Hackers are exploiting a new TeleMessage SGNL flaw that exposes sensitive data. CISA warns agencies to patch or stop using it by July 22.

TeleMessage SGNL, a made-in-Israel clone of the Signal app used by US government agencies and regulated businesses, has been found running with an outdated configuration that exposes sensitive internal data to the internet, no login required.

The main cause of the problem is how some deployments of TeleMessage SGNL are using older versions of Spring Boot, a Java-based framework. These versions leave a diagnostic endpoint called /heapdump exposed by default.

When not locked down, this endpoint returns a full memory snapshot of the app, weighing in at around 150MB. These dumps can contain usernames, passwords, session details, and other data that should never be public.

According to cybersecurity researchers at GrayNoise, who identified this exploitation and shared its details with Hackread.com earlier today, say that even though newer Spring Boot releases disable this by default, TeleMessage instances were still running the insecure configuration as late as May 5, 2025.

The vulnerability, tracked as CVE-2025-48927, was added to the US Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) catalogue on July 14, which also suggests that real-world attacks are already underway.

According to GreyNoise, attackers have wasted no time. As of July 16, at least 11 IPs have been logged attempting to exploit the flaw directly. These are not random pings; they’re specific attempts to retrieve the heap memory from exposed TeleMessage SGNL deployments.

The scanning doesn’t stop there. In the past 90 days, over 2,000 IPs have probed Spring Boot Actuator endpoints in general. More than 1,500 IPs targeted the /health endpoint, often used by attackers to check if an app is built on Spring Boot and potentially misconfigured. This kind of scanning is often a sign that more targeted exploitation could follow.

GreyNoise has created a dedicated tracking tag for this activity. The tag identifies scanning behaviour specific to TeleMessage SGNL instances running with the vulnerable /heapdump endpoint exposed.

****TeleMessage SGNL and Cybersecurity Issues****

Security flaws can surface in any platform, but the issue with TeleMessage is more serious. This is a service built to protect sensitive communication, used by government agencies and enterprise organisations, yet it was left open because of outdated setup choices.

When a platform selling secure communication is involved, these kinds of misconfigurations can damage more than just systems. But, reputational damage is not new at TeleMessage. Back in May 2025, the platform suffered a massive breach after an anonymous hacker broke into its systems. The attacker accessed backend infrastructure and private user messages, forcing the company to take its website offline.

Just days later, on May 13, the CISA added CVE-2025-47729, the vulnerability behind that breach, to its Known Exploited Vulnerabilities (KEV) list. Then things got worse. Distributed Denial of Secrets (DDoSecrets), a nonprofit known for publishing leaked datasets, archived and indexed the entire stolen dataset on its website. That archive contained 410 gigabytes of sensitive data taken from the breach.

****CISA’s Binding Operational Directive****

Under its Binding Operational Directive, CISA has instructed all federal agencies to either apply available patches or stop using the affected software by July 22, 2025. While the directive only applies to federal systems, it’s a strong reminder for any organisation using TeleMessage SGNL to act quickly.

Until confirmed patches are applied, the safer approach is to restrict access or temporarily disable the app in environments handling sensitive communication. Nevertheless, researchers are urging organisations using TeleMessage or Spring Boot for internal services to take this seriously and:

*   Review all Actuator endpoint exposure

*   Disable or restrict access to the /heapdump endpoint immediately

*   Block IPs flagged by GreyNoise that are probing for this vulnerability

*   Upgrade to a supported version of Spring Boot that uses more secure default configurations

New TeleMessage SGNL Flaw Is Actively Being Exploited by Attackers

Texas adoption agency suffers major data leak, exposing over 1.1M sensitive records including case notes, contact info, and internal communications to public without any security authentication or password.

“While scanning the web for exposed databases, cybersecurity researcher Jeremiah Fowler discovered a massive set of unprotected records linked to the Gladney Center for Adoption, left online without a password, without encryption, and accessible to anyone.”

