
The Growing Abuse of GitHub and GitLab in Phishing Campaigns

Threat actors are increasingly abusing legitimate Git repository platforms like GitHub and GitLab to host malware and credential phishing pages. By leveraging the inherent trust organizations place in these domains, attackers successfully bypass secure email gateways (SEGs) to deliver dual-threat campaigns involving remote access trojans (RATs), infostealers, and credential harvesting.

Confidence: high · Analyzed: 2026-04-08

Authors: Jacob Malimban

Actors: XWorm RAT, Venom RAT, GoTo RAT, ConnectWise RAT, Muck Stealer, DcRAT, Remcos RAT, Byakugan, Async RAT, ATR 397723, ATR 383659, ATR 404564, ATR 404322

Source: Cofense

IOCs · 5

Key Takeaways

  • 95% of malicious Git repository campaigns abuse GitHub, while 5% abuse GitLab.
  • github.com and gitlab.com are primarily used to host malware, whereas github.io and gitlab.io are predominantly used for credential phishing.
  • Threat actors are increasingly utilizing dual-threat attacks, delivering both malware and credential phishing in the same infection chain.
  • Remcos RAT is the most common malware delivered via GitHub, while DcRAT is the top malware delivered via GitLab.
  • Attackers frequently use password-protected archives (.zip, .7z) to bypass anti-malware scanning on these platforms.

Affected Systems

  • Windows
  • macOS
  • Android
  • Enterprise email systems

Attack Chain

Threat actors initiate the attack by sending phishing emails containing links to repositories hosted on GitHub or GitLab. When victims click the links, they are either directed to a static page (github.io/gitlab.io) for credential harvesting or trigger a download of a malicious payload, often via raw.githubusercontent.com. In advanced campaigns, user-agent checks determine the payload, serving RATs to Windows users and phishing pages to mobile or macOS users. Attackers also utilize dual-threat chains, where a malware infection is immediately followed by a credential phishing pop-up.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

The article focuses on threat intelligence and platform abuse trends; it does not provide specific detection rules or queries.

Detection Engineering Assessment

  • EDR Visibility: High — EDR solutions have high visibility into the post-download execution of payloads (.exe, .msi) and the subsequent behavioral patterns of RATs and infostealers.
  • Network Visibility: Medium — Network visibility is hindered by the use of legitimate, encrypted channels (HTTPS to GitHub/GitLab), making it difficult to distinguish malicious downloads from legitimate developer activity without SSL inspection.
  • Detection Difficulty: Hard — Blocking GitHub or GitLab outright is impossible for most organizations. Distinguishing between a developer downloading a legitimate repository and a user downloading malware from the same domain requires deep payload inspection or behavioral analysis post-download.

Required Log Sources

  • Proxy Logs
  • DNS Logs
  • Process Creation Logs (Event ID 4688 / Sysmon Event ID 1)
  • File Creation Logs (Sysmon Event ID 11)

Hunting Hypotheses

  • Hypothesis: Look for non-developer endpoints initiating downloads from raw.githubusercontent.com or gitlab.com, especially resulting in .exe, .msi, or password-protected archive creations.
    • Telemetry: Proxy logs, EDR file creation events
    • ATT&CK Stage: Delivery
    • FP Risk: Medium
  • Hypothesis: Monitor for HTTP POST requests originating from github.io or gitlab.io subdomains, which may indicate credential exfiltration from a static phishing page.
    • Telemetry: Web Proxy / Secure Web Gateway logs
    • ATT&CK Stage: Credential Access
    • FP Risk: Medium

Control Gaps

  • Secure Email Gateways (SEGs) failing to block trusted domains like github.com and gitlab.com.
  • Lack of SSL inspection preventing payload analysis in transit from cloud collaboration platforms.

Key Behavioral Indicators

  • Downloads of .zip or .7z files from GitHub/GitLab followed by execution of binaries from user directories.
  • User-agent conditional redirects originating from gitlab.io or github.io.
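The two hunting hypotheses and the behavioral indicators above can be run as a simple correlation over proxy logs and Sysmon Event ID 11 file-creation events. The following is an added example, not code from the report or from Cofense; the log lines, file paths, user names, hostnames such as login-portal.gitlab.io, and the developer-OU membership set are all constructed for illustration (the file names Reader_PDF_2025.exe and preview_details.msi are the ones the report names). In a real deployment the developer set would come from the directory and the events from the SIEM.

```python
import re
from urllib.parse import urlsplit

# Constructed sample proxy log lines (not from the report):
# timestamp user method url status user-agent
PROXY_LOGS = [
    "2026-04-08T09:12:01Z alice.finance GET https://raw.githubusercontent.com/acme-docs/q1/main/Reader_PDF_2025.exe 200 Mozilla/5.0 (Windows NT 10.0)",
    "2026-04-08T09:15:44Z bob.dev GET https://raw.githubusercontent.com/acme/tooling/main/setup.py 200 git/2.43",
    "2026-04-08T09:20:10Z carol.hr GET https://gitlab.com/someproject/-/raw/main/preview_details.msi 200 Mozilla/5.0 (Windows NT 10.0)",
    "2026-04-08T09:22:30Z carol.hr POST https://login-portal.gitlab.io/submit.php 302 Mozilla/5.0 (Windows NT 10.0)",
    "2026-04-08T09:25:00Z dave.sales POST https://docs-share.github.io/verify 200 Mozilla/5.0 (iPhone; CPU iPhone OS 17_0)",
    "2026-04-08T09:30:00Z bob.dev POST https://api.github.com/graphql 200 gh/2.40",
]

# Constructed Sysmon Event ID 11 file-creation events: (user, path)
FILE_CREATES = [
    ("alice.finance", r"C:\Users\alice.finance\Downloads\Reader_PDF_2025.exe"),
    ("bob.dev", r"C:\Users\bob.dev\repos\tooling\setup.py"),
    ("carol.hr", r"C:\Users\carol.hr\Downloads\invoice.7z"),
]

# Assumed: accounts in the developer OU; a real deployment pulls this from the directory
DEVELOPER_USERS = {"bob.dev"}
PAYLOAD_HOSTS = {"raw.githubusercontent.com", "github.com", "gitlab.com"}
PAGES_SUFFIXES = (".github.io", ".gitlab.io")
SUSPICIOUS_EXT = (".exe", ".msi", ".zip", ".7z")

LOG_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3}) (.*)$")


def parse_proxy_line(line):
    """Parse one constructed proxy line into a dict; return None on malformed input."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts, user, method, url, status, ua = m.groups()
    parts = urlsplit(url)
    return {
        "ts": ts, "user": user, "method": method, "url": url,
        "host": (parts.hostname or "").lower(),
        "basename": parts.path.rsplit("/", 1)[-1],
        "status": int(status), "ua": ua,
    }


def hunt_payload_downloads(lines, file_creates, developers):
    """Hypothesis 1: a non-developer fetches a binary or archive from a Git hosting domain.
    Each hit records whether a file of the same name landed on disk (Sysmon EID 11)."""
    created = {(u, p.replace("\\", "/").rsplit("/", 1)[-1].lower()) for u, p in file_creates}
    hits = []
    for line in lines:
        ev = parse_proxy_line(line)
        if ev is None or ev["method"] != "GET" or ev["user"] in developers:
            continue  # developer traffic is expected; skip to keep FP rate down
        if ev["host"] in PAYLOAD_HOSTS and ev["basename"].lower().endswith(SUSPICIOUS_EXT):
            hits.append({
                "user": ev["user"], "host": ev["host"], "file": ev["basename"],
                "on_disk": (ev["user"], ev["basename"].lower()) in created,
            })
    return hits


def hunt_pages_posts(lines):
    """Hypothesis 2: HTTP POST to a github.io / gitlab.io Pages site (possible credential submission).
    api.github.com and other non-Pages hosts are deliberately excluded."""
    hits = []
    for line in lines:
        ev = parse_proxy_line(line)
        if ev is None or ev["method"] != "POST":
            continue
        if ev["host"].endswith(PAGES_SUFFIXES):
            hits.append({"user": ev["user"], "host": ev["host"], "url": ev["url"]})
    return hits


if __name__ == "__main__":
    for h in hunt_payload_downloads(PROXY_LOGS, FILE_CREATES, DEVELOPER_USERS):
        print("payload-download", h)
    for h in hunt_pages_posts(PROXY_LOGS):
        print("pages-post", h)
```

Hits with `on_disk` set to true are the ones worth triaging first: the download completed and the file is sitting in a user directory, which is the precondition for the "archive download followed by execution from a user directory" indicator above. The developer allow-list is what keeps the Medium false-positive rating from becoming High, so it needs to be maintained from the directory rather than hard-coded.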

False Positive Assessment

  • High

Recommendations

Immediate Mitigation

  • Extract and block the specific malicious URLs and subdomains identified in the report.
  • Search endpoint telemetry for the execution of 'Reader_PDF_2025.exe' or 'preview_details.msi'.

Infrastructure Hardening

  • Implement SSL inspection on web proxies to scan files downloaded from cloud collaboration platforms.
  • Restrict access to raw.githubusercontent.com for non-developer organizational units if feasible.

User Protection

  • Deploy EDR solutions configured to aggressively scan files extracted from password-protected archives.
  • Implement phishing-resistant MFA to mitigate the impact of credential harvesting via github.io/gitlab.io pages.

Security Awareness

  • Train users to scrutinize links to GitHub or GitLab, especially if they are not in a developer role.
  • Educate employees on the risks of dual-threat attacks where a document download is followed by a login prompt.

MITRE ATT&CK Mapping

  • T1566.002 - Phishing: Spearphishing Link
  • T1583.006 - Acquire Infrastructure: Web Services
  • T1105 - Ingress Tool Transfer
  • T1056.001 - Input Capture: Keylogging
  • T1027.002 - Obfuscated Files or Information: Software Packing
  • T1071.001 - Application Layer Protocol: Web Protocols

Additional IOCs

  • Domains:
    • raw[.]githubusercontent[.]com - Legitimate GitHub domain frequently abused for silent malware downloads.
    • github[.]io - Legitimate GitHub Pages domain frequently abused for hosting static credential phishing sites.
    • gitlab[.]io - Legitimate GitLab Pages domain frequently abused for hosting static credential phishing sites.
  • File Paths:
    • Reader_PDF_2025.exe - Filename used to disguise a RAT as a PDF reader.
    • preview_details.msi - Filename used for an abused GoTo RAT installer.