GitHub Abused to Spread Malware Disguised as Free VPN

INTRODUCTION

GitHub remains a popular platform for malware distribution, particularly for luring users into downloading and executing seemingly harmless tools. In this case, a GitHub user github[.]com/SAMAIOEC hosted multiple malware samples under names like “free-vpn-for-pc” and “minecraft-skin”, accompanied by detailed instructions and password-protected ZIP files to evade browser-based security scanning.

The core payload in this campaign is a Base64-encoded, obfuscated DLL that is dynamically dropped and loaded at runtime. It uses common evasion techniques and ultimately injects the Lumma Stealer into memory, leveraging legitimate Windows processes such as MSBuild.exe and aspnet_regiis.exe to bypass security controls.
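Two of the behaviours named above are observable from host telemetry: a Base64 blob written to disk that decodes to a PE file, and MSBuild.exe or aspnet_regiis.exe being started by a parent that is not a build or shell tool. The following triage script is an added example, not code from the article or its author; it runs over a small set of constructed events whose field layout (`type`, `path`, `content`, `image`, `parent`) is an assumption, and the parent allow-list is a starting point to tune per environment.

```python
import base64
import binascii
import re

# Constructed sample events, modelled on the behaviour the post describes (not real telemetry).
SAMPLE_EVENTS = [
    {"type": "file_write",
     "path": r"C:\Users\u\AppData\Local\Temp\x.txt",
     # a Base64-encoded blob that decodes to an MZ/PE header (constructed, not a real DLL)
     "content": base64.b64encode(b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00" + b"A" * 32).decode()},
    {"type": "file_write",
     "path": r"C:\Users\u\Documents\notes.txt",
     "content": base64.b64encode(b"just some notes").decode()},
    {"type": "process_create",
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "parent": r"C:\Users\u\Downloads\free-vpn-for-pc.exe"},
    {"type": "process_create",
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "parent": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe"},
    {"type": "process_create",
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe",
     "parent": r"C:\Users\u\AppData\Local\Temp\minecraft-skin.exe"},
]

# .NET binaries the post reports being abused to load the payload.
LOLBINS = {"msbuild.exe", "aspnet_regiis.exe"}
# Parents from which these binaries are normally launched (assumption; extend for your environment).
EXPECTED_PARENTS = {"devenv.exe", "cmd.exe", "powershell.exe", "dotnet.exe", "msbuild.exe"}

# Long runs of Base64 alphabet; short strings are ignored to cut noise.
B64_RE = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decodes_to_pe(blob: str) -> bool:
    """True if the Base64 string decodes cleanly to data starting with an MZ header."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return False
    return raw[:2] == b"MZ"


def find_embedded_pe(text: str) -> list:
    """Return every Base64 run in the text that decodes to a PE image."""
    return [m.group(0) for m in B64_RE.finditer(text) if decodes_to_pe(m.group(0))]


def suspicious_process(event: dict):
    """Flag MSBuild/aspnet_regiis launched by a parent outside the allow-list."""
    image = basename(event["image"])
    if image not in LOLBINS:
        return None
    parent = basename(event["parent"])
    if parent in EXPECTED_PARENTS:
        return None
    return f"{image} spawned by unexpected parent {parent}"


def triage(events: list) -> list:
    """Run both checks over a list of events and return (rule, detail) findings."""
    findings = []
    for event in events:
        if event["type"] == "file_write":
            if find_embedded_pe(event["content"]):
                findings.append(("base64_pe_dropped", event["path"]))
        elif event["type"] == "process_create":
            reason = suspicious_process(event)
            if reason:
                findings.append(("lolbin_unexpected_parent", reason))
    return findings


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

On the constructed events this yields three findings: the Base64 blob in the Temp directory, and the two launches of MSBuild.exe and aspnet_regiis.exe from executables in a user-writable location; the MSBuild.exe launch from devenv.exe is left alone. Real deployments would feed Sysmon or EDR process-creation and file-write events into the same two functions.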

This report presents a comprehensive technical analysis of the malware, maps its behaviour to MITRE ATT&CK techniques, and outlines recommendations to detect and prevent such threats.

This post is licensed under CC BY 4.0 by the author.