Warning: Undefined variable $comments_html in /home/u319666691/domains/cybersecurityboard.com/public_html/_template.php on line 527

Threat Actors Weaponizing GitHub Accounts To Host Payloads, Tools and Amadey Malware Plug-Ins

The operation leverages fake GitHub accounts to host an arsenal of malware tools, plugins, and payloads, capitalizing on GitHub’s widespread corporate acceptance to bypass traditional web filtering mechanisms. The researchers discovered that the same Emmenhtal loader variant used in the SmokeLoader campaign was being repurposed to deliver Amadey payloads and other malicious tools. The operation’s adaptability is further demonstrated by its ability to deliver legitimate tools like PuTTY.exe alongside malicious payloads, showcasing the MaaS model’s flexibility in meeting various client requirements. A sophisticated Malware-as-a-Service operation has emerged that exploits the trusted GitHub platform to distribute malicious payloads, representing a significant evolution in cybercriminal tactics. The operation’s infrastructure demonstrates remarkable sophistication, utilizing public GitHub repositories as open directories for staging custom payloads across multiple malware families. This multi-stage approach allows the malware to deliver diverse payloads including information stealers like Rhadamanthys, Lumma, and Redline, as well as remote access trojans such as AsyncRAT. Cyber Security News is a Dedicated News Platform For Cyber News, Cyber Attack News, Hacking News & Vulnerability Analysis. These archives conceal JavaScript files that employ multiple layers of obfuscation to disguise PowerShell downloaders, ultimately delivering the Amadey malware and its associated tooling. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news. This initial obfuscation layer effectively conceals the malicious code from basic static analysis tools. The Emmenhtal loader serves as the primary infection vector, employing a sophisticated four-layer obfuscation scheme that demonstrates advanced evasion capabilities. The malicious campaign targets Ukrainian entities through carefully crafted phishing emails containing compressed archive attachments. However, Cisco Talos analysts identified the broader scope of the operation in April 2025, revealing its true nature as a comprehensive MaaS platform. The second layer utilizes the ActiveXObject function to execute an encoded PowerShell command through WScript.Shell, while the third layer contains a PowerShell command with an AES-encrypted binary blob. The most active account, Legendary99999, contained over 160 repositories with randomized names, each hosting a single malicious file in the “Releases” section. The threat actors created three primary accounts—Legendary99999, DFfe9ewf, and Milidmdds—each serving distinct purposes within the malware distribution network.

This Cyber News was published on cybersecuritynews.com. Publication date: Fri, 18 Jul 2025 12:30:13 +0000

Cyber News related to Threat Actors Weaponizing GitHub Accounts To Host Payloads, Tools and Amadey Malware Plug-Ins

Threat Actors Weaponizing GitHub Accounts To Host Payloads, Tools and Amadey Malware Plug-Ins - The operation leverages fake GitHub accounts to host an arsenal of malware tools, plugins, and payloads, capitalizing on GitHub’s widespread corporate acceptance to bypass traditional web filtering mechanisms. The researchers discovered that ...
1 month ago Cybersecuritynews.com

25 Best Managed Security Service Providers (MSSP) - 2025 - Pros & Cons: ProsConsStrong threat intelligence & expert SOCs.High pricing for SMBs.24/7 monitoring & rapid incident response.Complex UI and steep learning curve.Flexible, scalable, hybrid deployments.Limited visibility into endpoint ...
2 months ago Cybersecuritynews.com

Staying ahead of threat actors in the age of AI - At the same time, it is also important for us to understand how AI can be potentially misused in the hands of threat actors. In collaboration with OpenAI, today we are publishing research on emerging threats in the age of AI, focusing on identified ...
1 year ago Microsoft.com Kimsuky

Microsoft to End Malware Delivery In Excel XLL Add-ins - Microsoft has revealed plans to end the malicious use of Excel XLL add-ins, which have been used by some to deliver malware. XLL add-ins are files that can be used to add custom functions to Excel spreadsheets. Unfortunately, these add-ins have been ...
2 years ago Bleepingcomputer.com

TeamCity Intrusion Saga: APT29 Suspected Among the Attackers Exploiting CVE-2023-42793 - As part of this analysis, we look at threat actor TTPs employed throughout the intrusion and how they were identified and pieced together by the FortiGuard IR team. The following section of this report focuses on the activities of one of these threat ...
1 year ago Feeds.fortinet.com CVE-2023-42793 APT29

Five best practices for securing Active Directory service accounts - Windows Active Directory (AD) service accounts are prime cyber-attack targets due to their elevated privileges and automated/continuous access to important systems. To support software-specific functions, service accounts require elevated permissions ...
6 months ago Bleepingcomputer.com

New Unfurling Hemlock threat actor floods systems with malware - A threat actor tracked as Unfurling Hemlock has been infecting target systems with up to ten pieces of malware at the same time in campaigns that distribute hundreds of thousands of malicious files. The types of malware delivered this way include ...
1 year ago Bleepingcomputer.com Medusa

Hackers push USB malware payloads via news, media hosting sites - A financially motivated threat actor using USB devices for initial infection has been found abusing legitimate online platforms, including GitHub, Vimeo, and Ars Technica, to host encoded payloads embedded in seemingly benign content. The attackers ...
1 year ago Bleepingcomputer.com

