Botnet Exploits GitHub Repositories to Distribute Malware

Hackers Leverage Amadey Botnet to Spread Malware via Fake GitHub Accounts

In a recent analysis by Cisco Talos, cybersecurity researchers unveiled a concerning trend in the use of public GitHub repositories for distributing malware, specifically through the Amadey botnet. This ongoing campaign appears to be part of a broader malware-as-a-service (MaaS) operation. The perpetrators established fake GitHub accounts to host malicious payloads and tools, exploiting the platform’s legitimate traffic to evade detection mechanisms.

The attackers have targeted organizations in Ukraine, utilizing techniques reminiscent of earlier phishing campaigns observed in early 2025 that employed SmokeLoader malware. In that scenario, phishing emails with invoice themes and JavaScript-based loaders were deployed. The latest operation mirrors these strategies by introducing a multistage loader called Emmenhtal, which is responsible for delivering the Amadey bot. This approach leverages the trusted environment of GitHub, complicating efforts for defenders to distinguish between legitimate and malicious traffic.

Emmenhtal, also referred to as PEAKLIGHT, employs obfuscation techniques involving layers of JavaScript and PowerShell scripts to execute its final payloads. Delivered payloads include Amadey, AsyncRAT, and PuTTY, reflecting a MaaS model that distributes different malware families to different customers. Within this campaign, the researchers identified Emmenhtal variants masquerading as MP4 files, further enhancing their evasion tactics.

The fake GitHub accounts, particularly one named “Legendary99999,” served as primary distribution points, hosting over 160 repositories with unique payloads. These ranged from common infostealers like Redline to legitimate software such as PuTTY.exe, which could facilitate post-exploitation activities. This misuse of GitHub poses significant risks for organizations, especially in environments where GitHub access is commonplace, making any malicious download challenging to detect against the backdrop of normal web traffic.

In response to these threats, Cisco Talos reported the malicious accounts to GitHub, which promptly took them down. However, the discovery of additional linked accounts raises alarms regarding the potential scale and duration of this campaign. One of the more alarming payloads unearthed was a Python script named “checkBalance.py,” disguised as a cryptocurrency utility, which included encoded commands that ultimately downloaded Amadey and reached out to a known command-and-control server.

The presence of Amadey, first identified in 2018 on Russian-speaking forums, underscores its versatility in reconnaissance and payload delivery. This modular bot can gather system information and deploy various plugins for credential harvesting or capturing screenshots. Its integration into the MaaS model exemplifies the pressing threat posed by the exploitation of publicly available infrastructure for malicious purposes.

This incident serves as a stark reminder of how open platforms can be repurposed for covertly distributing malware. Organizations are urged to monitor GitHub traffic closely, restrict access as necessary, and implement advanced threat detection systems to identify unusual downloading patterns and PowerShell execution activities. As the cyber landscape continues to evolve, understanding tactics such as initial access, persistence, and privilege escalation, as outlined in the MITRE ATT&CK framework, becomes vital for fortifying defenses against such sophisticated threats.
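One way to act on the monitoring advice above, as an added example that is not from the Talos report or any vendor tooling: scan web-proxy log lines for GitHub-hosted fetches that look like payload delivery (executable or script extensions, and media-named files served as binary content, matching the MP4 masquerade described), and record how many distinct repositories each account is pulling from. The log format, the repository names and the "exampleorg" account are constructed for this example; only the "Legendary99999" account name comes from the report.

```python
from pathlib import PurePosixPath
from urllib.parse import urlparse

GITHUB_HOSTS = {"github.com", "raw.githubusercontent.com", "objects.githubusercontent.com"}
EXEC_EXT = {".exe", ".dll", ".scr", ".ps1", ".js", ".vbs", ".hta", ".bat", ".py"}
MEDIA_EXT = {".mp4", ".mp3", ".jpg", ".png", ".gif", ".pdf"}
BINARY_TYPES = {"application/octet-stream", "application/x-dosexec", "application/x-msdownload"}

# Constructed proxy log lines (not from the report). Fields: time client method url status content-type bytes.
# "Legendary99999" is the account named in the report; repository names and "exampleorg" are placeholders.
SAMPLE_LOG = """\
2025-07-10T09:12:01Z 10.0.0.21 GET https://github.com/Legendary99999/tools-01/releases/download/v1/putty.exe 200 application/octet-stream 1130496
2025-07-10T09:12:44Z 10.0.0.21 GET https://raw.githubusercontent.com/Legendary99999/media-03/main/clip.mp4 200 application/octet-stream 48211
2025-07-10T09:13:05Z 10.0.0.22 GET https://github.com/exampleorg/internal-tool/archive/refs/heads/main.zip 200 application/zip 233000
2025-07-10T09:14:30Z 10.0.0.23 GET https://raw.githubusercontent.com/Legendary99999/util-07/main/checkBalance.py 200 text/plain 5120
2025-07-10T09:15:00Z 10.0.0.24 GET https://raw.githubusercontent.com/exampleorg/docs/main/README.md 200 text/plain 900
"""

def flag_reasons(url, ctype):
    """Reasons a GitHub fetch looks like payload delivery; empty list if it looks benign or is not GitHub."""
    parsed = urlparse(url)
    if parsed.hostname not in GITHUB_HOSTS:
        return []
    ext = PurePosixPath(parsed.path).suffix.lower()
    reasons = []
    if ext in EXEC_EXT:
        reasons.append(f"executable or script ({ext}) fetched from GitHub")
    if ext in MEDIA_EXT and ctype in BINARY_TYPES:
        reasons.append(f"{ext} name served as {ctype} (possible masquerade)")
    return reasons

def scan_log(text):
    """Return (findings, repos_by_account): per-line hits plus the repository fan-out of each account."""
    findings, repos_by_account = [], {}
    for line in text.splitlines():
        f = line.split()
        if len(f) != 7:
            continue
        client, url, ctype = f[1], f[3], f[5]
        parsed = urlparse(url)
        if parsed.hostname in GITHUB_HOSTS:
            segs = parsed.path.strip("/").split("/")
            if len(segs) >= 2:  # on these hosts the first two path segments are account/repo
                repos_by_account.setdefault(segs[0], set()).add(segs[1])
        reasons = flag_reasons(url, ctype)
        if reasons:
            findings.append({"client": client, "url": url, "reasons": reasons})
    return findings, repos_by_account
```

An account that fans out across many repositories while serving executables, as the report describes, stands out in `repos_by_account` even when individual downloads look routine.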
