SmartLoader & StealC Campaign: Blockchain C2 and Fraudulent GitHub Repositories
A sophisticated, highly automated malware campaign is currently weaponizing the inherent trust of the open-source community by deploying fraudulent GitHub repositories. This operation serves as a distribution funnel for SmartLoader—a highly obfuscated LuaJIT-based loader—and its primary payload, the StealC infostealer. Recent intelligence indicates a significant scale to this operation, with at least 109 malicious repositories identified across 103 distinct GitHub accounts, suggesting a structured, industrialized approach to malware delivery rather than isolated incidents.
The campaign’s technical sophistication lies in its multi-stage evasion strategy. By blending cloned legitimate source code, heavily obfuscated Lua scripts, and a blockchain-backed Command and Control (C2) resolution mechanism, the threat actors maintain extreme agility while minimizing the footprint of their traditional C2 infrastructure.
The operation was first identified through a trojanized clone of a legitimate security project. The attackers did not simply host malware; they meticulously rewired the delivery path of the original source tree to redirect users toward their own malicious assets.
The Social Engineering Funnel: GitHub as a Lure
The attackers exploit the “trend-chasing” behavior of developers and researchers. By cloning repositories with rising popularity and preserving the original file structures and names, the malicious clones appear authentic to the casual observer. The core of this deception is a highly modified README.md file. Instead of technical documentation, the README is stripped of its original utility and replaced with high-visibility, shields.io-style download badges and markdown buttons designed to drive traffic toward a single destination: an embedded ZIP archive.

To avoid detection by automated scanners looking for suspicious attachments, the malicious ZIP archives are buried deep within the repository tree, often using naming conventions that mimic standard build artifacts (e.g., project-name-v1.2.zip). These archives typically contain a lightweight execution chain:
- A single-line Batch launcher to initiate the process.
- A renamed LuaJIT 2.1.0-beta3 GUI executable.
- An optional
lua51.dll. - The actual payload: a heavily obfuscated Lua script disguised with a benign extension like
.txtor.log.
The execution model is designed for stealth; the Batch file utilizes the Windows start command to launch the LuaJIT binary in a GUI subsystem, ensuring no command prompt window flashes on the victim’s screen.

Inside SmartLoader: Obfuscation and In-Memory Execution
The Lua payload is a masterclass in anti-analysis. Measuring approximately 300 KB, the script employs Prometheus-style obfuscation, utilizing arithmetic-masked constants, randomized identifiers, and a custom virtual machine (VM)-style dispatcher. This architecture is specifically designed to break traditional static analysis and frustrate human researchers.
At runtime, SmartLoader leverages LuaJIT’s Foreign Function Interface (FFI) to interact directly with the Windows API. This allows the script to perform low-level operations such as:
- Implementing anti-debugging and anti-VM checks.
- Host fingerprinting and GDI-based screen capturing.
- Advanced PE (Portable Executable) parsing, which enables the loader to inject and execute subsequent payloads directly in memory, leaving a minimal forensic footprint on the physical disk.
Blockchain-Backed C2: The Polygon Dead Drop
Perhaps the most innovative aspect of this campaign is its Command and Control (C2) architecture. Rather than relying on static IP addresses or domains that can be easily blacklisted, SmartLoader utilizes the Polygon blockchain as a dead-drop resolver.
The malware performs a JSON-RPC eth_call to polygon.drpc.org, targeting a specific smart contract address. The contract returns an encoded string containing the current C2 URL. This allows the operators to rotate their entire C2 infrastructure by simply updating data on the blockchain, without ever needing to re-deploy or re-obfuscate their malware samples.

Once the C2 is resolved, communication proceeds via multipart/form-data POST requests. The malware exfiltrates system metadata and captured screenshots to the attacker’s server, receiving encrypted tasking instructions in return. Parallel to this, the loader fetches encrypted blobs from secondary GitHub repositories, which decrypt into the final StealC payload.

Defensive Posture and Detection Strategies
Persistence is achieved through scheduled tasks masquerading as legitimate system components (e.g., “Audio Manager” or “Office Update”) located in %LOCALAPPDATA%. To defend against this highly agile threat, security teams should pivot toward behavior-based detection.
High-Signal Indicators of Compromise (IoCs):
- Process Anomalies: Unsigned LuaJIT binaries being spawned by Batch files, especially those passing
.txtor.logfiles as arguments. - Suspicious Library Loads: The presence of
lua51.dllor Lua runtimes in user-writable directories like%TEMP%or%LOCALAPPDATA%. - Network Indicators: Unexpected JSON-RPC traffic to Polygon blockchain endpoints (e.g.,
polygon.drpc.org) from non-development workstations. - Persistence Monitoring: Unusual scheduled tasks that execute scripts or binaries from non-standard application paths.
Preventative Controls: Implement strict application control policies to block unsigned interpreters from running in user-writable directories and consider egress filtering to limit access to public blockchain RPC endpoints from sensitive production environments.