How Hackers Use GitHub to Hide Malware: A Technical Breakdown of the Amadey Stealer Attack Chain


Hackers Are Hiding Malware in Plain Sight — On GitHub!

Cyber-AppSec

3 min read·Jul 18, 2025


A Humanized Cyber Kill Chain Breakdown of the Amadey Stealer Campaign

If GitHub is for developers, why are hackers using it like Dropbox for malware?

In a world where Malware-as-a-Service (MaaS) has gone full SaaS, cybercriminals are getting clever, too clever. A new wave of attacks shows just how deeply threat actors are embedding themselves into the platforms we trust. GitHub, yes that GitHub, is now being abused to host payloads, support data theft, and evade detection, because traffic to a well-known developer site rarely raises an eyebrow.
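The detection angle that follows from this is worth making concrete. The script below is an added example, not code from the original article or from any vendor report on the campaign: it walks a constructed CSV proxy-log export and flags GitHub content downloads that look like payloads (binary file extensions, binary MIME types, or release-asset paths) when they come from a host outside a developer allowlist or carry a browser-style user agent. The log format, field names, allowlist and user-agent heuristics are all assumptions to be tuned to your own environment.

```python
"""Flag proxy-log entries where a non-developer host pulls binary-looking
content from GitHub. Added example; log format, field names, the developer
allowlist and the user-agent heuristics are assumptions, not campaign IOCs."""
import csv
import io
from urllib.parse import urlparse

# GitHub endpoints commonly used to serve raw files and release assets.
GITHUB_CONTENT_HOSTS = {
    "raw.githubusercontent.com",
    "objects.githubusercontent.com",
    "gist.githubusercontent.com",
    "github.com",
}
# File extensions and MIME types that should not be landing on a finance workstation.
BINARY_SUFFIXES = (".exe", ".dll", ".msi", ".scr", ".zip", ".7z", ".rar",
                   ".ps1", ".vbs", ".js", ".bat")
BINARY_MIME = {"application/octet-stream", "application/x-msdownload",
               "application/x-dosexec", "application/zip"}
# Tokens that identify legitimate developer tooling in the User-Agent (assumption).
TOOL_UA_TOKENS = ("git/", "curl/", "gh/", "pip/", "go-http-client")

# Hypothetical allowlist: hosts where GitHub downloads are expected.
DEV_HOSTS = {"10.0.5.21", "10.0.5.22"}

# Constructed sample export (assumed columns: ts,src_ip,method,url,status,content_type,user_agent).
SAMPLE_LOG = """ts,src_ip,method,url,status,content_type,user_agent
2025-07-18T09:01:12Z,10.0.5.21,GET,https://raw.githubusercontent.com/org/repo/main/README.md,200,text/plain,git/2.45.0
2025-07-18T09:02:40Z,10.0.7.14,GET,https://raw.githubusercontent.com/someuser/repo/main/invoice.exe,200,application/octet-stream,Mozilla/4.0 (compatible; MSIE 7.0)
2025-07-18T09:03:05Z,10.0.7.14,GET,https://github.com/someuser/repo/releases/download/v1/update.zip,302,text/html,Mozilla/4.0 (compatible; MSIE 7.0)
2025-07-18T09:04:00Z,10.0.5.22,GET,https://github.com/org/tool/releases/download/v2/tool.zip,200,application/zip,curl/8.5.0
2025-07-18T09:05:31Z,10.0.9.8,GET,https://www.example.com/index.html,200,text/html,Mozilla/5.0
"""


def is_github_content(url):
    """True when the request goes to a GitHub host that can serve file content."""
    host = urlparse(url).hostname or ""
    return host.lower() in GITHUB_CONTENT_HOSTS


def looks_like_payload(url, content_type):
    """True when the path, MIME type or release-asset route suggests a binary download.
    A 302 from a release URL still counts: the redirect itself reveals the intent."""
    path = urlparse(url).path.lower()
    return (path.endswith(BINARY_SUFFIXES)
            or content_type.strip().lower() in BINARY_MIME
            or "/releases/download/" in path)


def flag_github_downloads(log_text, dev_hosts=DEV_HOSTS):
    """Return (src_ip, url, reasons) for GitHub payload downloads that break expectations."""
    hits = []
    for row in csv.DictReader(io.StringIO(log_text)):
        if not is_github_content(row["url"]):
            continue
        if not looks_like_payload(row["url"], row["content_type"]):
            continue
        reasons = []
        if row["src_ip"] not in dev_hosts:
            reasons.append("non-developer host")
        if not any(tok in row["user_agent"].lower() for tok in TOOL_UA_TOKENS):
            reasons.append("browser-style user agent")
        if reasons:
            hits.append((row["src_ip"], row["url"], ", ".join(reasons)))
    return hits


if __name__ == "__main__":
    for src, url, why in flag_github_downloads(SAMPLE_LOG):
        print(f"{src}  {url}  [{why}]")
```

Only the two requests from 10.0.7.14 are flagged: the developer host pulling a release with curl and the README fetch are left alone. The point of the allowlist plus user-agent pairing is that blocking GitHub outright is rarely an option, so the signal has to come from who is downloading what, not from the domain itself.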


From GitHub to Ransomware: The Shocking New Malware Delivery Chain

Let’s break down the entire attack lifecycle using the Cyber Kill Chain — the framework every cyber defender should have tattooed in their brain.

1. Reconnaissance:

The attackers don’t start by swinging a hammer — they start with a Google search.

What happened:
They likely profiled targets who are susceptible to finance-related email lures (invoice, billing themes), particularly in Ukraine, Hong Kong, Singapore, and Australia.

Human spin:
Think of this like a scammer following your social media to figure out what kind of phishing bait would work best.

2. Weaponization:
