GitHub Used as Covert Channel in Multi-Stage Malware Campaign

Thursday, April 2, 2026 at 01:00 PM UTC·Source: Infosecurity Magazine

Updated: Thursday, April 2, 2026 at 05:46 PM UTC

Executive Summary

LNK files use GitHub C2, embedded decoders and PowerShell for persistence and data exfiltration

Analysis

LNK files use GitHub C2, embedded decoders and PowerShell for persistence and data exfiltration

Source Attribution

Originally published by Infosecurity Magazine on Apr 2, 2026.

Related Threats

LOWMalware

Security lapse lets researchers view React2Shell hackers’ dashboard

An apparent security lapse has allowed researchers to peer into the work of a threat group currently exploiting unpatched servers open to the four-month-old React2Shell vulnerability to steal login credentials, keys, and tokens at scale. Researchers from Cisco Systems’ Talos threat intelligence team who made the discovery said Thursday that the data harvested by an unattributed group they call UAT

CVE-2025-55182

1d agoCSO Online

MEDIUMMalware

React2Shell Exploited in Large-Scale Credential Harvesting Campaign

Using automated scanning and the Nexus Listener collection framework, the hackers compromised over 750 systems. The post React2Shell Exploited in Large-Scale Credential Harvesting Campaign appeared first on SecurityWeek .

2d agoSecurityWeek

MEDIUMMalware

New SparkCat Variant in iOS, Android Apps Steals Crypto Wallet Recovery Phrase Images

Cybersecurity researchers have discovered a new version of the SparkCat malware on the Apple App Store and Google Play Store, more than a year after the trojan was discovered targeting both the mobile operating systems. The malware has been found to conceal itself within seemingly benign apps, such as enterprise messengers and food delivery services, while

2d agoThe Hacker News