Full Report
Cybersecurity researchers have disclosed details of a new SmartLoader campaign that involves distributing a trojanized version of a Model Context Protocol (MCP) server associated with Oura Health to deliver an information stealer known as StealC. "The threat actors cloned a legitimate Oura MCP Server – a tool that connects AI assistants to Oura Ring health data – and built a deceptive
Analysis Summary
# Tool/Technique: SmartLoader (via Trojanized MCP Server)
## Overview
This attack is a supply-chain and social-engineering campaign in which threat actors distribute a trojanized version of a **Model Context Protocol (MCP)** server. Specifically, the actors cloned a legitimate Oura Health MCP server to deliver **SmartLoader**, which subsequently drops the **StealC** information stealer. The campaign targets developers and AI users by manufacturing "credibility" through fake GitHub accounts and poisoned tool registries.
## Technical Details
- **Type:** Malware Loader / Supply Chain Attack
- **Platform:** Windows (implied by StealC/Lua execution)
- **Capabilities:** Credential theft, cryptocurrency wallet draining, browser data exfiltration, and evasion via obfuscated scripts.
- **First Seen:** SmartLoader first identified early 2024; this specific MCP campaign reported February 2026.
## MITRE ATT&CK Mapping
- **[TA0001 - Initial Access]**
  - **[T1195.002 - Supply Chain Compromise: Compromise Software Supply Chain]** (Poisoning MCP registries)
  - **[T1566.003 - Phishing: Spearphishing via Service]** (Using GitHub and MCP Market to distribute lures)
- **[TA0002 - Execution]**
  - **[T1059.011 - Command and Scripting Interpreter: Lua]** (Execution of obfuscated Lua scripts)
  - **[T1204.002 - User Execution: Malicious File]** (Tricking users into downloading ZIP archives)
- **[TA0005 - Defense Evasion]**
  - **[T1027 - Obfuscated Files or Information]** (Obfuscated Lua scripts)
- **[TA0010 - Exfiltration]**
  - **[T1539 - Steal Web Session Cookie]**
  - **[T1555.003 - Credentials from Password Stores: Credentials from Web Browsers]**
## Functionality
### Core Capabilities
- **Information Stealing (via StealC):** Extracts browser passwords, cookies, and sensitive data from cryptocurrency wallets and API keys.
- **Payload Delivery:** Uses SmartLoader to download and execute secondary malware after initial execution.
- **Credibility Manufacturing:** Creates a network of fake contributors and forks on GitHub to bypass user skepticism.
### Advanced Features
- **MCP Poisoning:** Specifically targets the **Model Context Protocol** ecosystem, a niche AI-assistant framework, to reach high-value developer targets.
- **Artificial Intelligence Lures:** Employs AI-generated content or themes to make repositories appear modern and professional.
- **Reputation Laundering:** Invests months in building account history and repository activity before deploying the malicious payload.
## Indicators of Compromise
- **File Names:** `oura-mcp-server` (Trojanized version), various ZIP archives containing Lua scripts.
- **GitHub Accounts:**
  - `YuzeHao2023`
  - `punkpeye`
  - `dvlan26`
  - `halamji`
  - `yzhao112`
  - `SiddhiBagul` (Primary repository host)
- **Network Indicators:**
  - `mcpmarket[.]com` (Registry utilized for distribution)
- **Behavioral Indicators:**
  - Unusual egress traffic from AI tools/MCP servers.
  - Unexpected execution of Lua interpreters on developer workstations.
## Associated Threat Actors
- **SmartLoader Operators:** Known for methodical, patient campaigns targeting developers and crypto users.
## Detection Methods
- **Signature-based detection:** Identify known hashes of the `StealC` infostealer and the `SmartLoader` entry point.
- **Behavioral detection:** Monitor for unauthorized access to browser credential stores (e.g., `Login Data` files) or unexpected network connections from AI-related processes.
- **Inventory Check:** Audit all installed MCP servers and cross-reference their origin with official/verified contributors.
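
One way to carry out the inventory check above, as an added example that is not part of the original report: the script walks an MCP client configuration and flags servers whose launch line is not on a reviewed allowlist, whose command is a Lua interpreter, or that run from a temp or download directory. The `mcpServers` config layout, the `APPROVED` allowlist and every sample entry are assumptions constructed for illustration.

```python
import json
import ntpath
import re

# Constructed sample config; assumes the "mcpServers" layout used by common MCP clients.
SAMPLE_CONFIG = json.loads(r"""
{"mcpServers": {
  "oura": {"command": "C:\\Users\\dev\\AppData\\Local\\Temp\\oura-mcp-server\\luajit.exe",
           "args": ["server.lua"]},
  "filesystem": {"command": "npx", "args": ["-y", "@example/approved-fs-server"]},
  "notes": {"command": "node", "args": ["C:\\Users\\dev\\Downloads\\notes-mcp\\index.js"]}
}}
""")

# Hypothetical allowlist: server name -> exact launch line approved after code review.
APPROVED = {"filesystem": ["npx", "-y", "@example/approved-fs-server"]}

LUA_RE = re.compile(r"^lua(jit)?[\d.]*(\.exe)?$", re.IGNORECASE)
RISKY_DIR_RE = re.compile(r"[\\/](temp|tmp|downloads)[\\/]", re.IGNORECASE)


def audit_mcp_servers(config, approved):
    """Return {server_name: [reasons]} for every entry that needs review."""
    findings = {}
    for name, entry in config.get("mcpServers", {}).items():
        launch = [entry.get("command", "")] + list(entry.get("args", []))
        reasons = []
        if approved.get(name) != launch:
            reasons.append("launch line not on reviewed allowlist")
        # ntpath splits on both "\" and "/", so Windows and POSIX paths both work.
        if LUA_RE.match(ntpath.basename(launch[0])):
            reasons.append("command is a Lua interpreter")
        if any(RISKY_DIR_RE.search(part) for part in launch):
            reasons.append("runs from a temp or download directory")
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for server, reasons in audit_mcp_servers(SAMPLE_CONFIG, APPROVED).items():
        print(f"{server}: {'; '.join(reasons)}")
```

Comparing the whole launch line, not just the server name, also catches an approved entry whose command or arguments were later changed.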
## Mitigation Strategies
- **Supply Chain Verification:** Verify the "Contributor" list of GitHub repositories and ensure the original author is present.
- **Registry Security:** Do not blindly trust third-party registries like MCP Market; perform independent code reviews of third-party servers.
- **Network Segmentation:** Isolate developer environments and monitor for suspicious egress traffic to known C2 patterns.
- **Endpoint Protection:** Use EDR tools to block the execution of unknown or obfuscated scripts (Lua/PowerShell) from temporary directories.
## Related Tools/Techniques
- **StealC:** The primary infostealer payload.
- **RedLine Stealer:** Previously distributed by SmartLoader.
- **ClickFix:** A common social engineering technique used in similar loader campaigns.
- **MintsLoader:** Another loader frequently associated with StealC delivery.