
Hackers impersonate security analysts to advertise bogus zero day exploits laced with malware

The criminals are trying to dupe legitimate researchers into downloading their malware.

By Claudia Glover

Hackers have been impersonating security researchers to advertise bogus zero day exploits laced with malware and dupe real researchers into downloading malicious code targeting Linux and Windows from GitHub. The criminals pretend to represent fake security companies to promote their repositories on Twitter.

Fake zero days laced with malware are being advertised on GitHub. (Photo by Post Modern Studio/Shutterstock)

The campaign began in early May, advertising fake vulnerabilities in Google’s Chrome, chat app Discord and Microsoft Exchange email servers, according to researchers at security company VulnCheck. Zero day exploits take advantage of previously unknown vulnerabilities in software, which can prove particularly dangerous in the wrong hands and as such are of great interest to security analysts.

Bogus zero day exploits laced with malware to scam researchers

The cybercriminals behind the attacks used a fake security company called High Sierra as cover to post the fake zero days on GitHub. Each post contains a malicious repository claiming to be an exploit for a well-known product, but actually containing malware which can be activated on the Windows or Linux operating systems.

A list of fake accounts can be found here, and the attacker has six GitHub accounts and a handful of associated Twitter profiles, all claiming to be part of High Sierra. To add further confusion, the profile pictures for the fake accounts seem to have been stolen from researchers at real security vendors. “It appears the attacker is not only making efforts to make the profiles look legitimate, but also using headshots of actual security researchers,” the report warns.

“The attacker has made a lot of effort to create all these fake personas, only to deliver very obvious malware,” says the VulnCheck report. “It’s unclear if they have been successful, but given that they’ve continued to pursue this avenue of attacks, it seems they believe they will be successful.”

Regardless of the success of the scam, researchers should take this to be a warning that they may be increasingly in the firing line of cybercriminals. “Security researchers should understand they are useful targets for malicious actors and should be careful when downloading code from GitHub,” the report says. “Always review the code you are executing and don’t use anything you don’t understand.”

Security researchers on Twitter beware

This is not the first time researchers have fallen foul of targeted attacks like this. Last year, Tech Monitor uncovered a scam where researchers who were investigating online criminal gangs were being targeted through a Twitter loophole.


The ransomware gang REvil was using fraudulent emergency data requests on Twitter to demand private information of researchers investigating them, to threaten them and their families. 

“Threat actors are now turning this sort of low-tech tactic onto those who investigate and expose their illegal activities,” Louise Ferrett, researcher at Searchlight Security, explained at the time. “Twitter is an easy target because that’s where a lot of researchers gather.”

