Threat actors are increasingly using public GitHub repositories to host malicious software and distribute it through a tool known as Amadey, as revealed in a recent campaign documented by Cisco Talos. This scheme, first observed in April 2025, involves the misuse of fake GitHub accounts to upload harmful payloads and tools, including Amadey plugins, aiming to evade detection by security filters.
According to researchers Chris Neal and Craig Jackson from Cisco Talos, this operation follows a Malware-as-a-Service (MaaS) model. A loader named Emmenhtal (also known as PEAKLIGHT) downloads Amadey and other payloads from these GitHub accounts. The campaign bears striking similarities to earlier phishing activity that tricked users into downloading SmokeLoader and targeted entities in Ukraine.
Both Emmenhtal and Amadey function primarily as downloaders for secondary payloads, but Amadey is particularly notable for its capacity to collect system information and utilize various DLL plugins to extend its functionality, enabling actions like credential theft and taking screenshots.
The investigation into the April 2025 campaign identified three GitHub accounts that hosted a range of malicious scripts and payloads, including Lumma Stealer and RedLine Stealer. These accounts have since been removed by GitHub.
Some of the uploaded JavaScript files were found to be copies of those used in the earlier SmokeLoader campaign, differing mainly in the payloads they delivered. Emmenhtal scripts acted as delivery mechanisms for Amadey, AsyncRAT, and even a legitimate copy of PuTTY.exe. A Python script discovered among the repositories appears to be an evolution of Emmenhtal, containing a hard-coded command that downloads Amadey from a specific IP address.
This ongoing exploitation of GitHub illustrates how threat actors leverage reputable platforms for distributing malicious software, marking a serious concern for cybersecurity efforts.
In related developments, Trellix has uncovered a separate phishing campaign distributing another malware loader, named SquidLoader, which has targeted financial institutions in Hong Kong. This tool employs layered evasion techniques that significantly complicate detection and analysis for security teams.