Digital Event Horizon

Github Malware-as-a-Service: A New Threat Vector for Cybersecurity



A new MaaS operator has emerged using GitHub as a channel for distributing malicious software. This development highlights the evolving threat landscape and the need for increased vigilance in cybersecurity measures.

  • Malware-as-a-service (MaaS) operator uses public GitHub accounts to distribute malicious software.
  • The MaaS operator has been active since February 2025 and utilizes various malware families.
  • GitHub can be used as a channel for distributing malware, bypassing Web filtering.
  • The Amadey malware platform collects system information from infected devices and downloads customized payloads.
  • The distribution mechanism suggests that the threat actors are distributing payloads for other individuals or groups.
  • The use of GitHub makes it challenging to detect and block such threats, requiring organizations to adapt their security measures.



Malware-as-a-service (MaaS) has become a prevalent threat vector in recent years, and a new player has emerged in this ecosystem. Researchers from Cisco's Talos security team have uncovered a MaaS operator that leverages public GitHub accounts to distribute malicious software to targets.

The MaaS operator, which has been active since February 2025, uses GitHub as a channel for distributing an assortment of malware families. This approach lets the operator exploit the ease of use and widespread adoption of GitHub within enterprise networks. According to Talos researchers Chris Neal and Craig Jackson, downloading files from a GitHub repository can bypass Web filtering that is not configured to block the GitHub domain. Blocking the domain outright, however, is a significant challenge for organizations with software development teams that need access to GitHub in some capacity.

The MaaS campaign, which has been identified as using a previously known malware loader tracked under names including Emmenhtal and PeakLight, employed Amadey, a separate malware platform known since 2018. Amadey is designed to collect system information from infected devices and download a set of secondary payloads customized to each device's characteristics.

The primary function of Amadey is to act as a platform for delivering malware payloads to targets. Once an infected device is part of the Amadey campaign, operators can choose which payloads to deliver through a simple GitHub URL. This distribution mechanism suggests that the threat actors behind these Amadey instances are distributing payloads on behalf of other individuals or groups.

The use of GitHub by this MaaS operator has significant implications for cybersecurity. Distributing malware through a legitimate platform like GitHub makes such threats increasingly difficult to detect and block. As the threat landscape continues to evolve, organizations must remain vigilant and adapt their security measures to stay ahead of emerging threats like this one.

In light of this development, it is essential to understand the indicators that can help determine whether a network has been targeted by this campaign. By recognizing these indicators, admins and defenders can take proactive steps to mitigate potential damage.
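One practical way to close the filtering gap described above, without blocking GitHub for developers, is to review proxy logs for GitHub-hosted file downloads by hosts that have no developer role. The following is an added example, not code from Talos or the article; the proxy log format, the developer allow-list, the flagged host names and the extension list are all assumptions, and the log lines are constructed, not real campaign indicators.

```python
"""Flag GitHub file downloads in proxy logs from non-developer hosts.
Added illustration; log format, host groups and extensions are assumed."""
from dataclasses import dataclass
from urllib.parse import urlparse

# Hosts GitHub serves file content from (assumed list, not from the article).
GITHUB_HOSTS = {"github.com", "raw.githubusercontent.com",
                "objects.githubusercontent.com"}
# Extensions worth a second look when pulled by a non-developer workstation.
SUSPECT_EXT = (".exe", ".dll", ".msi", ".ps1", ".bat", ".vbs", ".js", ".zip", ".7z")


@dataclass
class Hit:
    client: str
    url: str
    reason: str


def parse_line(line: str):
    """Assumed proxy format: '<time> <client-ip> <method> <url> <status> <bytes>'."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, client, method, url, status, size = parts
    return {"ts": ts, "client": client, "method": method, "url": url,
            "status": int(status), "bytes": int(size)}


def flag_github_downloads(lines, dev_clients):
    """Return Hits for successful (2xx) GETs of suspect file types from GitHub
    hosts by clients outside dev_clients. Developer workstations fetching
    releases from GitHub are expected and are not flagged."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "GET" or not 200 <= rec["status"] < 300:
            continue
        u = urlparse(rec["url"])
        host = (u.hostname or "").lower()
        if host not in GITHUB_HOSTS or rec["client"] in dev_clients:
            continue
        if u.path.lower().endswith(SUSPECT_EXT):
            hits.append(Hit(rec["client"], rec["url"],
                            f"{u.path.rsplit('.', 1)[-1]} fetched from {host} by non-dev host"))
    return hits


# Constructed sample log lines (not real indicators from the campaign).
SAMPLE_LOG = [
    "2025-07-17T10:01:02Z 10.0.5.21 GET https://raw.githubusercontent.com/example-user/repo/main/update.exe 200 48211",
    "2025-07-17T10:02:10Z 10.0.8.14 GET https://github.com/example-org/tool/releases/download/v1.0/tool.zip 200 10240",
    "2025-07-17T10:03:33Z 10.0.5.21 GET https://github.com/example-user/repo 200 5123",
    "2025-07-17T10:04:05Z 10.0.5.30 GET https://raw.githubusercontent.com/example-user/repo/main/run.ps1 403 0",
]
DEV_CLIENTS = {"10.0.8.14"}  # assumed allow-list of developer workstations
```

Run over the sample, only the `update.exe` fetch by 10.0.5.21 is flagged: the developer host's release download, the repository page view and the blocked (403) request are all ignored.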



    Related Information:
  • https://www.digitaleventhorizon.com/articles/Github-Malware-as-a-Service-A-New-Threat-Vector-for-Cybersecurity-deh.shtml

  • https://arstechnica.com/security/2025/07/malware-as-a-service-caught-using-github-to-distribute-its-payloads/


  • Published: Thu Jul 17 21:47:59 2025 by llama3.2 3B Q4_K_M











© Digital Event Horizon. All rights reserved.