In a landscape increasingly dependent on open-source software, a new and insidious threat has emerged: a campaign orchestrated by a group identified as Water Curse, which has weaponized trust itself.
Discovered in May 2025, yet active since early 2023, Water Curse has strategically infiltrated GitHub, leveraging at least 76 fraudulent accounts to distribute trojanized repositories. These seemingly legitimate tools target a wide audience: cybersecurity professionals, red teamers, DevOps engineers, penetration testers, game developers, and beyond.
But this is no ordinary malware campaign. What makes Water Curse deeply concerning is its mastery of deception, automation, and adaptability. This group doesn’t just attack systems; it embeds itself within its victims’ workflow, slipping silently into their trusted development environments.
Anatomy of a Digital Phantom
The campaign often begins with an innocent-looking GitHub project. These repositories masquerade as useful penetration testing tools: SMTP bombers, RATs, or debugging scripts. But buried within the Visual Studio project configurations lies malicious code. Once the project is compiled, a series of hidden VBS and PowerShell scripts is unleashed, triggering a multi-stage attack chain.
The payloads are encrypted and obfuscated, often Electron-based applications such as SearchFilter.exe, designed to evade detection while performing reconnaissance and stealing session credentials. From GitHub tokens to ChatGPT access, Water Curse siphons off digital identities with surgical precision.
The malware disables Windows Defender, erases shadow copies, and establishes persistence through scheduled tasks and registry modifications. Even more chilling: it uses common services like Telegram and Gofile to communicate, hiding in plain sight.
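The behaviours listed in this paragraph are exactly what an endpoint detection rule would key on. The Python below is an added example, not code from the original write-up or from any vendor's research: it scans constructed process-creation events (key=value lines with invented hosts, paths and timestamps) for generic patterns covering each behaviour, then groups hits per host so that a cluster of distinct behaviours on one machine, rather than a single hit that could be routine administration, is what raises an alert. The regexes are this example's own assumptions to be tuned against real telemetry, not published indicators for Water Curse.

```python
import re
from dataclasses import dataclass

# Generic ATT&CK-style heuristics for the post-compile chain described above.
# These patterns are assumptions for this example, not published Water Curse indicators.
BEHAVIOR_PATTERNS = {
    "defender_tampering": re.compile(r"Set-MpPreference\s+.*-Disable\w+", re.I),
    "shadow_copy_deletion": re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.I),
    "scheduled_task_persistence": re.compile(r"schtasks(?:\.exe)?\s+/create\b", re.I),
    "run_key_persistence": re.compile(r"CurrentVersion\\Run\b", re.I),
    "script_host_vbs": re.compile(r"\b(?:wscript|cscript)(?:\.exe)?\s+.*\.vbs\b", re.I),
}

HOST_RE = re.compile(r"\bhost=(\S+)")

# Constructed process-creation events in a simple key=value form.
# Hosts, paths, task names and timestamps are invented for this example.
SAMPLE_TELEMETRY = [
    r'2025-05-14T10:02:05Z host=DEV01 parent=MSBuild.exe image=C:\Windows\System32\wscript.exe cmd=wscript.exe //B "C:\Users\dev\source\repos\smtp-tool\obj\stage1.vbs"',
    r'2025-05-14T10:02:11Z host=DEV01 parent=wscript.exe image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmd=powershell -nop -w hidden -c "Set-MpPreference -DisableRealtimeMonitoring $true"',
    r'2025-05-14T10:02:13Z host=DEV01 parent=powershell.exe image=C:\Windows\System32\vssadmin.exe cmd=vssadmin delete shadows /all /quiet',
    r'2025-05-14T10:02:20Z host=DEV01 parent=powershell.exe image=C:\Windows\System32\schtasks.exe cmd=schtasks /create /sc onlogon /tn "SearchFilter" /tr "C:\Users\dev\AppData\Local\SearchFilter.exe"',
    r'2025-05-14T10:02:25Z host=DEV01 parent=powershell.exe image=C:\Windows\System32\reg.exe cmd=reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v SearchFilter /t REG_SZ /d "C:\Users\dev\AppData\Local\SearchFilter.exe"',
    r'2025-05-14T10:05:00Z host=BUILD02 parent=explorer.exe image=C:\Windows\System32\schtasks.exe cmd=schtasks /query /tn "Backup"',
    r'2025-05-14T10:06:42Z host=BUILD02 parent=cmd.exe image=C:\Program Files\Git\bin\git.exe cmd=git pull origin main',
]


@dataclass
class Finding:
    line_no: int
    host: str
    behavior: str
    command_line: str


def scan_telemetry(lines):
    """Return one Finding per (event, behaviour) match, in event order."""
    findings = []
    for n, line in enumerate(lines, start=1):
        host_match = HOST_RE.search(line)
        host = host_match.group(1) if host_match else "unknown"
        for behavior, pattern in BEHAVIOR_PATTERNS.items():
            if pattern.search(line):
                findings.append(Finding(n, host, behavior, line.strip()))
    return findings


def hosts_showing_chain(findings, min_behaviors=2):
    """Hosts with at least `min_behaviors` distinct behaviours.

    One hit on its own (a scheduled-task query, an admin's Defender change)
    is noise; several distinct behaviours on the same host within a short
    window is the multi-stage chain the write-up describes.
    """
    by_host = {}
    for f in findings:
        by_host.setdefault(f.host, set()).add(f.behavior)
    return {h: sorted(b) for h, b in by_host.items() if len(b) >= min_behaviors}


if __name__ == "__main__":
    hits = scan_telemetry(SAMPLE_TELEMETRY)
    for f in hits:
        print(f"line {f.line_no} {f.host}: {f.behavior}")
    for host, behaviors in hosts_showing_chain(hits).items():
        print(f"ALERT {host}: {', '.join(behaviors)}")
```

In production the same logic would run over Sysmon event ID 1 or EDR process-creation telemetry rather than a string list; the per-host aggregation is the part worth keeping, because each individual command also appears in legitimate administration.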
A Glimpse into Their Arsenal
Water Curse’s operational footprint spans a wide array of technologies: PowerShell, JavaScript, C#, and compiled binaries. This is no one-man operation. It reflects either a loosely coordinated syndicate or a cybercrime-as-a-service model. Their targets range from ethical hacking tools to game cheats and crypto wallets, blending red-team realism with criminal intent.
It’s a supply chain attack, but also an elaborate performance staged to lure, confuse, and then compromise. The line between legitimate and malicious tooling continues to blur.
Implications for Developers and Security Teams
This campaign redefines risk for organizations that rely heavily on open-source tools. The infection doesn’t come through firewalls; it walks through the front door, disguised as an update, a plugin, or a debugging utility.
Security professionals must now treat open-source code with the same scrutiny as any external vendor. Repository audits, build script validation, and historical review are no longer optional; they are essential defenses. As platforms like GitHub become battlegrounds, the real vulnerability is often human trust.
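Build script validation, one of the checks called for above, can be automated against the Visual Studio project files the campaign abuses (the malicious code buried in project configurations described earlier). The script below is an added example, not code from the original post or from any vendor tool: it parses MSBuild project XML (both old-style projects carrying the 2003 namespace and SDK-style projects), pulls out every PreBuildEvent, PostBuildEvent, PreLinkEvent and Exec command, and flags commands that match heuristics for encoded or hidden-window PowerShell, script-host launches, remote downloads and writes to user temp directories. The two embedded project files are constructed, the base64 blob in the suspicious one is a dummy placeholder, and the heuristic patterns are this example's own assumptions.

```python
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Elements whose text MSBuild runs as a shell command. Old-style C# projects put
# the command directly in the element; C++ projects nest a <Command> child.
BUILD_EVENT_TAGS = {"PreBuildEvent", "PostBuildEvent", "PreLinkEvent"}

# Heuristics for build commands that have no place in a debugging tool or SMTP
# utility. These are assumptions for this example, not published indicators.
SUSPICIOUS_PATTERNS = {
    "encoded_powershell": re.compile(r"-(?:e|ec|enc|encodedcommand)\b\s+[A-Za-z0-9+/=]{20,}", re.I),
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden\b", re.I),
    "script_host": re.compile(r"\b(?:wscript|cscript|mshta)(?:\.exe)?\b", re.I),
    "remote_download": re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|\bcurl\b|\bbitsadmin\b", re.I),
    "user_temp_path": re.compile(r"%(?:TEMP|APPDATA|LOCALAPPDATA)%|\$env:(?:TEMP|APPDATA|LOCALAPPDATA)\b", re.I),
}


@dataclass
class BuildCommand:
    location: str   # element or Target[name]/Exec the command came from
    command: str


@dataclass
class Finding:
    location: str
    indicator: str
    command: str


def _local(tag):
    """Strip the MSBuild XML namespace, if any, from an element tag."""
    return tag.split("}", 1)[-1]


def _collect(elem, target_name, out):
    tag = _local(elem.tag)
    if tag == "Target":
        target_name = elem.get("Name", "?")
    if tag in BUILD_EVENT_TAGS:
        text = (elem.text or "").strip()
        for child in elem:                      # vcxproj form: <PreBuildEvent><Command>...
            if _local(child.tag) == "Command":
                text = (child.text or "").strip()
        if text:
            out.append(BuildCommand(tag, text))
        return
    if tag == "Exec":
        cmd = (elem.get("Command") or "").strip()
        if cmd:
            out.append(BuildCommand(f"Target[{target_name}]/Exec", cmd))
        return
    for child in elem:
        _collect(child, target_name, out)


def extract_build_commands(project_xml):
    """Every command the build would execute, in document order."""
    out = []
    _collect(ET.fromstring(project_xml), "?", out)
    return out


def audit_project(project_xml):
    """Match each build command against the heuristics; an empty list means clean."""
    findings = []
    for bc in extract_build_commands(project_xml):
        for indicator, pattern in SUSPICIOUS_PATTERNS.items():
            if pattern.search(bc.command):
                findings.append(Finding(bc.location, indicator, bc.command))
    return findings


# Constructed SDK-style project: a post-build copy step, nothing else.
BENIGN_CSPROJ = r"""<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <OutputType>Exe</OutputType>
    <TargetFramework>net8.0</TargetFramework>
  </PropertyGroup>
  <Target Name="CopyConfig" AfterTargets="Build">
    <Exec Command="xcopy /Y $(ProjectDir)config\*.json $(OutDir)" />
  </Target>
</Project>"""

# Constructed old-style project with build events of the kind described in the
# article. The -enc argument is a dummy base64 placeholder, not a real payload.
SUSPICIOUS_CSPROJ = r"""<Project ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <PropertyGroup>
    <OutputType>Exe</OutputType>
    <AssemblyName>SmtpTester</AssemblyName>
  </PropertyGroup>
  <PropertyGroup>
    <PreBuildEvent>powershell -w hidden -enc QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB</PreBuildEvent>
    <PostBuildEvent>wscript.exe //B "$(ProjectDir)obj\stage1.vbs"</PostBuildEvent>
  </PropertyGroup>
</Project>"""


if __name__ == "__main__":
    for name, xml_text in (("benign", BENIGN_CSPROJ), ("suspicious", SUSPICIOUS_CSPROJ)):
        print(f"[{name}]")
        for f in audit_project(xml_text):
            print(f"  {f.location}: {f.indicator}: {f.command[:60]}")
```

Run it over every `*.csproj`, `*.vbproj` and `*.vcxproj` in a freshly cloned repository before the first build, and treat any finding as a reason to read the project file by hand; commit history review then tells you whether the build event was there from the start or slipped in later.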
Solutions like Trend Micro Vision One and MDR services are proving critical in identifying and responding to such sophisticated threats, providing threat intelligence, telemetry, and active defense capabilities.
Conclusion
The Water Curse campaign serves as a chilling reminder of how deeply integrated, and therefore vulnerable, our digital ecosystems have become. By corrupting the tools we rely on daily, attackers can bypass traditional defenses and embed themselves at the heart of development operations.
This threat actor’s campaign isn’t just about credentials or tokens; it’s about eroding the boundaries between trusted code and malicious infiltration.
About COE Security
COE Security partners with organizations in financial services, healthcare, retail, manufacturing, and government to secure AI-powered systems and ensure compliance. Our offerings include:
- AI-enhanced threat detection and real-time monitoring
- Data governance aligned with GDPR, HIPAA, and PCI DSS
- Secure model validation to guard against adversarial attacks
- Customized training to embed AI security best practices
- Penetration Testing (Mobile, Web, AI, Product, IoT, Network & Cloud)
- Secure Software Development Consulting (SSDLC)
- Customized Cybersecurity Services
In response to threats like Water Curse, we help industries:
- Audit and secure their open-source integrations
- Strengthen their SDLC against social engineering vectors
- Implement persistent threat detection systems
- Educate developers on secure coding and repository hygiene
- Detect and isolate supply chain risks before deployment
We also emphasize defense against social engineering, a rapidly growing threat vector that spreads through human behavior and lateral network access faster than ever before.
Follow COE Security on LinkedIn for ongoing insights into safe, compliant AI adoption and to stay ahead in the evolving threat landscape.