
Hackers Exploit GitHub Repositories to Distribute Amadey Malware in 2025 Campaign
In April 2025, malicious actors were observed leveraging public GitHub repositories to host and distribute malicious payloads as part of a campaign involving the Amadey malware. This tactic, reported by Cisco Talos researchers Chris Neal and Craig Jackson, highlights a growing trend where threat actors abuse legitimate platforms to evade detection and facilitate malware distribution.
Amadey is a modular malware known for its versatility and stealth capabilities. It is often distributed through Malware-as-a-Service (MaaS) operations, allowing cybercriminals to rent malware infrastructure for their campaigns. By hosting payloads, tools, and Amadey plugins on GitHub, attackers can bypass traditional web filters that might block traffic to known malicious domains. GitHub's reputation as a trusted platform for developers makes it an attractive vector for malware distribution, as organizations are less likely to block or scrutinize traffic to and from GitHub.
The implications of this campaign are significant for the cybersecurity landscape. The abuse of trusted platforms like GitHub underscores the need for organizations to implement more stringent monitoring and filtering of traffic to such services. It also highlights the importance of continuous threat intelligence and anomaly detection to identify and respond to such threats promptly.
From an expert perspective, this tactic is not entirely new but serves as a reminder that attackers are constantly evolving their methods to evade detection. Organizations should consider enhancing their security posture by implementing behavior-based detection systems and robust anomaly detection mechanisms. Additionally, regular audits of network traffic to and from platforms like GitHub can help identify and mitigate potential threats.
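As an added illustration (not code from the Talos report or from any vendor), the traffic audit recommended above can start from a simple rule over web-proxy logs: flag binary or archive downloads from GitHub's content-serving hosts that were made by something other than git, the GitHub CLI or a browser. The pipe-separated log format, the sample lines, the host list and the user-agent allowlist are all constructed assumptions for this example.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Hosts that serve file content for GitHub; a hosted payload fetch usually hits one of these (assumed list).
GITHUB_HOSTS = {"github.com", "raw.githubusercontent.com",
                "objects.githubusercontent.com", "codeload.github.com"}
# Response types / extensions that mean a binary or archive was pulled rather than a page or source file.
BINARY_TYPES = {"application/octet-stream", "application/x-msdownload",
                "application/x-dosexec", "application/zip"}
BINARY_EXT = re.compile(r"\.(exe|dll|zip|7z|msi|scr)$", re.I)
# Assumed allowlist of agents expected to download from GitHub: git, the GitHub CLI, modern browsers.
EXPECTED_UA = re.compile(r"^(git/|GitHub CLI|Mozilla/5\.0 \(.*(Chrome|Firefox|Safari))", re.I)

@dataclass
class Event:
    ts: str
    client: str
    ua: str
    url: str
    ctype: str
    size: int

def parse_line(line: str) -> Event:
    # Constructed format: ts | client | user-agent | method | url | status | content-type | bytes ("-" = empty UA)
    ts, client, ua, _method, url, _status, ctype, size = [f.strip() for f in line.split("|")]
    return Event(ts, client, "" if ua == "-" else ua, url, ctype, int(size))

def is_suspicious(ev: Event) -> bool:
    parts = urlsplit(ev.url)
    host = (parts.hostname or "").lower()
    binary = ev.ctype in BINARY_TYPES or bool(BINARY_EXT.search(parts.path))
    return host in GITHUB_HOSTS and binary and not EXPECTED_UA.match(ev.ua)

def flag_github_downloads(lines):
    """Return events where a non-developer, non-browser agent pulled a binary from GitHub."""
    return [ev for ev in map(parse_line, lines) if is_suspicious(ev)]

# Constructed sample proxy lines; example-user/example-repo are placeholders, not real indicators.
SAMPLE_LOGS = [
    "2025-04-14T10:02:11Z | 10.0.0.12 | git/2.44.0 | GET | https://github.com/org/app.git/info/refs | 200 | application/x-git-upload-pack-advertisement | 1834",
    "2025-04-14T10:05:43Z | 10.0.0.12 | Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0 | GET | https://github.com/org/app/releases/download/v1.2/app-setup.exe | 200 | application/octet-stream | 5242880",
    "2025-04-14T10:07:02Z | 10.0.0.55 | Mozilla/4.0 | GET | https://raw.githubusercontent.com/example-user/example-repo/main/upd.exe | 200 | application/octet-stream | 311296",
    "2025-04-14T10:07:09Z | 10.0.0.55 | - | GET | https://raw.githubusercontent.com/example-user/example-repo/main/cred.dll | 200 | application/octet-stream | 98304",
    "2025-04-14T10:09:30Z | 10.0.0.77 | python-requests/2.31 | GET | https://raw.githubusercontent.com/org/config/main/README.md | 200 | text/plain | 2201",
]

if __name__ == "__main__":
    for ev in flag_github_downloads(SAMPLE_LOGS):
        print(f"{ev.ts} {ev.client} ua={ev.ua!r} fetched {ev.url} ({ev.size} bytes)")
```

The browser-driven release download and the git clone are left alone; only the two raw.githubusercontent.com binary fetches by an old-style or empty user agent are reported, which is the behaviour-based signal the article recommends looking for.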
In conclusion, the use of GitHub repositories for hosting malicious payloads represents a sophisticated evasion technique that leverages the trust and ubiquity of legitimate platforms. Cybersecurity professionals must remain vigilant and adapt their defenses to counter such evolving threats effectively.