A malicious fork of the legitimate macOS application Triton has surfaced on GitHub, exploiting open-source repositories to distribute malware.
The fraudulent repository, created under the account “JaoAureliano,” appeared as a copy of the original Triton app developed by Otávio C. Instead of providing genuine software, the fork redirected users to download a ZIP file containing Windows-based malware.
The attack vector was blatant, with malicious download links embedded repeatedly throughout the repository’s README file.
The threat actor placed the malware package (Software_3.1.zip) inside an Xcode colorset directory.
Users who downloaded this 1.33 MB archive would receive executables designed to compromise Windows systems, despite Triton being a macOS-exclusive application.
Security researcher Brennan identified the malicious repository after discussions emerged in an IRC server about suspicious forking activity.
Analysis through VirusTotal showed a detection rate of 12 out of 66 vendors for the malware sample, with the file hash 39b29c38c03868854fb972e7b18f22c2c76520cfb6edf46ba5a5618f74943eac.
The GitHub account displayed several red flags. It held only two repositories, yet its contribution graph had been artificially padded using automated scripts to backdate dummy commits.
Repository topics included unusual tags like “malware,” “deobfuscation,” and “symbolic-execution,” possibly attempting to masquerade as educational security content.
Despite multiple reports to GitHub, the platform had not removed the malicious account at discovery time. This incident represents a broader pattern of GitHub being exploited for malware distribution, with similar campaigns ongoing.
Infection Mechanism and Evasion Tactics
The malware employs a multi-stage execution chain beginning with archive extraction using 7za.exe with the password “infected.”
The payload leverages LuaJIT for scripting and implements evasion techniques including debug environment detection, extended sleep timers to bypass sandboxes, and virtualization detection.
Network communications establish command-and-control channels disguised as Microsoft Office traffic through domains like nexusrules.officeapps.live.com and svc.ha-teams.office.com, while conducting IP discovery via ip-api.com and blockchain communications to polygon-rpc.com.
The malware performs system reconnaissance by checking for development environments including Java, Python, and .NET installations, plus security software logs.
Registry keys are accessed to gather configuration data and establish persistence. File operations target system directories for privilege escalation.
Organizations should verify repository authenticity before downloading files from GitHub forks. Security teams are advised to monitor for the file hash and the network indicators listed above, and to deploy endpoint detection solutions.
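As an added example that is not part of the article or the researcher's work, the following Python sketch turns the indicators above into two defensive checks: a hash comparison for a downloaded file, and a scan of connection-log lines that flags a process only when it contacts one of the Office-looking hosts together with ip-api.com or polygon-rpc.com, since the Office hosts also carry legitimate traffic. The log format, sample lines and process names are constructed assumptions.

```python
import hashlib
import re
from collections import defaultdict

# SHA-256 of Software_3.1.zip as reported in the article.
KNOWN_BAD_SHA256 = "39b29c38c03868854fb972e7b18f22c2c76520cfb6edf46ba5a5618f74943eac"

# Domains named in the article. The officeapps/office.com hosts also serve
# legitimate Office clients, so one hit is not a verdict: the rule below
# flags a process only when it contacts an Office-looking host AND one of
# the non-Office hosts (ip-api.com / polygon-rpc.com) in the same log window.
OFFICE_LOOKALIKE = {"nexusrules.officeapps.live.com", "svc.ha-teams.office.com"}
NON_OFFICE = {"ip-api.com", "polygon-rpc.com"}

# Constructed log format (hypothetical): <timestamp> <host> <pid> <process> <dest_host>
LOG_RE = re.compile(r"^(\S+) (\S+) (\d+) (\S+) (\S+)$")

def is_known_sample(data: bytes) -> bool:
    """True when the file bytes hash to the SHA-256 reported for the sample."""
    return hashlib.sha256(data).hexdigest() == KNOWN_BAD_SHA256

def flag_suspicious_processes(log_lines):
    """Return {(host, pid, process): sorted destinations} for processes that reach
    both an Office-lookalike domain and a non-Office indicator domain."""
    seen = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # tolerate malformed lines instead of aborting the scan
        _ts, host, pid, proc, dest = m.groups()
        seen[(host, int(pid), proc)].add(dest)
    return {key: sorted(d) for key, d in seen.items()
            if d & OFFICE_LOOKALIKE and d & NON_OFFICE}

# Constructed sample lines; process names are made up for the example.
SAMPLE_LOG = [
    "2024-01-01T10:00:01Z ws01 4120 WINWORD.EXE nexusrules.officeapps.live.com",  # legitimate, not flagged
    "2024-01-01T10:00:05Z ws01 7788 sample.exe nexusrules.officeapps.live.com",
    "2024-01-01T10:00:06Z ws01 7788 sample.exe ip-api.com",
    "2024-01-01T10:00:09Z ws01 7788 sample.exe polygon-rpc.com",
    "2024-01-01T10:00:12Z ws02 3301 python.exe svc.ha-teams.office.com",  # single Office hit only
]

if __name__ == "__main__":
    for (host, pid, proc), dests in flag_suspicious_processes(SAMPLE_LOG).items():
        print(f"{host} pid={pid} {proc}: {', '.join(dests)}")
```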
The post Malware in the Wild as Malicious Fork of Legitimate Triton App Surfaces on GitHub appeared first on Cyber Security News.