GitHub Weaponized: Cisco Talos Uncovers Massive MaaS Operation Distributing Amadey, Loaders, and Infostealers
In April 2025, cybersecurity experts from Cisco Talos uncovered a new threat vector: cybercriminals exploiting public repositories on GitHub to host malicious payloads used in distributing the Amadey trojan. According to researchers, the creation of counterfeit GitHub accounts enabled threat actors to bypass web filters while streamlining the logistical execution of their campaign.
At the heart of this operation lies the Emmenhtal loader (also known as PEAKLIGHT), which serves as the delivery mechanism for Amadey onto victim machines. Once deployed, Amadey downloads a variety of malicious modules directly from GitHub, including plugins designed to augment its capabilities. Notably, Emmenhtal had previously been observed in a similar phishing campaign in February 2025, where it facilitated the spread of SmokeLoader through fraudulent invoices and payment notifications.
Both Emmenhtal and Amadey function as loaders for subsequent malware, including infostealers and ransomware. However, unlike Emmenhtal, Amadey possesses native capabilities for system reconnaissance and can be extended through DLL-based plugins to enable credential theft and screenshot capture.
Three GitHub accounts—Legendary99999, DFfe9ewf, and Milidmdds—were instrumental in disseminating attack tools, Amadey plugins, and auxiliary malware, including Lumma Stealer, RedLine Stealer, and Rhadamanthys Stealer. These accounts have since been removed by GitHub administrators.
Several JavaScript-based malicious scripts sourced from these repositories were identical to those used in previous SmokeLoader campaigns. The critical distinction lies in the payloads: Amadey has supplanted SmokeLoader, accompanied by AsyncRAT and even a legitimate version of PuTTY.exe, complicating detection efforts.
One repository also contained a Python script representing an enhanced iteration of Emmenhtal. This version featured an embedded PowerShell command used to download Amadey from a predetermined IP address, providing compelling evidence of a large-scale Malware-as-a-Service (MaaS) operation leveraging GitHub as a malware delivery infrastructure.
Meanwhile, Trellix released a report detailing a separate phishing campaign targeting financial institutions in Hong Kong. This campaign centered on the SquidLoader loader, a sophisticated tool employing a myriad of anti-analysis, anti-debugging, and anti-emulation techniques that render it exceptionally elusive. Upon successful infiltration, it deploys the Cobalt Strike Beacon to facilitate remote access and command execution.
Concurrently, adversaries worldwide are escalating their use of advanced social engineering techniques to propagate malware. These include lures themed around taxation, electronic invoices, and messages impersonating government agencies—including spoofed U.S. entities. Some campaigns even embed QR codes within PDF files that redirect victims to fraudulent login pages, or deploy phishing kits disguised as AWS login portals, protected by Cloudflare CAPTCHA.
Of particular note is the rising prevalence of evasion techniques such as password-protected archives, SVG files with embedded JavaScript, and entire services dedicated to cloaking malicious domains—collectively known as Cloaking-as-a-Service (CaaS).
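As an added example, not code from the Talos, Trellix or Cofense reports, the Python scanner below flags two of the evasions just listed when run over mail attachments: SVG files that carry JavaScript (a `<script>` element, an `on*` event handler, a `javascript:` URI, or a `<foreignObject>` that can smuggle HTML) and ZIP archives whose entries are encrypted and therefore cannot be inspected by a content filter. All sample attachments are constructed inline; the encrypted ZIP is made by setting the encryption flag bit by hand, because Python's `zipfile` module cannot write encrypted archives. Function names are my own.

```python
"""Flag attachment evasions described above: SVG with embedded JavaScript and
password-protected (encrypted) ZIP archives. Added example with constructed
samples; nothing here comes from the reports the article summarises."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Raw-byte fallback used when the SVG will not parse; malformed XML is itself a
# common trick for slipping past parser-based filters.
_SCRIPTY = re.compile(rb"<\s*script|javascript:|\son[a-z]+\s*=", re.I)


def svg_findings(data: bytes) -> list:
    """Return reasons an SVG should be quarantined (empty list = clean)."""
    findings = []
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        if _SCRIPTY.search(data):
            findings.append("unparseable SVG with script-like content")
        return findings
    for el in root.iter():
        # Drop the XML namespace: '{http://www.w3.org/2000/svg}script' -> 'script'
        local = el.tag.rsplit("}", 1)[-1].lower()
        if local == "script":
            findings.append("<script> element")
        if local == "foreignobject":
            findings.append("<foreignObject> (can embed HTML)")
        for attr, value in el.attrib.items():
            aname = attr.rsplit("}", 1)[-1].lower()
            if aname.startswith("on"):
                findings.append(f"event handler attribute {aname}")
            if value.strip().lower().startswith("javascript:"):
                findings.append(f"javascript: URI in {aname}")
    return findings


def zip_findings(data: bytes) -> list:
    """Flag ZIP entries a filter cannot open: bit 0 of the general-purpose
    flag means the entry is encrypted (password-protected)."""
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.flag_bits & 0x1:
                    findings.append(f"encrypted entry {info.filename}")
    except zipfile.BadZipFile:
        findings.append("corrupt or truncated archive")
    return findings


def scan_attachment(name: str, data: bytes) -> list:
    """Dispatch on file content, not on the extension the sender chose."""
    if data.startswith(b"PK\x03\x04"):
        return zip_findings(data)
    if data.lstrip().startswith(b"<") and b"<svg" in data[:4096].lower():
        return svg_findings(data)
    return []


def make_zip(entry: str, payload: bytes, encrypted: bool = False) -> bytes:
    """Build a constructed ZIP in memory (ZIP_STORED keeps the bytes predictable).
    For the encrypted sample, set bit 0 of the flag field in every local file
    header (offset 6) and central-directory entry (offset 8)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(entry, payload)
    data = bytearray(buf.getvalue())
    if encrypted:
        for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = data.find(sig)
            while pos != -1:
                data[pos + off] |= 0x01
                pos = data.find(sig, pos + 1)
    return bytes(data)


# Constructed sample attachments (not real campaign artefacts).
SAMPLES = {
    "chart.svg": b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>',
    "invoice.svg": b'<svg xmlns="http://www.w3.org/2000/svg"><script>/* inert */</script></svg>',
    "logo.svg": (b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
                 b'<a xlink:href="javascript:void(0)"><rect onload="f()"/></a></svg>'),
    "broken.svg": b'<svg><script>/* inert */</svg>',
    "report.zip": make_zip("report.txt", b"constructed plain text"),
    "payment.zip": make_zip("payment.txt", b"constructed plain text", encrypted=True),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        hits = scan_attachment(name, blob)
        print(f"{name:12} {'QUARANTINE' if hits else 'ok':10} {hits}")
```

The content sniffing in `scan_attachment` matters more than it looks: a renamed `.svg` or `.zip` still reaches the right check, which is the point when the sender controls the filename.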
According to Cofense, nearly 60% of the most technically sophisticated phishing attacks in 2024 employed QR codes, while encrypted archives remain a primary means of bypassing email security filters—making these threats increasingly difficult to detect and neutralize.