The database, containing 2.49 gigabytes and holding more than 1.1 million records, included deeply sensitive information about children, adoptive parents, birth families, and internal staff. Everything from names and contact details to case notes and private assessments was accessible to anyone with an internet connection, especially to those who know how to find exposed cloud servers, something cybercriminals are very familiar with.

Fowler quickly sent a responsible disclosure notice to the organization believed to be the source. The data was secured the following day, but questions remain about how long it was exposed and whether anyone else accessed it before it was taken offline.

What made this data leak especially concerning was not just the volume of data but the nature of it. The records appeared to come from a CRM (Customer Relationship Management) platform used to manage casework and communication across the organization.

In folders labeled “contacts,” “applications,” and “birth fathers,” Fowler found detailed records describing applicants’ personal histories, reasons for adoption denials, family backgrounds, and even mentions of substance use or legal matters. While there were no full case files, each entry carried just enough detail to make them a target for social engineering or fraud.

According to Fowler’s report shared with Hackread.com, one of the more sensitive areas included 284,000 email metadata records. Though the full email bodies weren’t exposed, subject lines sometimes included names or references that could give away context. Some records listed outreach between the agency and healthcare or social service providers, further adding to the potential privacy fallout if this data had fallen into the wrong hands.

The records spanned years of operational history, but evidence suggested the database itself had only recently been created or exported. Whether the system was hosted internally or by a third-party vendor remains unclear. Fowler never received a response to his disclosure, so there’s little clarity about the full extent of the exposure or whether any forensic review was conducted.

From a technical perspective, the records were a mix of plain text and UUIDs (Universally Unique Identifiers), which are typically used in CRM systems to link data. These identifiers may look complex, but they aren’t meant to protect sensitive content. Without encryption, they offer no meaningful protection if accessed by unauthorized users.

Fowler emphasized that encrypting data, especially when it involves children or health-related content, should be a baseline standard. He also suggested organizations limit internal access to sensitive data, regularly audit their systems, and train staff on basic cybersecurity hygiene. Older data no longer in use should be archived or deleted to limit the fallout in case of leaks.

Fowler’s report did not accuse Gladney or its affiliates of wrongdoing, nor did it claim the data was misused. However, he pointed out that the exposed data could hypothetically enable impersonation attempts, phishing scams, or even blackmail. Families involved in adoption often go through stressful and personal experiences, and such leaks make them more vulnerable.

In this case, the data did not appear to be stolen or shared. Fowler only took minimal screenshots for verification and did not download or retain any of the content. His reporting was guided by ethics, transparency, and a commitment to better data security across sectors handling personal information.

Massive Data Leak at Texas Adoption Agency Exposes 1.1 Million Records

### Summary

An attacker can forge a request to redirect an authenticated user to any arbitrary website.

### Details

On the login page, we have a `redirect` field which is the location where the server will redirect the user. This URI is not verified, and can be an arbitrary URI.

Paired with a parameter pollution, we can hide our malicious URI (ex: `https://dns.com/?param1=im_hidden_if_theres_lot_of_args?param1=bbb`).

### PoC

https://diracx-cert.app.cern.ch/auth?redirect=https://ipcim.com/en/where/?dsdsd=qsqsfsjfnsfniizaeiaapzqlalkqkaizqqijsjaopmqmxna?redirect=https://diracx-cert-app.cern.ch/auth

This POC can leak user's position.

### Impact

This could be used for phishing and extracting new data (such as redirecting to a new "log in" page, and asking users to reenter credentials).

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.

Attack complexity: More severe for the least complex attacks.

Privileges required: More severe if no privileges are required.

User interaction: More severe when no user interaction is required.

Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.

Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.

Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.

Availability: More severe when the loss of impacted component availability is highest.

GHSA-hfj7-542q-8fvv: DiracX-Web is vulnerable to attack through an Open Redirect on its login page

This week, Martin shows how stepping away from the screen can make you a stronger defender, alongside an inside scoop on emerging malware threats.

Thursday, July 17, 2025 14:00

Welcome to this week’s edition of the Threat Source newsletter.

