{"id":156666,"date":"2025-07-18T21:25:05","date_gmt":"2025-07-18T21:25:05","guid":{"rendered":"https:\/\/teknomers.com\/en\/github-is-essential-for-millions-of-users-which-is-why-it-has-become-a-prime-location-for-concealing-malware\/"},"modified":"2025-07-18T21:25:07","modified_gmt":"2025-07-18T21:25:07","slug":"github-is-essential-for-millions-of-users-which-is-why-it-has-become-a-prime-location-for-concealing-malware","status":"publish","type":"post","link":"https:\/\/teknomers.com\/en\/github-is-essential-for-millions-of-users-which-is-why-it-has-become-a-prime-location-for-concealing-malware\/","title":{"rendered":"GitHub is essential for millions of users, which is why it has become a prime location for concealing malware."},"content":{"rendered":"\n<p>When a tool is so useful that no one dares to block it, it becomes a magnet for attackers. That is what is happening with <strong>GITHUB<\/strong>: public repositories, camouflaged archives, and malicious loads that go unnoticed in corporate environments. <a rel=\"noopener, noreferrer nofollow\" href=\"https:\/\/blog.talosintelligence.com\/maas-operation-using-emmenhtal-and-amadey-linked-to-threats-against-ukrainian-entities\/\" target=\"_blank\">Cisco Talos has uncovered a campaign that demonstrates it<\/a>.<\/p>\n<p><!-- BREAK 1 --> <\/p>\n<p>Active since February 2025, this campaign was not an isolated experiment but a \u00a0well-structured operation\u00a0 based on the *malware-as-a-service* model (MaaS). Attack tools are sold as if they were cloud services. In this case, operators used GitHub to distribute malware through seemingly \u00a0harmless links\u00a0.<\/p>\n<p><!-- BREAK 2 --><\/p>\n<h2>When the Malicious Code Hides in Full View<\/h2>\n<p>\u201cIn many environments, a malicious download from GitHub may seem like <strong>normal traffic<\/strong>,\u201d <a rel=\"noopener, noreferrer nofollow\" href=\"https:\/\/blog.talosintelligence.com\/maas-operation-using-emmenhtal-and-amadey-linked-to-threats-against-ukrainian-entities\/#:~:text=a%20malicious%20GitHub%20download%20may%20be%20difficult%20to%20differentiate%20from%20regular%20web%20traffic.\" target=\"_blank\">Talos researchers explain<\/a>. There lies the problem: the actors behind this campaign expertly navigated between the legitimate and the harmful without raising suspicions, using the platform owned by Microsoft as an undercover distribution channel.<\/p>\n<p><!-- BREAK 3 -->  <\/p>\n<p>The process began with Emmenhtal, a \u00a0Loader designed to act in layers\u00a0. Three of these layers were specifically responsible for concealing the malicious code. Only at the end of the process did a Powershell script execute, which contacted a remote address to download the real payload.<\/p>\n<p><!-- BREAK 4 --><\/p>\n<p>The payload was <a rel=\"noopener, noreferrer nofollow\" href=\"https:\/\/www.checkpoint.com\/cyber-hub\/threat-prevention\/what-is-botnet\/amadey-botnet\/\" target=\"_blank\">Amadey<\/a>, a malware known since 2018 in Russian-speaking forums. Its primary function is to collect information from the infected system and <strong>download additional files<\/strong> based on the profile of the equipment. Notably, these files did not originate from any well-known sources.<\/p>\n<p><!-- BREAK 5 --><\/p>\n<p>One of the most active accounts, legendary99999, hosted over \u00a0160 repositories\u00a0 with random names, each containing a single malicious file in its release section. From there, attackers could send direct links to victims, masquerading as \u00a0legitimate downloads\u00a0.<\/p>\n<p><!