Following a recent TrendMicro [investigation](https://www.trendmicro.com/en_us/research/25/c/ai-assisted-fake-github-repositories.html), we have found many GitHub repositories actively delivering SmartLoader. SmartLoader is Lua-written loader distributed since mid 2023.

In recent campaigns, threat actors have been creating new GitHub repositories populated with an AI generated README and filled with fake backdated commits. We have also observed the same payloads being distributed via inactive repositories. These repositories are typically forked, with a new release containing SmartLoader ultimately added.

We have uploaded on our [GitHub](https://github.com/cert-orangecyberdefense/cti/tree/main/smartloader) an additional list of IoCs that complements TrendMicro's report.

**Released on 2025-03-12**