惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Google DeepMind News
Google DeepMind News
S
Security Affairs
阮一峰的网络日志
阮一峰的网络日志
L
LangChain Blog
Microsoft Azure Blog
Microsoft Azure Blog
雷峰网
雷峰网
Recent Announcements
Recent Announcements
WordPress大学
WordPress大学
The GitHub Blog
The GitHub Blog
博客园_首页
The Cloudflare Blog
M
MIT News - Artificial intelligence
博客园 - 【当耐特】
MyScale Blog
MyScale Blog
S
SegmentFault 最新的问题
P
Proofpoint News Feed
Y
Y Combinator Blog
Jina AI
Jina AI
博客园 - 聂微东
A
About on SuperTechFans
Blog — PlanetScale
Blog — PlanetScale
博客园 - 司徒正美
G
Google Developers Blog
云风的 BLOG
云风的 BLOG
F
Full Disclosure
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
Microsoft Security Blog
Microsoft Security Blog
爱范儿
爱范儿
T
Tailwind CSS Blog
J
Java Code Geeks
Vercel News
Vercel News
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
Stack Overflow Blog
Stack Overflow Blog
罗磊的独立博客
小众软件
小众软件
酷 壳 – CoolShell
酷 壳 – CoolShell
T
The Blog of Author Tim Ferriss
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
博客园 - 三生石上(FineUI控件)
W
WeLiveSecurity
PCI Perspectives
PCI Perspectives
Attack and Defense Labs
Attack and Defense Labs
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
宝玉的分享
宝玉的分享
IT之家
IT之家
Hacker News: Ask HN
Hacker News: Ask HN
The Register - Security
The Register - Security
T
The Exploit Database - CXSecurity.com
T
Threat Research - Cisco Blogs

Malwarebytes

Kali365 phishing kit bypasses MFA and steals Microsoft logins Company bragged phone mics could listen to conversations. They couldn’t. Fake LinkedIn emails abuse Adobe to track victims Fake software on GitHub and SourceForge distribute Deno RAT 700+ education and tech websites hijacked in huge ClickFix malware campaign Scammers pretending to be Microsoft had help from US executives A week in security (May 18 – May 24) Update Chrome now: Critical bugs could let attackers run code Microsoft Defender vulnerabilities are being exploited in the wild TikTok, YouTube, and Roblox face scrutiny, but age gates won’t fix child safety Catch spyware in the act with Windows Webcam Monitoring Researchers left AI agents alone in a virtual town and watched it all unravel Fake malware-signing service Fox Tempest dismantled by Microsoft Firefox 151 packs big privacy upgrades into a small update Biometrics, diagnoses, and bank details exposed in major healthcare breach Facebook scam promises cheap Aldi meat boxes, steals payment info instead YouTube wants your face to fight deepfakes Microsoft is changing Edge’s plaintext password behavior A week in security (May 11 – May 17) AI is distorting the Holocaust (Lock and Code S07E10) Attackers replaced JDownloader installer downloads with malware Meta’s confusing new approach to chat privacy Why Malwarebytes blocks some Yahoo Mail redirects Deepfake sextortion forces schools to remove student photos from websites Texas sued Netflix over claims it secretly collected and sold users’ data May 2026 Patch Tuesday: no zero-days but plenty to fix Fake Claude search results lure Mac users into ClickFix attack 1 in 8 employees have sold company logins or know someone who has Stolen Canvas data was “returned” after hacker agreement, Instructure says Yarbo responds to robot flaws that could mow down their owners A week in security (May 4 – May 10) Microsoft says Edge’s plaintext password behavior is “by design” ShinyHunters escalates Canvas attacks with school login defacements Massive AI investment scam network spans 15,500 domains If a fake moustache can fool age checks, is the Online Safety Act working? Google Chrome’s silent 4GB AI download problem Attackers adopt JavaScript runtime Bun to spread NWHStealer Millions of students’ personal data stolen in major education breach Update WhatsApp now: Two new flaws could expose you to malicious files Cyberattacks are raising your prices (Lock and Code S07E09) Thousands of Facebook accounts stolen by phishing emails sent through Google The 2026 World Cup scam economy is already running before the first whistle A week in security (April 27 – May 3) 3 easy-to-miss cybersecurity risks for small businesses Actively exploited cPanel bug exposes millions of websites to takeover More PayPal emails hijacked to deliver tech support scams Hackers stole hundreds of thousands of Roblox accounts: Here’s what to do Researchers built a chatbot that only knows the world before 1931 Microsoft won’t patch PhantomRPC: Feature or bug? Scam-checking just got a lot easier: Malwarebytes is now in Claude Fake CAPTCHA scam turns a quick click into a costly phone bill Chinese engineer stole US military and NASA software for years A week in security (April 20 – April 26) Medical data of 500,000 UK volunteers listed for sale on Alibaba How cyberattacks on companies affect everyone Apple fixes iOS bug that kept deleted notifications, including chat previews Roblox clamps down on chats and age checks as legal pressure builds Malicious trading website drops malware that hands your browser to attackers Researcher claims Claude Desktop installs “spyware” on macOS Fake Google Antigravity downloads are stealing accounts in minutes Real Apple notifications are being used to drive tech support scams Android 17 ends all-or-nothing access to your contacts Big Tech can stop scams. They just don’t (Lock and Code S07E08) Mythos: An AI tool too powerful for public release A week in security (April 13 – April 19) This old-school scam is still working “Your shipment has arrived” email hides remote access software Browser Guard gets even better with Access Control “iCloud storage is full” scam is back, and now it wants your payment details A fake Slack download is giving attackers a hidden desktop on your machine Booking.com breach gives scammers what they need to target guests AI clickbait can turn your notifications into a scam feed Fake YouTube copyright notices can steal your Google login From fake Proton VPN sites to gaming mods, this Windows infostealer is everywhere April Patch Tuesday fixes two zero-days, including one under active attack Credit Resources Vault: Why this credit email set off our scam alarms Omnistealer uses the blockchain to steal everything it can ChatGPT under scrutiny as Florida investigates campus shooting Simply opening a PDF could trigger this Adobe Reader zero-day A week in security (April 6 – April 12) Fake Claude site installs malware that gives attackers access to your computer ClickFix finds a new way to infect Macs Scammers pose as Amazon support to steal your account NSFW app leak exposes 70,000 prompts linked to individual users 30,000 private Facebook images allegedly downloaded by Meta employee This fake Windows support website delivers password-stealing malware Your extensions leak clues about you, so we made sure Browser Guard doesn’t Russian hacking group targets home and small office routers to spy on users Timeshare owners warned to watch out for cartel-linked scams Traffic violation scams swap links for QR codes to steal your card details Support platform breach exposes Hims & Hers customer data A week in security (March 30 – April 5) Killer robots are here. Now what? (Lock and Code S07E07) That dream job offer from Coca-Cola or Ferrari? It’s a trap for your passwords Blocking children from social media is a badly executed good idea Apple expands “DarkSword” patches to iOS 18.7.7 Malwarebytes Privacy VPN receives full third-party audit Wikipedia’s AI agent row likely just the beginning of the bot-ocalypse WhatsApp on Windows users targeted in new campaign, warns Microsoft Why we’re still not doing April Fools’ Day
Retro gaming fans are the new target for fake GitHub malware
Stefan Dasic · 2026-06-18 · via Malwarebytes

