
SHELBYLOADER & SHELBYC2 Execution Chain | Image: Elastic Security Labs
Elastic Security Labs has uncovered a sophisticated malware family—dubbed SHELBY—that combines GitHub-based C2 infrastructure, anti-analysis techniques, and stealthy persistence to compromise enterprise systems. This malware is at the heart of a targeted intrusion campaign (tracked as REF8685) that has been active in the Middle East, with evidence of tailored spear phishing and infrastructure linked to high-profile regional organizations.
“The SHELBY malware family abuses GitHub for command-and-control, stealing data and retrieving commands,” the report states. “The attacker’s C2 design has a critical flaw: anyone with the PAT token can control infected machines.”
The REF8685 campaign came to light through a phishing email sent from within an Iraq-based telecommunications provider—suggesting that either endpoint or mail server compromise occurred. The email, disguised as an internal discussion on network issues, included a ZIP archive named details.zip, which contained:
Once launched, the binary executed SHELBYLOADER, a malicious DLL that used reflection to decrypt and load another DLL named SHELBYC2—a stealthy backdoor—directly into memory, sidestepping disk-based detection entirely.
SHELBY’s core innovation is its use of private GitHub repositories as a command-and-control (C2) hub. Using Personal Access Tokens (PATs) embedded in the malware binary, infected hosts authenticate to GitHub and interact with attacker-controlled repos by:
- Uploading system fingerprinting data
- Receiving encrypted payloads and commands
- Sending heartbeats via timestamped commits
The infection chain begins with a request to retrieve a decryption key via a GitHub file (License.txt), used to unlock the AES-encrypted backdoor.
However, Elastic analysts found this clever system had a major flaw: “It enables any victim to weaponize the embedded PAT and take control of all active infections… any third party could access infection-related data or take over the infections entirely.”
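Because the PAT is compiled into the dropper, anyone holding the file can recover it, which is also how a defender finds the token and gets it revoked. The following is an added example (not Elastic's code and not SHELBY's) that pulls printable strings from a constructed sample blob and flags GitHub credential formats; the byte layout and the token value are fabricated for the example.

```python
import re

# Token formats GitHub issues: classic PAT "ghp_", OAuth "gho_", user-to-server "ghu_",
# server-to-server "ghs_", refresh "ghr_" (36 alphanumerics after the prefix);
# fine-grained PATs start with "github_pat_" and are much longer.
TOKEN_RE = re.compile(rb"(gh[pousr]_[A-Za-z0-9]{36}|github_pat_[A-Za-z0-9_]{80,})")
KINDS = {b"ghp_": "classic PAT", b"gho_": "OAuth token", b"ghu_": "user-to-server token",
         b"ghs_": "server-to-server token", b"ghr_": "refresh token",
         b"github_pat_": "fine-grained PAT"}

# Constructed stand-in for a dropped binary: PE-like header bytes, a GitHub API URL,
# a hard-coded Authorization header and a filename. The token is fabricated and is
# not a real credential.
SAMPLE_BINARY = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    b"\x00\x01https://api.github.com/repos/\x00\x00"
    b"\x7f\x12Authorization: token ghp_AbCdEfGhIjKlMnOpQrStUvWxYz0123456789\x00"
    b"\x00\x00License.txt\x00\x33\x9a"
)

def extract_strings(data: bytes, min_len: int = 8) -> list[str]:
    """Return printable-ASCII runs of at least min_len bytes (like the `strings` tool)."""
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pat.finditer(data)]

def find_github_tokens(data: bytes) -> list[dict]:
    """Locate embedded GitHub credentials; report offset, kind and a masked preview."""
    hits = []
    for m in TOKEN_RE.finditer(data):
        tok = m.group()
        prefix = tok[:11] if tok.startswith(b"github_pat_") else tok[:4]
        hits.append({
            "offset": m.start(),
            "kind": KINDS[prefix],
            "masked": (tok[:8] + b"..." + tok[-4:]).decode("ascii"),
            "token": tok.decode("ascii"),   # raw value kept only to hand to revocation
        })
    return hits

def triage(data: bytes) -> dict:
    """Summarise why a sample is suspicious: GitHub API strings plus embedded tokens."""
    strs = extract_strings(data)
    return {
        "github_strings": [s for s in strs if "github.com" in s],
        "tokens": find_github_tokens(data),
    }

if __name__ == "__main__":
    for t in find_github_tokens(SAMPLE_BINARY):
        print(f"offset {t['offset']:#06x}: {t['kind']} {t['masked']}")
```

A hit from a sample like this is a reason to report the token to GitHub for revocation, which cuts off the attacker's C2 and every other party who extracted the same secret.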
SHELBYLOADER implements seven sandbox detection techniques, including:
- WMI Queries for virtualization indicators
- Process enumeration (e.g., vmtools, vboxservice)
- File system checks for VM driver files
- Disk size analysis
- Parent process checks
- Sleep time deviation detection
- Video controller name checks
Only after these checks pass does the malware download its next-stage payload—an evasion technique that ensures only non-sandboxed, real environments get fully infected.
SHELBY malware can perform various malicious activities, including:
- Stealing data from infected machines
- Executing arbitrary commands
- Establishing persistence on infected systems
- Evading detection using anti-sandbox techniques
While the SHELBY malware family may be in early development—evidenced by dead code, limited obfuscation, and low detection rates—its deployment in the wild is anything but amateur.
Elastic Security Labs warns: “Using this malware, whether by an authorized red team or a malicious actor, would constitute malpractice.”
By relying on mainstream infrastructure like GitHub and embedding secrets directly into binaries, the attackers have exposed their operations to takeover by anyone with the right tools.