Skip to content
Malware family

SmartLoader

SmartLoader is a malware loader distributed primarily through fake or cloned GitHub repositories that impersonate legitimate projects, including open-source software, game cheats, cracked software, cryptocurrency utilities, IT software projects, AI tools, and trojanized MCP/Oura-related repositories.

Profile source: Mallory opens in a new tab

SmartLoader

Family profile

SmartLoader is a malware loader distributed primarily through fake or cloned GitHub repositories that impersonate legitimate projects, including open-source software, game cheats, cracked software, cryptocurrency utilities, IT software projects, AI tools, and trojanized MCP/Oura-related repositories. Public reporting cited in the content indicates this delivery tactic has been in use since at least early 2025, and SmartLoader was first highlighted by OALABS Research in early 2024. Campaigns described in the content used polished or AI-generated repository descriptions, fake forks and contributor ecosystems, SEO terms, malicious README download links, and ZIP archives hidden in repository folder structures to increase trust and visibility.

In the observed infection chain, a downloaded ZIP archive contains a simple batch script that launches a legitimate LuaJIT interpreter to execute a heavily obfuscated Lua script constituting SmartLoader. Reported behavior includes hiding its console window via Windows API calls, anti-debugging shellcode executed from allocated memory, resolving active command-and-control infrastructure through a Polygon blockchain dead-drop mechanism using polygon.drpc.org, and sending host fingerprinting data and screenshots to a bare-IP C2 via multipart POST. The C2 returns encrypted instructions and tasks. SmartLoader establishes persistence through two scheduled tasks, including examples such as "AudioManager_ODM3" and "OfficeClickToRunTask_7d7757"; one task runs a cached local Lua stage while another re-downloads an encrypted stage from an attacker-controlled GitHub repository. In another reported campaign, persistence was disguised as Realtek driver-related scheduled tasks.

SmartLoader is used to retrieve and deploy follow-on payloads, including StealC, Lumma Stealer, and in other reporting as a dropper for Rhadamanthys. The Hexastrike reporting in the content states SmartLoader could decrypt and load StealC directly into memory without writing it to disk. Associated follow-on theft objectives described in the content include browser passwords, credentials, cookies, API keys, cloud credentials, cryptocurrency wallets, login codes, and other sensitive data. Reported targeting spans general GitHub users, retro gaming and PlayStation Vita modding users, offensive security professionals in the AIRedScam campaign, and developers using MCP-enabled AI tooling, who are considered high-value targets because their systems may contain production access and secrets.

High-confidence infrastructure and hunting details directly mentioned in the content include a SmartLoader URL pattern of a direct IP address with a /task/ folder and a 40-character filename with no extension; one campaign-associated C2 IP of 85.137.52.21; the associated domain voistace.github.io; and use of polygon.drpc.org for blockchain-based C2 resolution. Threat activity in the content is linked to fake GitHub repository ecosystems and, in one Straiker report, indicators suggesting China-based operations, though attribution is not definitive.

MITRE ATT&CK

SmartLoader in ATT&CK

20 distinct techniques

Reporting

Research mentioning SmartLoader

Jun 22
Cyber Security News

Hackers Compromised 10,000 Repositories on GitHub to Inject Malware

Public reports and earlier research indicate this tactic has been in use since at least early 2025, with similar campaigns distributing malware families such as SmartLoader and StealC.

Jun 18
Malware News

Retro gaming fans are the new target for fake GitHub malware - Malware News - Malware Analysis, News and Indicators

Other researchers have observed attackers using fake GitHub repositories—dressed up with AI-generated descriptions—to spread a type of malware called SmartLoader, which then pulls in password and wallet-stealing malware such as Lumma Stealer.

Apr 28
The Hacker News

Brazilian LofyGang Resurfaces After Three Years With Minecraft LofyStealer Campaign

The disclosure comes as threat actors are increasingly abusing the trust associated with a platform like GitHub to host bogus repositories that act as lures for malware families like SmartLoader, StealC Stealer, and Vidar Stealer.

Apr 22
Cyber Security News

109 Fake GitHub Repositories Used to Deliver SmartLoader and StealC Malware - Cyber Security News

A large-scale malware distribution campaign has been uncovered involving 109 fake GitHub repositories that were used to trick users into downloading two dangerous malware tools named SmartLoader and StealC.

Feb 22
Security Affairs

SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 85

SmartLoader Clones Oura Ring MCP to Deploy Supply Chain Attack

Feb 22
Security Affairs

Security Affairs newsletter Round 564 by Pierluigi Paganini - INTERNATIONAL EDITION

SmartLoader hackers clone Oura MCP project to spread StealC malware

Feb 17
Security Affairs

SmartLoader hackers clone Oura MCP project to spread StealC malware

Straiker’s AI Research (STAR) Labs team uncovered a SmartLoader campaign in which attackers cloned a legitimate MCP server linked to Oura Health to spread the StealC information stealer.

Feb 17
The Hacker News

SmartLoader Attack Uses Trojanized Oura MCP Server to Deploy StealC Infostealer

"SmartLoader, first highlighted by OALABS Research in early 2024, is a malware loader that's known to be distributed via fake GitHub repositories..."

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.