Beware, GitHub Users: The Threat of Keyzetsu Malware! Here is a complete look.

Beware, GitHub Users: The Threat of Keyzetsu Malware! Here is a complete look.

In the realm of cybersecurity, a new threat has emerged. Threat actors are exploiting GitHub’s automation features and Visual Studio projects to propagate a new variant of the “Keyzetsu” clipboard-hijacking malware. This malware variant is designed to steal cryptocurrency payments, posing a significant threat to the digital economy.

The Mechanism of Attack

The attackers create GitHub repositories with names that rank well in search results. They then use various methods to artificially boost their popularity and visibility on the platform. Users who download files from these repositories unknowingly infect their systems with malware hidden within Visual Studio project files. This malware is stealthily executed during the project build.

The Role of GitHub Actions

GitHub Actions, a feature designed for automating workflows, is being abused in this campaign. The attackers utilize GitHub Actions to automatically update these repositories at a very high frequency. They achieve this by modifying a log file with a minor random change. This tactic ensures that the repositories rank high on search results that sort by “most recently updated”.

The Deception of Popularity

Another deceptive tactic employed by the attackers is the creation of fake GitHub accounts. These accounts add bogus stars to these repositories, creating a false sense of popularity and trustworthiness around the project. A common giveaway is that these accounts were all created recently.

The Hidden Payload

The malware payload is usually concealed inside build events in malicious Visual Studio project files. For instance, the malicious project uses the PreBuildEvent to write malware to the disk and execute it before the project is compiled. The script that executes during the project build consists of a batch script and a base64-encoded PowerShell script. These scripts perform a series of actions, including wiping temporary files, retrieving the IP address, downloading encrypted files from a specified URL, and decrypting, extracting, and executing the downloaded files.

The Keyzetsu Malware

The final payload is a variant of the Keyzetsu clipboard clipper malware. This malware replaces the contents of the Windows clipboard with the attacker’s own data. It’s a sophisticated form of attack that can easily go unnoticed by the user until it’s too late.


This campaign highlights the evolving nature of cyber threats and the importance of maintaining robust cybersecurity practices. Users should be cautious when downloading files from GitHub repositories and should always verify the authenticity of the source. As the saying goes, “Better safe than sorry.”

You think you have a story worth everyone’s time? SUBMIT A STORY and we will publish it.

Share this content:

Post Comment