Malware | Jun 8, 2026
Totally legit "DocuSign" release in a GitHub (Microsoft owned service) repo: https://github[.]com...
Malware disguised as DocuSign release found in GitHub repo.
Summary
A malicious executable, DocusignSetup.exe, has been discovered in a GitHub repository, masquerading as a legitimate DocuSign release. The malware is signed with a certificate attributed to 'Paula Foster' that appears to be Microsoft-issued, which may lend the file a false appearance of legitimacy. It communicates with a command-and-control server via the domain bbytati25iy2.anondns[.]net, which resolves to the IP address 84.54.33[.]250.
Indicators of Compromise
- url — https://github[.]com/lonergigs-code/DocuSign/releases/
- domain — bbytati25iy2.anondns[.]net
- ip — 84.54.33[.]250
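
A hunt for the three indicators above across DNS, firewall and proxy logs, as an added example that is not part of the original report. The log lines, host names and log formats are constructed, and `refang`, `build_matchers` and `hunt` are illustrative names.

```python
import re

# IoCs exactly as listed on this page, kept in defanged form.
DEFANGED_IOCS = {
    "url": "https://github[.]com/lonergigs-code/DocuSign/releases/",
    "domain": "bbytati25iy2.anondns[.]net",
    "ip": "84.54.33[.]250",
}

def refang(value):
    """Undo the [.] / hxxp defanging so the value can match real log data."""
    return value.replace("[.]", ".").replace("hxxp", "http")

def build_matchers(iocs):
    """One case-insensitive regex per IoC, bounded so look-alikes do not hit."""
    matchers = {}
    for kind, raw in iocs.items():
        live = refang(raw)
        if kind == "url":
            # Drop the scheme: proxy logs often record host and path only.
            live = live.split("://", 1)[-1]
            pattern = r"(?<![\w.-])" + re.escape(live)
        elif kind == "domain":
            # Allow subdomains in front, reject longer names on either side.
            pattern = r"(?<![\w-])" + re.escape(live) + r"(?![\w-]|\.\w)"
        else:  # ip: reject matches embedded in a longer dotted number
            pattern = r"(?<![\d.])" + re.escape(live) + r"(?!\d|\.\d)"
        matchers[kind] = re.compile(pattern, re.IGNORECASE)
    return matchers

def hunt(lines, matchers):
    """Return (line_number, ioc_kind) for every IoC seen in the log lines."""
    return [(n, kind) for n, line in enumerate(lines, start=1)
            for kind, regex in matchers.items() if regex.search(line)]

# Constructed sample log lines (hosts, timestamps and formats are made up).
DOMAIN, IP, URL = (refang(DEFANGED_IOCS[k]) for k in ("domain", "ip", "url"))
SAMPLE_LOGS = [
    f"2026-06-08T10:01:02Z dns ws-17 query A {DOMAIN.upper()}.",
    f"2026-06-08T10:01:03Z fw ws-17 allow tcp 10.0.0.17:50122 -> {IP}:443",
    f"2026-06-08T09:58:40Z proxy ws-17 GET {URL}",
    f"2026-06-08T10:02:00Z dns ws-22 query A {DOMAIN}.example.org",  # look-alike
    f"2026-06-08T10:03:00Z fw ws-22 allow tcp 10.0.0.22:50200 -> 1{IP}:443",  # look-alike
    "2026-06-08T10:04:00Z proxy ws-22 GET https://github.com/",  # unrelated
]

if __name__ == "__main__":
    for number, kind in hunt(SAMPLE_LOGS, build_matchers(DEFANGED_IOCS)):
        print(f"line {number}: {kind} IoC")
```

The indicators stay defanged in the source and are refanged only in memory, so the script itself can be shared without tripping the same detections.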
Entities
- DocuSign (product)
- Microsoft (vendor)
- GitHub (technology)