
Threat Actors Exploit GitHub Accounts to Host Payloads, Tools, and Amadey Malware Plugins


Cisco Talos researchers identified a sophisticated Malware-as-a-Service (MaaS) operation in April 2025 that employed the Amadey botnet to distribute various payloads.

This operation exploited fake GitHub accounts as open directories for hosting malicious payloads, tools, and Amadey plugins, aiming to evade web filtering mechanisms and simplify distribution.

By leveraging GitHub’s legitimate domain, threat actors could bypass organizational security controls that might otherwise block suspicious downloads, particularly in environments where GitHub access is essential for software development.
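Because the download host is the legitimate github.com / raw.githubusercontent.com, a URL-category filter will not catch this. What a defender can still do is look at who owns the fetched path and what is being fetched. The script below is an added example written for this article, not code from Cisco Talos or gbhackers: it parses a constructed proxy-log format, extracts the GitHub account that owns each fetched path, and flags successful GET requests for executable-looking artefacts from accounts that are not on the organisation's allowlist. The log format, the allowlisted owners, the extension list and every account name in the sample lines are assumptions made for the example.

```python
"""Flag proxy-log downloads of executables from unknown GitHub accounts.

Added example for the article above; not code from the Talos report.
The log format, allowlist, extension list and sample lines are constructed.
"""
import re
from urllib.parse import urlparse

# Constructed allowlist: GitHub owners developers are expected to pull from.
ALLOWED_OWNERS = {"python", "microsoft", "our-company"}

# File types that rarely need to be fetched from an unknown GitHub account.
SUSPICIOUS_EXTS = (".exe", ".dll", ".ps1", ".bat", ".vbs", ".hta", ".zip", ".7z")

# Hosts where the first path segment is the account that owns the content:
#   raw.githubusercontent.com/<owner>/<repo>/<ref>/<path>
#   github.com/<owner>/<repo>/raw/<ref>/<path>
#   github.com/<owner>/<repo>/releases/download/<tag>/<file>
OWNER_FIRST_HOSTS = {"raw.githubusercontent.com", "github.com"}

# Constructed proxy log line: "<ts> <client> <method> <url> <status> <bytes>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) "
    r"(?P<status>\d{3}) (?P<bytes>\d+)$"
)


def owner_of(url: str):
    """Return the lower-cased GitHub account owning the fetched path, or None."""
    parsed = urlparse(url)
    if parsed.hostname not in OWNER_FIRST_HOSTS:
        return None
    segments = [s for s in parsed.path.split("/") if s]
    return segments[0].lower() if segments else None


def is_suspicious(url: str) -> bool:
    """True for an executable-looking file served from a non-allowlisted owner."""
    owner = owner_of(url)
    if owner is None or owner in ALLOWED_OWNERS:
        return False
    return urlparse(url).path.lower().endswith(SUSPICIOUS_EXTS)


def flag_downloads(log_lines):
    """Return [(client, url)] for successful GETs that match the heuristic."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "GET" or not m["status"].startswith("2"):
            continue  # malformed line, non-GET, or the fetch did not succeed
        if is_suspicious(m["url"]):
            hits.append((m["client"], m["url"]))
    return hits


# Constructed sample log; the account "qwe8asd" is fictional.
SAMPLE_LOG = [
    "2025-04-02T10:01:12Z 10.0.0.21 GET https://raw.githubusercontent.com/python/cpython/main/README.rst 200 5120",
    "2025-04-02T10:02:40Z 10.0.0.21 GET https://raw.githubusercontent.com/qwe8asd/files/main/update.exe 200 412000",
    "2025-04-02T10:03:05Z 10.0.0.34 GET https://github.com/qwe8asd/files/raw/main/plugin.dll 200 98304",
    "2025-04-02T10:03:09Z 10.0.0.34 GET https://github.com/our-company/tools/releases/download/v1.2/tool.exe 200 2048000",
    "2025-04-02T10:04:00Z 10.0.0.50 GET https://raw.githubusercontent.com/qwe8asd/files/main/notes.txt 200 300",
    "2025-04-02T10:04:30Z 10.0.0.50 GET https://raw.githubusercontent.com/qwe8asd/files/main/stage2.zip 404 0",
]

if __name__ == "__main__":
    for client, url in flag_downloads(SAMPLE_LOG):
        print(f"{client} fetched {url}")
```

Running it over the sample lines reports the two fetches from the unknown owner (`update.exe` and `plugin.dll`); the README, the allowlisted release asset, the text file and the failed 404 fetch are all ignored. The heuristic is deliberately narrow: an attacker can rename a payload to a harmless extension, so in practice this belongs next to content inspection (for example checking the first bytes of the response for an `MZ` header) and enrichment with account age and repository history from the GitHub API.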

Malware-as-a-Service Operation

The MaaS model allows operators to sell access to malware infrastructure, with Amadey serving as a modular downloader capable of deploying information stealers such as RedLine, Lumma, and StealC, alongside custom plugins for functions such as credential harvesting and screenshot capture.

Initial activity traces back to February 2025, coinciding with a separate SmokeLoader phishing campaign targeting Ukrainian entities, highlighting overlapping tactics, techniques, and procedures (TTPs) including the use of the Emmenhtal multistage ...


Copyright of this story solely belongs to gbhackers.