Clone, Compile, Compromise: Water Curse’s Open-Source Malware Trap on GitHub

Telemetry data shows DNS queries to Gofile and Telegram infrastructure — both legitimate services commonly used for file sharing and messaging. In this context, they are likely being abused for data exfiltration:

  • store-eu-par-2[.]gofile[.]io (45.112.123[.]224)
  • api[.]telegram[.]org (149.154.167[.]220)
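The two indicators above are the ones a defender would sweep DNS telemetry for. The script below is an added example, not code from the original post: it refangs the indicators as the post lists them, parses a constructed DNS query log (the log format and every line are invented for illustration), and reports lines that resolve either an indicator domain, a subdomain of it, or an indicator IP.

```python
"""Sweep DNS telemetry for the exfiltration indicators listed above.

Added example, not code from the original post. The two domain/IP pairs
are the indicators the post lists; the log format and every log line below
are constructed for illustration and are not real telemetry.
"""
import re

# Indicators exactly as the post defangs them.
DEFANGED_IOCS = {
    "store-eu-par-2[.]gofile[.]io": "45.112.123[.]224",
    "api[.]telegram[.]org": "149.154.167[.]220",
}


def refang(indicator: str) -> str:
    """Turn a defanged indicator ("a[.]b") back into a matchable form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


DOMAIN_TO_IP = {refang(d): refang(ip) for d, ip in DEFANGED_IOCS.items()}
IOC_IPS = set(DOMAIN_TO_IP.values())

# Assumed (constructed) log format: "<timestamp> <client_ip> <qname> <qtype> <answer>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<qname>\S+?)\.?\s+(?P<qtype>\S+)\s+(?P<answer>\S+)$"
)


def domain_matches(qname: str, ioc_domain: str) -> bool:
    """True for an exact match or a subdomain of the indicator (case-insensitive)."""
    q = qname.lower().rstrip(".")
    return q == ioc_domain or q.endswith("." + ioc_domain)


def scan_dns_log(lines) -> list:
    """Return one finding per log line that touches an IoC domain or IoC IP."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line; skip rather than guess
        qname, answer = m["qname"], m["answer"]
        matched = [d for d in DOMAIN_TO_IP if domain_matches(qname, d)]
        ip_hit = answer in IOC_IPS
        if matched or ip_hit:
            hits.append({
                "ts": m["ts"],
                "src": m["src"],
                "qname": qname,
                "answer": answer,
                "domain_ioc": matched[0] if matched else None,
                "ip_ioc": ip_hit,
            })
    return hits


# Constructed sample: three lines that should alert, one benign line.
SAMPLE_LOG = """\
2025-06-10T09:14:02Z 10.0.0.15 www.example.com A 93.184.216.34
2025-06-10T09:14:05Z 10.0.0.15 api.telegram.org. A 149.154.167.220
2025-06-10T09:14:09Z 10.0.0.15 STORE-EU-PAR-2.gofile.io A 45.112.123.224
2025-06-10T09:14:11Z 10.0.0.22 cdn.example.net A 45.112.123.224
"""

if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_LOG.splitlines()):
        print(hit)
```

Matching on the resolved IP as well as the name catches queries for a different hostname that lands on the same infrastructure (the last sample line). Because api.telegram.org is also what the legitimate Telegram client resolves, a hit on it is a lead, not a verdict: correlate it with the process that issued the query before treating it as exfiltration.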

The following table summarizes the attack lifecycle, as mapped to the MITRE ATT&CK framework:

| Tactic | Technique ID & Name | Observed Behavior Description |
|---|---|---|
| Initial Access | T1195.002 – Supply Chain Compromise: Compromise Software Dependencies and Development Tools | The victim unknowingly downloaded a trojanized open-source tool from GitHub. Malicious code was embedded into the software dependency. |
| | T1059.007 – Command and Scripting Interpreter: JavaScript | The attack begins by executing main.js to gather host data and connect to the C&C server. |
| Execution | T1129 – Shared Modules | Malicious code is executed implicitly when compiling the Visual Studio project with a trojanized .csproj file. |
| | T1059.001 – PowerShell | Scripts (disabledefender.ps1, antiDebug.ps1) are executed to disable security features and evade detection. |
| Persistence | T1053.005 – Scheduled Task/Job: Scheduled Task | SearchFilter.exe is dropped and configures a scheduled task to maintain persistence. |
| Privilege Escalation | T1548.002 – Abuse Elevation Control Mechanism: Bypass User Account Control | UAC bypass is performed by hijacking the ms-settings protocol handler in the Windows Registry to elevate privileges without prompts. |
| Defense Evasion | T1112 – Modify Registry | Registry keys were modified to disable security features and enable the UAC bypass. |
| | T1562.001 – Impair Defenses: Disable or Modify Tools | disabledefender.ps1 disables Windows Defender and configures extensive exclusions. |
| | T1562.004 – Impair Defenses: Disable or Modify System Features | Shadow copies are deleted and the Volume Shadow Copy service is disabled to prevent System Restore. |
| | T1027 – Obfuscated Files or Information | Detection is bypassed via obfuscated or encoded PowerShell scripts. |
| | T1497.001 – Virtualization/Sandbox Evasion: System Checks | antiDebug.ps1 performs checks for analysis tools and virtual environments. |
| | T1089 – Disabling Security Tools | Directly disables Defender protections and telemetry. |
| Discovery | T1057 – Process Discovery | Uses tasklist to identify running browser-related processes. |
| | T1082 – System Information Discovery | Collects system architecture, CPU count, and OS version. |
| | T1016 – System Network Configuration Discovery | Uses net session to identify active network sessions. |
| Collection | T1555.003 – Credentials from Web Browsers | Saved passwords, cookies, and autofill data from Chrome, Edge, and Firefox are stolen. |
| | T1213.002 – Data from Information Repositories: Browsing Data | Browsing history, bookmarks, and downloads are harvested. |
| | T1005 – Data from Local System | Sensitive files from local user directories are copied. |
| | T1119 – Automated Collection | Structured folders (_8954\) are created and collection is automated. |
| | T1113 – Screen Capture | Captures a screenshot as screenshot.png. |
| | T1557 – Adversary-in-the-Middle (Session Hijacking) | Steals session tokens/cookies from GitHub, ChatGPT, and Discord, among others. |
| Command and Control | T1102.002 – Web Service: Telegram | Connects to a Telegram bot/channel for C&C communication and exfiltration. |

Attribution

The threat actor tracked as Water Curse is a newly identified, highly active group abusing GitHub as a delivery platform for weaponized repositories. Analysis has uncovered at least 76 GitHub accounts associated with the threat actor, indicating a broad and sustained campaign that spans multiple communities. The most critical risks stem from malicious implants embedded within red team and penetration testing tools, posing a clear supply chain threat to security professionals and enterprise environments.

Water Curse’s operations extend beyond cybersecurity. Their repositories include malware, evasion utilities, game cheats, aimbots, cryptocurrency wallet tools, OSINT scrapers, spamming bots, and credential stealers. This reflects a multivertical targeting strategy that blends cybercrime with opportunistic monetization.

This diversification suggests that the actor is technically versatile, financially motivated, and possibly operating as part of a loosely organized or service-driven threat cluster. Their infrastructure and behavior indicate a focus on stealth, automation, and scalability, with active exfiltration via Telegram and public file-sharing services.

The projects found within the associated GitHub repositories can be classified into the following categories:

  • Cybersecurity tools and exploits: Includes utilities for spoofing, evasion, malware generation, RATs, CVE exploitation, and other offensive security operations
  • OSINT, scraping, and spam tools: Encompasses tools used for open-source intelligence gathering, data scraping, mass messaging or spamming activities
  • Game cheats, hacks, and bots: Covers cheat engines, aimbots, ESPs, automation tools, and unlockers developed for popular games
  • Crypto game bots and cheats: Focused on bots and automation tools targeting blockchain-based or cryptocurrency-related games
  • Credential, wallet, and obfuscation utilities: Tools designed for managing, stealing, or hiding credentials, digital wallets, or payloads
  • Bots and general automation tools: Includes generic automation scripts and bot frameworks for various tasks
  • Development and miscellaneous projects: A collection of other development-related or uncategorized tools and utilities

From detection to defense: Lessons from the Water Curse campaign

The Water Curse campaign underscores how deception, exploitation of trust, and deep technical concealment intersect in modern cyber threats. Much like the Curse campaign, which lured victims under a social engineering facade of beauty, this threat group has hidden malicious intent behind legitimate-looking GitHub repositories. This highly active group has orchestrated a widespread operation, leveraging at least 76 GitHub accounts to distribute weaponized repositories.

While the campaign primarily targets cybersecurity professionals, its reach extends well beyond the security community. The group’s repositories include game cheats, crypto wallet tools, credential stealers, and more, revealing a diverse, financially motivated, and technically adept threat actor. Their use of stealth, automation, and public exfiltration channels such as Telegram suggests a scalable and persistent campaign, likely part of a broader service-based cybercrime model.

This analysis highlights the crucial role of managed detection and response (MDR) in modern cybersecurity operations. Through proactive threat hunting, correlation of telemetry across environments, and expert analysis, MDR capabilities help organizations identify and attribute campaigns like those from the Water Curse group. This case also demonstrates how MDR can expose intrusion sets that traditional tools might overlook, making it indispensable in defending against advanced, persistent threats.

In addition, organizations should reinforce security awareness and hygiene among developers, DevOps teams, and penetration testers, who are often on the first line of exposure to threat vectors utilizing open-source platforms. Encourage validation of all third-party code and promote the use of internal code repositories where feasible. Improving verification practices, such as flagging unusual build scripts, unfamiliar file behavior, or excessive obfuscation, can significantly reduce risk from this and similar supply chain attacks.
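The ATT&CK mapping records that the malicious code ran implicitly when the trojanized .csproj was compiled (T1129), and the paragraph above recommends flagging unusual build scripts before building third-party code. The scanner below is an added example, not code from the Trend Micro post or from any Water Curse repository: it walks an MSBuild project file, lists every element that can run a command or load code during a build (Exec, UsingTask, DownloadFile, Import, and the pre/post-build event properties), names the target it is wired into, and marks command lines that look like hidden or encoded PowerShell. SAMPLE_CSPROJ and its ENCODED_PLACEHOLDER are constructed for illustration.

```python
"""Flag build-time code execution in an MSBuild project file before compiling it.

Added example, not code from the Trend Micro post or from any Water Curse
repository. The post records that the malicious code ran when a trojanized
.csproj was compiled (T1129); this scanner lists the MSBuild elements that can
run commands or load code during a build and marks the ones whose command
line looks like hidden or encoded PowerShell. SAMPLE_CSPROJ is constructed.
"""
import re
import sys
import xml.etree.ElementTree as ET

# MSBuild elements that run a command or load external code at build time,
# mapped to the attribute that carries the command, file, or URL.
COMMAND_ELEMENTS = {"Exec": "Command", "UsingTask": "AssemblyFile",
                    "DownloadFile": "SourceUrl", "Import": "Project"}
# Properties whose text is run as a shell command around the build.
EVENT_PROPERTIES = {"PreBuildEvent", "PostBuildEvent"}

# Command-line traits that are rarely legitimate in a build step.
SUSPICIOUS_CMD = re.compile(
    r"(powershell|pwsh)\b.*-(e|ec|enc|encodedcommand)\b"
    r"|-(w|windowstyle)\s+hidden"
    r"|frombase64string|invoke-expression|\biex\b|downloadstring|certutil",
    re.IGNORECASE | re.DOTALL,
)


def strip_ns(tag: str) -> str:
    """Old-style projects carry an xmlns; SDK-style ones do not. Compare local names."""
    return tag.rsplit("}", 1)[-1]


def enclosing_target(elem, parents):
    """Name of the <Target> that contains elem, or None for project-level properties."""
    node = parents.get(elem)
    while node is not None:
        if strip_ns(node.tag) == "Target":
            return node.get("Name")
        node = parents.get(node)
    return None


def scan_csproj(xml_text: str) -> list:
    """Return one finding per build-time execution point in the project file."""
    root = ET.fromstring(xml_text)
    parents = {child: parent for parent in root.iter() for child in parent}
    findings = []
    for elem in root.iter():
        name = strip_ns(elem.tag)
        if name in COMMAND_ELEMENTS:
            text = elem.get(COMMAND_ELEMENTS[name], "")
        elif name in EVENT_PROPERTIES:
            text = (elem.text or "").strip()
        else:
            continue
        findings.append({
            "element": name,
            "target": enclosing_target(elem, parents),
            "condition": elem.get("Condition"),
            "text": text,
            "suspicious": bool(SUSPICIOUS_CMD.search(text)),
        })
    return findings


# Constructed sample: a normal post-build copy plus a hidden PowerShell step
# wired to run before the build. The encoded payload is a placeholder.
SAMPLE_CSPROJ = """\
<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <OutputType>Exe</OutputType>
    <TargetFramework>net8.0</TargetFramework>
    <PostBuildEvent>xcopy "$(TargetDir)" "$(SolutionDir)dist\\" /Y</PostBuildEvent>
  </PropertyGroup>
  <Target Name="PrepareStage" BeforeTargets="BeforeBuild">
    <Exec Command="powershell -w hidden -EncodedCommand ENCODED_PLACEHOLDER" />
  </Target>
</Project>
"""

if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_CSPROJ
    for f in scan_csproj(text):
        flag = "SUSPICIOUS" if f["suspicious"] else "review"
        print(f"[{flag}] {f['element']} in target {f['target']}: {f['text']}")
```

Run it against every .csproj, .vbproj, .props and .targets file in a cloned repository before opening the solution in Visual Studio, since "review" findings with an Import of a file outside the repository, or a target hooked to BeforeBuild, deserve a read even when no command-line pattern fires. The pattern list is deliberately short; it catches the hidden-window and encoded-command traits the post associates with this campaign's PowerShell stages, not every possible obfuscation.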

Proactive Security With Trend Vision One™

Trend Vision One™ is the only AI-powered enterprise cybersecurity platform that centralizes cyber risk exposure management, security operations, and robust layered protection. This comprehensive approach helps you predict and prevent threats, accelerating proactive security outcomes across your entire digital estate. Backed by decades of cybersecurity leadership and Trend Cybertron, the industry’s first proactive cybersecurity AI, it delivers proven results: a 92% reduction in ransomware risk and a 99% reduction in detection time. Security leaders can benchmark their posture and showcase continuous improvement to stakeholders. With Trend Vision One, you’re enabled to eliminate security blind spots, focus on what matters most, and elevate security into a strategic partner for innovation.

Trend Micro™ Threat Intelligence

To stay ahead of evolving threats, Trend customers can access Trend Vision One™ Threat Insights, which provides the latest insights from Trend™ Research on emerging threats and threat actors.

Trend Vision One Threat Insights

Trend Vision One Intelligence Reports (IOC Sweeping)

Hunting Queries

Trend Vision One Search App

Trend Vision One customers can use the Search App to match or hunt the malicious indicators mentioned in this blog post with data in their environment.

Hunting Query for DullRat Malware Detection Presence

malName:*Backdoor.JS.DULLRAT* AND eventName:MALWARE_DETECTION

More hunting queries are available for Trend Vision One customers with Threat Insights Entitlement enabled.

Indicators of Compromise

The indicators of compromise for this entry can be found here.