Retro gaming fans should be careful with GitHub projects that claim to be tools or plugins for their consoles. Attackers can disguise ordinary computer malware as homebrew software, and the technique works against any retro platform with an active modding scene, not just one console.

We recently looked at one example aimed at PlayStation Vita owners: a fake project that pretends to be a free audio tool but actually runs Windows malware on your computer.

The project, called EQVita, looks like a normal homebrew plugin. It has a polished README, a download button, screenshots, and a tidy layout. But the file you download doesn’t contain anything for a Vita at all. It contains three Windows files, and the harmless-looking text file among them is actually a hidden script that quietly connects to the attacker’s server once you run it.

This isn’t a one-off. Other researchers have observed attackers using fake GitHub repositories—dressed up with AI-generated descriptions—to spread a type of malware called SmartLoader, which then pulls in password and wallet-stealing malware such as Lumma Stealer. The EQVita download uses the same method, repackaged to appeal to retro gaming fans.

Take a look at the comparison below. On the left we have a fake GitHub repository, on the right a real one.

Left ImageRight Image

There’s even a small trick in the version number. The real EQVita is on version 1.10, while the fake is labeled 1.3. At a glance, 1.3 may appear newer—but it isn’t. In software, 1.10 comes after 1.9, so the real project is the more up-to-date one. The fake just borrows a number that looks current.

If you’re not into retro consoles, the PS Vita might not mean much to you. But for a large and active community, it’s a big deal, and that makes it a target.

I’ll admit a soft spot here: I bought my own Vita 1000 second hand about ten years ago, and it still runs beautifully. It comes off the shelf every now and then, mostly because the library is so deep there’s always something worth coming back to. I’m clearly not alone.

Even though Sony stopped making the Vita years ago, fans have kept it alive by writing their own software for it: emulators, file managers, and plugins. A modded Vita can run its own PSP games at full speed and emulate older systems like the SNES, Game Boy Advance, and Sega Genesis, which turns the handheld into a do-everything retro machine. In 2026 the scene is thriving, with active developers and even homebrew contests with cash prizes.

