Last Updated on April 14, 2026
Introduction
This post identifies and tracks multiple SmartLoader/StealC variants discovered across GitHub repositories.
The objective is to analyze campaign-level reuse, including documentation language, loader structure, and obfuscation patterns, rather than to redistribute or operationalize malicious code.
What is tracked
- IoCs: File hashes and repository origin (archived)
- Code samples: Obfuscated code samples can be found on the Malware-Variant-Tracker GitHub Repository.
Disclaimer
All content provided is to be used for defensive and educational purposes only. For compiled samples and binary analysis, I recommend referring to established repositories such as vx-underground. The focus here is to document the source and its evolution.
First Spotted (YYYY/MM/DD): 2026/02/27
Lua hashes:
MD5: af5aad5795b69d9e37080dfc1eeaa822
SHA-1: 239087899df69b7ef9ba5d9716e3312c73c800ba
SHA-256: 8b5d6ff49034626532fbf5d2b9f4ffeee53facde63252e3c8aaa89f05029b8d4
Discovery Source: GitHub
Repo Creation Date (YYYY/MM/DD): 2026/01/21
Repo Takedown (YYYY/MM/DD): 2026/04/14
Commit Timing: Every 2 hours.
Archival Link(s):
https://web.archive.org/web/20260227215121/https://github.com/kukil-saikia/cracked-save-to-smartsheet-extension
https://web.archive.org/web/20260227212138/https://github.com/kukil-saikia/DivineRebelEmilyFreeDL
File Size:
Minified: 319KB
Formatted: 1.05MB
