Hackers Exploit GitHub for Amadey Malware and Data Stealers
Threat Actors Weaponizing GitHub Accounts to Host Payloads, Tools, and Amadey Malware Plug-Ins
Image courtesy of Cisco Talos
A sophisticated Malware-as-a-Service operation has emerged using fake GitHub accounts to distribute malicious payloads, significantly evolving cybercriminal tactics.
This operation targets Ukrainian entities through phishing emails with compressed archive attachments that conceal JavaScript files employing multiple layers of obfuscation. These are designed to execute PowerShell downloaders, ultimately delivering the Amadey malware and associated tools.
The infrastructure used is notably sophisticated, leveraging public GitHub repositories as open directories for staging malware payloads across various families. Cisco Talos analysts identified this operation's broader scope in April 2025, linking it to previous campaigns targeting the same geographic region.
.webp)
Image courtesy of Cisco Talos
The threat actors created accounts like Legendary99999, DFfe9ewf, and Milidmdds, with the most active account, Legendary99999, containing over 160 repositories, each hosting a single malicious file in the “Releases” section.
Advanced Infection Mechanism and Multi-Stage Payload Delivery
The Emmenhtal loader serves as the primary infection vector, employing a sophisticated four-layer obfuscation scheme. The first layer uses two-letter variables mapped to numeric values that conceal the malicious code from basic static analysis tools.
The second layer executes an encoded PowerShell command via ActiveXObject, while the third includes a PowerShell command with an AES-encrypted binary blob. The final layer decrypts and executes an additional AES-encrypted PowerShell script for downloading next-stage payloads from hardcoded IP addresses, such as 185.215.113.16 and 185.215.113.43.
This multi-stage approach allows for delivering diverse payloads, including information stealers like Rhadamanthys, Lumma, and Redline, alongside remote access trojans such as AsyncRAT. The operation’s adaptability is highlighted by its ability to deliver legitimate tools like PuTTY.exe along with malicious payloads, illustrating the flexibility of the MaaS model.
Hackers Use GitHub Repositories to Host Amadey Malware and Data Stealers, Bypassing Filters
Image courtesy of The Hacker News
Threat actors are utilizing public GitHub repositories to host malicious payloads and distribute them through Amadey as part of a campaign observed in April 2025. Cisco Talos researchers noted that the operators used fake GitHub accounts to host payloads, tools, and Amadey plug-ins to evade web filtering.
The attack chains leverage a malware loader called Emmenhtal to deliver Amadey, which subsequently downloads various custom payloads from the same repositories. This activity shares similarities with an earlier email phishing campaign that targeted Ukrainian entities.
Cisco Talos identified three GitHub accounts linked to this operation: Legendary99999, DFfe9ewf, and Milidmdds. The accounts have since been taken down by GitHub. The JavaScript files in the repositories showed similarities to the Emmenhtal scripts from the SmokeLoader campaign, mainly differing in the downloaded payloads.
MaaS Operation Using Emmenhtal and Amadey Linked to Threats Against Ukrainian Entities
Cisco Talos uncovered a stealthy Malware-as-a-Service (MaaS) operation that exploited GitHub to distribute various dangerous payloads. The campaign primarily targeted Ukrainian entities using phishing emails that contained JavaScript files designed to deploy the Emmenhtal loader, subsequently delivering Amadey payloads.
The Emmenhtal loader is a multistage downloader that has been reported by Kroll and Orange Cyberdefense. It employs a four-layer obfuscation process to conceal its operation.
.webp)
Image courtesy of Cisco Talos
Talos observed that the GitHub accounts were used as open directories for hosting tools, secondary payloads, and Amadey plugins. This strategy exploits GitHub's accessibility, allowing malicious downloads that are difficult to detect.
Organizations should consider implementing strict access policies and monitoring GitHub activity to mitigate risks. Gopher Security's AI-Powered Zero Trust Platform, along with our other advanced security solutions, can help protect against such threats by providing comprehensive visibility and control over network access.
.webp)
Image courtesy of Cisco Talos
This campaign underscores the necessity for organizations to adopt advanced security measures such as Gopher Security's Advanced AI Authentication Engine, which leverages AI to enhance identity protection and access management across diverse environments.
For an effective defense strategy, organizations must implement robust monitoring and filtering solutions to identify and block malicious downloads from compromised repositories.
Explore our services at Gopher Security to learn more about our innovative cybersecurity solutions designed to safeguard your organization against evolving threats. Visit us at https://www.gopher.security.