Operation Morpheus took down 593 Cobalt Strike servers used by threat actors - Threat actors actively exploit D-Link DIR-859 router flaw CVE-2024-0769. Experts released PoC exploit code for a critical bug in Progress Telerik Report Servers. Threat actors may have exploited a zero-day in older iPhones, Apple warns. Nation-state ...
1 year ago Securityaffairs.com CVE-2024-0769 CVE-2022-38028 CVE-2023-49103 CVE-2023-46747 CVE-2023-46748 CVE-2023-4966 APT28

Hackers Weaponize Microsoft Visual Studio Add-Ins to Push Malware - Security researchers have warned that hackers may start using Microsoft Visual Studio Tools for Office (VSTO) more often as a method to achieve persistence and execute code on a target machine via malicious Office add-ins. This technique is an ...
2 years ago Bleepingcomputer.com

Multi-Malware 'Cluster Bomb' Campaign Drops Widespread Cyber Havoc - The attacker's approach essentially involves using compressed Microsoft Cabinet files nested within other compressed CAB files - sometimes as many as seven - to distribute a variety of information stealers and malware loaders on victim systems. ...
1 year ago Darkreading.com

Top 10 Best Dynamic Malware Analysis Tools in 2025 - FireEye Malware AnalysisEnterprise-grade solution, zero-day detection, integration with threat intelligence, memory forensics.Enterprise-grade malware detection and forensicsPricing details not publicly available; contact for quote.Yes6. Detux ...
6 months ago Cybersecuritynews.com

APT32 Hackers Weaponizing GitHub to Attack Cybersecurity Professionals & Enterprises - The malware, detected by ThreatBook analysts as Trojan.CobaltGate, employs a multi-stage infection chain beginning with socially engineered GitHub repositories posing as legitimate penetration testing tools. This technique allows the malware to blend ...
4 months ago Cybersecuritynews.com APT3 APT32

What Is Cyber Threat Hunting? - Cyber threat hunting involves proactively searching for threats on an organization's network that are unknown to traditional cybersecurity solutions. A recent report from Armis found that cyber attack attempts increased by 104% in 2023, underscoring ...
1 year ago Techrepublic.com

Threat actors misuse OAuth applications to automate financially driven attacks - Threat actors are misusing OAuth applications as an automation tool in financially motivated attacks. Threat actors compromise user accounts to create, modify, and grant high privileges to OAuth applications that they can misuse to hide malicious ...
1 year ago Microsoft.com

20 Best Endpoint Management Tools - 2025 - What is Good?What Could Be Better?Comprehensive endpoint security against many threats.The user interface may overwhelm some users.Machine learning for real-time threat detection.Integration with existing systems may be complex.A central management ...
5 months ago Cybersecuritynews.com

How To Use YARA Rules To Identify Financial Sector Targeted Attacks - By analyzing multiple samples from the same malware family, security teams can create YARA rules that identify various iterations of the threat, even as attackers attempt to modify their code to evade detection. By scanning network traffic for ...
4 months ago Cybersecuritynews.com Hunters

Critical WordPress Plug-in RCE Bug Exposes Reams of Websites to Takeover - A critical unauthenticated remote control execution bug in a backup plug-in that's been downloaded more than 90,000 times exposes vulnerable WordPress sites to takeover - another example of the epidemic of risk posed by flawed plug-ins for the ...
1 year ago Darkreading.com CVE-2023-6553

Types of Malware and How To Prevent Them - Malware is one of the biggest security threats to any type of technological device, and each type of malware uses unique tactics for successful invasions. Even if you've downloaded a VPN for internet browsing, our in-depth guide discusses the 14 ...
1 year ago Pandasecurity.com

How to Remove Malware + Viruses - Malware removal can seem daunting after your device is infected with a virus, but with a careful and rapid response, removing a virus or malware program can be easier than you think. We created a guide that explains exactly how to rid your Mac or PC ...
1 year ago Pandasecurity.com

Top 7 Cyber Threat Hunting Tools for 2024 - Cyber threat hunting is a proactive security measure taken to detect and neutralize potential threats on a network before they cause significant damage. To seek out this type of threat, security professionals use cyber threat-hunting tools. With ...
1 year ago Techrepublic.com

8 Tips on Leveraging AI Tools Without Compromising Security - Forecasts like the Nielsen Norman Group estimating that AI tools may improve an employee's productivity by 66% have companies everywhere wanting to leverage these tools immediately. How can companies employ these powerful AI/ML tools without ...
1 year ago Darkreading.com

PixPirate: The Brazilian financial malware you can't see, part one - The constantly mutating PixPirate malware has taken that strategy to a new extreme. PixPirate is a sophisticated financial remote access trojan malware that heavily utilizes anti-research techniques. Within IBM Trusteer, we saw several different ...
1 year ago Securityintelligence.com

How to Extract Malware Configurations in a Sandbox - The most sought-after source of these indicators is malware configurations. Malware Sandboxing Leader ANY.RUN handles the heavy lifting of phishing and malware analysis for SOC and DFIR teams and also helps 300,000 professionals use the platform to ...
1 year ago Gbhackers.com