look harmless and easy to scroll past.

First, the script checked where in the world the computer was.

From the victim’s perspective, nothing visible happens on screen because the malware uses Windows API calls to hide its console window immediately after execution.

The same staging repository also hosted an encrypted StealC payload that SmartLoader was capable of decrypting and loading directly in memory without writing it to disk.

After resolving the active server, SmartLoader sends a multipart POST request containing host fingerprinting details and screenshots to a bare-IP command-and-control server.

First, the script checked where in the world the computer was.

After resolving the active server, SmartLoader sends a multipart POST request containing host fingerprinting details and screenshots to a bare-IP command-and-control server.

Then it quietly contacted a server on the internet and sent it data, using a web address scrambled into a meaningless-looking string. The server answered back.

To locate its active command-and-control server without hardcoding an address, SmartLoader queries a Polygon blockchain smart contract using a JSON-RPC call to polygon.drpc.org, retrieving the live server IP from an on-chain value. This method, known as a blockchain dead drop resolver, allows the operator to swap infrastructure by updating a single on-chain entry rather than rebuilding the malware or changing every staged sample.

This is how a malware “loader” behaves: it phones home to the attacker’s server to receive instructions and fetch its next piece of malware. In this campaign, that next piece is usually a stealer

Collected data from infected machines was quietly sent to command-and-control servers, and the malware also carried a follow-on information stealer named StealC, designed to harvest sensitive data from compromised systems.