Hackers Exploit GitHub for Amadey Malware and Data Stealers

Alan V Gutnov
Alan V Gutnov

Director of Strategy

 
July 19, 2025 3 min read

Threat Actors Weaponizing GitHub Accounts to Host Payloads, Tools, and Amadey Malware Plug-Ins

Threat Actors Weaponizing GitHub Accounts To Host Payloads, Tools and Amadey Malware Plug-Ins
Image courtesy of Cisco Talos

A sophisticated Malware-as-a-Service operation has emerged using fake GitHub accounts to distribute malicious payloads, significantly evolving cybercriminal tactics.

This operation targets Ukrainian entities through phishing emails with compressed archive attachments that conceal JavaScript files employing multiple layers of obfuscation. These are designed to execute PowerShell downloaders, ultimately delivering the Amadey malware and associated tools.

The infrastructure used is notably sophisticated, leveraging public GitHub repositories as open directories for staging malware payloads across various families. Cisco Talos analysts identified this operation's broader scope in April 2025, linking it to previous campaigns targeting the same geographic region.

First layer of obfuscation (Source – Cisco Talos)
Image courtesy of Cisco Talos

The threat actors created accounts like Legendary99999, DFfe9ewf, and Milidmdds, with the most active account, Legendary99999, containing over 160 repositories, each hosting a single malicious file in the “Releases” section.

Advanced Infection Mechanism and Multi-Stage Payload Delivery

The Emmenhtal loader serves as the primary infection vector, employing a sophisticated four-layer obfuscation scheme. The first layer uses two-letter variables mapped to numeric values that conceal the malicious code from basic static analysis tools.

The second layer executes an encoded PowerShell command via ActiveXObject, while the third includes a PowerShell command with an AES-encrypted binary blob. The final layer decrypts and executes an additional AES-encrypted PowerShell script for downloading next-stage payloads from hardcoded IP addresses, such as 185.215.113.16 and 185.215.113.43.

This multi-stage approach allows for delivering diverse payloads, including information stealers like Rhadamanthys, Lumma, and Redline, alongside remote access trojans such as AsyncRAT. The operation’s adaptability is highlighted by its ability to deliver legitimate tools like PuTTY.exe along with malicious payloads, illustrating the flexibility of the MaaS model.

Hackers Use GitHub Repositories to Host Amadey Malware and Data Stealers, Bypassing Filters

GitHub Trojan
Image courtesy of The Hacker News

Threat actors are utilizing public GitHub repositories to host malicious payloads and distribute them through Amadey as part of a campaign observed in April 2025. Cisco Talos researchers noted that the operators used fake GitHub accounts to host payloads, tools, and Amadey plug-ins to evade web filtering.

The attack chains leverage a malware loader called Emmenhtal to deliver Amadey, which subsequently downloads various custom payloads from the same repositories. This activity shares similarities with an earlier email phishing campaign that targeted Ukrainian entities.

Cisco Talos identified three GitHub accounts linked to this operation: Legendary99999, DFfe9ewf, and Milidmdds. The accounts have since been taken down by GitHub. The JavaScript files in the repositories showed similarities to the Emmenhtal scripts from the SmokeLoader campaign, mainly differing in the downloaded payloads.

MaaS Operation Using Emmenhtal and Amadey Linked to Threats Against Ukrainian Entities

Cisco Talos uncovered a stealthy Malware-as-a-Service (MaaS) operation that exploited GitHub to distribute various dangerous payloads. The campaign primarily targeted Ukrainian entities using phishing emails that contained JavaScript files designed to deploy the Emmenhtal loader, subsequently delivering Amadey payloads.

The Emmenhtal loader is a multistage downloader that has been reported by Kroll and Orange Cyberdefense. It employs a four-layer obfuscation process to conceal its operation.

Legendary99999 GitHub account overview (Source – Cisco Talos)
Image courtesy of Cisco Talos

Talos observed that the GitHub accounts were used as open directories for hosting tools, secondary payloads, and Amadey plugins. This strategy exploits GitHub's accessibility, allowing malicious downloads that are difficult to detect.

Organizations should consider implementing strict access policies and monitoring GitHub activity to mitigate risks. Gopher Security's AI-Powered Zero Trust Platform, along with our other advanced security solutions, can help protect against such threats by providing comprehensive visibility and control over network access.

Milidmdds GitHub account overview (Source – Cisco Talos)
Image courtesy of Cisco Talos

This campaign underscores the necessity for organizations to adopt advanced security measures such as Gopher Security's Advanced AI Authentication Engine, which leverages AI to enhance identity protection and access management across diverse environments.

For an effective defense strategy, organizations must implement robust monitoring and filtering solutions to identify and block malicious downloads from compromised repositories.

Explore our services at Gopher Security to learn more about our innovative cybersecurity solutions designed to safeguard your organization against evolving threats. Visit us at https://www.gopher.security.

Alan V Gutnov
Alan V Gutnov

Director of Strategy

 

MBA-credentialed cybersecurity expert specializing in Post-Quantum Cybersecurity solutions with proven capability to reduce attack surfaces by 90%.

Related Articles

Ransomware Attacks Target Russian Vodka and Healthcare Sectors

The Novabev Group, parent company of the Beluga vodka brand, experienced a ransomware attack on July 14, 2025, causing significant disruptions. The attack affected WineLab, the company's liquor store chain, leading to a three-day closure of over 2,000 locations in Russia. The company reported that the attack crippled its IT infrastructure, particularly point-of-sale systems and online services. Novabev Group stated, "The company maintains a principled position of rejecting any interaction with cybercriminals and refuses to fulfill their demands."

By Alan V Gutnov July 19, 2025 3 min read
Read full article

Retail Sector Faces Surge in Ransomware Attacks: A 2025 Analysis

Publicly disclosed ransomware attacks on the retail sector globally surged by 58% in Q2 2025 compared to Q1, with UK-based firms being particularly targeted, according to a report by BlackFog. This spike in attacks follows high-profile breaches affecting retailers like Marks & Spencer (M&S), The Co-op, and Harrods, attributed to the threat actor known as Scattered Spider.

By Alan V Gutnov July 19, 2025 2 min read
Read full article

AI-Driven Lcryx Ransomware Emerges in Cryptomining Botnet

A cryptomining botnet active since 2019 has incorporated a likely AI-generated ransomware known as Lcryx into its operations. Recent analysis by the FortiCNAPP team at FortiGuard Labs identified the first documented incident linking H2miner and Lcryx ransomware. This investigation focused on a cluster of virtual private servers (VPS) utilized for mining Monero.

By Edward Zhou July 19, 2025 3 min read
Read full article

Preventing ClickFix Attacks: Safeguarding Against Human Error

ClickFix is an emerging social engineering technique utilized by threat actors to exploit human error. This technique involves misleading users into executing malicious commands under the guise of providing "quick fixes" for common computer issues. Threat actors use familiar platforms and deceptive prompts to encourage victims to paste and run harmful scripts.

By Alan V Gutnov July 19, 2025 3 min read
Read full article