A sophisticated Malware-as-a-Service (MaaS) operation has emerged that abuses the trusted GitHub platform to distribute malicious payloads, marking a significant evolution in cybercriminal tradecraft.
The operation uses fake GitHub accounts to host an arsenal of malware tools, plugins, and payloads, capitalizing on GitHub's widespread acceptance in enterprise environments to bypass conventional web filtering.
The campaign targets Ukrainian entities through carefully crafted phishing emails carrying compressed archive attachments.
These archives conceal JavaScript files that use several layers of obfuscation to hide PowerShell downloaders, ultimately delivering the Amadey malware and its associated tooling.
Figure: First layer of obfuscation (Source: Cisco Talos)
The operation's infrastructure shows notable sophistication, using public GitHub repositories as open directories for staging custom payloads across several malware families.
The attack first drew attention through its connection to a separate SmokeLoader phishing campaign that also targeted Ukrainian organizations.
However, Cisco Talos analysts identified the broader scope of the operation in April 2025, revealing it to be a full MaaS platform.
The researchers found that the same Emmenhtal loader variant used in the SmokeLoader campaign was being repurposed to deliver Amadey payloads and other malicious tools.
What makes this operation particularly concerning is its abuse of GitHub's legitimate infrastructure.
Figure: Legendary99999 GitHub account overview (Source: Cisco Talos)
The threat actors created three primary accounts, Legendary99999, DFfe9ewf, and Milidmdds, each serving a distinct role within the malware distribution network.
Figure: Milidmdds GitHub account overview (Source: Cisco Talos)
The most active account, Legendary99999, contained over 160 repositories with randomized names, each hosting a single malicious file in its "Releases" section.
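Because the staging pattern described above (a throwaway account, a randomly named repository, a single file under "Releases", fetched by a script rather than a browser) is visible in ordinary web proxy logs, it can be hunted for directly. The following is an added example written for this article, not tooling from Cisco Talos or GitHub: it parses constructed proxy log lines in an assumed format and flags GitHub release downloads that match any of three heuristics. The three account names are the ones reported above; the user-agent list, the log format and the name-randomness threshold are assumptions.

```python
"""Flag GitHub "Releases" downloads that look like payload staging.

Added example, not Cisco Talos' tooling: the proxy log format, the
user-agent list and the randomness threshold are assumptions. The three
account names are the ones reported in the article.
"""
import math
import re
from urllib.parse import urlparse

# Accounts named in the Talos report.
KNOWN_ACCOUNTS = {"Legendary99999", "DFfe9ewf", "Milidmdds"}

# Constructed proxy log lines (assumed format):
# <timestamp> <src_ip> <method> <url> <status> <user-agent...>
SAMPLE_LOG = """\
2025-04-10T09:12:01Z 10.0.0.15 GET https://github.com/Legendary99999/Ae3Kq9/releases/download/v1/run.exe 200 WindowsPowerShell/5.1.19041.1
2025-04-10T09:13:44Z 10.0.0.22 GET https://github.com/torvalds/linux/archive/refs/heads/master.zip 200 Mozilla/5.0 (Windows NT 10.0) Chrome/123.0
2025-04-10T09:15:02Z 10.0.0.31 GET https://github.com/someuser/xK9qZ2/releases/download/r/putty.exe 200 curl/8.5.0
2025-04-10T09:16:10Z 10.0.0.40 GET https://github.com/microsoft/vscode/releases/download/1.88.0/VSCodeSetup.exe 200 Mozilla/5.0 (Windows NT 10.0) Edge/123.0
"""

RELEASE_PATH_RE = re.compile(r"^/([^/]+)/([^/]+)/releases/download/")
# Non-browser clients a script stage would typically use (assumed list).
SCRIPT_UA_RE = re.compile(r"PowerShell|WScript|curl|wget|python-requests", re.I)


def shannon_entropy(text):
    """Bits per character of the string."""
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_random(name):
    """Heuristic for machine-generated repo names: short, mixed case plus
    digits, and high per-character entropy. The threshold is assumed."""
    return (
        len(name) <= 12
        and re.search(r"[a-z]", name) is not None
        and re.search(r"[A-Z]", name) is not None
        and re.search(r"[0-9]", name) is not None
        and shannon_entropy(name) > 2.5
    )


def classify(line):
    """Return (url, reasons) for a suspicious GitHub release download, else None."""
    parts = line.split(maxsplit=5)
    if len(parts) < 6:
        return None
    url, user_agent = parts[3], parts[5]
    parsed = urlparse(url)
    if parsed.hostname != "github.com":
        return None
    m = RELEASE_PATH_RE.match(parsed.path)
    if not m:
        return None
    owner, repo = m.group(1), m.group(2)
    reasons = []
    if owner in KNOWN_ACCOUNTS:
        reasons.append("known-account")
    if SCRIPT_UA_RE.search(user_agent):
        reasons.append("script-user-agent")
    if looks_random(repo):
        reasons.append("random-repo-name")
    return (url, reasons) if reasons else None


def scan_log(log_text):
    """Run classify() over every line and collect the hits."""
    hits = []
    for line in log_text.splitlines():
        result = classify(line)
        if result:
            hits.append(result)
    return hits


if __name__ == "__main__":
    for url, reasons in scan_log(SAMPLE_LOG):
        print(url, "->", ", ".join(reasons))
```

On the constructed log, the two release downloads fetched by PowerShell and curl from randomly named repositories are flagged, while the browser download of a well-known project's release is not. The account watchlist is the weakest signal, since accounts are cheap to replace; the script user-agent and repository-name heuristics are the ones worth keeping in a detection rule.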
Advanced Infection Mechanism and Multi-Stage Payload Delivery
The Emmenhtal loader serves as the primary infection vector, using a four-layer obfuscation scheme that demonstrates advanced evasion capabilities.
The first layer defines a series of two-letter variables mapped to numeric values, which are applied to a long string of comma-separated values stored in a randomly named variable such as "qiXSF".
This initial obfuscation layer effectively hides the malicious code from basic static analysis tools.
The second layer uses the ActiveXObject function to execute an encoded PowerShell command via WScript.Shell, while the third layer contains a PowerShell command with an AES-encrypted binary blob.
The final layer decrypts and executes a further AES-encrypted PowerShell script that initiates the download of the next-stage payload from hardcoded IP addresses, including 185.215.113.16 and 185.215.113.43.
This multi-stage approach allows the malware to deliver a variety of payloads, including information stealers such as Rhadamanthys, Lumma, and Redline, as well as remote access trojans such as AsyncRAT.
The operation's adaptability is further demonstrated by its ability to deliver legitimate tools such as PuTTY.exe alongside malicious payloads, showcasing the MaaS model's flexibility in meeting varied customer requirements.
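The first two layers described above leave structural traces that a static scanner can look for even when the variable names change: a cluster of two-letter variables bound to integer literals, a long quoted string of comma-separated small integers, a WScript.Shell object obtained through ActiveXObject, and a PowerShell command line carrying an encoded-command switch. The following is an added example written for this article, not Talos' detection logic: it scores a JavaScript source for those four indicators over two constructed samples. The regexes, the thresholds and both samples are assumptions; the "encoded" command in the sample is a placeholder string, not a payload.

```python
"""Score JavaScript for the Emmenhtal-style obfuscation the article describes.

Added example, not Cisco Talos' detection logic: the regexes, thresholds
and the constructed samples are assumptions.
"""
import re

# Layer 1: many two-letter variables bound to integer literals.
TWO_LETTER_NUM_RE = re.compile(r"(?<![A-Za-z0-9_])[A-Za-z]{2}\s*=\s*\d+(?![A-Za-z0-9_])")
# Layer 1: a long quoted string of comma-separated small integers (encoded bytes).
NUMERIC_CSV_RE = re.compile(r"[\"'](?:\d{1,3}\s*,\s*){20,}\d{1,3}[\"']")
# Layer 2: WScript.Shell obtained through ActiveXObject.
WSH_RE = re.compile(r"ActiveXObject\s*\(\s*[\"']WScript\.Shell[\"']\s*\)")
# Layer 2: a PowerShell invocation with an encoded-command switch.
PS_ENCODED_RE = re.compile(
    r"powershell(?:\.exe)?[^\"'\n]*?\s-(?:e|ec|enc|encodedcommand)\b", re.I
)

MIN_TWO_LETTER_VARS = 5  # assumed threshold
MIN_SCORE = 3            # assumed: indicators needed to call a file suspicious

# Constructed sample shaped like the described loader: numeric-bound
# two-letter variables, a byte-array string in a randomly named variable,
# and a WScript.Shell launch of an "encoded" PowerShell command. The
# encoded command is a placeholder, not a real payload.
SAMPLE_OBFUSCATED = (
    "var aB=3,cD=7,eF=1,gH=9,iJ=2,kL=5;\n"
    'var qiXSF="'
    + ",".join(str(b) for b in b"constructed-placeholder-bytes-for-the-detector")
    + '";\n'
    'var sh=new ActiveXObject("WScript.Shell");\n'
    'sh.Run("powershell -nop -w hidden -enc BASE64_PLACEHOLDER",0,false);\n'
)

# Constructed benign sample: ordinary script with a short numeric array.
SAMPLE_BENIGN = (
    "var total=0;\n"
    "for (var i=0;i<10;i++){total+=i;}\n"
    "var ports=[80,443,8080];\n"
    "console.log(total, ports);\n"
)


def score_js(source):
    """Return per-indicator booleans, the number that fired, and a verdict."""
    indicators = {
        "two_letter_numeric_vars": len(TWO_LETTER_NUM_RE.findall(source)) >= MIN_TWO_LETTER_VARS,
        "numeric_csv_blob": NUMERIC_CSV_RE.search(source) is not None,
        "wscript_shell": WSH_RE.search(source) is not None,
        "powershell_encoded": PS_ENCODED_RE.search(source) is not None,
    }
    score = sum(indicators.values())
    return {"indicators": indicators, "score": score, "suspicious": score >= MIN_SCORE}


if __name__ == "__main__":
    for label, sample in (("obfuscated", SAMPLE_OBFUSCATED), ("benign", SAMPLE_BENIGN)):
        result = score_js(sample)
        print(label, result["score"], result["suspicious"], result["indicators"])
```

Scoring on several independent indicators rather than any single string is what keeps the rule useful once the actor renames variables or swaps the encoding: the numeric-CSV and two-letter-variable patterns survive renaming, and the WScript.Shell plus encoded-PowerShell pair is what the loader needs to hand off to layer three regardless of how layer one is dressed up.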