    Hackers are hiding powerful info-stealing malware in fake free VPNs downloaded from GitHub, don’t get tricked

    By techupdateadmin, July 13, 2025
    • GitHub repositories host malware disguised as tools that gamers and privacy-seekers are likely to download
    • The fake VPN campaign drops malware straight into AppData and hides it from plain view
    • Process injection through MSBuild.exe allows this malware to operate without triggering obvious alarms

    Security experts have warned of an emerging cyber threat involving fake VPN software hosted on GitHub.

    A report from Cyfirma outlines how malware disguises itself as a “Free VPN for PC” and lures users into downloading what is, in fact, a sophisticated dropper for the Lumma Stealer.

    The same malware also appeared under the name “Minecraft Skin Changer,” targeting gamers and casual users in search of free tools.


    Sophisticated malware chain hides behind familiar software bait

    Once executed, the dropper uses a multi-stage attack chain involving obfuscation, dynamic DLL loading, memory injection, and abuse of legitimate Windows tools like MSBuild.exe and aspnet_regiis.exe to maintain stealth and persistence.

    The campaign’s success hinges on its use of GitHub for distribution. The repository github[.]com/SAMAIOEC hosted password-protected ZIP files and detailed usage instructions, giving the malware an appearance of legitimacy.

    Inside, the payload is obfuscated with French text and encoded in Base64.

    “What begins with a deceptive free VPN download ends with a memory-injected Lumma Stealer operating through trusted system processes,” Cyfirma reports.

    Upon execution, Launch.exe performs a sophisticated extraction process, decoding and altering a Base64-encoded string to drop a DLL file, msvcp110.dll, in the user’s AppData folder.

    This particular DLL remains concealed. It is loaded dynamically during runtime and calls a function, GetGameData(), to invoke the last stage of the payload.

    Reverse engineering the software is challenging because of anti-debugging strategies like IsDebuggerPresent() checks and control flow obfuscation.

    The attack maps to MITRE ATT&CK techniques such as DLL side-loading, sandbox evasion, and in-memory execution.

    How to stay safe

    To stay protected from attacks like this, users should avoid unofficial software, especially anything promoted as a free VPN or game mod.

    The risks increase when running unknown programs from repositories, even if they appear on reputable platforms.

    Files downloaded from GitHub or similar platforms should never be trusted by default, particularly if they come as password-protected ZIP archives or include obscure installation steps.

    Users should never run executables from unverified sources, no matter how useful the tool may seem.

    For extra protection, block executables from running in folders like AppData, which attackers often use to hide their payloads.

    In addition, DLL files found in roaming or temporary folders should be flagged for further investigation.

    Watch for strange file activity on your computer, and use Task Manager or other system tools to monitor MSBuild.exe and other processes for out-of-the-ordinary behavior, so that infections are caught early.
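
The checks described above (executables run from AppData, DLLs loaded from roaming or temporary folders, and MSBuild.exe started from an unusual place) can be written as triage rules over endpoint telemetry. The following is an added example, not code from Cyfirma or from this article; it assumes Sysmon-style process-creation and image-load events, and the sample events, paths, user name and watch list are constructed.

```python
import ntpath

# Constructed sample events using Sysmon field names (EventID 1 = process
# creation, 7 = image load). Paths and the user name are made up.
EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\sam\Downloads\FreeVPN\Launch.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 7, "Image": r"C:\Users\sam\Downloads\FreeVPN\Launch.exe",
     "ImageLoaded": r"C:\Users\sam\AppData\Roaming\msvcp110.dll"},
    {"EventID": 1, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "ParentImage": r"C:\Users\sam\Downloads\FreeVPN\Launch.exe"},
    {"EventID": 1, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe"},
    {"EventID": 7, "Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\msvcp110.dll"},
]

USER_WRITABLE = ("\\appdata\\", "\\downloads\\", "\\temp\\")  # assumed watch list
WATCHED_TOOLS = {"msbuild.exe", "aspnet_regiis.exe"}           # named in the article

def in_user_writable(path):
    """True when the path sits under a folder any standard user can write to."""
    return any(part in path.lower() for part in USER_WRITABLE)

def triage(event):
    """Return the list of rule names an event trips (empty list = nothing to flag)."""
    hits = []
    image = event.get("Image", "")
    if event["EventID"] == 7:
        loaded = event.get("ImageLoaded", "")
        if loaded.lower().endswith(".dll") and in_user_writable(loaded):
            hits.append("dll_loaded_from_user_writable_path")
    elif event["EventID"] == 1:
        if "\\appdata\\" in image.lower():
            hits.append("exe_run_from_appdata")
        parent = event.get("ParentImage", "")
        if ntpath.basename(image).lower() in WATCHED_TOOLS and in_user_writable(parent):
            hits.append("build_tool_spawned_from_user_writable_path")
    return hits

def scan(events):
    """Return (index, rules) for every event that trips at least one rule."""
    return [(i, triage(e)) for i, e in enumerate(events) if triage(e)]

if __name__ == "__main__":
    for index, rules in scan(EVENTS):
        print(index, rules)
```

The same DLL name loaded from System32 and MSBuild.exe started by Visual Studio are left alone; only the location of the loaded file or of the parent process makes an event stand out.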

    On a technical level, use antivirus software that offers behavior-based detection instead of relying solely on traditional scans, along with tools that provide DDoS protection and endpoint protection to cover a broader range of threats, including memory injection, stealthy process creation, and API abuse.
