
As part of a campaign observed in April 2025, threat actors leveraged public GitHub repositories to host malicious payloads and distribute them via Amadey.
“MaaS [malware-as-a-service] operators used fake GitHub accounts to host payloads, tools, and Amadey plugins. This is probably an attempt to bypass web filtering and for ease of use,” Cisco Talos researchers Chris Neal and Craig Jackson said in a report released today.
The cybersecurity company said the attack chain leveraged a malware loader called Emmenhtal (aka Peaklight) to deliver Amadey.
The activity shares tactical similarities with an email phishing campaign from February 2025 in which invoice payment and billing-related lures were used to distribute SmokeLoader.
Both Emmenhtal and Amadey act as downloaders for secondary payloads such as information stealers, but the latter has also been observed delivering ransomware such as LockBit 3.0 in the past.
Another important distinction between the two malware families is that, unlike Emmenhtal, Amadey can collect system information and extend its functionality with an array of DLL plugins that enable specific features such as credential and screenshot capture.

Cisco Talos's analysis of the April 2025 campaign found three GitHub accounts (Legenedary99999, DFFE9EWF, and MilIDMDDS) hosting Amadey plugins, secondary payloads, and Lumma Stealer, RedLine Stealer, and Rhadamanthys Stealer. The accounts have since been removed by GitHub.
Some of the JavaScript files found in the GitHub repositories are identical to the Emmenhtal scripts used in the SmokeLoader campaign; the main difference is the payload they download. Specifically, the Emmenhtal loader files in the repositories act as a delivery vector for Amadey, AsyncRAT, and a legitimate copy of PuTTY.exe.
Also discovered in the GitHub repositories is a Python script that represents an evolution of Emmenhtal, incorporating embedded PowerShell commands to download Amadey from a hard-coded IP address.
The GitHub accounts used to stage the payloads are assessed to be part of a larger MaaS operation that abuses Microsoft's code-hosting platform for malicious purposes.
The disclosure comes as Trellix details a phishing campaign propagating another malware loader known as SquidLoader in a cyberattack directed at a financial services agency in Hong Kong. Additional artifacts unearthed by the security vendor suggest that related attacks may be ongoing in Singapore and Australia.
Squid Attack Chain
SquidLoader is a formidable threat because of the array of anti-analysis, anti-sandbox, and anti-debugging techniques packed into it, which allow it to evade detection and hinder investigation efforts. It also establishes communication with a remote server, sends information about the infected host, and injects the next-stage payload.
“SquidLoader employs an attack chain that leads to the deployment of Cobalt Strike Beacons for remote access and control,” said security researcher Charles Crawford. “Its complex anti-analysis, anti-sandboxing and prevention technologies, coupled with its sparse detection rates, pose a major threat to targeted organizations.”
The findings coincide with the discovery of a broad set of social engineering campaigns designed to distribute a wide range of malware families.
Attacks likely carried out by a financially motivated group tracked as UNC5952 leverage email invoice themes to deliver malicious droppers that lead to the deployment of a downloader called Chainverb.
PDF document attacks that use U.S. Social Security Administration (SSA) themes to harvest user credentials and install a trojanized version of ConnectWise ScreenConnect.
Attacks that abuse Amazon Web Services (AWS) infrastructure to bypass detection, integrate Cloudflare Turnstile CAPTCHA validation to create a false sense of legitimacy and security, and leverage a custom Python Flask-based phishing kit to carry out credential theft with minimal technical effort.
Fake login portal attacks that employ ClickFix tactics to deliver Rhadamanthys Stealer and NetSupport RAT.
Phishing emails that use Scalable Vector Graphics (SVG) image files embedding obfuscated JavaScript to redirect victims to attacker-controlled infrastructure, producing realistic messages that evade both user suspicion and traditional detection tools.
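Because SVG is XML, a mail gateway or triage script can check attachments for the active content the SVG lure described above relies on. The following is an added detection example, not code from any of the vendors named on this page; the sample SVGs are constructed here for illustration.

```python
"""Flag SVG attachments that carry active content: script elements, event
handlers, javascript: links, or embedded HTML. Constructed samples only."""
import re
import xml.etree.ElementTree as ET

JS_SCHEME = re.compile(r"^\s*javascript:", re.IGNORECASE)


def _local(qname):
    # ElementTree renders qualified names as '{namespace}name'; keep 'name'.
    return qname.rsplit("}", 1)[-1].lower()


def svg_active_content(svg_bytes):
    """Return a sorted list of reasons the SVG is suspicious (empty = clean).

    A parse failure is reported as a finding too: a malformed attachment
    should be quarantined for review rather than passed through as benign.
    """
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"unparseable-svg: {exc}"]
    findings = set()
    for el in root.iter():
        name = _local(el.tag)
        if name == "script":
            findings.add("script-element")
        elif name == "foreignobject":
            findings.add("foreignObject-element")  # lets HTML ride inside SVG
        elif name in ("iframe", "embed", "object"):
            findings.add(f"embedded-{name}")
        for attr, value in el.attrib.items():
            aname = _local(attr)
            if aname.startswith("on"):          # onload, onclick, ...
                findings.add(f"event-handler:{aname}")
            if aname == "href" and JS_SCHEME.match(value):  # href or xlink:href
                findings.add("javascript-href")
    return sorted(findings)


# Constructed samples: a benign logo and an attachment shaped like the lure.
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">
  <rect width="10" height="10" fill="navy"/></svg>"""
LURE_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="init()">
  <a xlink:href="javascript:void(0)"><text y="10">Open document</text></a>
  <script>/* an obfuscated redirect would sit here */</script></svg>"""

if __name__ == "__main__":
    for label, data in (("benign", BENIGN_SVG), ("lure", LURE_SVG)):
        print(label, svg_active_content(data) or "clean")
```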

According to data compiled by Cofense, QR code usage accounted for 57% of campaigns with advanced tactics, techniques, and procedures (TTPs) in 2024. Other notable methods include the use of password-protected archive attachments to evade secure email gateways (SEGs).
“By password-protecting archives, threat actors prevent SEGs and other methods from scanning their contents and detecting files that are generally clearly malicious,” says Max Gannon, a researcher at Cofense.