Hackers Exploit GitHub Accounts to Distribute Amadey Malware

Edward Zhou
Edward Zhou

CEO & Founder

 
July 19, 2025 5 min read

Threat Actors Weaponizing GitHub Accounts To Host Payloads, Tools and Amadey Malware Plug-Ins

Threat Actors Weaponizing GitHub Accounts To Host Payloads, Tools and Amadey Malware Plug-Ins
Image courtesy of Source Name

A sophisticated Malware-as-a-Service operation has emerged that exploits the trusted GitHub platform to distribute malicious payloads, representing a significant evolution in cybercriminal tactics. This operation leverages fake GitHub accounts to host an arsenal of malware tools, plugins, and payloads, capitalizing on GitHub’s widespread corporate acceptance to bypass traditional web filtering mechanisms.

The malicious campaign targets Ukrainian entities through carefully crafted phishing emails containing compressed archive attachments. These archives conceal JavaScript files that employ multiple layers of obfuscation to disguise PowerShell downloaders, ultimately delivering the Amadey malware and its associated tooling.

First layer of obfuscation (Source – Cisco Talos)
Image courtesy of Cisco Talos

The attack initially gained attention through its connection to a separate SmokeLoader phishing campaign that also targeted Ukrainian organizations. However, Cisco Talos analysts identified the broader scope of the operation in April 2025, revealing its true nature as a comprehensive MaaS platform. The researchers discovered that the same Emmenhtal loader variant used in the SmokeLoader campaign was being repurposed to deliver Amadey payloads and other malicious tools.

What makes this operation particularly concerning is its abuse of GitHub’s legitimate infrastructure. The threat actors created three primary accounts—Legendary99999, DFfe9ewf, and Milidmdds—each serving distinct purposes within the malware distribution network.

Legendary99999 GitHub account overview (Source – Cisco Talos)
Image courtesy of Cisco Talos

The most active account, Legendary99999, contained over 160 repositories with randomized names, each hosting a single malicious file in the “Releases” section.

Advanced Infection Mechanism and Multi-Stage Payload Delivery

The Emmenhtal loader serves as the primary infection vector, employing a sophisticated four-layer obfuscation scheme that demonstrates advanced evasion capabilities. The first layer defines a series of two-letter variables mapped to numeric values, which are applied to a long string of comma-separated values stored in a randomly named variable such as “qiXSF.” This initial obfuscation layer effectively conceals the malicious code from basic static analysis tools.

The second layer utilizes the ActiveXObject function to execute an encoded PowerShell command through WScript.Shell, while the third layer contains a PowerShell command with an AES-encrypted binary blob. The final layer decrypts and executes an additional AES-encrypted PowerShell script that initiates the download of the next-stage payload from hardcoded IP addresses, including 185.215.113.16 and 185.215.113.43.

This multi-stage approach allows the malware to deliver diverse payloads including information stealers like Rhadamanthys, Lumma, and Redline, as well as remote access trojans such as AsyncRAT. The operation’s adaptability is further demonstrated by its ability to deliver legitimate tools like PuTTY.exe alongside malicious payloads, showcasing the MaaS model’s flexibility in meeting various client requirements.

Hackers Use GitHub Repositories to Host Amadey Malware and Data Stealers, Bypassing Filters

GitHub Trojan
Image courtesy of Source Name

Threat actors are leveraging public GitHub repositories to host malicious payloads and distribute them via Amadey as part of a campaign observed in April 2025. "The MaaS [malware-as-a-service] operators used fake GitHub accounts to host payloads, tools, and Amadey plug-ins, likely as an attempt to bypass web filtering and for ease of use," Cisco Talos researchers Chris Neal and Craig Jackson said in a report published today.

The cybersecurity company noted that the attack chains leverage a malware loader called Emmenhtal (aka PEAKLIGHT) to deliver Amadey, which downloads various custom payloads from public GitHub repositories operated by the threat actors. This activity shares tactical similarities with an email phishing campaign that used invoice payment and billing-related lures to distribute SmokeLoader via Emmenhtal in February 2025 targeting Ukrainian entities.

