Weaponizing Trust: Investigating a Threat Actor Targeting Security Researchers and Academics

Presented at DEF CON 33 (2025), Aug. 8, 2025, 1:30 p.m. (45 minutes).

You patch vulnerabilities, sandbox malware, and audit code. You know not to click suspicious links. But what if the real threat isn't in phishing emails or zero-days—but in the very tools and research you're relying on? In late 2024, we uncovered a new threat actor, MUT-1244, targeting security professionals, red teamers, and academics. They use trojanized proof-of-concept exploits and fake software updates to exploit trust in open-source tools and research environments. During our investigation, we discovered over 390,000 leaked credentials that MUT-1244 exfiltrated from a compromised actor, revealing the scale of their operation.

In this talk, we'll reveal how MUT-1244 operates through fake GitHub profiles and showcase our use of OSINT to map their infrastructure and tactics. We'll also share our attribution findings and methodology. Attendees can expect to hear technical details of the campaigns conducted by this threat actor, some notes on attribution, ideas for detecting this activity in your environment, and the story of how the speakers discovered over 390,000 credentials inadvertently stolen from unrelated threat actors by MUT-1244.

References:

  • https://arxiv.org/pdf/2210.08374
  • https://www.ndss-symposium.org/wp-content/uploads/madweb2022_23001_paper.pdf
  • https://www.uptycs.com/blog/threat-research-report-team/fake-poc-repositories-malicious-code-github
  • https://www.sonicwall.com/blog/hold-verify-execute-rise-of-malicious-pocs-targeting-security-researchers
  • https://www.sciencedirect.com/science/article/pii/S2667096822000477
  • https://link.springer.com/article/10.1007/s41870-023-01558-3
  • https://checkmarx.com/blog/dozens-of-machines-infected-year-long-npm-supply-chain-attack-combines-crypto-mining-and-data-theft/

Presenters:

  • Matt Muir
    Matt is a security researcher with a passion for UNIX and UNIX-like operating systems. He previously worked as a macOS malware analyst and his background includes experience in the areas of digital forensics, DevOps, and operational cyber security. Matt enjoys technical writing and has published research including the discovery of the first malware family to target AWS Lambda, emerging cloud-focused botnets, and a series of novel Linux malware campaigns.
  • Christophe Tafani-Dereeper
    Christophe lives in Switzerland and works on cloud security research and open source at Datadog. He previously worked as a software developer, penetration tester and cloud security engineer. Christophe is the maintainer of several open-source projects such as Stratus Red Team, GuardDog, CloudFlair, Adaz, and the Managed Kubernetes Auditing Toolkit (MKAT).