Burnout is a real issue for people in cybersecurity. We protect the systems that allow modern life to function. Our hours are long, our sense of responsibility real and occasionally heavy. Everyone notices when we have a bad day and an attack evades our protections, but nobody notices our best days when complex threats are detected and neutralized. Our failures are very visible, while our successes are imperceptible to others. This, coupled with a professional propensity to always consider negative outcomes, is a recipe for poor mental health – not to mention that we most of our waking hours sitting in front of screens, engaging with machines.

Making a difference and stopping the bad guys means being in cybersecurity for the long haul. Experience is built with each new deployment and each resolved incident. Sometimes the worst incidents are in retrospect the best learning experiences. Professional experience is gained through many years of struggle. Losing a team member through burnout or being unable to continue with a career in the domain is a personal tragedy and a loss of experience to the entire cybersecurity community.

Various factors contribute to the high stress loads felt by cybersecurity teams. Many of these, such as the nature and frequency of attacks, are outside of our control. Others, such as budget approval or the appropriate prioritisation of projects, often appear close to being under control before somehow getting derailed.

We might not be able to control external factors, but we can manage our own responses to the stress that we face. Firstly, set boundaries and stick to them. Once your shift is over, stop working – and that includes thinking about it. This is easier said than done, but unless there is a real emergency, practice stepping away from work at the end of the day. Leaving work at work allows you to destress during your free time. 

Second, prioritize fun activities that don’t involve work or computers. Set aside time during your week to do something that you enjoy. Having many different activities and pastimes in your life helps provide balance. If one aspect of your life is particularly tough, then balance that with another part of your life which is going well. Personally, I find joy and escape in trail running. Finding myself deep in the countryside as far away from computer screens as possible provides me with time to recharge and recover.

Detecting threats and stopping the bad guys requires more than technical prowess. We must be committed to looking after ourselves, and each other, and to disconnecting from our passion for the work to continue doing it for years to come. 

**The one big thing  **

Cisco Talos identified a Malware-as-a-Service (MaaS) operation in early 2025 that used the Emmenhtal loader and Amadey malware to deliver malicious payloads targeting Ukrainian entities, often via public GitHub repositories. Talos worked with GitHub to remove these malicious accounts and recommends security solutions to prevent similar threats. 

**Why do I care?  **

This operation shows how easily adversaries can use trusted platforms like GitHub to deliver malware, making it more difficult for organizations to detect and block threats — especially if GitHub access is required for legitimate purposes.   

**So now what?**

Organizations should review their security policies around GitHub access, deploy advanced security controls and remain vigilant for phishing campaigns and malware leveraging public repositories to minimize the risk of compromise.

**Top security headlines of the week  **

**Four arrested in connection with M&S and Co-op cyber-attacks**   
The National Crime Agency (NCA) says a 20-year-old woman was arrested in Staffordshire, and three males - aged between 17 and 19 - were detained in London and the West Midlands. (BBC)

**Patch immediately: CVE-2025-25257 PoC enables remote code execution on Fortinet FortiWeb**    
The flaw allows unauthenticated attackers to execute remote code by writing malicious files to the server's filesystem, potentially leading to full remote code execution. (Security Affairs)

**Train brakes can be hacked over radio — and the industry knew for 20 years**   
“Successful exploitation... could allow an attacker to send their own brake control commands to the end-of-train device, causing a sudden stoppage of the train which may lead to a disruption of operations, or induce brake failure,” CISA said. (SecurityWeek)

**Episource is notifying millions of people that their health data was stolen**   
The breach affects more than 5.4 million people, making it one of the largest healthcare breaches of the year so far. The attacker stole personal information and protected health data. (TechCrunch)

**Can’t get enough Talos? **

**The significance of timeliness in incident response**   
Cisco Talos IR compares two real-world ransomware engagements and shares how the organizations’ response times made all the difference in the outcome of an attack.

