Hackers Use GitHub Repositories to Host Amadey Malware and Data Stealers, Bypassing Filters
Briefly

Threat actors abused public GitHub repositories to distribute the Amadey malware in a campaign observed in April 2025. They used fake GitHub accounts to host malicious payloads, tools, and Amadey plugins, likely to evade web filters that treat GitHub as a trusted domain. The campaign resembled an earlier email phishing campaign linked to SmokeLoader. Emmenhtal is a malware loader that delivers a variety of payloads, whereas Amadey has broader capabilities, including collecting system information and loading DLL plugins that add features such as credential theft. The three malicious GitHub accounts identified in this activity have since been removed.
The operators of the malware-as-a-service (MaaS) used fake GitHub accounts to host payloads, tools, and Amadey plugins, likely in an attempt to bypass web filtering and for ease of use.
The activity shares tactical similarities with a February 2025 email phishing campaign that used invoice payment and billing-related lures to distribute SmokeLoader via Emmenhtal.
Both Emmenhtal and Amadey function as downloaders for secondary payloads such as information stealers, although Amadey has also been observed delivering ransomware such as LockBit 3.0.
Cisco Talos' analysis of the April 2025 campaign has uncovered three GitHub accounts used to host Amadey plugins, secondary payloads, and other malicious attack scripts.
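The filter-evasion point above comes down to trust placed in a domain: a web filter that allows github.com and raw.githubusercontent.com because developers need them will also pass an executable staged in a throwaway repository. The following Python is an added example, not code from the article or from Cisco Talos, that replays constructed proxy-log lines (all hosts, paths, and user agents are made up) through a purely domain-based decision and then through a content-aware rule that combines file extension, content type, and user agent to flag payload-like fetches from code-hosting sites while leaving ordinary browsing and git traffic alone.

```python
"""Added example (not from the article or Cisco Talos): show why a domain
allow-list passes payloads staged on code-hosting sites, and how a
content-aware rule over proxy logs can flag them instead.
Hosts, paths and user agents in the sample log are constructed."""
from dataclasses import dataclass
import posixpath
import re

# Hosts that most organizations allow because developers need them.
CODE_HOSTS = {"github.com", "raw.githubusercontent.com", "objects.githubusercontent.com"}
# File types that rarely belong in an end-user's download from a code host.
PAYLOAD_EXTS = {".exe", ".dll", ".scr", ".bat", ".ps1", ".vbs", ".zip"}
BINARY_TYPES = {"application/octet-stream", "application/x-msdownload", "application/zip"}
# Rough shape of a modern browser user agent; anything else is treated as a script or tool.
BROWSER_UA = re.compile(r"Mozilla/5\.0 .*\b(Chrome|Firefox|Safari|Edg)/")


@dataclass
class ProxyEvent:
    timestamp: str
    host: str
    path: str
    content_type: str
    user_agent: str


@dataclass
class Finding:
    timestamp: str
    url: str
    reasons: list


# Constructed tab-separated proxy log: time, host, path, content-type, user-agent.
SAMPLE_LOG = """\
2025-04-10T09:12:01Z\tgithub.com\t/example-org/project/blob/main/README.md\ttext/html\tMozilla/5.0 (Windows NT 10.0) Chrome/124.0
2025-04-10T09:13:44Z\traw.githubusercontent.com\t/example-user/repo/main/update.exe\tapplication/octet-stream\tMozilla/4.0 (compatible; MSIE 7.0)
2025-04-10T09:13:59Z\traw.githubusercontent.com\t/example-user/repo/main/cred.dll\tapplication/octet-stream\tWindowsPowerShell/5.1
2025-04-10T09:20:05Z\tgithub.com\t/example-org/project.git/info/refs\tapplication/x-git-upload-pack-advertisement\tgit/2.44.0
"""


def parse_log(text):
    """Parse the constructed log format into ProxyEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, path, ctype, ua = line.split("\t", 4)
        events.append(ProxyEvent(ts, host.lower(), path, ctype.lower(), ua))
    return events


def domain_allowlist_allows(event):
    """Decision a purely domain-based web filter makes: allowed if the host is trusted."""
    return event.host in CODE_HOSTS


def classify(event):
    """Collect independent signals that a fetch looks like a staged payload."""
    reasons = []
    ext = posixpath.splitext(event.path)[1].lower()
    if ext in PAYLOAD_EXTS:
        reasons.append(f"payload-like extension {ext}")
    if event.content_type in BINARY_TYPES:
        reasons.append(f"binary content type {event.content_type}")
    if not BROWSER_UA.match(event.user_agent):
        reasons.append("non-browser user agent")
    return reasons


def flag_suspicious(events, min_signals=2):
    """Flag fetches from code hosts that carry at least min_signals payload indicators."""
    findings = []
    for e in events:
        if e.host not in CODE_HOSTS:
            continue
        reasons = classify(e)
        if len(reasons) >= min_signals:
            findings.append(Finding(e.timestamp, f"https://{e.host}{e.path}", reasons))
    return findings


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for e in evs:
        verdict = "allow" if domain_allowlist_allows(e) else "block"
        print(e.timestamp, e.host + e.path, "domain filter:", verdict)
    for f in flag_suspicious(evs):
        print("FLAG", f.timestamp, f.url, "; ".join(f.reasons))
```

Every line in the sample passes the domain allow-list, but only the two raw-file fetches of an .exe and a .dll by non-browser clients reach the two-signal threshold; the README view and the git clone handshake do not. Requiring more than one signal is the deliberate trade-off: a single indicator such as a non-browser user agent is normal for developer tooling, so the rule should be tuned against a baseline of legitimate traffic before it is used to alert or block.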
Read at The Hacker News