That demand shows up in the price, too. With no new units made since 2019, working Vitas have become a sought-after retro item, and resale prices have climbed across the major marketplaces over the past year—the older OLED model, prized by modders for its firmware, has risen the most. In other words, more people than ever are buying a Vita specifically to mod it, which means more people hunting for plugins and tools to install.

That enthusiasm is exactly what attackers abuse. Homebrew users are used to downloading files from GitHub, dropping them into folders, and running them. The whole hobby runs on trusting code from individual developers. Scammers know this, so a fake “Vita plugin” is an easy way to get people to run something they normally wouldn’t.

How the scam works

The download, EQ_Vita_v1.3.zip, contains three files:

  • Launch.bat
  • luajit.exe
  • x64.txt

Here’s the clever part. luajit.exe is a real, harmless program that runs scripts. The batch file simply tells it to open x64.txt. Despite the .txt name, that file isn’t text at all—it’s a hidden script, and LuaJIT runs it. Calling it .txt is what makes it look harmless and easy to scroll past. Researchers found the same setup in the SmartLoader campaign: the only dangerous file in the download is the disguised script, and everything around it is legitimate.

So nothing in the download looks dangerous on its own. There’s no obvious installer and no scary-looking app—just a trusted tool being used to run someone else’s code.

We watched what happened when it ran. First, the script checked where in the world the computer was. Then it quietly contacted a server on the internet and sent it data, using a web address scrambled into a meaningless-looking string. The server answered back.

An audio plugin has no reason to do any of that. This is how a malware “loader” behaves: it phones home to the attacker’s server to receive instructions and fetch its next piece of malware. In this campaign, that next piece is usually a stealer—malware that hunts for cryptocurrency wallets, saved browser passwords, and login codes.

Malwarebytes blocks this threat, so protected users are stopped before the file can run.

How to spot the fake

Most Vita plugins are installed on the Vita, using tools like VitaShell or Autoplugin, and they come as Vita files (the kind ending in .skprx or .vpk).

Some legitimate tools in the scene—installers, file-transfer helpers, build tools—do run on a PC, so a Windows program isn’t automatically bad. The key is to check before you run it.

Is it well known? Is it widely used? Is it recommended by trusted community sources, or did you just stumble onto it in an unfamiliar repository? A “plugin” that quietly leans on a .bat file to launch a hidden program is exactly what that check is meant to catch.

A few habits help:

  • Match the file to the device, and verify PC tools. Most Vita plugins are Vita files, not Windows programs. Some legitimate tools do run on your PC, so don’t panic at an .exe or .bat, but check that it’s a well-known, trusted tool before running it.
  • Be wary of “Download Now” polish. Real homebrew READMEs are written for users like other developers. In this campaign, the fake repositories lean on AI-generated text, which tends to read like marketing: heavy on emoji, friendly phrasing, and a big download button. A project that pushes you to click fast deserves a second look.
  • Stick to trusted sources. Established community hubs and trusted-source lists exist for a reason. Check before you download.
  • Add another layer of protection. Malwarebytes Browser Guard can help block known malicious pages and downloads before they reach you.

What to do if you’ve already run it

If you have downloaded and run EQ_Vita_v1.3.zip, you should treat the computer as compromised. Here’s what to do:

  • Run a full malware scan with up-to-date security software.
  • Because this campaign delivers information-stealing malware, change your important passwords from a different, clean device, and review your accounts for unauthorized logins.
  • If you keep any cryptocurrency on that computer, move your funds using a different, clean device and rotate your keys and seed phrases.
  • Check your two-factor authentication (2FA) settings, as stealers can also target 2FA data.
  • Finally, delete the three files and report the GitHub repository so it can be taken down.

Why this scam works

It works because it doesn’t look like a scam. It lives on GitHub, where homebrew users already place their trust. It uses a real, harmless tool to do its dirty work. And it hides the dangerous part inside a file that looks like plain text. None of those tricks is clever on its own, but together they slip right past the quick checks most people actually do.

What makes this one worth noting is where it’s aimed. Retro communities run on goodwill—volunteers who keep old hardware alive, share their work for free, and vouch for one another’s tools. That same trust is what this campaign exploits, and every fake repository that slips through makes the next genuine project a little harder to trust.

The best defense is the one these communities already have: trusted-source lists, established wikis, and people who test things and report back. Verify where a file comes from before you run it, and when something doesn’t add up, say so. That habit is what keeps the scene safe for everyone in it.

Indicators of Compromise (IOCs)

Domains

https://github.com/Voistace/EQVita
https://voistace.github.io

IP

85.137.52.21 C2


We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

About the author

Passionate about antivirus solutions, Stefan has been involved in malware testing and AV product QA from an early age. As part of the Malwarebytes team, Stefan is dedicated to protecting customers and ensuring their security.