APT Hackers are Exploiting GitHub to Deliver Malware Payloads Through Living-Off-Trusted Websites

Hackers utilize GitHub to access and alter source code repositories. Open-source projects are hosted on GitHub, where hackers can insert dangerous code, steal confidential data, and take advantage of holes in software development processes through unauthorized access.

Researchers studying cybersecurity at Recorded Future have found that APT hackers use the GitHub platform to distribute malware payloads regularly. With features for hosting, version control, issue tracking, and code review, GitHub supports collaborative development and is used by over 94 million developers to store, manage, and track code changes.

Living-off-Trusted-Sites (LOTS)

Threat actors have been observed to be actively using this platform for several illegal objectives in recent times. They do this by utilizing its publicly available API to avoid detection and obtain additional benefits related to network traffic.

Threat actors take advantage of LISs such as GitHub in four primary ways: "Payload delivery," "DDR," "Full C2," and "Exfiltration." Rather than taking advantage of GitHub's weaknesses, all of these techniques combine features. 

The following cybercriminals and state-sponsored organizations have been dominating and observing payload delivery for years:

  2. TeamTNT
  3. Gaza Cybergang
  4. APT37

According to Netskope, in 2022, GitHub will account for 7.6% of malware downloads from cloud-based sources. The abuse scenarios include tactics that focus on infection and staging. Threat actors utilize the GitHub platform by devising phony repositories and methods, or by employing repository poisoning.

As with other data access platforms, GitHub is reportedly also used for DDR. Because it is difficult for the platform to determine the criminal purpose without context, users exchange URLs, domains, or IP addresses, even when they are encrypted files that present little immediate risk.

Although full C2 with GitHub requires an “abstraction layer,” it's less popular because of exposure concerns and functional limitations. As a proxy for exfiltration, GitHub can be used, albeit this is less common than other approaches.

Threat actors also exploit the Pages on GitHub for phishing and traffic redirection, allowing phishing pages to remain operational for longer. GitHub is one of the most widely used platforms, with 77% of developers utilizing it, outpacing BitBucket (25%), GitLab (40%) and other platforms.


All of the suggestions made by the cybersecurity researchers are listed below:

  1. Boost Visibility
  2. Keep an accurate & thorough asset inventory.
  3. Customize the use of the mentioned detecting techniques
  4. Create flexible security guidelines.
  5. Safeguard your accounts on GitHub.
  6. Include LIS misuse scenarios in your regular attack simulations.
  7. People should use GitHub to combat known harmful activity.
  8. Investigate threats proactively

GitHub's salient qualities include its cost-effectiveness, cost integration, and versatile offerings. Though there is a dearth of industry reporting for trend research, GitHub misuse is a widespread occurrence in source projects. Threat actors continue to find the particular qualities appealing despite obstacles.