When a tool is so useful that no one dares to block it, it becomes a magnet for attackers. That is what is happening with GITHUB: public repositories, camouflaged archives, and malicious loads that go unnoticed in corporate environments. Cisco Talos has uncovered a campaign that demonstrates it.

Active since February 2025, this campaign was not an isolated experiment but a  well-structured operation  based on the *malware-as-a-service* model (MaaS). Attack tools are sold as if they were cloud services. In this case, operators used GitHub to distribute malware through seemingly  harmless links .

When the Malicious Code Hides in Full View

“In many environments, a malicious download from GitHub may seem like normal traffic,” Talos researchers explain. There lies the problem: the actors behind this campaign expertly navigated between the legitimate and the harmful without raising suspicions, using the platform owned by Microsoft as an undercover distribution channel.

The process began with Emmenhtal, a  Loader designed to act in layers . Three of these layers were specifically responsible for concealing the malicious code. Only at the end of the process did a Powershell script execute, which contacted a remote address to download the real payload.

The payload was Amadey, a malware known since 2018 in Russian-speaking forums. Its primary function is to collect information from the infected system and download additional files based on the profile of the equipment. Notably, these files did not originate from any well-known sources.

One of the most active accounts, legendary99999, hosted over  160 repositories  with random names, each containing a single malicious file in its release section. From there, attackers could send direct links to victims, masquerading as  legitimate downloads .

GH3 GITHUB Malware

    <span>Legendary 99999999999999 Settle</span>

Legendary9999 was not an isolated case. Talos identified other accounts, such as Milidmdds and DFFE9EWF, which followed a similar pattern: random names, repositories with a harmless appearance, but designed to execute malicious loads. Malware samples such as Rhadamanthys, Lumma, and Redline, or even legitimate tools like Putty and Selenium Webdriver, were detected.

The operation typically maintained the same routine: once a device was infected, Amadey would download the required file from GitHub, tailored to each operator’s needs. The most striking aspect is the  flexibility of the operation , including remote access Trojans like Asyncrat or scripts disguised as MP4 files, and even Python codes with hidden functionalities.

 <img alt="AI Error in Company Identification" width="375" height="142" src="https://i.blogs.es/e0d04d/ia/375_142.jpeg"/>

GitHub acted swiftly. As soon as Talos reported their findings, the accounts were eliminated. However, the underlying issue lies not solely with the platform but with the  strategy behind its utilization : leveraging important and necessary services to conceal malicious activities.

Images | Xataka with Gemini 2.5 Flash | Talos

In Xataka | The “Son in Hurry” scam had wreaked havoc throughout Spain for years. Law enforcement is finally dismantling it.



General News – 2