Close Menu
IOupdate | IT News and SelfhostingIOupdate | IT News and Selfhosting
  • Home
  • News
  • Blog
  • Selfhosting
  • AI
  • Linux
  • Cyber Security
  • Gadgets
  • Gaming

Subscribe to Updates

Get the latest creative news from ioupdate about Tech trends, Gaming and Gadgets.

[contact-form-7 id="dd1f6aa" title="Newsletter"]
What's Hot

Hyprland Controversy, German State with Open Source, New Flatpak App Center and a Lot More Linux Stuff

October 23, 2025

PeaZip 10.7 Open-Source Archive Manager Introduces an Image Viewer

October 23, 2025

I Used This Open Source Library to Integrate OpenAI, Claude, Gemini to Websites Without API Keys

October 23, 2025
Facebook X (Twitter) Instagram
Facebook Mastodon Bluesky Reddit
IOupdate | IT News and SelfhostingIOupdate | IT News and Selfhosting
  • Home
  • News
  • Blog
  • Selfhosting
  • AI
  • Linux
  • Cyber Security
  • Gadgets
  • Gaming
IOupdate | IT News and SelfhostingIOupdate | IT News and Selfhosting
Home»Cyber Security»Hackers Use GitHub Repositories to Host Amadey Malware and Data Stealers, Bypassing Filters
Cyber Security

Hackers Use GitHub Repositories to Host Amadey Malware and Data Stealers, Bypassing Filters

MichaBy MichaJuly 18, 2025No Comments6 Mins Read
Hackers Use GitHub Repositories to Host Amadey Malware and Data Stealers, Bypassing Filters


In the dynamic world of cyber security, staying ahead of evolving threats is paramount. Recent threat intelligence highlights a concerning trend: adversaries are increasingly leveraging legitimate platforms like public GitHub repositories to host malicious payloads. This strategy, combined with sophisticated social engineering tactics, enables the distribution of diverse malware families, from versatile downloaders to potent information stealers and remote access tools. Understanding these intricate attack chains and adopting proactive defense strategies is no longer optional but a critical necessity for safeguarding digital assets.

The Evolving Threat Landscape: GitHub as a Malicious Payload Host

Cybercriminals are constantly innovating their methods to bypass traditional security defenses. A notable shift in recent campaigns involves abusing trusted platforms like GitHub, transforming them into stealthy distribution channels for malware. This approach helps attackers evade web filtering and simplifies their operations, making their campaigns harder to detect.

Amadey and Emmenhtal: A Deep Dive into MaaS Operations

Observed in April 2025, a significant campaign utilized public GitHub accounts to host and distribute malicious payloads via Amadey, a popular malware-as-a-service (MaaS) offering. Threat actors behind this operation employed fake GitHub accounts (e.g., Legendary99999, DFfe9ewf, Milidmdds, since taken down) to store payloads, tools, and Amadey plug-ins. This tactic is part of a broader trend where MaaS operators exploit legitimate infrastructure for nefarious purposes.

The attack chains leveraged a malware loader dubbed Emmenhtal (also known as PEAKLIGHT) to deliver Amadey. Amadey, in turn, downloaded various custom payloads, including well-known information stealers like Lumma Stealer, RedLine Stealer, and Rhadamanthys Stealer, along with AsyncRAT and even a legitimate copy of PuTTY.exe. While both Emmenhtal and Amadey function as downloaders for secondary payloads, Amadey distinguishes itself with enhanced system information collection capabilities and extensibility through DLL plugins for functionalities like credential theft or screenshot capture. This campaign shares tactical similarities with earlier attacks targeting Ukrainian entities in February 2025, which also used Emmenhtal to distribute SmokeLoader. A unique tip for enhanced security: Organizations should implement stringent content scanning and behavioral analysis even for seemingly benign files from trusted sources like GitHub. Moreover, monitoring for rapid changes in public repositories associated with suspicious activity can provide early warnings.

SquidLoader’s Stealthy Operations Against Financial Institutions

Beyond GitHub-hosted threats, another formidable loader, SquidLoader, has been observed in campaigns targeting financial services institutions across Hong Kong, Singapore, and Australia. Detailed by Trellix, SquidLoader is particularly dangerous due to its intricate array of anti-analysis, anti-sandbox, and anti-debug techniques. These capabilities allow it to evade detection and significantly hinder malware analysis efforts, making it a persistent threat. Once established, SquidLoader establishes communication with a remote server to exfiltrate host information and ultimately inject a Cobalt Strike beacon, providing attackers with potent remote access and control. Its low detection rates underscore the need for advanced threat hunting and robust endpoint detection and response (EDR) solutions.

Social Engineering: The Human Element in Cyber Attacks

While technical exploits remain a concern, the human element continues to be a primary target for cybercriminals. Social engineering campaigns are increasingly sophisticated, using a variety of lures to trick victims into compromising their security.

