In this post, we describe our in-depth investigation into a threat actor to which we have assigned the identifier MUT-1244.
MUT-1224 uses two initial access vectors to compromise their victims, both leveraging the same second-stage payload: a *phishing campaign targeting thousands of academic researchers and a large number of trojanized GitHub repositories, such as proof-of-concept code for exploiting known CVEs.
Over 390,000 credentials, believed to be for WordPress accounts, have been exfiltrated to the threat actor through the malicious code in the trojanized "yawpp" GitHub project, masquerading as a WordPress credentials checker.
Hundreds of victims of MUT-1244 were and are still being compromised. Victims are believed to be offensive actors—including pentesters and security researchers, as well as malicious threat actors— and had sensitive data such as SSH private keys and AWS access keys exfiltrated.
We assess that MUT-1244 has overlap with a campaign tracked in previous research reported on the malicious npm package 0xengine/xmlrpc and the malicious GitHub repository hpc20235/yawpp.
