Hackers Use GitHub Repositories to Host Amadey Malware and Data Stealers, Bypassing Filters

Threat actors are abusing public GitHub repositories to distribute malicious payloads, using fake accounts and loaders such as Emmenhtal to deliver malware including Amadey, Lumma Stealer, and Rhadamanthys Stealer. The campaigns reflect an ongoing effort to evade detection and deliver secondary payloads, with similar tactics observed in phishing attacks targeting financial institutions and other organizations worldwide.

Key points

  • Threat actors utilize fake GitHub accounts to host and distribute malicious scripts and payloads.
  • Amadey and Emmenhtal serve as loaders that deliver secondary malware and perform system information collection.
  • GitHub repositories have been used to stage malware including Amadey plugins and other Trojan families.
  • The campaigns include sophisticated phishing tactics using invoice, tax, and social security themes.
  • Techniques like cloaking services and obfuscated scripts help malicious campaigns avoid detection.

Read More: https://thehackernews.com/2025/07/hackers-use-github-repositories-to-host.html