**Talos Takes: Why attackers love your remote access tools**  
Attackers are increasingly abusing the same remote access tools that IT teams rely on every day. In this episode, Hazel sits down with Talos security researcher Pierre Cadieux to unpack why these legitimate tools have become such an effective tactic for adversaries.

**TTP: The next phase of LLM abuse**   
Talos researcher Jaeson Schultz explores how cybercriminals are starting to integrate LLMs into full attack workflows, and even experiment with manipulating the data these models rely on.

**Upcoming events where you can find Talos  **

*   NIRMA (July 28 – 30) St. Augustine, FL 
*   Black Hat USA (Aug. 2 – 7) Las Vegas, NV

**Most prevalent malware files from Talos telemetry over the past week   **

**SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507**   
MD5: 2915b3f8b703eb744fc54c81f4a9c67f   
VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507   
Typical Filename: VID001.exe   
Claimed Product: N/A   
Detection Name: Win.Worm.Coinminer::1201

**SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91**     
MD5: 7bdbd180c081fa63ca94f9c22c457376   
VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91/details   
Typical Filename: IMG001.exe    
Claimed Product: N/A   
Detection Name: Simple\_Custom\_Detection

**SHA256: 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca**   
MD5: 71fea034b422e4a17ebb06022532fdde    
VirusTotal: https://www.virustotal.com/gui/file/47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca/details   
Typical Filename: VID001.exe    
Claimed Product: N/A    
Detection Name: Coinminer:MBT.26mw.in14.Talos

This is your sign to step away from the keyboard

Threat actors are leveraging public GitHub repositories to host malicious payloads and distribute them via Amadey as part of a campaign observed in April 2025.
"The MaaS [malware-as-a-service] operators used fake GitHub accounts to host payloads, tools, and Amadey plug-ins, likely as an attempt to bypass web filtering and for ease of use," Cisco Talos researchers Chris Neal and Craig Jackson

Hackers Use GitHub Repositories to Host Amadey Malware and Data Stealers, Bypassing Filters

In an operation called Eastwood, authorities arrested two people and shut down more than 100 servers linked to the Russian group NoName057(16).

In a coordinated operation this week, law enforcement from a dozen countries gathered together in an attempt to dismantle the infrastructure of the pro-Russian hacking group known as NoName057(16). The operation, named Eastwood, was led by Europol and Eurojust and included action across Europe and North America.

NoName057(16) has been known for flooding websites with traffic in politically motivated distributed denial-of-service (DDoS) attacks. Their usual targets have ranged from Ukrainian government platforms to critical websites in NATO countries that support Ukraine.

While many of their attackers were disruptive, they rarely caused long-lasting damage due to quick mitigation from targeted organisations. What’s noteworthy is that this group didn’t rely on elite hackers with advanced techniques. Instead, its strength came from numbers. Investigators found more than 4,000 people involved, many of them Russian-speaking with limited technical skills.

The group relied heavily on automation tools and “gamified tactics” to recruit and motivate followers. Some were lured in with cryptocurrency payments and leaderboard-style shoutouts that turned cyberattacks into a form of competitive sport.

According to Europol’s press release, during the joint operation between 14 and 17 July, over 100 servers connected to the group’s operations were taken offline. Authorities also carried out 24 house searches in seven countries, questioned 13 individuals, and made two arrests in France and Spain.

Germany, which has been a major target of the group’s activity, issued six arrest warrants. These include two people accused of being central figures in NoName057(16)’s operations. Seven arrest warrants have been issued in total, all linked to Russian nationals who are now internationally wanted.

Since its emergence, NoName057(16) also targeted countries that backed Ukraine with military or diplomatic support. In Germany alone, 14 waves of DDoS attacks since late 2023 have hit more than 250 organisations. Similar attempts were reported during major political events in Switzerland and the Netherlands, including the NATO summit and the 2024 Ukraine Peace Summit.

The investigators also took a different route to put pressure on low-level participants. More than 1,000 supporters of the network received official warnings via messaging apps, with 15 of them flagged as administrators. The messages reminded them of their individual legal liability under national laws.

