Threat actors are leveraging public GitHub repositories to host malicious payloads and distribute them via Amadey as part of a campaign observed in April 2025.

"The MaaS [malware-as-a-service] operators used fake GitHub accounts to host payloads, tools, and Amadey plug-ins, likely as an attempt to bypass web filtering and for ease of use," Cisco Talos researchers Chris Neal and Craig Jackson said in a report published today.

The cybersecurity company said the attack chains leverage a malware loader called Emmenhtal (aka PEAKLIGHT) to deliver Amadey, which, for its part, downloads various custom payloads from public GitHub repositories operated by the threat actors.

The activity shares tactical similarities with an email phishing campaign that used invoice payment and billing-related lures to distribute SmokeLoader via Emmenhtal in February 2025 in attacks targeting Ukrainian entities.

Both Emmenhtal and Amadey function as a downloader for secondary payloads like information stealers, although the latter has also been observed delivering ransomware like LockBit 3.0 in the past.

Another crucial distinction between the two malware families is that unlike Emmenhtal, Amadey can collect system information and can be extended feature-wise with an array of DLL plugins that enable a specific functionality, such as credential theft or screenshot capture.

‍