A threat actor known as Water Curse has exploited the inherent trust placed in open-source software by many developers. They have weaponized at least seventy-six different GitHub accounts to distribute various malicious repositories containing multi-stage malware campaigns. This particular campaign represents a very significant supply chain risk, primarily targeting cybersecurity professionals, various game developers, and also DevOps teams. These professionals regularly rely on GitHub-hosted tools and also various different utilities in their daily work environments, making them ideal targets. The malicious operation involves embedding hidden payloads within legitimate-appearing penetration testing tools, including an SMTP email bomber and Sakura-RAT. These are presented as authentic security utilities.
Trend Micro security analysts first identified the Water Curse threat actor in May 2025, though evidence suggests their activities date back. The group’s malicious activities may have started as early as March 2023, showing a long period of clandestine operation. The researchers have noted that the threat actor employs a financially motivated approach, with several observed behaviors indicating specific goals. These goals include widespread credential theft, session hijacking, and also the resale of illicit access credentials across multiple victim categories. The campaign’s global scope is characterized by English-language artifacts and widespread GitHub-based delivery mechanisms, targeting a generalized victim base spanning many geographies. Water Curse demonstrates high technical adaptability.
The Water Curse infection process begins when victims download ZIP archives through GitHub’s standard codeload.github.com domain for their projects.
Malicious payloads have been found embedded within various Visual Studio project configuration files, which is a very clever hiding spot. The embedded malicious code resides within a specific XML tag that triggers automatically during the normal process of code compilation. This action drops a VBScript component that is then used for subsequent execution stages in the attack chain on the victim’s machine. The initial VBScript component, which is executed via cscript.exe, then deploys a PowerShell-based second-stage script that performs decryption and loads payloads.
This obfuscated PowerShell script then queries multiple different domains including rlim.com, github.com, and also the site popcorn-soft.glitch.me.
It then downloads the 7-Zip utility to extract password-protected archives containing the final payload components for the malicious operation. Upon execution, the malware performs comprehensive system enumeration through commands to determine the system architecture and identify the installed graphics hardware. The malware’s persistence mechanism involves creating scheduled tasks that are masquerading as legitimate system processes, including one named “BitLocker Encrypt All Drives.” This ensures the attacker maintains sustained system control across any reboots and all subsequent user sessions, making removal extremely difficult for victims.