Authorities have also pointed out that NoName057(16) doesn’t need a traditional chain of command to keep going. Instead, they used a mix of messaging apps, social media, and online forums to spread attack guides, updates, and propaganda. These channels also recruited individuals, often coming from gaming or low-level hacking communities.

Although Operation Eastwood has disrupted NoName057(16)’s infrastructure, it doesn’t mean the group is finished. Russian-based groups have a track record of rebranding or regrouping and continuing their attacks.

Police Shut Down 100 Servers Tied to Russian NoName057(16), Arrest 2

The database contained 1,115,061 records including the names of children, birth parents, adoptive parents, and other potentially sensitive information like case notes.

Security researcher Jeremiah Fowler found a publicly accessible database online that contained highly personal information from an adoption agency.

Jeremiah, who specializes in locating exposed cloud storage, is used to finding sensitive information exposed. However, because of the nature of the information, this one immediately raised his concern and he hurried to find out who owned the data.

Research indicated that the database belonged to the Fort Worth (TX) based non-profit Gladney Center for Adoption. After notifying the agency, the database was secured the following day. Let’s hope nobody else found it before that time.

In total, the unencrypted and non-password-protected database contained 1,115,061 records including the names of children, birth parents, adoptive parents, and other potentially sensitive information like case notes.

The risks of leaking this type of data and it potentially falling in the hands of cybercriminals are huge. The sensitivity of adoption-related data makes these exposures particularly damaging, both for children and families, since adoption records often include highly personal details about children, birth parents, adoptive parents, and agency staff.

Criminals that get their hands on this kind of information could engage in phishing with very specific information, making their queries plausible. And in some cases, the information could even be sensitive enough to use for extortion or identity theft.

The researcher notes:

> “The records did not contain full case files, and the publicly exposed records were a combination of plain text and unique identifiers.”

He goes on to explain that unique identifiers are not necessarily a security enhancement.

> “From a cybersecurity perspective, a UUID is designed for unique identification, not secrecy, and it can potentially be guessed, reverse-engineered, or enumerated. UUIDs are not recommended to be used to protect sensitive data.”

Given the long-standing reputation of an adoption center like Gladney, people feel confident to share their personal information. People providing that amount of trust should not be let down by something as basic as securing an online database with a password.

It should be noted that it is unknown whether the database was exposed by Gladney itself or a third-party provider.

Wired posted a statement by Gladney’s Chief Operating Officer, which was not very helpful in determining what went wrong:

> “The Gladney Center for Adoption takes security seriously. We always work with the assistance of external information technology experts to conduct a detailed investigation into any incident. Data integrity and operations are our top priority.”

**Protecting yourself after a data breach**

While there are no indications that this database was found by cybercriminals before it was secured, it might have been. There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

*   **Check the vendor’s advice.** Every breach is different, so check with the vendor to find out what’s happened and follow any specific advice they offer.
*   **Change your password.** You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
*   **Enable two-factor authentication (2FA).** If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
*   **Watch out for fake vendors.** The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims and verify the identity of anyone who contacts you using a different communication channel.
*   **Take your time.** Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
*   **Consider not storing your card details**. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
*   **Set up identity monitoring.** Identity monitoring alerts you if your personal information is found being traded illegally online and helps you recover after.

**We don’t just report on threats – we help safeguard your entire digital identity**

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

 Adoption agency leaks over a million records 

File sharing site WeTransfer has rolled back language that allowed it to train machine learning models on any files that its users uploaded.

File sharing site WeTransfer has rolled back language that allowed it to train machine learning models on any files that its users uploaded. The change was made after criticisms from its users.

The company had quietly inserted the new language in the terms and conditions on its website. Sometime after July 2, it updated clause 6.3 of the document to include this claim:

> “You hereby grant us a perpetual, worldwide, non-exclusive, royalty-free, transferable, sub-licensable license to use your Content for the purposes of operating, developing, commercializing, and improving the Service or new technologies or services, including to improve performance of machine learning models that enhance our content moderation process, in accordance with the Privacy & Cookie Policy.”