-- BREAK 6 --> <\/p>\n<div class=\"article-asset-image article-asset-normal article-asset-center\">\n<div class=\"asset-content\">\n<div class=\"caption-img \">\n<p>   <img decoding=\"async\" alt=\"GH3 GITHUB Malware\" class=\"centro_sinmarco\" src=\"https:\/\/teknomers.com\/en\/wp-content\/uploads\/2025\/07\/GitHub-is-essential-for-millions-of-users-which-is-why.jpeg\"\/><\/p>\n<pre><code>    &lt;span&gt;Legendary 99999999999999 Settle&lt;\/span&gt;<\/code><\/pre>\n<\/div><\/div>\n<\/div>\n<p>Legendary9999 was not an isolated case. Talos identified other accounts, such as Milidmdds and DFFE9EWF, which followed a similar pattern: random names, <strong>repositories with a harmless appearance<\/strong>, but designed to execute malicious loads. Malware samples such as Rhadamanthys, Lumma, and Redline, or even legitimate tools like Putty and Selenium Webdriver, were detected.<\/p>\n<p><!-- BREAK 7 --><\/p>\n<p>The operation typically maintained the same routine: once a device was infected, Amadey would download the required file from GitHub, tailored to each operator&#8217;s needs. The most striking aspect is the \u00a0flexibility of the operation\u00a0, including remote access Trojans like Asyncrat or scripts disguised as MP4 files, and even Python codes with hidden functionalities.<\/p>\n<p><!-- BREAK 8 --><\/p>\n<div class=\"article-asset article-asset-normal article-asset-center\">\n<div class=\"desvio-container\">\n<div class=\"desvio\">\n<div class=\"desvio-figure js-desvio-figure\">\n<pre><code> &lt;img alt=\"AI Error in Company Identification\" width=\"375\" height=\"142\" src=\"https:\/\/i.blogs.es\/e0d04d\/ia\/375_142.jpeg\"\/&gt;<\/code><\/pre>\n<\/div>\n<\/div><\/div>\n<\/div>\n<p>GitHub acted swiftly. As soon as Talos reported their findings, <strong>the accounts were eliminated<\/strong>. However, the underlying issue lies not solely with the platform but with the \u00a0strategy behind its utilization\u00a0: leveraging important and necessary services to conceal malicious activities.<\/p>\n<p><!-- BREAK 9 --><\/p>\n<p>Images | Xataka with Gemini 2.5 Flash | <a rel=\"noopener, noreferrer nofollow\" href=\"https:\/\/blog.talosintelligence.com\/content\/images\/2025\/07\/GH3.png\" target=\"_blank\">Talos<\/a><\/p>\n<p>In Xataka | The &#8220;Son in Hurry&#8221; scam had wreaked havoc throughout Spain for years. Law enforcement is finally dismantling it.<\/p>\n<p><br \/>\n<br \/><a href=\"https:\/\/teknomers.com\/category\/general\/\" rel=\"dofollow\">General News &#8211; 2<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>When a tool is so useful that no one dares to block it, it becomes a magnet for attackers. That is what is happening with GITHUB: public repositories, camouflaged archives, and malicious loads that go unnoticed in corporate environments. Cisco Talos has uncovered a campaign that demonstrates it. Active since February 2025, this campaign was [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":156667,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[36399],"tags":[25527,23249,36831,2497,39126,2264,2330,9305],"class_list":["post-156666","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-technology","tag-concealing","tag-essential","tag-github","tag-location","tag-malware","tag-millions","tag-prime","tag-users"],"_links":{"self":[{"href":"https:\/\/teknomers.com\/en\/wp-json\/wp\/v2\/posts\/156666","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/teknomers.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/teknomers.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/teknomers.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/teknomers.com\/en\/wp-json\/wp\/v2\/comments?post=156666"}],"version-history":[{"count":0,"href":"https:\/\/teknomers.com\/en\/wp-json\/wp\/v2\/posts\/156666\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/teknomers.com\/en\/wp-json\/wp\/v2\/media\/156667"}],"wp:attachment":[{"href":"https:\/\/teknomers.com\/en\/wp-json\/wp\/v2\/media?parent=156666"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/teknomers.com\/en\/wp-json\/wp\/v2\/categories?post=156666"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/teknomers.com\/en\/wp-json\/wp\/v2\/tags?post=156666"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}