TroyDen’s Lure Factory
TroyDen’s Lure Factory is a malware campaign identified by Netskope Threat Labs that uses fake GitHub repositories and trojanized packages to target software developers, gamers, Roblox users, and cryptocurrency users. The campaign is tracked internally as TroyDen’s Lure Factory and is associated with the name TroyDen and a Telegram channel, @NumberLocationTrack, which reportedly operated under the name TroyDen since June 2025.

The campaign relies on fake repositories impersonating legitimate projects, including AAAbiola/openclaw-docker, which impersonated a Docker deployment tool for the legitimate OpenClaw AI project. The repositories used polished README files, installation instructions, companion GitHub.io pages, fake stars and forks from throwaway GitHub accounts, and search-optimized topic tags such as ai-agents, docker, openclaw, and LLM to increase visibility and credibility. Researchers linked more than 300 confirmed delivery packages and multiple GitHub repositories to the same attacker infrastructure. Observed lures included gaming cheats, phone trackers, VPN crackers, and Roblox scripts.

The malware is a custom LuaJIT trojan with a split payload designed to evade automated scanning. Each malicious ZIP package contained Launch.bat, a renamed LuaJIT runtime named unc.exe, and an obfuscated Lua script disguised as license.txt. The batch file executed the LuaJIT runtime against the obfuscated Lua script, so that each file appeared benign when scanned on its own. The Lua payload was obfuscated with Prometheus Obfuscator to hinder static analysis.

Observed behavior includes anti-analysis checks for debugger presence, low RAM, short system uptime, elevated privilege access, and specific computer names, with execution stopping if sandbox or analysis indicators are detected. The malware also used a Sleep() delay of roughly 29,000 years to outlast timed analysis windows.
On execution, it geolocated the victim, captured a full desktop screenshot, disabled Windows proxy auto-detection via four registry writes, and communicated with a command-and-control server in Frankfurt, Germany. The screenshot was uploaded via a hardcoded multipart POST request, and the server responded with encrypted task and loader blobs that were saved to the victim’s Documents folder. Researchers identified eight confirmed IP addresses behind the same load-balanced backend infrastructure. The report notes that lure naming patterns and repeated implementation artifacts suggested possible AI-assisted malware production, but this is presented as researcher assessment rather than confirmed attribution. No nation-state attribution is stated in the report.
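The split-payload layout described above (a batch launcher, a renamed LuaJIT runtime, and a Lua script disguised as a text file) is easy to miss when each file is scanned alone, so a triage script that looks at the archive as a whole is useful. The following is an added example, not Netskope's or the campaign's code; the Lua-keyword threshold, the check for a "LuaJIT" string inside the executable, and the sample archive contents are assumptions and placeholders, not indicators from the report.

```python
"""Triage a ZIP for the Launch.bat / unc.exe / license.txt bundle pattern.

Heuristic only: flags archives where a batch file runs an executable from the
archive and passes it a .txt that actually contains Lua source.
"""
import io
import re
import zipfile

# Assumed markers of Lua source; three or more in a .txt is treated as a hit.
LUA_MARKERS = (b"local ", b"function", b"end", b"string.char", b"loadstring")


def triage_zip(data: bytes) -> dict:
    """Inspect an in-memory ZIP and return the indicators found."""
    found = {"bat": [], "exe": [], "lua_in_txt": [],
             "bat_links_exe_to_txt": False, "luajit_string": False}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        exe_names = [n for n in names if n.lower().endswith(".exe")]
        for name in names:
            low = name.lower()
            blob = zf.read(name)
            if low.endswith((".bat", ".cmd")):
                found["bat"].append(name)
                # Does the batch file invoke an archive .exe with a .txt argument?
                for exe in exe_names:
                    base = re.escape(exe.rsplit("/", 1)[-1].encode())
                    if re.search(base + rb"[^\r\n]*\.txt", blob, re.IGNORECASE):
                        found["bat_links_exe_to_txt"] = True
            elif low.endswith(".exe"):
                found["exe"].append(name)
                # Assumed heuristic: a stock LuaJIT build carries its name as a string.
                if b"LuaJIT" in blob:
                    found["luajit_string"] = True
            elif low.endswith(".txt"):
                if sum(1 for m in LUA_MARKERS if m in blob) >= 3:
                    found["lua_in_txt"].append(name)
    found["suspicious"] = bool(found["bat"] and found["exe"]
                               and found["lua_in_txt"] and found["bat_links_exe_to_txt"])
    return found


def build_sample(lure: bool = True) -> bytes:
    """Constructed archives: one mimicking the reported layout, one benign."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if lure:  # placeholder contents, not the real files
            zf.writestr("Launch.bat", "@echo off\r\nunc.exe license.txt\r\n")
            zf.writestr("unc.exe", b"MZ placeholder LuaJIT 2.1 placeholder")
            zf.writestr("license.txt",
                        "local a=string.char(1)\nfunction f() return a end\nloadstring(f())()\n")
        else:
            zf.writestr("README.txt", "Thanks for downloading.\n")
            zf.writestr("setup.exe", b"MZ placeholder")
    return buf.getvalue()
```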
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- Software & Services
Where they're from
Attributed origin per open-source reporting.
- DE
Recent activity
1 source tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.