Diverse Phishing Tactics and Malware Delivery

Recent observations reveal a wide spectrum of social engineering campaigns designed to distribute various malware families:

  • Invoice and Billing Themes: Financially motivated groups, such as UNC5952, leverage fake invoice emails to deliver malicious droppers like CHAINVERB, leading to the deployment of ConnectWise ScreenConnect remote access software.
  • Tax-Related Deceptions: Similar tactics employ tax-related decoys to trick recipients into clicking malicious links that install ConnectWise ScreenConnect.
  • SSA Impersonations: Attacks mimicking the U.S. Social Security Administration aim to harvest user credentials or install trojanized versions of ConnectWise ScreenConnect, often instructing victims to sync Microsoft’s Phone Link app to collect sensitive data like text messages and 2FA codes.
  • Sophisticated Phishing Kits: Adversaries use advanced phishing kits like Logokit, hosted on AWS infrastructure with Cloudflare Turnstile CAPTCHA for false legitimacy, and custom Python Flask-based kits to facilitate credential theft with minimal technical effort.
  • QR Code Exploitation (Scanception): A rising trend, as highlighted by Cofense data, indicates QR codes accounted for 57% of campaigns with advanced Tactics, Techniques, and Procedures (TTPs) in 2024. Attacks codenamed Scanception use QR codes embedded in PDF email attachments to direct users to credential harvesting pages mimicking Microsoft login portals. This highlights a critical need for user awareness around QR code legitimacy.
  • Evasion Techniques: Attackers also employ cloaking-as-a-service (CaaS) offerings like Hoax Tech and JS Click Cloaker to hide malicious content from security scanners, along with crafting realistic HTML and JavaScript emails to bypass user suspicion and traditional detection tools. SVG image files embedded with obfuscated JavaScript are also used to redirect users to attacker-controlled infrastructure.

Evading Detection: New TTPs in Play

Beyond QR codes, threat actors are deploying other clever methods to bypass security controls. The use of password-protected archive attachments in emails is a prevalent tactic to circumvent secure email gateways (SEGs). By encrypting the archive, attackers prevent SEGs from scanning its contents, allowing otherwise clearly malicious files to reach inboxes. This emphasizes the importance of robust user education and multi-layered security approaches beyond perimeter defenses.


FAQ

Question 1: What is ‘Malware-as-a-Service’ (MaaS) and why is it a significant threat in cyber security?
Answer 1: MaaS is a subscription-based business model where cybercriminals offer access to malware, infrastructure, and technical support, lowering the barrier to entry for aspiring attackers. It’s a significant threat because it democratizes cybercrime, enabling individuals with limited technical skills to launch sophisticated attacks. This leads to a wider proliferation of malware and an increase in the volume and variety of cyberattacks, making defense more challenging.

Question 2: How do attackers use public platforms like GitHub for malicious purposes?
Answer 2: Attackers exploit the legitimate nature and high trust associated with platforms like GitHub to host malicious payloads, command-and-control (C2) infrastructure, or even complete phishing kits. By leveraging these platforms, they can often bypass traditional web filtering and security policies that might block traffic from less reputable sources. The sheer volume of legitimate traffic on these platforms also helps their malicious activities blend in, making detection more difficult.

Question 3: What are some practical steps organizations can take to defend against advanced social engineering and malware campaigns?
Answer 3: To counter advanced social engineering and malware campaigns, organizations should implement a multi-layered defense strategy. Key steps include:

  1. Robust Security Awareness Training: Educate employees about phishing, QR code scams, and other social engineering tactics, emphasizing vigilance and reporting suspicious activity.
  2. Multi-Factor Authentication (MFA): Implement MFA for all accounts, especially those with access to sensitive data, to prevent credential theft from leading to full account compromise.
  3. Advanced Email Security: Utilize Secure Email Gateways (SEGs) with sandboxing, DMARC/SPF/DKIM for email authentication, and URL/attachment scanning.
  4. Endpoint Detection and Response (EDR): Deploy EDR solutions for continuous monitoring, threat detection, and rapid incident response on endpoints.
  5. Regular Software Updates and Patching: Keep all operating systems, applications, and security software up to date to patch known vulnerabilities that attackers might exploit.
  6. Threat Intelligence Integration: Continuously consume and act upon current threat intelligence to understand new attack vectors, TTPs, and indicators of compromise (IoCs).



Read the original article

0 Like this
Amadey Bypassing data Filters GitHub hackers Host malware Repositories Stealers
Share. Facebook LinkedIn Email Bluesky Reddit WhatsApp Threads Copy Link Twitter
Previous ArticleMortal Kombat Releases Johnny Cage Teaser Ahead Of Official Sequel Trailer
Next Article Exhausted man defeats AI model in world coding championship

Related Posts

Linux

10 Essential Linux Command-Line Tools for Data Scientists

October 16, 2025
Cyber Security

Murky Panda hackers exploit cloud trust to hack downstream customers

August 24, 2025
Cyber Security

AI-powered financial scams swamp social media

August 22, 2025
Add A Comment
Leave A Reply Cancel Reply

Top Posts

AI Developers Look Beyond Chain-of-Thought Prompting

May 9, 202515 Views

6 Reasons Not to Use US Internet Services Under Trump Anymore – An EU Perspective

April 21, 202512 Views

Andy’s Tech

April 19, 20259 Views
Stay In Touch
  • Facebook
  • Mastodon
  • Bluesky
  • Reddit

Subscribe to Updates

Get the latest creative news from ioupdate about Tech trends, Gaming and Gadgets.

About Us

Welcome to IOupdate — your trusted source for the latest in IT news and self-hosting insights. At IOupdate, we are a dedicated team of technology enthusiasts committed to delivering timely and relevant information in the ever-evolving world of information technology. Our passion lies in exploring the realms of self-hosting, open-source solutions, and the broader IT landscape.

Most Popular

AI Developers Look Beyond Chain-of-Thought Prompting

May 9, 202515 Views

6 Reasons Not to Use US Internet Services Under Trump Anymore – An EU Perspective

April 21, 202512 Views

Subscribe to Updates

Facebook Mastodon Bluesky Reddit
  • About Us
  • Contact Us
  • Disclaimer
  • Privacy Policy
  • Terms and Conditions
© 2025 ioupdate. All Right Reserved.

Type above and press Enter to search. Press Esc to cancel.