GitHub Abused to Spread Amadey, Lumma and Redline InfoStealers in Ukraine


Hackers abused fake GitHub accounts to spread Emmenhtal, Amadey, Lumma and Redline infostealers in attacks linked to a phishing campaign targeting Ukraine in early 2025.

A newly identified Malware-as-a-Service (MaaS) operation is using GitHub repositories to spread a mix of infostealer families. This campaign was spotted by cybersecurity researchers at Cisco Talos, who published their findings earlier today, detailing how the threat actors behind this activity are using the Amadey bot to pull malware directly from public GitHub pages onto infected systems.

This operation surfaced in April 2025, but its activity traces back to at least February, around the same time Ukrainian organizations were being hit with SmokeLoader phishing emails. Talos analysts observed a notable overlap in tactics and infrastructure between that campaign and the new Amadey-driven one, suggesting the same hands may be behind both.

What stood out in this case was the abuse of GitHub. The attackers created ...


Copyright of this story solely belongs to hackread.com.