Ethical Hacking News

Hackers Leverage Public GitHub Repositories to Host Malicious Payloads and Malware-as-a-Service Operations


Threat actors are leveraging public GitHub repositories to host malicious payloads and distribute them via malware-as-a-service (MaaS) operations. This latest development serves as a stark reminder of the ever-evolving nature of cyber threats and the importance of vigilance in the face of such dangers.

  • Threat actors are leveraging public GitHub repositories to host malicious payloads and distribute them via malware-as-a-service (MaaS) operations.
  • GitHub accounts were used by threat actors to bypass web filtering and for ease of use, delivering various secondary payloads including information stealers and ransomware like LockBit 3.0.
  • The Amadey malware family is a formidable threat due to its ability to collect system information and expandability through DLL plugins.
  • The use of GitHub repositories allows threat actors to bypass detection tools and security filters, making it harder for researchers and defenders to detect their malicious activities.
  • QR codes are being used in phishing attacks: according to Cofense, 57% of campaigns with advanced Tactics, Techniques, and Procedures (TTPs) in 2024 used QR codes.
  • Cloaking-as-a-service offerings are being used to conceal malicious websites from security scanners, allowing threat actors to fly under the radar.
  • Social engineering tactics, including phishing kits, custom Python scripts, and legitimate-looking emails with attachments containing malicious payloads, are being used to trick users into divulging sensitive information or installing malware.



Hackers have long been known to exploit various platforms, tools, and technologies to further their nefarious goals. Recently, it has come to light that threat actors are leveraging public GitHub repositories to host malicious payloads and distribute them via malware-as-a-service (MaaS) operations.

According to Cisco Talos researchers Chris Neal and Craig Jackson, threat actors used fake GitHub accounts to host payloads, tools, and Amadey plug-ins, likely as an attempt to bypass web filtering and for ease of use. The MaaS operators utilized these platforms to deliver various secondary payloads, including information stealers and ransomware like LockBit 3.0. This campaign is notable for its similarities with a previous email phishing campaign that targeted Ukrainian entities in February 2025.

The Amadey malware family differs from other malware families, such as Emmenhtal, in its ability to collect system information and its expandability through DLL plugins. These plugins extend Amadey with additional functionality, including credential theft and screenshot capture. This level of customizability makes Amadey a formidable threat, particularly when compared to malware families that lack such features.

Furthermore, hosting payloads in public GitHub repositories lets threat actors bypass detection tools and security filters: downloads from a widely trusted developer platform are rarely blocked by web filtering and blend in with legitimate traffic, making it harder for security researchers and defenders to spot the malicious activity. This tactic is especially noteworthy given the importance of open-source platforms like GitHub in the cybersecurity community.

The attack chain begins with a malware loader called Emmenhtal (aka PEAKLIGHT), which delivers Amadey; Amadey in turn downloads various custom payloads from public GitHub repositories operated by the threat actors. This process is reminiscent of previous campaigns that used similar tactics to distribute malware and evade detection.
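As an added example (not code from the article or from the Cisco Talos research), the following Python script shows the defender's side of this chain: a detection that runs over constructed proxy/EDR log lines and flags downloads of GitHub-hosted content by processes that have no business fetching executables or plugins. The log schema, the process allowlist and every URL in the sample data are assumptions made for illustration.

```python
"""Detection: GitHub-hosted payload fetches by unexpected processes.

Added example, not code from the article or from Cisco Talos. The log format
(one JSON object per line with host, process, user_agent and url fields), the
process allowlist and every URL below are constructed for illustration.
"""
import json
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Hosts from which GitHub serves user-uploaded files (raw files, releases,
# archives). These are real GitHub hostnames, not page-specific values.
GITHUB_CONTENT_HOSTS = {
    "github.com",
    "raw.githubusercontent.com",
    "objects.githubusercontent.com",
    "codeload.github.com",
}

# Processes that legitimately pull from GitHub in this (assumed) environment.
# Tune to the fleet: the point is that a loader stage runs as something else.
EXPECTED_PROCESSES = {"git", "git.exe", "chrome.exe", "firefox.exe", "msedge.exe", "code.exe"}

# File types a loader stage fetches to run as a next stage or plugin.
SUSPICIOUS_EXTENSIONS = (".exe", ".dll", ".ps1", ".bat", ".zip", ".7z", ".rar")


def is_github_content(url: str) -> bool:
    """True when the URL points at a host GitHub serves file content from."""
    return urlparse(url).hostname in GITHUB_CONTENT_HOSTS


def classify(event: dict) -> Optional[str]:
    """Return a reason string when the event looks like loader-style GitHub
    egress, or None for ordinary developer/browser traffic."""
    url = event.get("url", "")
    if not is_github_content(url):
        return None
    process = event.get("process", "").lower()
    path = urlparse(url).path.lower()
    reasons = []
    if process not in EXPECTED_PROCESSES:
        reasons.append(f"unexpected process {process or '<none>'}")
    if path.endswith(SUSPICIOUS_EXTENSIONS):
        reasons.append(f"executable/archive fetch {path.rsplit('/', 1)[-1]}")
    if not event.get("user_agent"):
        reasons.append("empty user agent")
    return "; ".join(reasons) if reasons else None


def scan(lines) -> List[Tuple[str, str, str]]:
    """Run classify() over JSON log lines; return (host, url, reason) alerts."""
    alerts = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line: skip rather than crash the detector
        reason = classify(event)
        if reason:
            alerts.append((event.get("host", "?"), event["url"], reason))
    return alerts


# Constructed sample telemetry (not real logs; placeholder repository paths).
SAMPLE_LOG = [
    '{"host": "ws-01", "process": "chrome.exe", "user_agent": "Mozilla/5.0", '
    '"url": "https://github.com/example-org/project"}',
    '{"host": "ws-02", "process": "powershell.exe", "user_agent": "", '
    '"url": "https://raw.githubusercontent.com/placeholder-user/repo/main/update.exe"}',
    '{"host": "ws-03", "process": "git.exe", "user_agent": "git/2.44.0", '
    '"url": "https://codeload.github.com/example-org/project/zip/main"}',
    '{"host": "ws-04", "process": "rundll32.exe", "user_agent": "Mozilla/4.0", '
    '"url": "https://objects.githubusercontent.com/placeholder/plugin.dll"}',
]

if __name__ == "__main__":
    for host, url, reason in scan(SAMPLE_LOG):
        print(f"[ALERT] {host}: {url} ({reason})")
```

The detector deliberately does not block GitHub as a whole: the browser session on ws-01 and the git clone on ws-03 pass, while the two fetches of an executable and a DLL by scripting and living-off-the-land binaries are the ones surfaced. In a real deployment the allowlist would be derived from baseline telemetry rather than hard-coded.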

The role of QR codes in phishing attacks has also come under scrutiny recently. According to data compiled by Cofense, 57% of campaigns with advanced Tactics, Techniques, and Procedures (TTPs) in 2024 used QR codes as part of their phishing strategies. Other notable methods include the use of password-protected archive attachments in emails to get around secure email gateways (SEG).
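As an added example (not code from the article or from Cofense), the Python below shows how a mail gateway can still act on a password-protected archive it cannot open: it reads the encryption flag directly from each ZIP local file header, so the attachment can be quarantined without ever extracting it. The sample archive, its entry name and the policy decisions are constructed for illustration.

```python
"""Flag e-mail attachments that are password-protected ZIP archives.

Added example, not code from the article or from Cofense. An encrypted archive
defeats content inspection at the gateway, but the archive metadata itself
still says that its entries are encrypted (general-purpose bit 0 in each local
file header), so a policy engine can quarantine it before any extraction.
"""
import io
import struct
import zipfile
from typing import List, Tuple

LOCAL_HEADER_SIG = b"PK\x03\x04"
LOCAL_HEADER_FMT = "<4sHHHHHIIIHH"                    # fixed 30-byte local header
LOCAL_HEADER_LEN = struct.calcsize(LOCAL_HEADER_FMT)  # 30
FLAG_ENCRYPTED = 0x0001


def encrypted_entries(data: bytes) -> List[str]:
    """Return names of entries whose local header has the encryption bit set.

    Walks local file headers directly, so it still works when the central
    directory is damaged or truncated. (If bit 3 of the flags is set the sizes
    live in a trailing data descriptor and the walk falls back to scanning for
    the next signature, which is good enough for a triage check.)
    """
    names = []
    pos = 0
    while True:
        pos = data.find(LOCAL_HEADER_SIG, pos)
        if pos < 0 or pos + LOCAL_HEADER_LEN > len(data):
            break
        (_sig, _ver, flags, _method, _time, _date, _crc,
         comp_size, _uncomp_size, name_len, extra_len) = struct.unpack_from(
            LOCAL_HEADER_FMT, data, pos)
        start = pos + LOCAL_HEADER_LEN
        name = data[start:start + name_len].decode("utf-8", "replace")
        if flags & FLAG_ENCRYPTED:
            names.append(name)
        # Skip header, name, extra field and compressed bytes to the next header.
        pos = start + name_len + extra_len + comp_size
    return names


def attachment_policy(filename: str, data: bytes) -> Tuple[str, List[str]]:
    """Gateway decision for one attachment: ('pass' | 'inspect' | 'quarantine', names).

    'inspect' means the archive is readable and should go on to normal content
    scanning; 'quarantine' means it is encrypted and cannot be scanned.
    """
    if not data.startswith(LOCAL_HEADER_SIG):
        return ("pass", [])           # not a ZIP: handled by other scanners
    encrypted = encrypted_entries(data)
    if encrypted:
        return ("quarantine", encrypted)
    return ("inspect", [])


def build_sample(encrypted: bool) -> bytes:
    """Build a small in-memory ZIP (constructed test data).

    zipfile cannot write password-protected archives, so for the encrypted
    variant the encryption flag is set by hand in both the local file header
    (offset 6) and the central directory entry (offset 8), which is exactly
    what a real password-protected archive carries.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("invoice.pdf.exe", b"MZ" + b"\x00" * 64)   # constructed content
    data = bytearray(buf.getvalue())
    if encrypted:
        for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            at = data.find(sig)
            flags = struct.unpack_from("<H", data, at + off)[0] | FLAG_ENCRYPTED
            struct.pack_into("<H", data, at + off, flags)
    return bytes(data)


if __name__ == "__main__":
    for label, blob in (("plain.zip", build_sample(False)), ("locked.zip", build_sample(True))):
        action, names = attachment_policy(label, blob)
        print(f"{label}: {action} {names}")
```

Reading the flag bits rather than attempting extraction is the point: the gateway never needs the password, never spends CPU on a decryption attempt, and the same check keeps working on archives whose central directory has been deliberately broken to confuse library-based parsers.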

In addition to these tactics, threat actors are also using cloaking-as-a-service (CaaS) offerings like Hoax Tech and JS Click Cloaker to conceal phishing and malicious websites from security scanners. This allows them to fly under the radar and show their malicious content only to intended victims.

The use of social engineering in cyber attacks has also been a growing trend. Threat actors are using various tactics, including phishing kits, custom Python scripts, and even legitimate-looking emails with attachments containing malicious payloads. These tactics allow them to trick users into divulging sensitive information or installing malware on their systems.

In light of these recent developments, it is more important than ever for cybersecurity professionals and individuals alike to remain vigilant in the face of cyber threats. By staying informed about emerging tactics and techniques used by threat actors, we can better equip ourselves to defend against such dangers.

The recent discovery of a phishing campaign that propagates another malware loader known as SquidLoader in cyber attacks directed against financial services institutions in Hong Kong serves as a stark reminder of the ever-present threat of MaaS operations. According to security researcher Charles Crofford, SquidLoader is a formidable threat owing to the diverse array of anti-analysis, anti-sandbox, and anti-debug techniques packed into it, allowing it to evade detection and hinder investigation efforts.

In conclusion, the abuse of GitHub repositories by threat actors highlights the ever-evolving nature of cyber threats and the importance of vigilance in the face of such dangers.



Related Information:
  • https://www.ethicalhackingnews.com/articles/Hackers-Leverage-Public-GitHub-Repositories-to-Host-Malicious-Payloads-and-Malware-as-a-Service-Operations-ehn.shtml
  • https://thehackernews.com/2025/07/hackers-use-github-repositories-to-host.html

Published: Thu Jul 17 15:26:48 2025 by llama3.2 3B Q4_K_M
© Ethical Hacking News. All rights reserved.