Cyber attackers are always looking for smarter, stealthier ways to spread malware. Lately, they’ve found a new trick – using GitHub to host and spread malware like Amadey and data stealers. It’s a clever and concerning tactic. GitHub is a legitimate and trusted platform used by developers and organizations around the world. But now, it’s being misused to hide harmful files right under everyone’s noses. These attackers rely on people’s trust in GitHub, which makes their malicious links harder to spot in emails and other messages.

What Is Amadey Malware?
Amadey is a piece of malware that first showed up back in 2018. It’s not flashy or noisy. In fact, it’s designed to stay quiet. Its job? Collect information, monitor infected devices, and help install other, more dangerous malware. It’s like the scout in a cyberattack, checking out the system and reporting back to the attackers. It can even be customized to target specific software, making it more dangerous than it initially appears to the unsuspecting user.
Because it’s lightweight and flexible, Amadey is used by a wide range of cybercriminals. It can steal browser credentials, gather system details, and even open the door for other malware like ransomware or data stealers to enter. In many instances, it has also been used to quietly load malicious plugins or execute commands sent by a remote attacker.
How Are Hackers Using GitHub?
Hackers have started storing malicious files on GitHub, a place that’s meant for developers to share code. Because GitHub is so well-respected and widely used, security tools often don’t question links that point there. That’s exactly what attackers are counting on. The use of GitHub in these campaigns highlights how cybercriminals adapt to current digital habits and enterprise workflows to avoid suspicion.
In these attacks, hackers upload malware files to GitHub and then send links to these files through phishing emails. The emails might claim to be invoices, shipping details, or important company updates. When the victim clicks, they’re unknowingly downloading malware directly from GitHub. This method is effective due to the convincing nature of the emails and the familiar platform used to deliver the payload.
Some files are even disguised as PDFs or software installers. They look harmless, but they contain scripts that download and install malware like Amadey. From there, the malware starts gathering information and contacting the hacker’s command-and-control server. These scripts can be customized with delay timers to avoid immediate detection and give the malware time to spread.
Why This Tactic Works
This strategy works so well because GitHub is generally trusted by both people and security systems. Firewalls and antivirus software often don’t block GitHub links. That gives hackers an open channel to send their malware without raising red flags. This level of trust creates a blind spot that cybercriminals are increasingly exploiting to their advantage.
Plus, attackers use tricks like encrypting the files, compressing them into ZIP archives, or encoding them with Base64 to make them harder for antivirus systems to detect. Often, the malware isn’t even on the computer at first. Instead, a small script fetches it from GitHub when the time is right. This step-by-step approach helps them avoid early-stage detection by network scanners.
This makes it a multi-stage attack. The first stage looks clean, but it leads to something much more dangerous. These multi-stage techniques also make incident response harder because traces of the original infection source may be removed.
Examples of Real Attacks
In one recent campaign, attackers sent out emails with links to what looked like financial documents on GitHub. These documents were actually malware in disguise. Once downloaded and opened, they launched scripts that installed Amadey on the victim’s computer. The installation happened quietly, leaving users unaware of the danger they just introduced into their systems.
Amadey then started collecting information, including saved passwords and details about the system. It quietly sent all this data back to the attackers. The campaign used a GitHub account that had only been created a few days earlier. It was taken down after being reported, but not before several people had already been infected. The short lifespan of these accounts makes detection and prevention more difficult for defenders.
In some cases, Amadey was just the beginning. Once it was on the system, it downloaded additional malware like RedLine, Vidar, or FormBook. These programs specialize in stealing even more sensitive information. They target login credentials, cryptocurrency wallets, browser history, and even files stored on the computer.
Why GitHub Is Being Targeted
GitHub isn’t just popular – it’s vital to many organizations. Developers use it every day to collaborate on projects and share code. That makes it difficult for companies to block or restrict GitHub access without disrupting work. It’s a platform that’s deeply integrated into modern development and IT workflows.
Hackers know this. They also know that GitHub allows easy uploading, sharing, and updating of files. That means attackers can upload new versions of malware whenever they want. They can even delete old files and rotate new ones in, keeping the attack fresh and harder to track. These actions can be automated using GitHub’s API, reducing the need for constant human involvement.
GitHub’s features, like raw file access and APIs, make it even easier for attackers to automate their campaigns. These automation capabilities are a double-edged sword: useful for developers, but equally useful for threat actors.
GitHub’s Response
GitHub does have rules against using its platform for malicious purposes. When they find or are alerted to malware, they take it down. But the volume of content on GitHub is enormous, and it’s tough to catch everything. This creates a gap between reactive content moderation and proactive threat detection.
Hackers keep coming up with new ways to hide their malware. They use new accounts, obfuscate their code, and constantly change how the malware looks and behaves. That makes it difficult for GitHub’s automated systems and human moderators to catch every threat in time. The evolving nature of these tactics puts a strain on trust-based platforms and cybersecurity operations alike.
What Can Be Done?
Defending against this type of attack takes a layered approach. Companies need to look beyond just blocking bad domains. Even trusted platforms like GitHub need to be monitored more carefully. Security teams must adopt behavior-based detection methods that analyze file activity patterns instead of static reputation lists.
Network traffic going to GitHub should be inspected. Suspicious repositories and download patterns should trigger alerts. Some companies might even block access to certain types of GitHub files unless they’re verified. A zero-trust model should be considered for external platforms, regardless of their general reputation.
Security teams should also use Endpoint Detection and Response (EDR) tools that look for suspicious behavior, not just known malware signatures. Sandboxing unfamiliar files to see how they behave before letting them run can help catch hidden threats. This proactive stance can reduce the chances of a successful infection and shorten incident response times.
Educating employees is just as important. People need to be careful about clicking links in emails or downloading files from unfamiliar sources – even if they appear to be hosted on trusted platforms. Routine security awareness training and simulated phishing tests can go a long way in reducing human error.
Finally, creating internal whitelists and blacklists for GitHub usage can give companies better control over who can access what. Monitoring access logs and setting repository access policies help create accountability in enterprise GitHub usage.
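As an added illustration of the monitoring described above (example code written for this article, not from GitHub or any security vendor): a small Python detector run over constructed proxy log lines that flags GitHub downloads of executable or archive files from owners outside an assumed internal allowlist, double-extension names such as invoice.pdf.exe, and bursts of downloads by one user from a single unapproved owner. The allowlist, the host list, the risky extension set and the log format are all assumptions.

```python
from collections import Counter
from urllib.parse import urlparse
# Constructed sample proxy log lines (not real traffic): user, URL, response content-type
SAMPLE_LOG = """\
alice https://github.com/acme-corp/build-tools/releases/download/v2.1/tool.zip application/zip
bob https://raw.githubusercontent.com/acme-corp/build-tools/main/README.md text/plain
carol https://raw.githubusercontent.com/qx91zz/docs/main/Invoice_2025.pdf.exe application/octet-stream
carol https://raw.githubusercontent.com/qx91zz/docs/main/loader.ps1 text/plain
carol https://raw.githubusercontent.com/qx91zz/docs/main/stage2.zip application/zip
dave https://example.com/report.pdf application/pdf
"""
ALLOWED_OWNERS = {"acme-corp"}  # assumed allowlist of GitHub orgs/users approved for downloads
GITHUB_HOSTS = {"github.com", "raw.githubusercontent.com", "objects.githubusercontent.com"}
RISKY_EXT = {".exe", ".scr", ".msi", ".iso", ".zip", ".rar", ".7z", ".ps1", ".vbs", ".js", ".bat"}
BINARY_TYPES = {"application/octet-stream", "application/zip", "application/x-msdownload"}
def github_owner(url):
    # Owner is the first path segment on github.com / raw.githubusercontent.com; None otherwise
    p = urlparse(url)
    parts = [s for s in p.path.split("/") if s]
    return parts[0] if p.hostname in GITHUB_HOSTS and parts else None

def assess(url, ctype):
    """Reasons a GitHub download looks suspicious; empty list when nothing is flagged."""
    owner = github_owner(url)
    if owner is None or owner in ALLOWED_OWNERS:
        return []  # not GitHub, or an approved owner: nothing to flag
    name = urlparse(url).path.lower().rsplit("/", 1)[-1]
    ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
    reasons = []
    if ext in RISKY_EXT:
        reasons.append(f"{ext} file from unapproved owner {owner}")
        if name.count(".") > 1:
            reasons.append("double extension")  # e.g. invoice.pdf.exe posing as a document
    if ctype in BINARY_TYPES:
        reasons.append("binary or archive content-type from unapproved owner")
    return reasons

def scan(log_text, burst_threshold=3):
    """Return (findings, bursts): flagged downloads, plus users pulling many files from one unapproved owner."""
    findings, per_user_owner = [], Counter()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3: continue  # skip malformed lines
        user, url, ctype = fields
        owner = github_owner(url)
        if owner and owner not in ALLOWED_OWNERS:
            per_user_owner[(user, owner)] += 1
        if reasons := assess(url, ctype):
            findings.append((user, url, reasons))
    bursts = [(u, o, n) for (u, o), n in per_user_owner.items() if n >= burst_threshold]
    return findings, bursts
```

Running `scan(SAMPLE_LOG)` flags only carol's three downloads from the unapproved owner and reports that user/owner pair as a burst, while the approved acme-corp release archive passes untouched.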
The Bigger Picture
GitHub isn’t the only platform being abused. Attackers are also using services like Dropbox, Google Drive, OneDrive, and Discord to host malware. These platforms offer free storage, reliable service, and wide accessibility – all of which are useful for cybercriminals. Trust in these platforms becomes a weapon in the wrong hands.
Since these services are used every day for legitimate work, completely blocking them isn’t practical. That means security tools need to get smarter. They need to look at context, behavior, and usage patterns to spot when a trusted service is being misused. Security should adapt to intent, not just identity.
The rise of GitHub-based malware campaigns shows just how far attackers will go to avoid detection. It also highlights the need for modern defenses that go beyond just scanning for known threats. These evolving techniques challenge the traditional security mindset and call for dynamic threat modeling.
Final Thoughts
The abuse of GitHub to host malware like Amadey is a troubling trend in the cybersecurity world. It takes advantage of trust, bypasses many traditional defenses, and makes it easier than ever for hackers to spread their tools. This trend calls for urgent upgrades in how we manage digital trust and verify content from popular platforms.
To stay ahead, companies need to rethink how they handle security. That means monitoring trusted services more closely, investing in behavior-based detection tools, and educating users to spot the signs of phishing and malware. Collaboration across security teams, IT departments, and platform providers is essential for effective defense.
As long as attackers continue to innovate, defenders need to evolve as well. The fight against cybercrime isn’t just about blocking bad guys – it’s about questioning what we consider safe and being ready for anything. Resilience, adaptability, and awareness are the keys to surviving the ever-changing threat landscape of today’s digital world.