OSINT Challenge 5 - Ergo Propter Hoc

Prompt

Do NOT email anyone associated with this repository or download any attachments that you find. It is not within scope of this challenge. Zip files on GitHub are NOT SAFE at this time. GitHub is being used by threat actors to disguise malware as legitimate tools to avoid detection.


Answers

Q1 (5 pts) - Let’s look at this repository:
https://github.com/GN-sudo-del/theGoillot
What day of the week was the first commit pushed?
Wednesday

Q2 (5 pts) - What is the full filename (including the extension) of the zip file that GN-sudo-del is distributing? Please don’t click on it.
Goillot_the_v1.1.zip

Q3 (5 pts) - How many commits were made to the repo?
3

Q4 (10 pts) - Based on currently documented malware campaigns, what malware campaign is associated with this activity?
GitVenom

Q5 (15 pts) - What is the email address used in this repository that is associated with the commit containing the malicious .zip file?
gawedaneosporin@proton.me

Q6 (15 pts) - Looking at the info from question 5, which UTC time zone does the user probably live in? (i.e. UTC+14)
UTC+3

Q7 (45 pts) - One of the bitcoin wallets associated with the campaign received a 5 BTC payment in November 2024. What is the bitcoin address associated with that wallet?
bc1qtxlz2m6r55q7q6wt7nsdu67zhzqqa4tqkyspzt


Steps I Took

For Q1, I went to the GitHub repository and reviewed the commit history. That also gave me the answer for Q3 because I could see there were three commits.

Screenshot

The first commit was dated February 18, 2026, so I checked what day of the week that was and confirmed it was Wednesday.

For Q2, I identified the ZIP filename directly from the repository files.

Screenshot

For Q5, I looked up how to extract an email address from a GitHub commit and used that method on the malicious commit. This also helped with Q6 because the Date: header showed the likely UTC offset.

https://www.avonture.be/blog/github-retrieve-email/
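As an added example (not part of this write-up, the linked blog post, or the repository being examined), the script below parses the header block of a commit's `.patch` view, which is the kind of text the email-retrieval method above works from: it pulls the author address from the From: line and the UTC offset and weekday from the Date: line. The patch text is a constructed sample built to mirror the answers to Q1, Q5 and Q6, not a copy of the real commit, and the function names are my own.

```python
import re
from datetime import datetime
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample of a git format-patch header (the shape GitHub serves
# for https://github.com/<owner>/<repo>/commit/<sha>.patch). The SHA and
# subject are placeholders; From/Date are set to mirror the answers above.
SAMPLE_PATCH = """From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: GN-sudo-del <gawedaneosporin@proton.me>
Date: Wed, 18 Feb 2026 14:02:11 +0300
Subject: [PATCH] (constructed sample, not the real commit message)

---
 placeholder.bin | Bin 0 -> 1 bytes
 1 file changed, 0 insertions(+), 0 deletions(-)
"""

HEADER_RE = re.compile(r"^(From|Date):\s*(.+?)\s*$")


def parse_patch_headers(patch_text: str) -> dict:
    """Return author name/email and an aware datetime from a patch header.

    Only the header block (lines before the first blank line) is read, so
    the first 'From <sha> ...' line and the diff body are ignored.
    """
    headers = {}
    for line in patch_text.splitlines():
        if line.strip() == "":
            break  # end of the header block
        match = HEADER_RE.match(line)
        if match:
            headers[match.group(1)] = match.group(2)
    if "From" not in headers or "Date" not in headers:
        raise ValueError("patch header is missing From: or Date:")

    name, email = parseaddr(headers["From"])
    if not email:
        raise ValueError(f"could not parse an address from {headers['From']!r}")

    # Git writes RFC 2822 dates ("Wed, 18 Feb 2026 14:02:11 +0300"), which
    # parsedate_to_datetime turns into a timezone-aware datetime.
    date = parsedate_to_datetime(headers["Date"])
    if date.tzinfo is None:
        raise ValueError("Date: header carried no UTC offset")

    return {
        "author_name": name,
        "author_email": email,
        # Privacy-protected addresses look like ID+user@users.noreply.github.com
        # and identify nothing beyond the GitHub username.
        "is_github_noreply": email.lower().endswith("@users.noreply.github.com"),
        "date": date,
    }


def utc_offset_label(dt: datetime) -> str:
    """Format an aware datetime's offset the way the question does (UTC+3)."""
    total_minutes = int(dt.utcoffset().total_seconds() // 60)
    sign = "+" if total_minutes >= 0 else "-"
    hours, minutes = divmod(abs(total_minutes), 60)
    return f"UTC{sign}{hours}" if minutes == 0 else f"UTC{sign}{hours}:{minutes:02d}"


def weekday_name(dt: datetime) -> str:
    """Day of week in the author's own offset, as asked in Q1."""
    return dt.strftime("%A")


if __name__ == "__main__":
    info = parse_patch_headers(SAMPLE_PATCH)
    print(info["author_email"], utc_offset_label(info["date"]), weekday_name(info["date"]))
```

The offset in the Date: line is whatever the committing machine's clock was set to, and commits made through GitHub's web editor carry +0000, so it is a hint about the author's location rather than proof, which is why Q6 asks where the user "probably" lives.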

Screenshot

Screenshot

I first tried looking at the repository in the Wayback Machine, but that did not help.

Screenshot

I also checked the file hash in VirusTotal, but that did not give me the answer I needed for Q7.

Screenshot

Q7 took the longest. I eventually learned about Firstbits and used the partial wallet address bc1qtxlz2m6r on WalletExplorer. That returned the full wallet and showed the 5 BTC transaction from November 2024.

https://www.walletexplorer.com/address/bc1qtxlz2m6r55q7q6wt7nsdu67zhzqqa4tqkyspzt?from_firstbits=bc1qtxlz2m6r

Screenshot

https://securelist.com/gitvenom-campaign/115694/
https://www.kaspersky.com/about/press-releases/kaspersky-exposes-hidden-malware-on-github-stealing-personal-data-and-485000-in-bitcoin
https://any.run/report/a45292d4b6d3abeea9e1cf5a712699736b7ede01646947dae9a1f95592f282c6/eab9cdee-8532-4b27-a5aa-08369fdd72ba