A new malware distribution campaign leveraging public GitHub repositories as a delivery infrastructure for various malicious payloads has been uncovered by security researchers from Cisco Talos.
The operation utilizes the Amadey botnet and Emmenhtal loaders to deliver malware, including SmokeLoader, Lumma and AsyncRAT, to compromised systems.
Emmenhtal Loaders Found Outside Email Campaigns
In an advisory published earlier today, Cisco Talos stated that it initially observed the Emmenhtal loader in early February 2025, within phishing emails targeting Ukrainian organizations. These messages included compressed attachments with JavaScript files designed to deploy SmokeLoader.
However, further analysis revealed additional Emmenhtal variants uploaded directly to public GitHub repositories, bypassing email-based distribution altogether. Unlike the initial campaign, these samples delivered Amadey, which subsequently downloaded secondary payloads from GitHub.
The cybersecurity firm found that these GitHub-hosted campaigns were likely part of a larger malware-as-a-service (MaaS) operation.
Operators used GitHub as an open directory, exploiting the platform’s accessibility to host payloads, tools and plugins associated with Amadey. Because GitHub is often allowed in enterprise environments, malicious downloads from it are more challenging to detect.
Cisco Talos researchers identified three main accounts tied to the campaign:
- Legendary99999, hosting over 160 repositories filled with malware payloads
- DFfe9ewf, likely a test account containing toolkits like Selenium WebDriver and DInvoke
- Milidmdds, containing malicious JavaScript scripts and a custom Python variant of Emmenhtal
Files hosted by these accounts were structured to be downloaded via direct GitHub URLs, allowing Amadey to fetch and execute them post-infection.
Technical Links Between Campaigns
Despite different distribution methods, the Emmenhtal scripts found in GitHub repositories mirrored those used in the earlier Ukrainian-targeted phishing campaign.
They featured the same four-layer architecture, comprising:
- Obfuscated JavaScript
- ActiveXObject-based PowerShell launcher
- AES-encrypted blob
- Final PowerShell downloader targeting specific IPs
The campaign also employed variants disguised as MP4 files and a unique Python-based loader, “checkbalance.py,” which pretended to check cryptocurrency account balances before launching an identical PowerShell chain.
To defend against similar threats, organizations should implement strict filtering for script-based attachments, monitor PowerShell execution and evaluate GitHub access policies where feasible. Defense-in-depth and behavioral monitoring can help detect unusual download patterns or payload execution.
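As an added illustration of the "unusual download patterns" point above (example code written for this article, not Cisco Talos tooling), the script below scans web-proxy log lines for direct GitHub file fetches and flags two patterns described in the report: executable or script files pulled over raw/release URLs by a non-browser client, and one host fetching from several distinct repositories in quick succession, which is what an open-directory style payload download looks like. The log format, client IPs, account names, repository names and user-agent strings are all constructed for the example; adapt the parser and thresholds to your own proxy's format.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample proxy log (not real traffic, not from the Talos advisory):
# "<timestamp> <client_ip> <method> <url> <user_agent>"
SAMPLE_LOG = """\
2025-02-10T09:01:02Z 10.0.0.5 GET https://github.com/example-org/docs/blob/main/README.md Mozilla/5.0
2025-02-10T09:02:15Z 10.0.0.5 GET https://raw.githubusercontent.com/acct-a/repo1/main/update.exe WindowsPowerShell/5.1
2025-02-10T09:02:16Z 10.0.0.5 GET https://raw.githubusercontent.com/acct-a/repo2/main/plugin.dll WindowsPowerShell/5.1
2025-02-10T09:02:17Z 10.0.0.5 GET https://github.com/acct-a/repo3/releases/download/v1/tool.zip WindowsPowerShell/5.1
2025-02-10T09:05:00Z 10.0.0.9 GET https://github.com/example-org/app/releases/download/v2.0/app-installer.msi Mozilla/5.0
2025-02-10T09:06:00Z 10.0.0.9 GET https://raw.githubusercontent.com/example-org/app/main/setup.ps1 Mozilla/5.0
"""

# File types worth a second look when fetched straight from a repository.
RISKY_EXT = {".exe", ".dll", ".msi", ".zip", ".ps1", ".js", ".vbs", ".py", ".bat"}
# User agents we treat as expected clients (browser, git, GitHub tooling); assumption for the example.
KNOWN_CLIENT_UA = re.compile(r"^(Mozilla/|git/|GitHub)")
# github.com paths that serve file content rather than a rendered page.
RAW_PATH = re.compile(r"/(raw|releases/download)/")


def parse_line(line):
    """Split one constructed log line into its fields; returns None on a malformed line."""
    parts = line.split(None, 4)
    if len(parts) != 5:
        return None
    ts, client, method, url, ua = parts
    return {"ts": ts, "client": client, "method": method, "url": url, "ua": ua}


def repo_of(url):
    """Return 'owner/repo' for a GitHub URL, or None for other hosts."""
    p = urlparse(url)
    if p.hostname not in ("github.com", "raw.githubusercontent.com"):
        return None
    segs = [s for s in p.path.split("/") if s]
    return "/".join(segs[:2]) if len(segs) >= 2 else None


def is_direct_download(url):
    """True when the URL returns raw file bytes instead of a rendered GitHub page."""
    p = urlparse(url)
    if p.hostname == "raw.githubusercontent.com":
        return True
    return p.hostname == "github.com" and RAW_PATH.search(p.path) is not None


def has_risky_extension(url):
    path = urlparse(url).path.lower()
    return any(path.endswith(ext) for ext in RISKY_EXT)


def analyze(log_text, repo_threshold=3):
    """Return a list of (client_ip, reason, detail) findings over the log text."""
    findings = []
    repos_per_client = defaultdict(set)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or not is_direct_download(ev["url"]):
            continue
        repo = repo_of(ev["url"])
        if repo:
            repos_per_client[ev["client"]].add(repo)
        # Pattern 1: executable/script content fetched by something other than a known client.
        if has_risky_extension(ev["url"]) and not KNOWN_CLIENT_UA.match(ev["ua"]):
            findings.append((ev["client"],
                             "non-browser client fetched executable/script from GitHub",
                             ev["url"]))
    # Pattern 2: one host pulling files from many unrelated repositories (open-directory style).
    for client, repos in repos_per_client.items():
        if len(repos) >= repo_threshold:
            findings.append((client,
                             f"direct downloads from {len(repos)} distinct repositories",
                             ", ".join(sorted(repos))))
    return findings


if __name__ == "__main__":
    for client, reason, detail in analyze(SAMPLE_LOG):
        print(f"{client}: {reason} ({detail})")
```

On the constructed sample, the script reports the three PowerShell-agent downloads from 10.0.0.5 and that host's fan-out across three repositories, while the browser-driven installer and script fetches from 10.0.0.9 are left alone; the threshold and user-agent allowlist are the knobs to tune against your own baseline of legitimate GitHub use.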
Talos has reported the identified accounts to GitHub, which swiftly removed the content.