As part of a campaign observed in April 2025, threat actors have been leveraging public GitHub repositories to host malicious payloads and distribute them via Amadey.
“MaaS (Malware-as-a-Service) operators have hosted payloads, tools, and Amadey plugins using fake GitHub accounts, perhaps in an attempt to bypass web filtering,” Cisco Talos researchers Chris Neal and Craig Jackson said in a report published today.
The cybersecurity company said the attack chain leveraged a malware loader called Emmenhtal (aka PEAKLIGHT) to deliver Amadey.
The activity shares tactical similarities with an email phishing campaign from February 2025 that used invoice payment and billing-related lures to distribute SmokeLoader.
Both Emmenhtal and Amadey act as downloaders for secondary payloads such as information stealers, but the latter has also been observed delivering ransomware such as LockBit 3.0 in the past.
Another important distinction between the two malware families is that, unlike Emmenhtal, Amadey can collect system information and extend its functionality with an array of DLL plugins that enable specific features such as credential theft and screenshot capture.
Cisco Talos' analysis of the April 2025 campaign identified three GitHub accounts (Legenedary99999, DFFE9EWF, and MilIDMDDS) hosting Amadey plugins and secondary payloads, including Lumma Stealer, RedLine Stealer, and Rhadamanthys Stealer. The accounts have since been taken down by GitHub.
Some of the JavaScript files found in the GitHub repositories were identical to the Emmenhtal scripts used in the SmokeLoader campaign; the main difference is the payload that gets downloaded. Specifically, the Emmenhtal loader files in the repositories acted as a delivery vector for Amadey, AsyncRAT, and legitimate copies of PuTTY.exe.
Also discovered in the GitHub repositories is a Python script that represents an evolution of Emmenhtal, incorporating embedded PowerShell commands to download Amadey from a hard-coded IP address.
The GitHub accounts used to stage the payloads are assessed to be part of a larger MaaS operation that abuses Microsoft's code hosting platform for malicious purposes.
The disclosure comes as Trellix detailed a phishing campaign propagating another malware loader known as SquidLoader in cyberattacks directed at financial services institutions in Hong Kong. Additional artifacts unearthed by the security vendor suggest that related attacks may be ongoing in Singapore and Australia.
[Figure: SquidLoader attack chain]
SquidLoader is a formidable threat owing to the array of anti-analysis, anti-sandbox, and anti-debugging techniques packed into it, which allow it to evade detection and hinder investigation efforts. It is also capable of establishing communication with a remote server, sending information about the infected host, and injecting the next-stage payload.
“SquidLoader employs an attack chain that leads to the deployment of Cobalt Strike Beacons for remote access and control,” said security researcher Charles Crawford. “Its complex anti-analysis, anti-sandboxing, and prevention technologies, coupled with its sparse detection rates, pose a major threat to targeted organizations.”
The findings coincide with the discovery of a wide range of social engineering campaigns designed to distribute various malware families:
- Attacks likely carried out by a financially motivated group tracked as UNC5952 that leverage invoice-themed emails to deliver malicious droppers, which lead to the deployment of a downloader called CHAINVERB that in turn delivers the ConnectWise ScreenConnect remote access software.
- Attacks that trick recipients with tax-related decoys into clicking on a link that ultimately delivers the ConnectWise ScreenConnect installer under the pretext of opening a PDF document.
- Attacks that use U.S. Social Security Administration (SSA) themes to harvest user credentials and install a trojanized version of ConnectWise ScreenConnect.
- Attacks that leverage a phishing kit called LogoKit to create lookalike login pages hosted on Amazon Web Services (AWS) infrastructure to evade detection, while also incorporating Cloudflare Turnstile CAPTCHA validation to create a false sense of security and legitimacy.
- Attacks that utilize a custom Python Flask-based phishing kit to facilitate credential theft with minimal technical effort.
- Attacks that use QR codes embedded in PDF attachments to direct users to credential-harvesting pages that mimic the Microsoft login portal.
- Attacks that adopt ClickFix tactics to deliver Rhadamanthys Stealer and NetSupport RAT.
- Attacks that use offerings from Cloaking-as-a-Service (CaaS) providers such as Hoax Tech and JS Click Cloaker to hide phishing and malicious websites from security scanners, so that the content is shown only to intended victims, as a way to fly under the radar.
- Attacks that leverage HTML and JavaScript to create realistic-looking malicious emails that can bypass user suspicion and traditional detection tools.
- Attacks targeting B2B service providers that use Scalable Vector Graphics (SVG) image files in phishing emails with embedded JavaScript that sets window.location.href to redirect victims to attacker-controlled infrastructure.
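The SVG redirection technique in the last bullet, seen from the mail-gateway side: an added example (not code from the article or from any vendor report) that scans an SVG attachment for script elements, inline event handlers, and location-based redirects. Both SVG samples are constructed, and the phish.example domain is a placeholder rather than an indicator from any report.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of the technique described above: an SVG "image" whose embedded
# JavaScript redirects the viewer via window.location.href (placeholder domain, not a real IoC).
MALICIOUS_SVG = b"""<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg" width="1" height="1" onload="go()">
  <script type="text/javascript"><![CDATA[
    function go() { window.location.href = "https://phish.example/login"; }
  ]]></script>
</svg>"""

# Constructed benign sample: a plain vector logo with no active content.
BENIGN_SVG = b"""<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <rect width="10" height="10" fill="#336699"/>
</svg>"""

# Elements that can carry executable or foreign content inside an SVG.
ACTIVE_ELEMENTS = {"script", "foreignObject"}
# JavaScript navigation: location.href = ..., location.replace(...), location.assign(...)
REDIRECT_RE = re.compile(
    r"(?:window\.)?location(?:\.href)?\s*(?:=|\.(?:replace|assign)\s*\()", re.I)
# Inline event-handler attributes such as onload or onclick.
EVENT_ATTR_RE = re.compile(r"^on[a-z]+$", re.I)

def _local(name: str) -> str:
    """Strip a namespace prefix like {http://www.w3.org/2000/svg} from a tag or attribute."""
    return name.rsplit("}", 1)[-1]

def scan_svg(data: bytes) -> dict:
    """Return findings for one SVG attachment plus an overall 'suspicious' verdict."""
    findings = {"script_elements": 0, "event_handlers": [], "redirects": []}
    # The stdlib parser keeps the example offline; a gateway scanning untrusted
    # attachments should use a hardened XML parser such as defusedxml instead.
    root = ET.fromstring(data)
    for el in root.iter():
        if _local(el.tag) in ACTIVE_ELEMENTS:
            findings["script_elements"] += 1
        if REDIRECT_RE.search(el.text or ""):
            findings["redirects"].append(el.text.strip())
        for attr, value in el.attrib.items():
            if EVENT_ATTR_RE.match(_local(attr)):
                findings["event_handlers"].append(_local(attr))
            if REDIRECT_RE.search(value):
                findings["redirects"].append(value)
    findings["suspicious"] = any(findings.values())
    return findings
```

Running scan_svg over each SVG attachment extracted from a message flags the redirecting sample while leaving the plain logo untouched; the findings dictionary gives the analyst the exact handler names and redirect snippets to triage.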
According to data compiled by Cofense, QR code usage accounted for 57% of campaigns with advanced tactics, techniques, and procedures (TTPs) in 2024. Other notable methods include using password-protected archive attachments in emails to evade secure email gateways (SEGs).
“By password-protecting archives, threat actors prevent SEGs and other methods from scanning their content and detecting files that are generally clearly malicious,” says Max Gannon, a researcher at Cofense.