Ethical Hacking News
Ars Technica has uncovered a worrisome trend in the world of cybersecurity, as researchers from Cisco's Talos security team have identified a malware-as-a-service (MaaS) operator that leverages public GitHub accounts to distribute an assortment of malicious software to unsuspecting targets. The use of GitHub poses a significant challenge for organizations that rely on the platform for their software development needs.
A malware-as-a-service (MaaS) operator is using public GitHub accounts to distribute malicious software.
The MaaS operation evades Web filtering by hosting malicious payloads on the trusted GitHub platform.
A previously known malware loader, Emmenhtal, is being used with a new twist: distribution through GitHub repositories.
Amadey, another malware platform, is collecting system information and downloading customized secondary payloads tailored to infected devices.
Organizations must stay vigilant and adapt security measures in response to emerging threats like this MaaS operation.
Ars Technica has uncovered a worrisome trend in the world of cybersecurity, as researchers from Cisco's Talos security team have identified a malware-as-a-service (MaaS) operator that leverages public GitHub accounts to distribute an assortment of malicious software to unsuspecting targets. The use of GitHub, which is widely regarded as a trusted platform for developers and organizations alike, has been repurposed by this MaaS operation to serve as a reliable and easy-to-use distribution channel.
According to the researchers, the malware-as-a-service operator utilizes the GitHub domain to host malicious payloads, thereby evading Web filtering that may be configured to block such activity. This exploitation of the platform's trustworthiness poses a significant challenge for organizations that rely on GitHub for their software development needs, as it can be difficult to differentiate between legitimate and malicious downloads.
The campaign in question, which has been ongoing since February 2025, utilizes a previously known malware loader tracked under names including Emmenhtal and PeakLight. Researchers from security firm Palo Alto Networks and Ukraine's major state cyber agency SSSCIP had already documented the use of Emmenhtal in a separate campaign that embedded the loader into malicious emails to distribute malware to Ukrainian entities.
The Talos team has found the same Emmenhtal variant used by this MaaS operation, but with an added twist. Instead of distributing malware through email attachments, it uses GitHub repositories as a distribution channel. This shift highlights the ever-evolving nature of cybersecurity threats and the need for organizations to stay vigilant as new threats emerge.
The malware-as-a-service operation utilizes Amadey, a separate malware platform known since 2018, which was initially used to assemble botnets. According to Talos researchers, Amadey's primary function is to collect system information from infected devices and download customized secondary payloads tailored to their specific characteristics.
Once a device has been infected by Amadey, campaign operators can access it through a simple GitHub URL, which shows the versatility of this MaaS operation. The researchers have identified indicators that network administrators can use to determine whether a network has been targeted by this campaign.
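As an added example (not code from the article or from Talos), the kind of check the indicators above point toward: a scan of constructed proxy log lines that flags executable or archive downloads from GitHub repositories outside an organization's allowlist, since the trusted domain alone will not trip URL filtering. It assumes a TLS-inspecting proxy that logs full request URLs in Squid format; the repository names, hosts, IPs and allowlist are placeholders.

```python
import re
from urllib.parse import urlparse

# Constructed Squid-style proxy log lines (ts elapsed client action/code size method url user hier type).
# Repository and file names are placeholders, not indicators from the campaign.
SAMPLE_LOG = """\
1752780000.101 210 10.0.0.15 TCP_MISS/200 48211 GET https://github.com/acme-corp/build-tools/releases/download/v1.2/tool.zip - HIER_DIRECT/203.0.113.10 application/zip
1752780001.202 95 10.0.0.42 TCP_MISS/200 3904 GET https://raw.githubusercontent.com/example-user/example-repo/main/update.ps1 - HIER_DIRECT/203.0.113.11 text/plain
1752780002.303 410 10.0.0.42 TCP_MISS/200 812992 GET https://github.com/example-user/example-repo/releases/download/1.0/setup.exe - HIER_DIRECT/203.0.113.10 application/octet-stream
1752780003.404 50 10.0.0.77 TCP_MISS/200 2210 GET https://github.com/acme-corp/docs/blob/main/README.md - HIER_DIRECT/203.0.113.10 text/html
"""

# Repositories the organization legitimately pulls artifacts from (assumed allowlist).
ALLOWED_REPOS = {"acme-corp/build-tools"}

# Hosts GitHub serves raw files and release assets from.
GITHUB_HOSTS = {"github.com", "raw.githubusercontent.com", "objects.githubusercontent.com"}
# File types a loader would typically fetch; tune to the environment.
PAYLOAD_EXT = re.compile(r"\.(exe|dll|ps1|bat|cmd|vbs|js|hta|zip|7z|rar|iso|msi|scr)$", re.I)

def repo_of(url):
    """Return 'owner/repo' for a GitHub URL, or None if the path is too short."""
    parts = urlparse(url).path.strip("/").split("/")
    return "/".join(parts[:2]) if len(parts) >= 2 else None

def find_suspicious_github_downloads(log_text, allowed=ALLOWED_REPOS):
    """Flag GET requests for executable/archive content from GitHub repos outside the allowlist.

    Returns a list of (client_ip, repo, url) tuples; allowlisted repos and non-payload files are skipped.
    """
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[5] != "GET":
            continue
        client, url = fields[2], fields[6]
        parsed = urlparse(url)
        if (parsed.hostname or "") not in GITHUB_HOSTS:
            continue
        repo = repo_of(url)
        if repo in allowed or not PAYLOAD_EXT.search(parsed.path):
            continue
        hits.append((client, repo, url))
    return hits

if __name__ == "__main__":
    for client, repo, url in find_suspicious_github_downloads(SAMPLE_LOG):
        print(f"{client} fetched {url} (repo {repo} not allowlisted)")
```

Clients that repeatedly fetch payload-type files from the same non-allowlisted repository are the ones worth a closer look, since Amadey is described as pulling tailored secondary payloads after the initial infection.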
This revelation highlights the importance of staying informed about emerging threats and adapting security measures accordingly. As cybersecurity threats continue to evolve and become more sophisticated, it is crucial for organizations and individuals alike to remain vigilant and proactive in their efforts to protect themselves against such threats.
Related Information:
https://www.ethicalhackingnews.com/articles/Github-Malware-Malaise-The-Rise-of-a-Malicious-MaaS-Operation-ehn.shtml
https://arstechnica.com/security/2025/07/malware-as-a-service-caught-using-github-to-distribute-its-payloads/
Published: Thu Jul 17 20:52:13 2025 by llama3.2 3B Q4_K_M