When a tool is so useful that no one dares to block it, it becomes a magnet for attackers. That is what is happening with Girub: public repositories, camouflaged archives and malicious loads that go unnoticed in corporate environments. Cisco Talos has uncovered a campaign that demonstrates it.
The campaign, active since February 2025, was not an isolated experiment. It was a well structured operation based on the malware-as-a-service model (MaaS), in which attack tools are sold as if they were cloud services. In this case, the operators used Github to distribute malware through seemingly harmless links.
When the malicious code hides in full view
“In many environments, a malicious download from Github may seem normal traffic”, Explain the talos researchers. And there is the problem: the actors behind this campaign knew how to move between the legitimate and the harmful without raising suspicions, using the Microsoft platform owned by Microsoft as an undercover distribution channel.
The process began with Emmenhtal, a Loader designed to act by layers. Three of them were exclusively responsible for hiding the code. Only at the end of the process a script was executed in Powershell that contacted a remote address to download the real payload.
That payload was Amadey, a malware known since 2018 in Russian speech forums. Its main function is to collect information from the infected system and Download additional files depending on the profile of the equipment. The most striking thing is that these files did not
One of the most active accounts was legendary99999. In it, more than 160 repositories with random names were detected, each hosting a single malicious file in its release section. From there, the attackers could send direct links to the victims, as if it were any other legitimate download.
Legendary 99999999999999 Settle
Legendary9999 was not an isolated case. Talos identified other accounts, such as Milidmdds or DFFE9EWF, which followed a similar pattern: random names, repositories with harmless appearance, but designed to execute malicious loads. In total, malware samples such as Rhadamanthys, Lumma, Redline or even legitimate tools such as Putty and Selenium Webdriver were detected.
The operation was always the same: once the equipment was infected, Amadey downloaded the necessary file from Github, according to the needs of each operator. The most striking is the flexibility of the operation: from remote access Trojans such as Asyncrat, to scripts disguised as MP4 files or even python code with hidden functions.
Github acted quickly. As soon as Talos notified the findings, LThe accounts were eliminated. But the problem does not seem to be the platform yes, but the strategy behind its use: take advantage of legitimate and necessary services to hide malicious activities.
Images | WorldOfSoftware with Gemini 2.5 Flash | Talos
In WorldOfSoftware | The “Son in Hurry” scam had been wreaking havoc throughout Spain for years. Police are finally dismantling it
