Over 300 Backdoored Applications Promoted on GitHub
Researchers from DFIR.it discovered 89 GitHub accounts promoting 73 repositories that hosted backdoored clones of legitimate applications and libraries for Windows, macOS, and Linux. The impersonated projects included MinGW, GCC, FFmpeg, EasyModbus, and several Java games.
The investigation began almost by accident, when a malicious version of the JXplorer LDAP browser was found. It soon became clear that there were over 300 similar applications and libraries, all containing malicious code. This code allowed attackers to maintain persistent access to victims’ systems and later download additional malware.
According to the analysts, the infected applications installed the Supreme NYC Blaze Bot (supremebot.exe) on victims' machines, enrolling them in a botnet. The attackers also pushed their repositories up in GitHub search results by starring and watching them from the other accounts in the network, which inflated exactly the popularity signals users tend to rely on when judging whether a repository is trustworthy.
One account alone, registered under the name Andrew Dunkins, hosted 305 backdoored ELF binaries. The researchers published the full list of all 89 malicious accounts. Every account and malicious copy identified in the investigation has since been removed from GitHub.