In short, if you upload a document, WeTransfer would be able to train AI on it. The company could also license that content to other people, and could do these things forever.

The license would also include “the right to reproduce, distribute, modify, prepare derivative works based upon, broadcast, communicate to the public, publicly display, and perform Content,” the language said, adding that users wouldn’t be paid for any of this.

You can view the offending text on the Wayback Machine, which archives snapshots of documents online.

WeTransfer displayed this version of the text on July 14. However, today the text simply reads:

> “You hereby grant us a royalty-free license to use your Content for the purposes of operating, developing, and improving the Service, all in accordance with our Privacy & Cookie Policy.”

The company told the BBC that it had changed the clause “as we’ve seen this passage may have caused confusion for our customers.” It is not using AI to process content and doesn’t sell content to third parties, it added.

One studio manager posting on Reddit said that they had told their staff not to use the service anymore when they learned of the original policy change.

“Its crazy how WeTransfer is trying to tell us we ‘misunderstood’ them saying ‘perpetual license to distribute’,” they said. “I’m glad they changed the clause at least despite playing dumb.”

So what options exist for WeTransfer users still worried about the company’s motives? The best tip is to encrypt your content before uploading it. You can zip your file and password protect it, sending the password to the file’s recipient via another secure channel.

**We don’t just report on data privacy—we help you remove your personal information**

Cybersecurity risks should never spread beyond a headline. With Malwarebytes Personal Data Remover, you can scan to find out which sites are exposing your personal information, and then delete that sensitive data from the internet.

 WeTransfer walks back clause that said it would train AI on your files 

Google has released an update for its Chrome browser to patch six security vulnerabilities including one zero-day.

Google has released an update for its Chrome browser to patch six security vulnerabilities, including one zero-day.

This update is crucial since it addresses one actively exploited vulnerability which can be abused when the user visits a malicious website. It doesn’t require any further user interaction, which means the user doesn’t need to click on anything in order for their system to be compromised.

The update brings the version number to 138.0.7204.157/.158 for Windows, Mac and 138.0.7204.157 for Linux.

The easiest way to update Chrome is to allow it to update automatically, but you can end up lagging behind if you never close your browser or if something goes wrong—such as an extension stopping you from updating the browser.

To manually get the update, click the more menu (three stacked dots), then choose **Settings** > **About Chrome**. If there is an update available, Chrome will notify you and start downloading it. Then all you have to do is reload Chrome in order for the update to complete, and for you to be safe from the vulnerabilities.

You can find more elaborate update instructions and the version number information in our article on how to update Chrome on every operating system.

**Technical details on the zero-day vulnerability**

Attackers can exploit the vulnerability tracked as CVE-2025-6558 by taking advantage of insufficient validation of untrusted input in Chrome’s ANGLE and GPU components. This flaw, which affects versions of Google Chrome prior to 138.0.7204.157, enables an attacker to craft a malicious HTML page and, upon convincing a user to open it, escape the browser’s security sandbox

ANGLE (Almost Native Graphics Layer Engine) is open-source software developed by Google that acts as a translator for graphics commands in browsers like Chrome. It helps your browser display complex graphics, such as 3D games or interactive web apps, and works on a wide range of computers and devices, even if they use different underlying graphics systems.

As an everyday user you may never see or even notice ANGLE directly, but it powers a huge part of the web experience. Especially 3D content in Chrome, Edge, and Firefox on Windows, Mac, and even Android.

Its universal role means that when a security issue is found in ANGLE, everybody using Chrome (and Chromium browsers) is potentially at risk.

An attacker only needs to present a target with an especially crafted HTML file, meaning they just need to lure them to a malicious website. HTML is just the code that makes up a web page.

The sandbox escape means that successful exploitation of the vulnerability not only affects the—sandboxed—browser, but can compromise the victim’s device.

