

Ethical Hacking News

A New Front in Cybersecurity: The SmartLoader Attack Utilizing Trojanized Oura MCP Servers



A new cyber threat has emerged, targeting developers and leveraging AI-generated lures to deliver an information stealer known as StealC through a trojanized version of the Oura MCP server. The SmartLoader campaign highlights the need for improved security measures against these types of threats.

  • The SmartLoader campaign uses a trojanized version of the Oura Model Context Protocol (MCP) server to deliver an information stealer known as StealC.
  • The threat actors build credibility by creating fake GitHub accounts and repositories to trick users into downloading ZIP archives that deploy SmartLoader.
  • SmartLoader executes an obfuscated Lua script, which drops the malicious payload and deploys StealC to steal credentials, browser passwords, and cryptocurrency wallet data.
  • The campaign targets developers, whose systems have become high-value targets due to their sensitive data.
  • To combat this threat, organizations should inventory MCP servers, establish security reviews, verify server origins, and monitor suspicious traffic.



    SmartLoader is a malicious campaign that has been gaining attention in recent months due to its sophisticated tactics and evasion techniques. At the center of this campaign lies a trojanized version of the Model Context Protocol (MCP) server associated with Oura Health, which is being used to deliver an information stealer known as StealC.

    The SmartLoader campaign is notable for its methodical approach, which involves building credibility through fake GitHub accounts and repositories. The threat actors created at least five fake GitHub accounts under the names YuzeHao2023, punkpeye, dvlan26, halamji, and yzhao112 to build a collection of seemingly legitimate repository forks of the Oura MCP server. This is an attempt to trick users into downloading ZIP archives that deploy SmartLoader.

    The actors then created another Oura MCP server repository under the new account "SiddhiBagul" containing the malicious payload. They added the newly created fake accounts as "contributors" to lend a veneer of credibility, while deliberately excluding the original author from contributor lists. The goal is to make the trojanized version of the Oura MCP server appear legitimate and increase its chances of being downloaded by unsuspecting users.

    Once a user downloads the ZIP archive, the archive executes an obfuscated Lua script that drops SmartLoader, which then deploys StealC. This infostealer allows the threat actors to steal credentials, browser passwords, and data from cryptocurrency wallets.

    The evolution of the SmartLoader campaign indicates a shift from targeting users looking for pirated software to targeting developers, whose systems have become high-value targets due to their sensitive data. The stolen data could then be abused to fuel follow-on intrusions.

    To combat this threat, organizations are advised to inventory installed MCP servers, establish a formal security review before installation, verify the origin of MCP servers, and monitor for suspicious egress traffic and persistence mechanisms. The campaign exposes fundamental weaknesses in how organizations evaluate AI tooling.
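
The inventory and origin-verification steps recommended above can be sketched as follows. This is an added example, not code from the article or from any vendor: it assumes the common "mcpServers" client-config layout, and the sample config, package names, paths and allowlist are all constructed.

```python
import json

# Constructed sample in the common "mcpServers" layout; every name and path is made up.
SAMPLE_CONFIG = """
{
  "mcpServers": {
    "oura":  {"command": "node", "args": ["/home/dev/Downloads/oura-mcp-server/build/index.js"]},
    "files": {"command": "npx",  "args": ["-y", "@example/files-mcp@1.4.2"]},
    "notes": {"command": "npx",  "args": ["-y", "@example/notes-mcp"]}
  }
}
"""

# Hypothetical allowlist produced by a security review: package -> reviewed version.
APPROVED = {"@example/files-mcp": "1.4.2", "@example/notes-mcp": "2.0.0"}
LAUNCHERS = {"npx", "uvx"}  # package runners; any other command is treated as local code

def split_spec(spec):
    """Split 'name@version' into (name, version or None); scoped names start with '@'."""
    name, sep, version = spec.rpartition("@")
    return (name, version) if sep and name else (spec, None)

def inventory(config_text):
    """Return one record per configured MCP server."""
    servers = json.loads(config_text).get("mcpServers", {})
    return [{"name": n, "command": s.get("command", ""), "args": s.get("args", [])}
            for n, s in servers.items()]

def review(entry, approved=APPROVED):
    """Return 'approved' or the reason this server needs a security review."""
    if entry["command"] not in LAUNCHERS:
        return "local code: origin not verifiable from config"
    specs = [a for a in entry["args"] if not a.startswith("-")]
    if not specs:
        return "no package named"
    name, version = split_spec(specs[0])
    if name not in approved:
        return "package not reviewed"
    if version != approved[name]:
        return "version not pinned to reviewed release"
    return "approved"

def report(config_text):
    """Map each configured server name to its review verdict."""
    return {e["name"]: review(e) for e in inventory(config_text)}

if __name__ == "__main__":
    for name, verdict in report(SAMPLE_CONFIG).items():
        print(f"{name:8} {verdict}")
```

A server launched from an unpacked download, like the constructed "oura" entry, is flagged because the config alone says nothing about where the code came from.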

    SmartLoader's success depends on security teams and developers applying outdated trust heuristics to a new attack surface. The campaign highlights the need for improved security measures to protect against these types of threats.

    In conclusion, the SmartLoader attack utilizing trojanized Oura MCP servers is a complex threat that requires attention from cybersecurity professionals. By understanding the tactics and techniques used in this campaign, organizations can take steps to improve their defenses and prevent similar attacks in the future.




  • Published: Wed Feb 18 11:10:39 2026 by llama3.2 3B Q4_K_M












