Living-off-Trusted-Sites (LOTS) – APT Hackers Abusing GitHub To Deliver Malware Payload

Hackers use GitHub to access and manipulate source code repositories. GitHub hosts open-source projects, and unauthorized access allows hackers to inject malicious code, steal sensitive information, and exploit vulnerabilities in software development pipelines.

Cybersecurity researchers at Recorded Future recently discovered that APT hackers actively exploit the GitHub platform to deliver malware payloads.


Over 94 million people use GitHub for coding collaboration as it helps store, manage, and track code changes, supporting collaborative development with tools for hosting, version control, issue tracking, and code review.


Living-off-Trusted-Sites (LOTS)

Threat actors have recently been observed abusing this platform for several illicit purposes, taking advantage of its freely accessible API to evade detection and gain other advantages in network traffic.

Threat actors exploit legitimate internet services (LIS) like GitHub across four main categories: “Payload delivery,” “Dead drop resolving (DDR),” “Full C2,” and “Exfiltration.” All these schemes abuse GitHub's features rather than exploiting vulnerabilities in GitHub.

Payload delivery has dominated and has been observed for years from the following cybercriminal and state-sponsored groups:

  • TeamTNT
  • Gaza Cybergang
  • APT37

Netskope notes GitHub’s 7.6% share in cloud-based malware downloads in 2022, and the abuse scenarios involve staging and infection-focused methods.

Threat actors take advantage of the GitHub platform through repository poisoning, fake repositories, and similar methods.

According to the report, GitHub is also exploited for DDR, like other data access platforms. Users share URLs, domains, or IP addresses, even in encrypted files, which pose minimal immediate risk because of the difficulty the platform has in determining malicious intent without context.

Full C2 using GitHub involves an “abstraction layer,” but it’s less common due to functional constraints and concerns about exposure. GitHub can serve as an exfiltration proxy, but this is less frequent than other schemes.

Meanwhile, GitHub Pages is also abused by threat actors for phishing or traffic redirection, which gives phishing pages longer operational periods.

Suspected phishing page hosted on (Source - Recorded Future)

With 77% of developers using it, GitHub is one of the most popular platforms, surpassing GitLab (40%) and BitBucket (25%).


The cybersecurity researchers provided the following recommendations:

  • Enhance visibility
  • Maintain an up-to-date and comprehensive asset inventory
  • Tailor the implementation of the discussed detection strategies
  • Establish adaptive security policies
  • Protect your GitHub accounts
  • Integrate scenarios of LIS abuse into routine attack simulations
  • Engage with GitHub to counter known malicious activities
  • Perform proactive threat-hunting
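
The asset-inventory and threat-hunting recommendations can be combined into one check: flag GitHub traffic from hosts with no documented reason to use GitHub, labelled by the abuse scheme it would be consistent with. This is an added example, not code from the Recorded Future report; the log format, host names, allow-list and the endpoint-to-category mapping are assumptions.

```python
# Added example: log format, host names and category mapping are assumptions.
# Flags GitHub traffic from hosts the asset inventory does not expect to use it.
from collections import defaultdict
from urllib.parse import urlsplit

# Hosts the asset inventory says are expected to talk to GitHub (constructed).
GITHUB_ALLOWED = {"dev-ws-01", "ci-runner-02"}

# Constructed sample: "<src_host> <method> <url> <process>"
SAMPLE_LOG = """\
dev-ws-01 GET https://github.com/example-org/app.git/info/refs git.exe
fin-ws-07 GET https://raw.githubusercontent.com/example-user/repo/main/update.bin powershell.exe
fin-ws-07 GET https://gist.githubusercontent.com/example-user/abc123/raw/config.txt rundll32.exe
hr-ws-03 POST https://api.github.com/repos/example-user/notes/issues svchost.exe
hr-ws-03 GET https://example-user.github.io/login/index.html chrome.exe
ci-runner-02 GET https://objects.githubusercontent.com/release-asset/tool.tar.gz curl
"""

def classify(method, url):
    """Map a request to the abuse scheme it would be consistent with (heuristic)."""
    host = (urlsplit(url).hostname or "").lower()
    if host.endswith(".github.io"):
        return "pages-phishing-or-redirect"
    if host == "api.github.com":
        return "exfiltration-or-c2" if method in {"POST", "PUT", "PATCH"} else "ddr-or-c2"
    if host == "gist.githubusercontent.com":
        return "ddr"
    if host in {"raw.githubusercontent.com", "objects.githubusercontent.com", "codeload.github.com"}:
        return "payload-delivery"
    if host == "github.com" or host.endswith(".github.com"):
        return "github-other"
    return None  # not GitHub traffic

def hunt(log_text, allowed=GITHUB_ALLOWED):
    """Return {src_host: [(category, process, url), ...]} for hosts outside the allow-list."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of failing the hunt
        src, method, url, process = parts
        category = classify(method.upper(), url)
        if category and src not in allowed:
            findings[src].append((category, process, url))
    return dict(findings)

if __name__ == "__main__":
    for src, hits in hunt(SAMPLE_LOG).items():
        print(src, *hits, sep="\n  ")
```

Each finding is a hunting lead rather than a verdict; the process name and the host's role decide whether it warrants investigation.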

GitHub's key features are versatile services, seamless integration in corporate settings, and cost efficiency. Abuse of GitHub is common among code repositories but lacks the industry reporting needed for trend analysis. Despite the challenges, these features remain attractive to threat actors.


BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.