Who Could Be Behind the Latest GitHub-Hosted Malware Infrastructure? | WhoisXML API

Who Could Be Behind the Latest GitHub-Hosted Malware Infrastructure?

While GitHub has built-in security measures [1] to prevent users from using its infrastructure to host malware code, wily cyber attackers may be looking for ways to bypass them. We’ve seen that happen with a cryptocurrency miner [2] and several malicious projects. [3]

WhoisXML API investigated one such threat using six domains and subdomains as jump-off points and found other possibly connected artifacts, including:

  • More than 90 active IP resolutions of the domains and subdomains identified as indicators of compromise (IoCs), four of which were dubbed “malicious” by various malware engines
  • More than 300 possibly connected domains, as they shared the IoCs’ IP addresses, 14 of which were believed to be malware hosts
  • Close to 20 additional domains that used the same strings as the IoCs with different top-level domain (TLD) extensions, one of which was deemed “malicious”
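The three pivots in that list (IoC IP resolutions, domains co-hosted on those IPs, and same-string domains under other TLDs) as an added Python example; this is not WhoisXML API's code, and the passive-DNS records, IP addresses, IoC names and "malicious" verdicts are constructed placeholders, with registrable domains assumed to be two labels long:

```python
# Constructed passive-DNS snapshot: domain -> IPs it has resolved to (placeholder values).
PASSIVE_DNS = {
    "ioc-one.example": ["203.0.113.10", "203.0.113.11"],
    "cdn.ioc-one.example": ["203.0.113.10"],
    "ioc-two.test": ["198.51.100.5"],
    "shared-host.example": ["203.0.113.11"],
    "unrelated.example": ["192.0.2.77"],
    "ioc-one.test": ["192.0.2.9"],
    "ioc-two.example": ["198.51.100.5"],
}
# Constructed verdicts standing in for the "malware engine" flags mentioned in the report.
MALICIOUS_IPS = {"203.0.113.11"}
MALICIOUS_DOMAINS = {"shared-host.example", "ioc-one.test"}
# Constructed jump-off points (the report's domains and subdomains are not public here).
IOCS = ["ioc-one.example", "cdn.ioc-one.example", "ioc-two.test"]

def registrable(domain):
    """Return (second-level label, TLD); assumes two-label registrable domains."""
    labels = domain.lower().rstrip(".").split(".")
    return labels[-2], labels[-1]

def ip_resolutions(iocs, pdns):
    """Pivot 1: every IP the IoCs resolve to."""
    return {ip for d in iocs for ip in pdns.get(d, [])}

def cohosted_domains(iocs, pdns):
    """Pivot 2: non-IoC domains sharing at least one IP with an IoC."""
    ioc_ips = ip_resolutions(iocs, pdns)
    return {d for d, ips in pdns.items() if d not in iocs and ioc_ips.intersection(ips)}

def tld_variants(iocs, pdns):
    """Pivot 3: non-IoC domains reusing an IoC's second-level string under another TLD."""
    ioc_keys = {registrable(d) for d in iocs}
    ioc_labels = {label for label, _ in ioc_keys}
    variants = set()
    for d in pdns:
        label, tld = registrable(d)
        if d not in iocs and label in ioc_labels and (label, tld) not in ioc_keys:
            variants.add(d)
    return variants

def expand_iocs(iocs, pdns, bad_ips, bad_domains):
    """Summarise each pivot and the subset already flagged, mirroring the report's bullets."""
    ips, hosts, variants = ip_resolutions(iocs, pdns), cohosted_domains(iocs, pdns), tld_variants(iocs, pdns)
    return {
        "ips": sorted(ips), "ips_flagged": sorted(ips & bad_ips),
        "cohosted": sorted(hosts), "cohosted_flagged": sorted(hosts & bad_domains),
        "tld_variants": sorted(variants), "tld_variants_flagged": sorted(variants & bad_domains),
    }

if __name__ == "__main__":
    for pivot, result in expand_iocs(IOCS, PASSIVE_DNS, MALICIOUS_IPS, MALICIOUS_DOMAINS).items():
        print(pivot, result)
```

A domain can surface in more than one pivot (here `ioc-two.example` is both co-hosted and a TLD variant), which is a useful signal when deciding what to add to a blocklist or watchlist.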

Download a sample of the threat research materials now or contact us to access the complete set of research materials.

  • [1] https://www.zdnet.com/article/github-heres-how-were-changing-our-rules-around-malware-and-software-vulnerability-research/
  • [2] https://blog.avast.com/greedy-cybercriminals-host-malware-on-github
  • [3] https://nakedsecurity.sophos.com/2022/08/04/github-blighted-by-researcher-who-created-thousands-of-malicious-projects/