GitHub Abused to Spread Amadey, Lumma and Redline InfoStealers in Ukraine
A newly identified Malware-as-a-Service (MaaS) operation is using GitHub repositories to spread a mix of infostealer families. This campaign was spotted by cybersecurity researchers at Cisco Talos, who published their findings earlier today, detailing how the threat actors behind this activity are using the Amadey bot to pull malware directly from public GitHub pages onto infected systems.
This operation surfaced in April 2025, but its activity traces back to at least February, around the same time Ukrainian organizations were being hit with SmokeLoader phishing emails. Talos analysts noticed a notable overlap in tactics and infrastructure between that campaign and the new Amadey-driven one, suggesting the same hands may be behind both.
What stood out in this case was the abuse of GitHub. The attackers created fake accounts and used them like open directories, hosting payloads, tools, and Amadey plug-ins. By leveraging GitHub’s widespread use and trust in corporate environments, the attackers likely sidestepped many standard web filters that might have otherwise blocked malicious domains.
One GitHub account in particular, as per Cisco Talos’ technical blog post, named “Legendary99999,” was used heavily. It hosted more than 160 repositories, each containing just a single malicious file that could be fetched via a direct GitHub URL.
Two other accounts, “Milidmdds” and “DFfe9ewf,” followed a similar approach, though “DFfe9ewf” appeared to be more experimental. In total, these accounts hosted scripts, loaders and binaries from several malware families, including Amadey, Lumma, Redline and AsyncRAT.
Amadey isn’t new. It first appeared in 2018 on Russian-speaking forums, sold for around $500, and has since been used by various groups to create botnets and drop additional malware.
The malware can harvest system info, download more tools, and expand its functionality with plug-ins. Despite being commonly used as a downloader, its flexible design means it can pose a larger threat depending on how it’s configured.
The technical link between this campaign and the earlier SmokeLoader operation centers on a loader known as “Emmenhtal.” First documented in 2024 by Orange Cyberdefense, Emmenhtal is a multi-layer downloader that wraps its final payload in layers of obfuscation. Talos found that variants of Emmenhtal were not only used in the phishing campaign that targeted Ukrainian entities but also embedded in scripts hosted on the fake GitHub accounts.
What’s additionally noteworthy is that several scripts from the “Milidmdds” account, such as “Work.js” and “Putikatest.js,” were nearly identical to those seen in the earlier campaign. The only differences were minor changes in function names and final download targets. Instead of SmokeLoader, these versions fetched Amadey, PuTTY executables and remote access tools such as AsyncRAT.
The use of GitHub wasn’t limited to JavaScript droppers. Talos also found a Python script named “checkbalance.py” masquerading as a crypto tool. In reality, it decoded and ran a PowerShell script that downloaded Amadey from a known command and control address. It also displayed an error message in broken Cyrillic, hinting at its origins or intended audience.
While GitHub acted quickly to shut down the identified accounts after being alerted, this incident highlights how everyday platforms can be abused for malicious purposes. In environments where GitHub access is required, spotting this kind of misuse isn’t easy: the traffic goes to a trusted domain over HTTPS, and a direct file download from a throwaway account looks much like a legitimate raw-file fetch.
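One practical starting point, where blocking GitHub outright is not an option, is to review proxy logs for direct raw-file fetches of executable or script content from accounts the organisation does not normally pull from, and then to look at how many distinct repositories each such account was hit for. The script below is an added example written for this article, not code from Cisco Talos or from the campaign itself; the log format, the allowlist of accounts, and the account and repository names in the sample lines are all constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Extensions that, fetched straight out of a repository, deserve a second look.
SUSPICIOUS_EXT = (".exe", ".dll", ".js", ".jse", ".vbs", ".ps1", ".py", ".bat", ".cmd", ".hta")

# Hypothetical allowlist: GitHub accounts this organisation legitimately pulls raw files from.
ALLOWED_ACCOUNTS = {"my-org", "python"}

# Constructed proxy log lines in the form "<timestamp> <client> <method> <url> <status>".
# Accounts and repositories here are placeholders, not observed infrastructure.
SAMPLE_LOG = """\
2025-04-10T09:01:12Z 10.0.5.21 GET https://raw.githubusercontent.com/my-org/build-tools/main/setup.ps1 200
2025-04-10T09:02:40Z 10.0.5.21 GET https://github.com/python/cpython/blob/main/README.rst 200
2025-04-10T09:03:05Z 10.0.7.44 GET https://raw.githubusercontent.com/acct-a/r1/main/Work.js 200
2025-04-10T09:03:09Z 10.0.7.44 GET https://github.com/acct-a/r2/raw/main/checkbalance.py 200
2025-04-10T09:03:15Z 10.0.7.44 GET https://raw.githubusercontent.com/acct-a/r3/main/putty.exe 200
2025-04-10T09:05:00Z 10.0.7.44 GET https://raw.githubusercontent.com/acct-b/docs/main/notes.md 200
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3})$")


def parse_github_raw(url):
    """Return (account, repo, path) when url fetches a file directly from a repo, else None."""
    u = urlparse(url)
    host = u.netloc.lower()
    parts = [p for p in u.path.split("/") if p]
    if host == "raw.githubusercontent.com" and len(parts) >= 4:
        # raw.githubusercontent.com/<account>/<repo>/<ref>/<path...>
        return parts[0], parts[1], "/".join(parts[3:])
    if host == "github.com" and len(parts) >= 5 and parts[2] == "raw":
        # github.com/<account>/<repo>/raw/<ref>/<path...>
        return parts[0], parts[1], "/".join(parts[4:])
    return None  # web UI views (/blob/...), API calls, clones: not a direct file fetch


def find_suspicious_downloads(log_text, allowed=ALLOWED_ACCOUNTS):
    """Flag direct GitHub fetches of executable/script content from non-allowlisted accounts.

    Returns a list of (client, account, repo, path) tuples.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "GET":
            continue
        parsed = parse_github_raw(m["url"])
        if parsed is None:
            continue
        account, repo, path = parsed
        if account.lower() in allowed:
            continue
        if path.lower().endswith(SUSPICIOUS_EXT):
            hits.append((m["client"], account, repo, path))
    return hits


def repos_per_account(hits):
    """Count distinct repositories each flagged account was fetched from.

    One account serving many single-file repositories is the pattern worth escalating.
    """
    repos = defaultdict(set)
    for _client, account, repo, _path in hits:
        repos[account].add(repo)
    return {account: len(r) for account, r in repos.items()}


if __name__ == "__main__":
    found = find_suspicious_downloads(SAMPLE_LOG)
    for hit in found:
        print("suspicious direct GitHub download:", hit)
    print("distinct repos per flagged account:", repos_per_account(found))
```

On the constructed sample, the allowlisted PowerShell fetch and the README view are ignored, while the three executable and script fetches from the unknown account are flagged and roll up to a single account touching three repositories; in a real deployment the allowlist would be populated from the organisation's known build and tooling dependencies, and the per-account count would be tracked over a longer window than a single log excerpt.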
Talos researchers are continuing to monitor the infrastructure and believe the operators are distributing payloads on behalf of multiple clients. The variety of infostealers seen in these repositories supports that theory, and GitHub’s accessibility and reputation give MaaS operations looking to stay undetected an efficient delivery method.