The Malware Invoice
- Javier Conejo del Cerro
- 6 days ago
- 3 min read

A new cyber campaign demonstrates once again how threat actors are turning legitimate infrastructure into delivery platforms for malicious code. This time, a financially motivated cybercriminal group is abusing GitHub—a widely trusted platform used by developers and enterprises globally—to host and distribute Amadey malware and a suite of powerful data stealers, including RedLine, Lumma, and Rhadamanthys.
Instead of relying on traditional and easily filtered delivery vectors, the attackers host malicious payloads in public repositories and disseminate them through custom malware loaders like Emmenhtal. This tactic not only circumvents many web filters but also allows the campaign to hide in plain sight by blending in with legitimate developer activity. Invoice-themed phishing emails are the main lure, exploiting curiosity and routine workflows to deliver the malicious archives across sectors.
The campaign is the latest example of how malware-as-a-service (MaaS) ecosystems are evolving, combining stealth, modularity, and abuse of trusted platforms to maximize impact while minimizing detection.
The invoice arrives: the victims and targeting strategy
The victims in this campaign include both corporate and government employees, particularly those working in IT, finance, and administrative departments—roles that routinely handle invoices, bills, and payment-related documentation. These individuals are specifically targeted with phishing emails that mimic legitimate invoice communications.
Each email typically contains a password-protected archive, a tactic used to prevent security gateways from inspecting the contents. When the victim opens the archive, it executes Emmenhtal, a malware loader that silently drops Amadey and other secondary payloads from attacker-controlled GitHub accounts.
The campaign demonstrates high levels of coordination, with fake GitHub accounts being set up specifically to host the malicious tools. Cisco Talos researchers identified accounts such as Legendary99999, DFfe9ewf, and Milidmdds, all of which were used to store attack components including Amadey plugins, stealers, and execution scripts. These accounts have since been taken down, but the infrastructure they reflect suggests a broader MaaS operation.
Malware beyond filters: how GitHub is weaponized
What makes this campaign especially dangerous is its abuse of GitHub’s legitimate standing. By distributing malware through public repositories, attackers bypass security systems that trust GitHub domains. The campaign begins with a phishing email, but once Emmenhtal is executed, it connects to these fake GitHub repositories to fetch Amadey and its plugins.
Amadey is not new—it’s a modular loader that supports the execution of multiple payload types. In this operation, the attackers use it to:
- Steal system information, including OS, network, and hardware details.
- Exfiltrate credentials from browsers and applications.
- Capture screenshots of the victim’s system.
- Allow remote access to the infected machine.
- Deploy ransomware payloads, including LockBit 3.0 in earlier incidents.
Several of the plugins discovered include known data stealers such as RedLine, Lumma, and Rhadamanthys, each capable of harvesting credentials, clipboard content, and even cryptocurrency wallet data.
In addition, a Python script found in one of the repositories suggests an evolved version of Emmenhtal capable of executing PowerShell commands to download Amadey from hardcoded IP addresses—a technique aimed at increasing redundancy in case GitHub takes down the repos.
By operating under GitHub’s umbrella, the campaign evades both automated web filters and manual scrutiny. Most corporate networks allow GitHub access, and the platform’s traffic does not raise the same level of suspicion as a random IP from a hosting provider. This makes GitHub’s legitimacy a weapon in the attacker’s arsenal.
Keep this bill away: how to defend against invoice-themed malware campaigns
Despite the sophistication of this operation, defenders have multiple entry points to detect and disrupt the attack chain. Organizations should focus on both technical defenses and user awareness, particularly in teams likely to handle invoices or payment-related documents.
To mitigate risk:
- Inspect inbound email traffic for invoice-themed phishing lures and password-protected archives, especially those carrying scripts or unknown executables.
- Monitor outbound traffic to GitHub repositories that are not part of official workflows or development activity.
- Deploy EDR solutions capable of detecting living-off-the-land binaries (LOLBins), PowerShell abuse, and fileless malware commonly used in Emmenhtal and Amadey deployments.
- Train users—particularly in finance and IT—on how to recognize phishing attempts, especially emails requesting invoice verification or containing unexpected attachments.
- Restrict GitHub access using web filtering rules or DNS policies to only allow domains and repos on an allowlist.
- Enforce application allowlisting for scripts and administrative tools, preventing unauthorized binaries and script interpreters from running.
- Limit user privileges to reduce the ability of malware to escalate permissions, install scheduled tasks, or persist beyond the current session.
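The GitHub monitoring, allowlisting and PowerShell-abuse points above can be combined into a single proxy-log check. The script below is an added example, not code from the article or from Cisco Talos; the log format, the allowed owner "acme-corp", the "ws-dev-" host naming and the user-agent heuristic are assumptions, and the log lines are constructed (the account names come from the article).

```python
import re
from urllib.parse import urlparse

# Constructed sample proxy log lines (not from the article), one request per line:
# "<timestamp> <host> <user> <user-agent> <url>"
SAMPLE_LOGS = [
    "2025-07-10T09:12:01Z ws-dev-07 alice git/2.45.0 https://github.com/acme-corp/billing-api/info/refs",
    "2025-07-10T09:13:44Z ws-fin-02 bob Mozilla/5.0 https://raw.githubusercontent.com/Legendary99999/pkg/main/loader.ps1",
    "2025-07-10T09:14:10Z ws-fin-02 bob PowerShell/5.1 https://github.com/DFfe9ewf/tools/releases/download/v1/x.bin",
    "2025-07-10T09:15:00Z ws-dev-07 alice curl/8.5 https://raw.githubusercontent.com/acme-corp/deploy/main/run.sh",
]

# Assumed policy values: GitHub owners used by official workflows and the
# hostname prefix that identifies developer workstations.
ALLOWED_OWNERS = {"acme-corp"}
DEV_HOST_PREFIX = "ws-dev-"
GITHUB_HOSTS = {"github.com", "raw.githubusercontent.com", "objects.githubusercontent.com"}
SCRIPT_AGENT_RE = re.compile(r"PowerShell/", re.I)  # heuristic: interpreter-driven downloads
PAYLOAD_EXTS = (".ps1", ".bat", ".vbs", ".exe", ".dll", ".bin", ".zip", ".rar")

def github_owner(url):
    # The account name is the first path segment on GitHub-family hosts; None otherwise.
    parsed = urlparse(url)
    if parsed.hostname not in GITHUB_HOSTS:
        return None
    parts = [s for s in parsed.path.split("/") if s]
    return parts[0] if parts else None

def assess(line):
    """Return the reasons a GitHub fetch looks suspicious (empty list if it does not)."""
    _ts, host, _user, agent, url = line.split(" ", 4)
    owner = github_owner(url)
    if owner is None:  # only GitHub-family traffic is in scope for this check
        return []
    reasons = []
    if owner not in ALLOWED_OWNERS:
        reasons.append(f"owner {owner!r} not on allowlist")
    if not host.startswith(DEV_HOST_PREFIX):
        reasons.append(f"non-developer host {host}")
    if SCRIPT_AGENT_RE.search(agent):
        reasons.append(f"script-interpreter user-agent {agent}")
    if urlparse(url).path.lower().endswith(PAYLOAD_EXTS):
        reasons.append("payload-like file extension")
    return reasons

def suspicious_fetches(lines):
    # Map each flagged URL to its reasons; lines that raise no flag are dropped.
    return {ln.split(" ", 4)[4]: r for ln in lines if (r := assess(ln))}
```

Fed the constructed lines, the two finance-workstation fetches from accounts outside the allowlist are flagged with several reasons each, while the developer's own traffic to acme-corp repositories passes.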
These steps, when layered together, can significantly reduce the attack surface and make it harder for campaigns like this one to succeed.
GitHub remains an essential tool for developers and enterprises—but its open nature makes it equally valuable to adversaries. As attackers continue to turn legitimate platforms into launchpads for malware, security teams must rethink the boundaries of trust and inspect even the most familiar services with scrutiny.