This campaign involves a sophisticated LuaJIT-based infostealer malware distributed through numerous GitHub packages using AI-generated lure names to attract specific user groups such as developers and gamers. The malware consists of two parts: a renamed LuaJIT runtime and an encrypted Lua payload, designed to evade detection by sandbox environments through anti-analysis techniques and extended sleep delays. Upon execution, it disables proxy detection mechanisms, captures desktop screenshots, collects geolocation data, and exfiltrates stolen information to C2 servers located in Frankfurt. The campaign infrastructure is scalable, utilizing multiple IP addresses to deliver identical encrypted commands and maintaining multiple concurrent campaigns targeting gaming cheats, developer tools, phone trackers, and VPN crackers.

The malware enables credential theft and information exfiltration from targeted users, potentially compromising sensitive data of developers, gamers, and crypto users. It can evade sandbox detection and proxy defenses, increasing the likelihood of successful infection and data theft. The use of AI-generated lure names and a large number of delivery packages increases the attack surface and potential victim pool. However, there are no known exploits in the wild reported at this time.

No official patch or remediation is available as this is a malware campaign rather than a software vulnerability. Defenders should be aware of the threat and monitor for suspicious LuaJIT-based packages on GitHub, especially those with unusual or AI-generated names. Users should avoid downloading or executing untrusted packages from GitHub and employ endpoint protection solutions capable of detecting LuaJIT-based infostealers. Network monitoring for unusual outbound connections to Frankfurt-based IPs may help identify infections. Since this is not a cloud service, remediation relies on user and organizational vigilance and endpoint security controls.