Hackers Use GitHub Repositories to Host Amadey Malware and Data Stealers, Bypassing Filters
Last updated: 2025/07/17 at 3:34 PM
News Room Published 17 July 2025
Jul 17, 2025Ravie LakshmananMalware / Social Engineering

Threat actors are leveraging public GitHub repositories to host malicious payloads and distribute them via Amadey as part of a campaign observed in April 2025.

“The MaaS [malware-as-a-service] operators used fake GitHub accounts to host payloads, tools, and Amadey plug-ins, likely as an attempt to bypass web filtering and for ease of use,” Cisco Talos researchers Chris Neal and Craig Jackson said in a report published today.

The cybersecurity company said the attack chains leverage a malware loader called Emmenhtal (aka PEAKLIGHT) to deliver Amadey, which, for its part, downloads various custom payloads from public GitHub repositories operated by the threat actors.

The activity shares tactical similarities with an email phishing campaign that used invoice payment and billing-related lures to distribute SmokeLoader via Emmenhtal in February 2025 in attacks targeting Ukrainian entities.

Both Emmenhtal and Amadey function as downloaders for secondary payloads such as information stealers, although the latter has also been observed delivering ransomware like LockBit 3.0 in the past.

Another crucial distinction between the two malware families is that unlike Emmenhtal, Amadey can collect system information and can be extended feature-wise with an array of DLL plugins that enable a specific functionality, such as credential theft or screenshot capture.


Cisco Talos’ analysis of the April 2025 campaign has uncovered three GitHub accounts (Legendary99999, DFfe9ewf, and Milidmdds) being used to host Amadey plugins, secondary payloads, and other malicious attack scripts, including Lumma Stealer, RedLine Stealer, and Rhadamanthys Stealer. The accounts have since been taken down by GitHub.

Some of the JavaScript files present in the GitHub repositories have been found to be identical to the Emmenhtal scripts employed in the SmokeLoader campaign, the primary difference being the payloads downloaded. Specifically, the Emmenhtal loader files in the repositories serve as a delivery vector for Amadey, AsyncRAT, and a legitimate copy of PuTTY.exe.

Also discovered in the GitHub repositories is a Python script that likely represents an evolution of Emmenhtal, incorporating an embedded PowerShell command to download Amadey from a hard-coded IP address.

It’s believed that the GitHub accounts used to stage the payloads are part of a larger MaaS operation that abuses Microsoft’s code hosting platform for malicious purposes.

The disclosure comes as Trellix detailed a phishing campaign that propagates another malware loader known as SquidLoader in cyber attacks directed against financial services institutions in Hong Kong. Additional artifacts unearthed by the security vendor suggest related attacks may be underway in Singapore and Australia.

SquidLoader attack chain

SquidLoader is a formidable threat owing to the diverse array of anti-analysis, anti-sandbox, and anti-debug techniques packed into it, allowing it to evade detection and hinder investigation efforts. It can also establish communication with a remote server to send information about the infected host and inject the next-stage payload.

“SquidLoader employs an attack chain culminating in the deployment of a Cobalt Strike beacon for remote access and control,” security researcher Charles Crofford said. “Its intricate anti-analysis, anti-sandbox, and anti-debugging techniques, coupled with its sparse detection rates, pose a significant threat to targeted organizations.”

The findings also follow the discovery of a wide range of social engineering campaigns that are engineered to distribute various malware families:

  • Attacks likely undertaken by a financially motivated group referred to as UNC5952 that leverage invoice themes in emails to serve malicious droppers that lead to the deployment of a downloader called CHAINVERB that, in turn, delivers the ConnectWise ScreenConnect remote access software
  • Attacks that employ tax-related decoys to trick recipients into clicking on a link that ultimately delivers a ConnectWise ScreenConnect installer under the pretext of launching a PDF document
  • Attacks that use U.S. Social Security Administration (SSA) themes to harvest user credentials or install a trojanized version of ConnectWise ScreenConnect, following which victims are instructed to install and sync Microsoft’s Phone Link app to possibly collect text messages and two-factor authentication codes sent to the connected mobile device
  • Attacks that leverage a phishing kit called Logokit to enable credential harvesting by creating lookalike login pages and hosting them on Amazon Web Services (AWS) infrastructure to bypass detection, while simultaneously integrating Cloudflare Turnstile CAPTCHA verification to create a false sense of security and legitimacy
  • Attacks that use another custom Python Flask-based phishing kit to facilitate credential theft with minimal technical effort
  • Attacks codenamed Scanception that employ QR codes in PDF email attachments to direct users to credential harvesting pages mimicking the Microsoft login portal
  • Attacks that employ the ClickFix tactic to deliver Rhadamanthys Stealer and NetSupport RAT
  • Attacks that utilize cloaking-as-a-service (CaaS) offerings like Hoax Tech and JS Click Cloaker to conceal phishing and malicious websites from security scanners and show them only to intended victims as a way to fly under the radar
  • Attacks that leverage HTML and JavaScript to craft malicious realistic-looking emails that can bypass user suspicion and traditional detection tools
  • Attacks targeting B2B service providers that use Scalable Vector Graphics (SVG) image files in phishing emails, which embed obfuscated JavaScript that redirects to attacker-controlled infrastructure via the window.location.href property once the file is opened in a web browser
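The SVG technique in the last item works because an SVG is an XML document that browsers will execute script from. The following static triage check is an added example for this article, not code from Trellix, Talos or any vendor; the sample SVG it scans is constructed for demonstration and is not a campaign artifact.

```python
"""Static triage of SVG e-mail attachments for embedded script and redirects.
Added example for this article; not code from Trellix, Talos or any vendor.
The sample SVG below is constructed for demonstration, not a campaign artifact."""
import re
import xml.etree.ElementTree as ET

# Constructed sample: a tiny image carrying an inline script that redirects.
SAMPLE_SVG = b"""<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <rect width="10" height="10" fill="#fff"/>
  <script type="text/javascript"><![CDATA[
    window.location.href = "https://login-portal.example/";
  ]]></script>
</svg>"""
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>'

EVENT_ATTRS = {"onload", "onclick", "onerror", "onmouseover", "onbegin"}
# Matches the common ways script assigns the document location to redirect.
REDIRECT_RE = re.compile(
    r"(window\.|document\.)?location(\.href|\.replace|\.assign|\s*=)")

def local_name(qualified):
    """Strip the XML namespace: '{http://www.w3.org/2000/svg}script' -> 'script'."""
    return qualified.rsplit("}", 1)[-1].lower()

def triage_svg(data):
    """Return a list of findings for one SVG blob; an empty list means clean."""
    findings = []
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"unparseable XML ({exc}); do not trust as an image"]
    for el in root.iter():
        name = local_name(el.tag)
        if name == "script":
            findings.append("inline <script> element")
            if REDIRECT_RE.search(el.text or ""):
                findings.append("script assigns location (browser redirect)")
        elif name == "foreignobject":
            findings.append("<foreignObject> element (HTML embedding)")
        for attr, value in el.attrib.items():
            a = local_name(attr)
            if a in EVENT_ATTRS:
                findings.append(f"event handler attribute {a}")
            if a == "href" and value.strip().lower().startswith("javascript:"):
                findings.append("javascript: URL in href")
    return findings
```

Heavily obfuscated scripts will not match the redirect regex, so the presence of any script element or event handler in an image attachment is the finding to act on; the regex only adds context.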

According to data compiled by Cofense, the use of QR codes accounted for 57% of campaigns with advanced Tactics, Techniques, and Procedures (TTPs) in 2024. Other notable methods include the use of password-protected archive attachments in emails to get around secure email gateways (SEG).

“By password-protecting the archive, threat actors prevent SEGs and other methods from scanning its contents and detecting what is typically a clearly malicious file,” Cofense researcher Max Gannon said.
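Because the gateway cannot decompress an encrypted member, the usable control is to detect that a ZIP attachment is encrypted at all and apply policy before delivery. The check below is an added example for this article, not Cofense's or any vendor's tooling; the archives it inspects are constructed in memory, and since the standard library cannot write encrypted ZIPs the encryption flag bit is set by hand on the constructed sample.

```python
"""Flag password-protected ZIP attachments, which a gateway cannot inspect.
Added example for this article, not Cofense's or any vendor's tooling; it walks
the ZIP local file headers directly instead of trusting the central directory."""
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"
# After the signature: version, flags, method, mtime, mdate, crc32, csize, usize, name len, extra len.
LOCAL_FMT = "<HHHHHIIIHH"
RISKY_EXT = (".exe", ".js", ".vbs", ".lnk", ".scr", ".ps1", ".bat", ".hta")

def scan_zip_headers(data):
    """Return [(name, encrypted, method)] for each local file header in data."""
    entries = []
    pos = 0
    while True:
        pos = data.find(LOCAL_SIG, pos)
        if pos < 0 or pos + 30 > len(data):
            break
        (_ver, flags, method, _t, _d, _crc, csize, _usize,
         name_len, extra_len) = struct.unpack_from(LOCAL_FMT, data, pos + 4)
        name = data[pos + 30:pos + 30 + name_len].decode("utf-8", "replace")
        # Bit 0 of the flags = traditional PKWARE encryption; method 99 = WinZip AES.
        encrypted = bool(flags & 0x0001) or method == 99
        entries.append((name, encrypted, method))
        # Skip the member body; if bit 3 is set csize is 0 and find() re-syncs.
        pos += 30 + name_len + extra_len + csize
    return entries

def flag_attachment(data):
    """Policy: any encrypted member, or a risky file type inside, is flagged."""
    reasons = []
    for name, encrypted, _method in scan_zip_headers(data):
        if encrypted:
            reasons.append(f"{name}: encrypted, content cannot be scanned")
        if name.lower().endswith(RISKY_EXT):
            reasons.append(f"{name}: executable or script inside archive")
    return reasons

def build_sample(member_name, encrypted):
    """Constructed archive; the encryption flag bit is set by hand (stdlib cannot write it)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, b"placeholder bytes, not a real program")
    data = bytearray(buf.getvalue())
    if encrypted:
        data[6] |= 0x01  # general-purpose flags sit at offset 6 of the first header
    return bytes(data)
```

Member names are stored in clear even when the contents are encrypted, which is why the file-type check still works on a password-protected archive.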
