What happened
A malicious fork of the legitimate macOS application Triton was discovered on GitHub, where attackers used a fraudulent repository to distribute Windows malware disguised as software downloads. The repository, created under the account “JaoAureliano,” redirected users to a ZIP archive named Software_3.1.zip containing executable malware instead of the original application. Security researcher Brennan identified the malicious repository, which used deceptive README download links and manipulated commit histories to appear legitimate. The malware employed multi-stage execution using LuaJIT scripting, established command-and-control connections disguised as Microsoft Office traffic, performed system reconnaissance, and accessed registry keys to gather configuration data and maintain persistence.
Who is affected
Users and organizations downloading software from the malicious GitHub fork of Triton, particularly those executing the malicious ZIP archive on Windows systems, are affected, as the malware enables system compromise and persistent attacker access.
Why CISOs should care
The campaign demonstrates how attackers exploit trusted open-source platforms like GitHub by creating malicious forks of legitimate software to distribute malware and compromise enterprise systems.
3 practical actions
- Verify repository authenticity before downloading software. Confirm GitHub repositories belong to legitimate developers before executing files.
- Monitor systems for known malware indicators. Track file hashes and network activity linked to the malicious Triton fork.
- Deploy endpoint detection tools. Use security monitoring to detect persistence mechanisms, suspicious registry access, and command-and-control traffic.
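One way to automate the first action, checking whether a repository is a fork of another account's project and whether its README hands out binary downloads from outside the repository, written as an added example and not taken from the original article. It assumes repository metadata in the shape of the GitHub REST API `/repos/{owner}/{repo}` response, a placeholder upstream owner, a placeholder download host (`example.invalid`), and constructed README text.

```python
import re
from urllib.parse import urlparse

# Extensions a README "download" link should not hand out from an arbitrary host.
BINARY_EXT = (".zip", ".exe", ".msi", ".dmg", ".pkg")
URL_RE = re.compile(r"https?://[^\s)\]>\"']+")

def extract_links(readme):
    """Return every http(s) URL in README text (markdown or bare)."""
    return URL_RE.findall(readme)

def is_repo_hosted(url, full_name):
    """True if url points into the repository's own GitHub release or raw-file space."""
    p = urlparse(url)
    path, repo = p.path.lower(), full_name.lower()
    if p.netloc == "github.com":
        return path.startswith(f"/{repo}/releases/")
    if p.netloc == "raw.githubusercontent.com":
        return path.startswith(f"/{repo}/")
    return False

def assess_repo(meta, readme):
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    full_name = meta["full_name"]
    parent = meta.get("parent", {}).get("full_name") if meta.get("fork") else None
    if parent and parent.split("/")[0].lower() != full_name.split("/")[0].lower():
        findings.append(f"repository is a fork of {parent}; obtain software from the upstream project")
    for url in extract_links(readme):
        if urlparse(url).path.lower().endswith(BINARY_EXT) and not is_repo_hosted(url, full_name):
            findings.append(f"README offers a binary download hosted outside the repository: {url}")
    return findings

# Constructed sample in the shape of the GitHub REST API /repos/{owner}/{repo} response
# (only the fields used here); the upstream owner is a placeholder, not the real account.
SAMPLE_META = {"full_name": "JaoAureliano/Triton", "fork": True,
               "parent": {"full_name": "upstream-owner/Triton"}}
# Constructed README mimicking the deceptive pattern: a release-hosted link next to a
# "download" link that leaves the repository for a ZIP on a placeholder host.
SAMPLE_README = """# Triton
Release: https://github.com/JaoAureliano/Triton/releases/download/v3.1/Triton.zip
[Download](https://example.invalid/Software_3.1.zip)
"""

if __name__ == "__main__":
    for finding in assess_repo(SAMPLE_META, SAMPLE_README):
        print("WARNING:", finding)
```

The check is a triage aid, not proof of legitimacy: a fork can be benign and an upstream project can be compromised, so findings should feed a manual review of the publisher before anything is executed.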
