Modern cyberattacks are less and less likely to look like a direct breach. Instead, they disguise themselves as ordinary emails, files, or routine work processes, quietly triggering a chain of events that is hard to detect at first glance. This article looks at a new wave of threats linked to a service-based model for distributing malware, which is already being used against Ukrainian organizations. It helps explain the overall logic behind these attacks, why they are becoming widespread, and what businesses and security professionals should be paying attention to.
In April 2025, activity linked to a Malware-as-a-Service (MaaS) operation was identified. In this scheme, Amadey was used to deliver malicious components. The operators relied on fake GitHub accounts to host payloads, tools, and Amadey plugins, likely to bypass web filtering and make distribution easier.
Some of the tactics, techniques, and procedures used in this operation overlap with a SmokeLoader phishing campaign detected in early 2025 that targeted Ukrainian organizations. Within the MaaS scheme, the same variant of the Emmenhtal loader used in the SmokeLoader campaign was employed to deliver Amadey and other tools.
In early February 2025, a series of phishing emails themed around invoices and payments was observed, likely aimed at Ukrainian organizations. These emails contained compressed attachments (ZIP, 7-Zip, or RAR) with at least one JavaScript file. The file was heavily obfuscated and concealed a PowerShell downloader. When the JavaScript and PowerShell scripts were executed on the victim’s system, SmokeLoader was downloaded and launched. The JavaScript downloaders were identified as Emmenhtal based on characteristic obfuscation techniques similar to those described by other researchers.
During analysis of Emmenhtal samples obtained from this phishing campaign, additional samples with very similar structure were found on VirusTotal, though they did not belong to the original activity cluster. The key difference was that these files were not distributed via email but were hosted in public GitHub repositories. Instead of delivering SmokeLoader, they were used to deliver Amadey, which then downloaded various custom payloads from other public GitHub repositories.
Further analysis of the related GitHub accounts and files showed that they may be part of a larger MaaS operation. In this scheme, public GitHub repositories are effectively used as open directories for storing and distributing custom malicious components.
Malware-as-a-Service (MaaS) is a business model in which operators sell access to malware or ready-made infrastructure. In this operation, Amadey was used to download multiple malware families onto infected systems, while the payloads themselves were hosted in fake public GitHub repositories. The first signs of this activity appeared in February 2025, around the same time as the SmokeLoader campaign.
The fact that several different types of malware are distributed from the same infrastructure points to the service-based nature of the operation. This suggests that the Amadey operators are likely delivering payloads not only for themselves, but also for other individuals or groups. This is further supported by the fact that the command-and-control infrastructures of the secondary payloads do not overlap with Amadey’s own C2, indicating the involvement of multiple independent customers within a single MaaS scheme.
Emmenhtal is a multi-stage loader that has been described by various research teams. It was named Emmenhtal in August 2024, though it is sometimes also referred to as PEAKLIGHT, a name commonly used for its final PowerShell stage. Activity linked to elements of this loader can be traced back to at least April 2024.
Different Emmenhtal variants have been found both embedded within other files and deployed as standalone samples. A typical loader consists of four layers. Three of them are used for obfuscation to hide the true purpose of the code, while the final layer is a PowerShell script responsible for downloading additional malware.
Amadey, also known as the Amadey bot, first appeared in late 2018 on Russian-language hacking forums and was sold for around $500. It was initially used to build botnets, but over time evolved into a versatile delivery tool for other types of malware. It has been observed distributing RedLine, Lumma, StealC, and SmokeLoader.
The main functions of Amadey are collecting information about the infected system and downloading secondary payloads. At the same time, it has a modular architecture that allows its capabilities to be extended through plugins. These plugins are implemented as DLL files and can add features such as taking screenshots or harvesting credentials. Because of this flexibility and broad functionality, Amadey remains a serious threat, even if it may appear at first glance to be just a downloader.
During the investigation of the MaaS operation, three GitHub accounts were identified that were being used as open directories to store tools, secondary payloads, and Amadey plugins:
Legendary99999
DFfe9ewf
Milidmdds
Beyond the convenience of file hosting, downloading files from GitHub repositories often allows attackers to bypass web filtering if an organization does not block access to the GitHub domain. Some companies do restrict GitHub to reduce the risk of abuse involving open-source offensive tools or malware distribution. However, for many organizations, especially those with development teams, access to GitHub is essential. In such environments, a malicious download from GitHub can easily blend in with normal, legitimate web traffic and go unnoticed.
The identified accounts were reported to GitHub and were quickly taken down. This effectively stopped the use of these repositories within the described scheme.
The Legendary99999 account was used most actively. It contained more than 160 repositories with random names. Each repository held only a single file located in the Releases section, indicating a deliberate use of GitHub as a simple storage and distribution platform for malicious components.

The files hosted in the Legendary99999 account represent a collection of payloads from various malware families. By placing these files in GitHub repositories, they could be easily downloaded directly via URLs from the Releases section of the respective repositories.
https://github.com/[account_name]/[repository_name]/releases/download/[release_name]/[file_name]
Once a system was infected with Amadey, the operators of this service could choose which payload would be delivered next. To do so, they only needed to download the required file from the corresponding URL.
Additional GitHub accounts were also identified that are likely linked to the same operator. This is indicated by similarities in account names, file names, repository structure, and the type of hosted malware, particularly information stealers delivered via Amadey. The earliest “first seen” date on VirusTotal for files associated with these repositories was January 3, 2025. At the time of analysis, none of these accounts were active.
The DFfe9ewf account was likely used for testing purposes. All repositories included the word test in their names, and no new commits were made after February 2025. This is the same month when the first commit appeared in the Legendary99999 account, suggesting that both accounts were used in parallel during the early stage of the activity.

Although the DFfe9ewf account does not share direct similarities with the other two accounts, files associated with the MaaS operation interacted with at least one repository belonging to it.
The DFfe9ewf account contained only six repositories. One of them was a fork of DInvoke, a tool that allows arbitrary unmanaged code to be invoked from managed code. Attackers frequently use DInvoke for process injection and to bypass Windows API hooking, helping them evade security detection.
The test3 repository contained a legitimate Selenium WebDriver file, along with versions for Microsoft Edge and Google Chrome, including ChromeDriver. WebDriver is a powerful development tool designed to automate the testing of web applications by remotely and programmatically controlling a browser. However, in a malicious context, such tools can be abused on a victim’s system to perform various actions, such as downloading payloads from malicious URLs or accessing local browser data.
While WebDriver is widely used in legitimate development, it can pose a serious security risk when misused. Security considerations for using WebDriver are covered in detail in the official ChromeDriver documentation.
The third account, named Milidmdds, contained ten repositories with random names similar to those used in the Legendary99999 account. Several malicious scripts were found in these repositories, which ultimately downloaded payloads onto infected systems.

During the investigation, clear overlaps were identified in tactics, techniques, and indicators between the SmokeLoader campaign and the MaaS activity involving Amadey. In particular, three JavaScript files hosted in the Milidmdds GitHub account are almost identical to the Emmenhtal scripts used in the SmokeLoader campaign.
Aside from randomly generated variable and function names, as well as different download targets in the final PowerShell script, most of the code across all samples is the same. The loader files found in various Milidmdds repositories had the following names:
Work.js
Workhmv.js
Putikatest.js
Although these scripts were not observed being used directly in live attacks, they were likely prepared for delivery via phishing emails or embedded into malicious files using the same approach seen in the SmokeLoader campaign.
Below are the similarities between the Emmenhtal loaders used in the phishing campaign targeting Ukrainian organizations (referred to as Sample 1) and those found in the Milidmdds repositories (referred to as Sample 2, Sample 3, and Sample 4).
The first obfuscation layer in the Emmenhtal samples defines a set of two-letter variables, each mapped to a two- or three-digit numeric value. These variables are applied to a long string of comma-separated values stored in a randomly named variable, such as qiXSF.

After the initial script is executed, a second script is revealed that uses the ActiveXObject function to run an encoded PowerShell command via WScript.Shell.

The third layer consists of a PowerShell command that contains an AES-encrypted binary large object (blob).

This blob contains another AES-encrypted PowerShell script, which is decrypted and executed by the initial script. The final script then initiates the download of the next stage from a hard-coded IP address. In the phishing campaign targeting Ukrainian organizations, this final payload was SmokeLoader along with a decoy PDF file.
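The four-layer structure just described can be turned into a static triage check for suspicious script attachments. The following Python script is an added example written for this article, not tooling from the original research: it flags the layer-1 pattern (many two-letter variables holding two- or three-digit numbers next to a long comma-separated numeric string), the layer-2 launcher (a `WScript.Shell` ActiveXObject, or a `subprocess.run` call, passing PowerShell an encoded command), decodes that `-EncodedCommand` value (Base64 of UTF-16LE text) and looks in the result for the AES-decryption markers of layer 3. The sample script it analyses is constructed and benign; its encoded command only writes a string, and the variable name `qiXSF` is borrowed from the article. Thresholds (10 variables, 100 numbers) are assumptions for illustration.

```python
"""Static triage for Emmenhtal-style layered scripts (added example, not from the article)."""
import base64
import re

# Layer 1: two-letter variables assigned 2-3 digit numbers, plus a long numeric CSV string
LAYER1_VAR = re.compile(r"\b[A-Za-z]{2}\s*=\s*\d{2,3}\b")
LAYER1_BLOB = re.compile(r"['\"]((?:\d{1,4},){100,}\d{1,4})['\"]")
# Layer 2: a launcher that hands PowerShell an encoded command
LAYER2_LAUNCHER = re.compile(
    r"ActiveXObject\s*\(\s*['\"]WScript\.Shell['\"]\s*\)|subprocess\.run", re.I)
ENCODED_CMD = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+['\"]?([A-Za-z0-9+/=]{16,})", re.I)
# Layer 3: AES handling of an embedded blob inside the decoded PowerShell
LAYER3_MARKERS = ("System.Security.Cryptography.Aes", "AesManaged",
                  "CreateDecryptor", "FromBase64String")


def decode_encoded_command(b64: str) -> str:
    """PowerShell -EncodedCommand is Base64 over UTF-16LE text."""
    raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))
    return raw.decode("utf-16-le", errors="replace")


def triage(script_text: str) -> dict:
    """Return which of the three obfuscation layers are present and the decoded PowerShell."""
    report = {"layer1": False, "layer2": False, "layer3": False, "decoded_powershell": ""}
    n_vars = len(LAYER1_VAR.findall(script_text))
    report["layer1"] = n_vars >= 10 and LAYER1_BLOB.search(script_text) is not None
    m = ENCODED_CMD.search(script_text)
    if LAYER2_LAUNCHER.search(script_text) and m:
        report["layer2"] = True
        report["decoded_powershell"] = decode_encoded_command(m.group(1))
    ps = report["decoded_powershell"].lower()
    report["layer3"] = any(marker.lower() in ps for marker in LAYER3_MARKERS)
    report["score"] = sum(report[k] for k in ("layer1", "layer2", "layer3"))
    return report


def build_constructed_sample() -> str:
    """Constructed, benign JScript mimicking layers 1 and 2 (not a real loader)."""
    layer1_vars = ";".join(f"{chr(97 + i // 26)}{chr(97 + i % 26)}={10 + i * 7}" for i in range(12))
    blob = ",".join(str((i * 7) % 251) for i in range(300))
    # The "payload" only references the AES type so layer 3 triggers; it downloads nothing.
    benign_ps = ("[void][System.Security.Cryptography.Aes]::Create();"
                 "Write-Output 'constructed sample, nothing downloaded'")
    enc = base64.b64encode(benign_ps.encode("utf-16-le")).decode()
    return (f"var {layer1_vars};\nvar qiXSF=\"{blob}\";\n"
            f"var sh=new ActiveXObject(\"WScript.Shell\");\n"
            f"sh.Run(\"powershell -nop -enc {enc}\",0,true);\n")


if __name__ == "__main__":
    result = triage(build_constructed_sample())
    print(f"layers matched: {result['score']}/3")
    print("decoded PowerShell:", result["decoded_powershell"])
```

The score is meant as a triage signal, not a verdict: a single layer on its own (for example an encoded command in an admin script) is common, whereas all three together match the loader structure closely enough to warrant detonation in a sandbox.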
At the same time, Emmenhtal loaders found in public GitHub repositories were used to deliver a variety of files, including:
Amadey
a legitimate copy of PuTTY.exe
AsyncRAT
The presence of a legitimate PuTTY utility among the files delivered via Emmenhtal from public GitHub repositories clearly demonstrates the flexibility of the MaaS operation. It is capable of distributing whatever tools its customers require, whether malicious software or entirely legitimate programs.
Examples of the final decrypted PowerShell downloader are shown below.


During the analysis of both activity clusters described in this article, Emmenhtal samples were identified that were disguised as MP4 files. Two URLs pointed to files with the .mp4 extension hosted on the domain pivqmane[.]com:
pivqmane[.]com/testonload[.]mp4/
pivqmane[.]com/doc/fb[.]mp4
Although both MP4 files had already been removed at the time of analysis, the abuse of this file format highlights another similarity between the MaaS operation and the SmokeLoader campaign. This observation is also consistent with earlier findings that some Emmenhtal variants may masquerade as MP3 or MP4 files.
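A cheap control against this masquerade is to verify that a downloaded "media" file actually has the structure of its claimed format before letting it reach a scripting host. The Python below is an added example, not part of the article or the research tooling: an ISO BMFF (MP4) file carries a `ftyp` box at byte offset 4, and an MP3 starts with an `ID3` tag or an MPEG frame-sync pattern; a text blob containing script launchers matches neither. All sample inputs are constructed, including the byte content attached to the `testonload.mp4` name taken from the article.

```python
"""Extension-versus-content check for files served as MP4/MP3 (added example)."""
import re

# Launcher strings seen in the loaders described above; checked only in the first 4 KiB
SCRIPT_MARKERS = re.compile(
    rb"ActiveXObject|WScript\.Shell|powershell|subprocess\.run|function\s*\(", re.I)


def looks_like_mp4(data: bytes) -> bool:
    """ISO BMFF: 4-byte box size followed by the 'ftyp' box type."""
    return len(data) >= 8 and data[4:8] == b"ftyp"


def looks_like_mp3(data: bytes) -> bool:
    """ID3v2 tag, or an MPEG audio frame sync (11 set bits) at offset 0."""
    if data[:3] == b"ID3":
        return True
    return len(data) >= 2 and data[0] == 0xFF and (data[1] & 0xE0) == 0xE0


def is_mostly_text(data: bytes) -> bool:
    """True when >95% of the first 4 KiB is printable ASCII (typical of a script)."""
    sample = data[:4096]
    if not sample:
        return False
    printable = sum(1 for b in sample if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(sample) > 0.95


def classify(filename: str, data: bytes) -> str:
    """'ok', 'mismatch', 'script-in-media' or 'unchecked' for a downloaded file."""
    ext = filename.lower().rsplit(".", 1)[-1]
    checks = {"mp4": looks_like_mp4, "mp3": looks_like_mp3}
    if ext not in checks:
        return "unchecked"
    if checks[ext](data):
        return "ok"
    if SCRIPT_MARKERS.search(data[:4096]) or is_mostly_text(data):
        return "script-in-media"
    return "mismatch"


# Constructed inputs: a minimal MP4 header, an MP3 with an ID3 tag, a script under a
# media name (file name from the article, content constructed), and random bytes.
SAMPLES = {
    "clip.mp4": b"\x00\x00\x00\x18ftypmp42\x00\x00\x00\x00mp42isom",
    "song.mp3": b"ID3\x03\x00\x00\x00\x00\x00\x00" + b"\xff\xfb\x90\x00",
    "testonload.mp4": b'var sh = new ActiveXObject("WScript.Shell");\n',
    "random.mp4": bytes(range(256)),
    "notes.txt": b"plain text",
}


def run_samples() -> dict:
    """Classify every constructed sample; returns {filename: verdict}."""
    return {name: classify(name, data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:16} {verdict}")
```

On a proxy or mail gateway the same check is usually expressed as "declared Content-Type / extension disagrees with detected MIME type"; the point of the script form is that `script-in-media` is a far stronger signal than a generic mismatch, because a script hidden under a media extension has no legitimate reason to exist.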
During this research, another unique file was discovered in the Milidmdds GitHub account. This was a malicious Python script named checkbalance.py. Unlike the samples discussed earlier, it did not use the initial obfuscation layers. However, the subsequent PowerShell stages were almost identical to those described above. This may indicate an evolution of the Emmenhtal loader or, more likely, a purpose-built variant developed for a specific campaign.
At first glance, the script masquerades as a simple tool that supposedly checks the contents of Zerion cryptocurrency accounts. However, it contains a large lambda function with a Base64-encoded and compressed blob embedded inside. This code is executed at runtime.
After execution, the user is shown an error message in Cyrillic: “Аккаунт кончились”. The message is grammatically incorrect, as “Аккаунт” is singular while “кончились” is plural. Based on the context, the author likely intended something along the lines of “no more accounts” or “accounts have run out.”

After that, the lambda function launches a second Python script, which uses the subprocess.run method to execute an encoded PowerShell command. The resulting PowerShell code is almost identical to the JavaScript variants described earlier.

The final PowerShell command downloads the Amadey payload from the IP address 185[.]215[.]113[.]16 as a file named amnew.exe. The PowerShell script embedded in checkbalance.py is fully identical to the one derived from Sample 2 (work.js), which was also found in the Milidmdds repository.
After execution, this payload connects to hxxp://185[.]215[.]113[.]43/Zu7JuNko/index.php, a known Amadey command-and-control (C2) server.
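The delivery pattern (release-asset downloads from throwaway GitHub accounts, described earlier in the article) and the Amadey network indicators above can both be checked against web-proxy logs. The Python below is an added example, not the article's tooling: it parses the `releases/download` URL structure quoted above, tags downloads from the three reported accounts and any executable-looking release asset, and matches the two 185.215.113.x addresses, the C2 path and the pivqmane[.]com domain. The indicators are taken from the article and refanged in code; the log format, every log line, the repository names and the URL paths are constructed placeholders, not observed values.

```python
"""Proxy-log triage for GitHub-release delivery and Amadey indicators (added example)."""
import re
from urllib.parse import urlparse


def refang(s: str) -> str:
    """Turn the article's defanged notation (185[.]215[.]113[.]16) into a matchable string."""
    return s.replace("[.]", ".")


# Indicators from the article
REPORTED_ACCOUNTS = {"legendary99999", "dffe9ewf", "milidmdds"}
IOC_HOSTS = {refang(h) for h in ("185[.]215[.]113[.]16", "185[.]215[.]113[.]43", "pivqmane[.]com")}
IOC_PATHS = {"/zu7junko/index.php"}
# https://github.com/[account]/[repo]/releases/download/[release]/[file]
RELEASE_PATH = re.compile(r"^/([^/]+)/([^/]+)/releases/download/([^/]+)/([^/]+)$")
EXECUTABLE_EXT = (".exe", ".dll", ".js", ".py", ".ps1", ".vbs", ".zip", ".rar", ".7z")

# Constructed log lines: "<timestamp> <client-ip> <method> <url> <status>".
# Repository names and file paths are placeholders, not values from the article.
SAMPLE_LOG = """\
2025-04-10T09:12:03Z 10.0.0.21 GET https://github.com/Legendary99999/abc123xyz/releases/download/r1/update.exe 200
2025-04-10T09:12:05Z 10.0.0.21 GET http://185.215.113.16/files/amnew.exe 200
2025-04-10T09:12:09Z 10.0.0.21 POST http://185.215.113.43/Zu7JuNko/index.php 200
2025-04-10T09:15:00Z 10.0.0.33 GET https://github.com/example-org/cli/releases/download/v2.1.0/cli-linux-amd64.tar.gz 200
2025-04-10T09:16:00Z 10.0.0.33 GET https://github.com/example-org/cli/blob/main/README.md 200
"""


def findings_for_url(url: str) -> list:
    """Return the list of finding tags that apply to one requested URL (empty if none)."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    path = parsed.path
    tags = []
    if host in IOC_HOSTS:
        tags.append("ioc-host")
    if path.lower() in IOC_PATHS:
        tags.append("ioc-path")
    if host == "github.com":
        m = RELEASE_PATH.match(path)
        if m:
            account, _repo, _release, filename = m.groups()
            tags.append("github-release-download")
            if account.lower() in REPORTED_ACCOUNTS:
                tags.append("reported-account")
            if filename.lower().endswith(EXECUTABLE_EXT):
                tags.append("executable-release-asset")
    return tags


def analyze_log(log_text: str) -> list:
    """Return (client_ip, url, tags) for every line that produced at least one tag."""
    results = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed line, skip rather than crash the sweep
        _ts, client_ip, _method, url, _status = fields[:5]
        tags = findings_for_url(url)
        if tags:
            results.append((client_ip, url, tags))
    return results


if __name__ == "__main__":
    for client_ip, url, tags in analyze_log(SAMPLE_LOG):
        print(client_ip, ", ".join(tags), url)
```

Note the ordering of severity: an `ioc-host` or `reported-account` hit is actionable on its own, whereas a plain `github-release-download` of a tarball from an unknown account (the fourth constructed line) is only worth reviewing when the same client also shows the other tags, since GitHub releases are a normal source of developer tooling in the environments the article describes.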

This case shows something very simple but important. Modern cyberattacks do not try to look dangerous anymore. They look normal. They arrive as things people see every day and trust without thinking twice.
Nothing here stands out at first glance. A file download, a GitHub link, a script running in the background. All of this fits perfectly into a normal workday. And that is the whole point. When an attack looks ordinary, it is easy to ignore and hard to question.
Emmenhtal and Amadey are not impressive because of advanced tricks. They are effective because they are practical. The same setup can be reused, reshaped, and sold to different actors for completely different purposes. One day it steals data, another day it opens remote access, and sometimes it delivers tools that look entirely legitimate.
The uncomfortable truth is this. Today’s threats do not break trust. They use it. They hide inside routine actions and familiar tools, waiting for the moment when nobody is paying attention anymore. And by then, the attack has already done its job.