Both Emmenhtal and Amadey function as a downloader for secondary payloads, although the latter has also been observed delivering ransomware like LockBit 3.0 in the past. Another crucial distinction between the two malware families is that unlike Emmenhtal, Amadey can collect system information and can be extended feature-wise with various DLL plugins that enable specific functionalities, such as credential theft or screenshot capture.

Cisco Talos' analysis of the April 2025 campaign uncovered three GitHub accounts (Legendary99999, DFfe9ewf, and Milidmdds) being used to host Amadey plugins, secondary payloads, and other malicious attack scripts, including Lumma Stealer, RedLine Stealer, and Rhadamanthys Stealer. The accounts have since been taken down by GitHub.

Malware-as-a-Service Operation Using Emmenhtal and Amadey Linked to Threats Against Ukrainian Entities

In April 2025, Cisco Talos identified a Malware-as-a-Service (MaaS) operation that utilized Amadey to deliver payloads. The MaaS operators used fake GitHub accounts to host payloads, tools, and Amadey plug-ins, likely as an attempt to bypass web filtering and for ease of use. Several operator tactics, techniques, and procedures (TTPs) overlap with a SmokeLoader phishing campaign identified in early 2025 that targeted Ukrainian entities.

The same variant of Emmenhtal identified in the SmokeLoader campaign was used by the MaaS operation to download Amadey payloads and other tooling. In early February 2025, Talos observed a cluster of invoice payment and billing-themed phishing emails targeting Ukrainian entities. These emails included compressed archive attachments (e.g., ZIP, 7Zip, or RAR) containing at least one JavaScript file that used several layers of obfuscation to disguise a PowerShell downloader.

During analysis of the Emmenhtal loaders collected from this phishing campaign, Talos identified additional samples on VirusTotal that were highly similar but did not appear to be part of the original activity cluster. Most notably, these samples were hosted in several public GitHub repositories and delivered Amadey instead of SmokeLoader as a next-stage payload.

Cybersecurity
Image courtesy of Source Name

Further review of the associated GitHub accounts and the files hosted within related repositories showed they might be part of a larger MaaS operation that uses public GitHub repositories as open directories for staging custom payloads.

MaaS

Edward Zhou
Edward Zhou

CEO & Founder

 

CEO & Founder of Gopher Security, leading the development of Post-Quantum cybersecurity technologies and solutions..

Related Articles

Ransomware Attacks Target Russian Vodka and Healthcare Sectors

The Novabev Group, parent company of the Beluga vodka brand, experienced a ransomware attack on July 14, 2025, causing significant disruptions. The attack affected WineLab, the company's liquor store chain, leading to a three-day closure of over 2,000 locations in Russia. The company reported that the attack crippled its IT infrastructure, particularly point-of-sale systems and online services. Novabev Group stated, "The company maintains a principled position of rejecting any interaction with cybercriminals and refuses to fulfill their demands."

By Alan V Gutnov July 19, 2025 3 min read
Read full article

Retail Sector Faces Surge in Ransomware Attacks: A 2025 Analysis

Publicly disclosed ransomware attacks on the retail sector globally surged by 58% in Q2 2025 compared to Q1, with UK-based firms being particularly targeted, according to a report by BlackFog. This spike in attacks follows high-profile breaches affecting retailers like Marks & Spencer (M&S), The Co-op, and Harrods, attributed to the threat actor known as Scattered Spider.

By Alan V Gutnov July 19, 2025 2 min read
Read full article

AI-Driven Lcryx Ransomware Emerges in Cryptomining Botnet

A cryptomining botnet active since 2019 has incorporated a likely AI-generated ransomware known as Lcryx into its operations. Recent analysis by the FortiCNAPP team at FortiGuard Labs identified the first documented incident linking H2miner and Lcryx ransomware. This investigation focused on a cluster of virtual private servers (VPS) utilized for mining Monero.

By Edward Zhou July 19, 2025 3 min read
Read full article

Preventing ClickFix Attacks: Safeguarding Against Human Error

ClickFix is an emerging social engineering technique utilized by threat actors to exploit human error. This technique involves misleading users into executing malicious commands under the guise of providing "quick fixes" for common computer issues. Threat actors use familiar platforms and deceptive prompts to encourage victims to paste and run harmful scripts.

By Alan V Gutnov July 19, 2025 3 min read
Read full article