Full Report
Cisco Talos uncovered a stealthy Malware-as-a-Service (MaaS) operation that used fake GitHub accounts to distribute a variety of dangerous payloads and evade security defenses.
Analysis Summary
# Threat Actor: Unattributed Malware-as-a-Service (MaaS) Operators / SmokeLoader Campaign Actors
## Attribution & Identity
The activity described centers on a Malware-as-a-Service (MaaS) operation built around Amadey, which overlaps significantly with a SmokeLoader phishing campaign that targeted Ukrainian entities in early 2025. Attribution beyond the MaaS framework, or to the specific affiliate distributing payloads, is not established in the text.
Known aliases and overlapping malware usage include:
* **Emmenhtal Loader:** Used by both the initial SmokeLoader campaign and the MaaS operation to download Amadey payloads.
* **PEAKLIGHT:** Alternative name used by Mandiant for the Emmenhtal final-stage PowerShell downloader.
## Activity Summary
The summary covers two related but potentially separate activities observed in early 2025:
1. **SmokeLoader Phishing Campaign (Early February 2025):** Targeted Ukrainian entities aggressively via invoice payment/billing-themed phishing emails. These emails contained obfuscated JavaScript/PowerShell downloaders (identified as Emmenhtal) leading to SmokeLoader execution.
2. **MaaS Operation (Identified April 2025):** A MaaS operation using Amadey to download various secondary payloads from fake GitHub repositories. This operation shares the Emmenhtal loader variant with the SmokeLoader campaign. The MaaS operators use GitHub as open directories to stage custom payloads and Amadey plugins.
## Tactics, Techniques & Procedures
- Delivery via invoice payment and billing-themed phishing emails.
- Use of compressed archive attachments (ZIP, 7Zip, RAR) containing obfuscated JavaScript files.
- JavaScript utilizing several layers of obfuscation to deploy a PowerShell downloader (Emmenhtal loader).
- Emmenhtal loader involves four layers, with the final stage being a PowerShell downloader script.
- Leveraging public GitHub repositories as open directories to host and distribute tools, secondary payloads, and Amadey plug-ins, potentially to bypass web filtering.
- Amadey used as a primary downloader, which subsequently downloads other malware families from GitHub.
## Targeting
- **Sectors:** Financial/Billing (implied by phishing theme).
- **Geography:** Ukrainian entities (explicitly mentioned for the initial SmokeLoader campaign).
- **Victims:** Specific organizations are not named, but the targeting appears geographically focused.
## Tools & Infrastructure
- **Malware Families Used:**
    * Amadey (Bot/Downloader)
    * SmokeLoader (Secondary payload in one campaign)
    * Emmenhtal (Loader/Dropper, sometimes referred to as PEAKLIGHT)
    * Other commodity infostealers (Redline, Lumma, StealC mentioned as potential payloads associated with Amadey generally).
- **Infrastructure:**
    * Fake GitHub accounts used as payload hosts: `Legendary99999`, `DFfe9ewf`, `Milidmdds`.
    * Command and Control (C2) infrastructures for secondary payloads do not overlap with Amadey's C2.
## Implications
The use of MaaS indicates a professionalized distribution model where operators sell access or infrastructure. The actors leverage common cloud services like GitHub to stage malware, aiming to bypass traditional perimeter web filtering solutions that may not be configured to block the GitHub domain entirely. The overlap between the Emmenhtal loader in both the MaaS operation and the targeted SmokeLoader campaign suggests a common upstream supplier or shared initial access techniques utilized by different threat actor groups.
## Mitigations
- Implement web filtering that inspects content downloaded from GitHub for potentially malicious files, rather than relying on blocking the domain outright, which is often impractical.
- Deploy network analytics solutions capable of detecting connections to suspicious/new GitHub accounts hosting malware staging.
- Utilize security tools like Cisco Secure Network/Cloud Analytics (Stealthwatch) to alert on potentially unwanted activity.
- Deploy endpoint protection (Cisco Secure Malware Analytics / Threat Grid) to identify and block malicious binaries.
- Ensure Umbrella or Secure Web Appliance solutions are configured to block connections to known malicious domains/IPs and, where intelligence permits, to the identified MaaS staging user accounts and repositories.
- Implement Multi-Factor Authentication (Duo) for access to critical systems to limit impact if credentials are harvested by infostealers dropped by Amadey.
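The network analytics mitigation above can be approximated with a simple log-review check. The following is an added example, not code from the Talos report: it scans constructed proxy log lines for GitHub downloads, flags any request to the three staging accounts named in the report, and flags binary-like fetches from accounts outside a hypothetical allowlist (`ALLOWED_ACCOUNTS`, the log format, and all sample URLs are assumptions).

```python
import re
from urllib.parse import urlparse

# Fake GitHub accounts named in the report as payload hosts.
KNOWN_STAGING_ACCOUNTS = {"Legendary99999", "DFfe9ewf", "Milidmdds"}
# Hypothetical allowlist of accounts this environment legitimately pulls binaries from.
ALLOWED_ACCOUNTS = {"trusted-vendor"}
# Hosts where the first path segment is the owning account.
GITHUB_HOSTS = {"github.com", "raw.githubusercontent.com"}
BINARY_EXT = re.compile(r"\.(exe|dll|ps1|js|zip|7z|rar|bin)$", re.IGNORECASE)
BINARY_TYPES = {"application/octet-stream", "application/x-msdownload"}
# Constructed log format: "<ts> <src_ip> <method> <url> <status> <content-type>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\S+)$")

def github_owner(url):
    """Return the GitHub account owning the requested path, or None if not GitHub."""
    p = urlparse(url)
    if p.hostname not in GITHUB_HOSTS:
        return None
    parts = [s for s in p.path.split("/") if s]
    return parts[0] if parts else None

def classify(line):
    """Return a finding dict for a suspicious GitHub download, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    _ts, src, _method, url, _status, ctype = m.groups()
    owner = github_owner(url)
    if owner is None:
        return None
    binary_like = ctype in BINARY_TYPES or bool(BINARY_EXT.search(urlparse(url).path))
    if owner in KNOWN_STAGING_ACCOUNTS:
        return {"src": src, "owner": owner, "url": url, "severity": "high",
                "reason": "known MaaS staging account"}
    if binary_like and owner not in ALLOWED_ACCOUNTS:
        return {"src": src, "owner": owner, "url": url, "severity": "medium",
                "reason": "binary-like fetch from non-allowlisted account"}
    return None

def flag_github_staging(lines):
    """Run classify() over every log line and keep the findings."""
    return [f for f in (classify(l) for l in lines) if f]

# Constructed sample log lines (no real repositories or files).
SAMPLE_LOG = [
    "2025-04-10T09:12:01Z 10.0.0.5 GET https://raw.githubusercontent.com/Legendary99999/tools/main/upd.exe 200 application/octet-stream",
    "2025-04-10T09:12:05Z 10.0.0.5 GET https://github.com/Milidmdds/plugins/raw/main/cred64.dll 200 application/octet-stream",
    "2025-04-10T09:13:40Z 10.0.0.7 GET https://github.com/trusted-vendor/app/releases/download/1.0/setup.exe 200 application/octet-stream",
    "2025-04-10T09:14:02Z 10.0.0.9 GET https://raw.githubusercontent.com/someuser/notes/main/README.md 200 text/plain",
    "2025-04-10T09:15:11Z 10.0.0.9 GET https://raw.githubusercontent.com/newacct123/stuff/main/update.ps1 200 text/plain",
]
```

Run `flag_github_staging(SAMPLE_LOG)` to see the two high-severity hits on the named staging accounts plus the medium hit on a script fetched from an unknown account; the allowlisted binary and the README are ignored.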