Threat actor Banana Squad exploits GitHub repos in new campaign

Threat Overview

The Security Operations Center (SOC) has reviewed a threat report rated critical, published by AlienVault on June 19, 2025 and titled Threat actor Banana Squad exploits GitHub repos in new campaign. The report describes a campaign in which the Banana Squad threat actor group seeds GitHub with trojanized repositories.

Banana Squad, first identified in 2023, has created more than 60 trojanized repositories in this campaign. The repositories pose as legitimate hacking tools written in Python, which makes them attractive to the developers and cybersecurity professionals who are most likely to clone and run them. Together they contain hundreds of trojanized Python files in which the backdoor code is concealed behind layers of encoding and encryption, so a casual read of the source does not reveal what it does.

Campaign Details

The primary domain used by this campaign is dieserbenni.ru. A second domain, 1312services.ru, has been observed more recently, which suggests the group is rotating infrastructure to evade detection and keep the campaign running. Both domains should be treated as indicators: block them at the DNS and egress proxy layer, and hunt for them in network logs and in any repositories already cloned into the environment.

The most insidious aspect of the campaign is the abuse of a rendering property of GitHub's code view: long lines are not wrapped. By padding a line with a large run of whitespace before the malicious statement, the attacker pushes it past the right edge of the viewport, so a reviewer reading the file on GitHub sees only the benign-looking prefix unless they scroll horizontally or open the raw file. This is not a vulnerability in GitHub; what is being exploited is the habit of reviewing code visually in the web UI. It shows how supply chain attacks on open-source platforms increasingly target the reviewer rather than the build system, and why review has to be backed by automated checks rather than eyesight alone.
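The off-screen padding and encoded-payload tricks described above can be caught with a static check before code from a public repository is run. The scanner below is an added example for this post, not code from the report, from AlienVault or from the threat actor. The two sample files are constructed for the example, the length and gap thresholds are assumptions to tune for your own code base, and the only campaign-specific data it uses are the two domains named on this page.

```python
"""Static scan of Python source for off-screen code, encoded droppers and IOC domains."""
import re
import sys
from dataclasses import dataclass
from pathlib import Path

# Domains named in the report; treated here as indicators to hunt for.
IOC_DOMAINS = ("dieserbenni.ru", "1312services.ru")

# Heuristic thresholds (assumptions for this example; tune to your code base).
MAX_LINE_LEN = 200   # legitimate Python rarely exceeds this
MIN_GAP = 40         # a run of this many spaces/tabs mid-line is suspicious

# Visible code, then a long run of whitespace, then more code on the same line:
# the shape of a statement pushed past the right edge of a non-wrapping code view.
OFFSCREEN_GAP = re.compile(r"\S[ \t]{%d,}\S" % MIN_GAP)

# exec/eval fed by a decoder or decryptor, the usual shape of an encoded dropper.
DECODER_EXEC = re.compile(
    r"\b(exec|eval)\s*\(.*\b(b64decode|b32decode|b16decode|decompress|decrypt|fromhex)\b"
)


@dataclass
class Finding:
    path: str
    lineno: int
    rule: str
    detail: str


def scan_source(path: str, text: str) -> list[Finding]:
    """Return one Finding per rule hit, per line, for a single Python source file."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if len(line) > MAX_LINE_LEN:
            findings.append(Finding(path, lineno, "long-line", f"{len(line)} chars"))
        gap = OFFSCREEN_GAP.search(line)
        if gap:
            # m.end() - 1 is the first character after the whitespace run.
            hidden = line[gap.end() - 1:].strip()
            findings.append(Finding(path, lineno, "offscreen-code", hidden[:60]))
        if DECODER_EXEC.search(line):
            findings.append(Finding(path, lineno, "decoder-exec", line.strip()[:60]))
        for domain in IOC_DOMAINS:
            if domain in line:
                findings.append(Finding(path, lineno, "ioc-domain", domain))
    return findings


def scan_tree(root: str) -> list[Finding]:
    """Scan every .py file under root (e.g. a freshly cloned repository)."""
    findings: list[Finding] = []
    for file in sorted(Path(root).rglob("*.py")):
        findings.extend(scan_source(str(file), file.read_text(errors="replace")))
    return findings


# Constructed samples: a clean tool and the same tool with a padded, encoded call-out.
CLEAN_SAMPLE = (
    "import argparse\n"
    "\n"
    "def main():\n"
    '    parser = argparse.ArgumentParser(description="port scanner")\n'
    '    parser.add_argument("host")\n'
    "    args = parser.parse_args()\n"
    "    print(args.host)\n"
)

TROJANIZED_SAMPLE = (
    "import argparse, base64\n"
    "\n"
    "def main():\n"
    '    parser = argparse.ArgumentParser(description="port scanner")'
    + " " * 400                      # pushes the next statement off-screen
    # harmless placeholder payload (base64 of print('hello')), never executed here
    + ";exec(base64.b64decode('cHJpbnQoJ2hlbGxvJyk='))\n"
    '    parser.add_argument("host")\n'
    "    url = 'http://dieserbenni.ru/'\n"
)

if __name__ == "__main__":
    # Usage: python scan.py <cloned-repo-dir>; without an argument, scan the samples.
    if len(sys.argv) > 1:
        results = scan_tree(sys.argv[1])
    else:
        results = scan_source("clean.py", CLEAN_SAMPLE) + scan_source(
            "trojanized.py", TROJANIZED_SAMPLE
        )
    for f in results:
        print(f"{f.path}:{f.lineno}: [{f.rule}] {f.detail}")
```

Run against a clone before anything in it is executed; the trojanized sample triggers all three code rules on its padded line and the domain rule two lines later, while the clean sample produces nothing. The whitespace-gap heuristic only catches ASCII padding and is easy to vary, so treat it as one signal alongside the decoder and indicator rules, and always open the raw file for any line it flags.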

Recommendations

To mitigate the risks associated with this campaign, the SOC recommends the following actions:

  1. Enhanced Code Review Processes: Treat code pulled from public repositories as untrusted until it has been read in full. Review the raw file or a local clone with a line-length limit enforced rather than the GitHub web view, and run automated scans for over-long lines, encoded blobs passed to exec or eval, and network indicators before anything is integrated into a build or run on an analyst workstation.

  2. Use of Reputation Services: Use reputation services that flag suspicious domains and repositories, and add the two domains named above to blocklists and hunting queries, so that known infrastructure is caught before a dependency enters the development pipeline.

  3. Regular Security Audits: Audit all repositories in use, including those from trusted sources, for unusual patterns or hidden code that may indicate tampering. Pin dependencies to reviewed commits or hashes so that a later malicious push is not picked up silently.

  4. Employee Training: Train developers and cybersecurity professionals, who are the stated targets of this campaign, to recognize trojanized tooling and to run freshly cloned tools only in an isolated sandbox until they have been vetted.

  5. Monitoring and Alerts: Monitor repositories and developer endpoints continuously and alert on changes that do not follow standard practice, such as commits that introduce very long lines or newly encoded content, and outbound connections from development hosts to unfamiliar domains.

  6. Multi-Factor Authentication (MFA): Enforce MFA on every account that can push to or administer code repositories and development environments, so that a compromised password alone is not enough to publish trojanized code under a trusted name.

  7. Patch Management: Keep all software and tools used in the development process current with the latest patches and security updates, since vulnerabilities in outdated software give threat actors a second way in.

  8. Incident Response Plan: Develop and maintain an incident response plan specific to supply chain attacks, covering containment, eradication and recovery, communication with stakeholders, and how to identify every host that cloned or executed a trojanized repository.

Conclusion

The campaign launched by the Banana Squad threat actor group highlights the evolving nature of cyber threats and the need for proactive security measures. By understanding the tactics, techniques, and procedures (TTPs) used in this campaign, organizations can better prepare and defend against similar attacks. The SOC will continue to monitor this threat and provide updates as new information becomes available.

For additional details, please refer to the following external references:

  1. Security Boulevard: https://securityboulevard.com/2025/06/threat-actor-banana-squad-exploits-github-repos-in-new-campaign
  2. OTX AlienVault: https://otx.alienvault.com/pulse/685444dd82d2d53888c6afb4

We recommend visiting the Security Boulevard page for a more in-depth analysis and additional recommendations on how to protect your organization from this threat.
