Hackers Use GitHub Repositories to Host Amadey Malware and Data Stealers, Bypassing Filters


Activity Timeline

- Jul 16, 18:39 - Cybersecurity News: Microsoft Teams Call Weaponized to Deploy and Exec...
- Jul 17, 10:00 - Cisco Talos Intelligence: MaaS operation using Emmenhtal and Amadey linked t...
- Jul 17, 17:40 - The Hacker News (Primary Article): Hackers Use GitHub Repositories to Host Amadey Mal...
Threat actors are leveraging public GitHub repositories to host malicious payloads and distribute them via Amadey as part of a campaign observed in April 2025.

"The MaaS [malware-as-a-service] operators used fake GitHub accounts to host payloads, tools, and Amadey plug-ins, likely as an attempt to bypass web filtering and for ease of use," Cisco Talos researchers Chris Neal and Craig Jackson said in a report published today.

The cybersecurity company said the attack chains leverage a malware loader called Emmenhtal (aka PEAKLIGHT) to deliver Amadey, which, for its part, downloads various custom payloads from public GitHub repositories operated by the threat actors.

The activity shares tactical similarities with an email phishing campaign that used invoice payment and billing-related lures to distribute SmokeLoader via Emmenhtal in February 2025 in attacks targeting Ukrainian entities. Both Emmenhtal and Amadey function as a downloader for secondary payloads like information stealers, although ...
