Cisco Talos has uncovered a multi-pronged Malware-as-a-Service (MaaS) operation exploiting public GitHub repositories to distribute a wide array of malware, including Amadey, SmokeLoader, and AsyncRAT. The operation makes use of the Emmenhtal loader, a sophisticated, multilayered downloader originally used in phishing campaigns and now observed in malicious GitHub repositories.
“Talos assessed the JavaScript downloaders to be the Emmenhtal loader, based on notable similarities between the obfuscation methods observed… and those described by Orange Cyberdefense,” the report states.
The campaign began in early February 2025 with invoice and billing-themed phishing emails targeting Ukrainian entities. These messages carried ZIP, 7Zip, or RAR attachments containing obfuscated JavaScript downloaders. Once executed, they launched a PowerShell script to download SmokeLoader.
“The execution of the JavaScript and PowerShell script resulted in the download and execution of SmokeLoader on the victim system,” the report explains.
Further investigation revealed additional Emmenhtal samples hosted on public GitHub repositories, not delivered via email. Instead of SmokeLoader, these samples downloaded Amadey, a modular bot first spotted in 2018 on Russian-speaking forums.
Talos discovered three key GitHub accounts—Legendary99999, DFfe9ewf, and Milidmdds—used to host payloads and plugins for Amadey. The Legendary99999 account alone contained over 160 repositories with randomized names, each hosting files in the “Releases” section that could be pulled directly via URL.
“By hosting these files in a GitHub repository, they can easily be downloaded… Once a host was infected with Amadey, the operators of this service could choose the payload to be delivered.”
Payloads included:
- Amadey
- Redline, Lumma, and Rhadamanthys infostealers
- AsyncRAT
- Even legitimate binaries, like PuTTY.exe, to aid lateral movement or avoid detection
The Emmenhtal loader is a four-stage downloader:
- Initial JavaScript with obfuscated variable mappings
- A hidden PowerShell launcher using ActiveXObject
- AES-encrypted PowerShell blob
- Final PowerShell that fetches malware from a hard-coded IP
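Added here as a defender's illustration, not code from the Talos report: a small Python triage heuristic that checks a script for the stage markers listed above (an ActiveXObject shell launcher, a hidden PowerShell invocation, an AES primitive, a long encoded blob, and a hard-coded IP URL). The patterns are assumptions about how each stage typically surfaces in script text, both samples are constructed, and 203.0.113.10 is a documentation address.

```python
import re

# Each pattern is an assumed textual marker for one loader stage; none of
# these are signatures taken from the report. Adjust to local telemetry.
INDICATORS = {
    "activex_shell": re.compile(
        r"ActiveXObject\s*\(\s*['\"]WScript\.Shell['\"]", re.I),
    "hidden_powershell": re.compile(
        r"powershell[^\n]{0,80}?-(?:w|windowstyle)\s*hidden", re.I),
    "aes_primitive": re.compile(
        r"AesCryptoServiceProvider|AesManaged|Cryptography\.Aes\b", re.I),
    "long_encoded_blob": re.compile(r"[A-Za-z0-9+/]{200,}={0,2}"),
    "hardcoded_ip_url": re.compile(
        r"https?://\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?/"),
}


def triage(script: str) -> dict:
    """Return which indicators fired plus a simple additive score."""
    hits = {name: bool(rx.search(script)) for name, rx in INDICATORS.items()}
    hits["score"] = sum(hits.values())
    return hits


def verdict(script: str, threshold: int = 3) -> str:
    """Label a script for analyst review based on how many stages appear."""
    return "suspicious" if triage(script)["score"] >= threshold else "clean"


# Constructed sample shaped like the four stages; the blob is filler, the
# PowerShell string does nothing, and the URL points at a documentation IP.
SUSPECT = (
    'var q1 = new ActiveXObject("WScript.Shell");\n'
    'var blob = "' + "A" * 240 + '";\n'
    'var ps = "New-Object System.Security.Cryptography.AesCryptoServiceProvider";\n'
    'q1.Run("powershell -w hidden " + blob, 0, false);\n'
    '// stage 4 would fetch from http://203.0.113.10/stage.bin\n'
)

# Constructed benign script with none of the stage markers.
BENIGN = (
    'const resp = await fetch("https://api.example.org/v1/status");\n'
    'document.getElementById("out").textContent = await resp.text();\n'
)

if __name__ == "__main__":
    for label, text in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(label, verdict(text), triage(text))
```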
Talos found identical scripts reused across phishing and GitHub samples, revealing a shared toolchain behind seemingly disparate threats.
“Much of the code is the same between all samples… aside from randomized variable and function names.”
Interestingly, some Emmenhtal variants masqueraded as MP4 files, hosted on malicious domains such as pivqmane[.]com. This tactic aligns with observations from Orange Cyberdefense, which noted Emmenhtal samples posing as MP3/MP4 files.
Among the most notable variants was a Python script named “checkbalance.py”, pretending to query cryptocurrency balances. It included an obfuscated lambda function that, when executed, launched a PowerShell downloader nearly identical to the JavaScript version.
“The user is then presented with an error message in Cyrillic… However, the author may have meant ‘no more accounts’ or ‘end of accounts.’”
The script ultimately downloaded Amadey from 185[.]215[.]113[.]16, and contacted its C2 server at hxxp://185[.]215[.]113[.]43/Zu7JuNko/index.php.
Some GitHub repositories also hosted Selenium WebDriver binaries, including ChromeDriver and EdgeDriver. While typically used for automated browser testing, these tools can be repurposed by malware to retrieve payloads, interact with websites, or extract data from a victim’s browser.
“While WebDrivers are helpful for many developers, they can pose a serious security risk when abused.”
The infrastructure used to distribute payloads showed no overlap in C2 servers, suggesting that the operators behind Amadey are distributing custom payloads on behalf of other actors—a defining characteristic of the MaaS business model.
“This distribution of several disparate malware families from a single infrastructure suggests that the threat actors… are distributing payloads for other individuals or groups.”
The accounts and repositories identified have since been taken down by GitHub, thanks to a coordinated takedown effort initiated by Talos.