Google’s Threat Analysis Group (TAG) has been credited with discovering and reporting the flaw on June 23, 2025. The TAG group focuses on spyware and nation-state attackers who abuse zero days for espionage purposes.

**We don’t just report on** **browser vulnerabilities**, Malwarebytes’ Browser Guard protects your browser against malicious websites and credit card skimmers, blocks unwanted ads, and warns you about relevant data breaches and scams.

 Chrome fixes 6 security vulnerabilities. Get the update now! 

Hackers abused fake GitHub accounts to spread Emmenhtal, Amadey, Lumma and Redline infoStealers in attacks linked to a phishing campaign targeting Ukraine in early 2025.

A newly identified Malware-as-a-Service (MaaS) operation is using GitHub repositories to spread a mix of infostealer families. This campaign was spotted by cybersecurity researchers at Cisco Talos, who published their findings earlier today, detailing how the threat actors behind this activity are using the Amadey bot to pull malware directly from public GitHub pages onto infected systems.

This operation surfaced in April 2025, but its activity traces back to at least February, around the same time Ukrainian organizations were being hit with SmokeLoader phishing emails. Talos analysts noticed a notable overlap in tactics and infrastructure between that campaign and the new Amadey-driven one, suggesting the same hands may be behind both.

What stood out in this case was the abuse of GitHub. The attackers created fake accounts and used them like open directories, hosting payloads, tools, and Amadey plug-ins. By leveraging GitHub’s widespread use and trust in corporate environments, the attackers likely sidestepped many standard web filters that might have otherwise blocked malicious domains.

One GitHub account in particular, as per Cisco Talos’ technical blog post, named “Legendary99999,” was used heavily. It hosted more than 160 repositories, each containing just a single malicious file ready to be downloaded via a direct GitHub URL.

The malicious Legendary99999 account (Image via Cisco Talos)

Two other accounts, “Milidmdds” and “DFfe9ewf,” followed a similar approach, though “DFfe9ewf” appeared to be more experimental. In total, these accounts hosted scripts, loaders and binaries from several infostealer families including Amadey, Lumma, Redline and AsyncRAT.

Amadey isn’t new. It first appeared in 2018 on Russian-speaking forums, sold for around $500, and has since been used by various groups to create botnets and drop additional malware.

The malware can harvest system info, download more tools, and expand its functionality with plug-ins. Despite being commonly used as a downloader, its flexible design means it can pose a larger threat depending on how it’s configured.

The technical link between this campaign and the earlier SmokeLoader operation centers on a loader known as “Emmenhtal.” First documented in 2024 by Orange Cyberdefense, Emmenhtal is a multi-layer downloader that wraps its final payload in layers of obfuscation. Talos found that variants of Emmenhtal were not only used in the phishing campaign that targeted Ukrainian entities but also embedded in scripts hosted on the fake GitHub accounts.

What’s additionally noteworthy is that several scripts from the “Milidmdds” account, such as “Work.js” and “Putikatest.js,” were nearly identical to those seen in the earlier campaign. The only differences were minor changes in function names and final download targets. Instead of SmokeLoader, these versions fetched Amadey, PuTTY executables and remote access tools like AsyncRAT.

The use of GitHub wasn’t limited to JavaScript droppers. Talos also found a Python script named “checkbalance.py” masquerading as a crypto tool. In reality, it decoded and ran a PowerShell script that downloaded Amadey from a known command and control address. Even more, it showed an error message in broken Cyrillic, hinting at its origins or intended audience.

While GitHub acted quickly to shut down the identified accounts after being alerted, this incident highlights how everyday platforms can be exploited for malicious purposes. In environments where GitHub access is required, spotting this kind of misuse isn’t easy.

Talos researchers are continuing to monitor the infrastructure and believe the operators are distributing payloads on behalf of multiple clients. The variety of infoStealers seen in these repositories supports that theory, and with GitHub’s accessibility, it offers an efficient delivery method for MaaS operations looking to stay undetected.

Tag

#web