Tainan Branch, Administrative Enforcement Agency, Ministry of Justice


GitHub, Telegram Bots, and ASCII QR Codes Abused in New Wave of Phishing Attacks

  • Publication Date :
  • Last updated: 2025-02-05

A new tax-themed malware campaign targeting insurance and finance sectors has been observed leveraging GitHub links in phishing email messages as a way to bypass security measures and deliver Remcos RAT, indicating that the method is gaining traction among threat actors.

"In this campaign, legitimate repositories such as the open-source tax filing software, UsTaxes, HMRC, and InlandRevenue were used instead of unknown, low-star repositories," Cofense researcher Jacob Malimban said.

"Using trusted repositories to deliver malware is relatively new compared to threat actors creating their own malicious GitHub repositories. These malicious GitHub links can be associated with any repository that allows comments."

Central to the attack chain is the abuse of GitHub infrastructure for staging the malicious payloads. One variation of the technique, first disclosed by OALABS Research in March 2024, involves threat actors opening a new GitHub issue on a well-known repository, uploading a malicious payload to it, and then closing the issue without saving it.

Even though the issue is never saved, the uploaded file persists, which makes this a vector ripe for abuse: attackers can upload any file of their choice under a trusted repository's name and leave no trace except the link to the file itself.
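As an added example that is not part of the article and not code from Cofense or OALABS, the following Python helper separates GitHub links that point at a repository's own content from links that point at issue or comment attachments, which is where files uploaded through the technique above are served from. The attachment URL shapes and the sample URLs are my own assumptions and constructed values, not indicators from this campaign.

```python
import re
from urllib.parse import urlparse

# Constructed sample of link targets as they might appear in an email body.
# These are hypothetical values, not indicators from the article.
SAMPLE_URLS = [
    "https://github.com/example-org/UsTaxes",                                  # repo landing page
    "https://github.com/example-org/UsTaxes/blob/main/README.md",              # tracked source file
    "https://github.com/example-org/UsTaxes/files/1234567/Tax_Form_2024.zip",  # legacy issue attachment
    "https://github.com/user-attachments/files/7654321/Invoice.zip",           # newer issue attachment
    "https://raw.githubusercontent.com/example-org/UsTaxes/main/setup.py",     # not github.com host
]

# Assumed attachment URL shapes (not stated in the article): files dropped into an
# issue or comment editor are served from these paths regardless of whether the
# issue was ever submitted, so they say nothing about the repository's real content.
ATTACHMENT_PATTERNS = [
    re.compile(r"^/[^/]+/[^/]+/files/\d+/"),            # /<owner>/<repo>/files/<id>/<name>
    re.compile(r"^/user-attachments/(files|assets)/"),  # /user-attachments/files/<id>/<name>
]

# Extensions that warrant scrutiny when delivered as an issue attachment.
ARCHIVE_OR_EXEC = (".zip", ".rar", ".7z", ".exe", ".js", ".vbs", ".iso", ".img", ".lnk")


def classify_github_link(url: str) -> dict:
    """Return {'url', 'kind', 'suspicious'}; kind is one of
    'not-github', 'repo-content' or 'issue-attachment'."""
    parsed = urlparse(url)
    if parsed.netloc.lower() != "github.com":
        return {"url": url, "kind": "not-github", "suspicious": False}
    is_attachment = any(pat.match(parsed.path) for pat in ATTACHMENT_PATTERNS)
    kind = "issue-attachment" if is_attachment else "repo-content"
    # An attachment with an archive/executable extension is hosted by the project's
    # issue tracker, not its source tree, so the trusted repo name vouches for nothing.
    suspicious = is_attachment and parsed.path.lower().endswith(ARCHIVE_OR_EXEC)
    return {"url": url, "kind": kind, "suspicious": suspicious}


def flag_links(urls) -> list:
    """Return only the links that should be held for review."""
    return [r for r in map(classify_github_link, urls) if r["suspicious"]]


if __name__ == "__main__":
    for hit in flag_links(SAMPLE_URLS):
        print(f"{hit['kind']}: {hit['url']}")
```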
