On this episode of Uncanny Valley, we dive into the differences between what the US government said about a Jeffrey Epstein video it released and the story told by its metadata.

How WIRED Analyzed the Epstein Video

Fake npm website used in phishing attack to steal maintainer token, leading to malware in popular JavaScript packages like eslint-config-prettier.

A phishing campaign targeting JavaScript developers has led to the compromise of several popular npm packages, including eslint-config-prettier. The breach began with an attacker tricking a maintainer using a fake login page hosted on a lookalike domain, npnjs.com.

Once the attacker got hold of the maintainer’s npm token, they pushed malicious versions of key packages directly through the registry, completely bypassing the GitHub repositories.

According to Socket, a developer-first security platform, which first spotted the scam, four versions of eslint-config-prettier (8.10.1, 9.1.1, 10.1.6, 10.1.7) were found to contain a script that executes on install, targeting Windows machines. The script attempts to launch a node-gyp.dll file using rundll32, which could allow the attacker to execute arbitrary code on affected systems. Security researchers assigned the issue a CVSS score of 7.5 and confirmed a new CVE (CVE-2025-54313) is being tracked.

Socket’s blog post shared with Hackread.com revealed that the attack went undetected for a while since there were no commits or pull requests in the GitHub repo linked to the new versions.

Instead, the attacker relied on their npm credentials to publish directly, avoiding detection until users started noticing suspicious activity. Other affected packages discovered by researchers included the following:

*   synckit: 0.11.9
*   @pkgr/core: 0.2.8
*   napi-postinstall: 0.3.1
*   eslint-plugin-prettier: 4.2.2 and 4.2.3

These packages are widely used in front-end and Node.js projects. Because many developers rely on automated tools like Dependabot or Renovate, compromised versions may have been pulled into projects without anyone noticing. Once installed, the payload could provide remote access to Windows machines running affected builds.

The phishing email used in the campaign (Image via Socket)

The good news is that the maintainer whose token was compromised acted quickly after learning of the breach. The malicious versions were deprecated and removed, credentials were rotated, and npm support was brought in to assist with the cleanup.

Socket has been monitoring the situation and continues to scan for other suspicious activity across the npm registry. Their tools flag any new versions with unexpected install scripts or binary payloads, which could help developers detect issues early before the malicious code spreads.

Nigel Douglas, Head of Developer Relations at Cloudsmith, commented on the wider implications. He pointed out that this is yet another example of how dependency chains can turn into attack vectors. “CI/CD pipelines pull in hundreds of transitive dependencies by default, each with its own maintainers, update cycles, and exposure history,” he said. “Without secure dependency retrieval processes, it only takes one upstream breach to cause chaos in production.”

Douglas also stressed that it’s unreasonable to expect developers to catch every vulnerability on their own. “If a single stolen maintainer token can push malicious code into one of the most widely used linting tools on npm, that should tell us something. You can’t fix this just by focusing on individual packages,” he added.

He called for stronger maintainer practices like scoped tokens and 2FA, along with registry-level safeguards and secure artifact management systems that support things like version immutability and trusted source verification.

Fake npm Website Used to Push Malware via Stolen Token

Kaspersky's SecureList reveals GhostContainer, a new, highly customized backdoor targeting government and high-tech organizations in Asia via Exchange server vulnerabilities. Learn how this APT malware operates and how to stay protected.

Cybersecurity researchers at Kaspersky’s research unit SecureList have revealed a new and highly customized malware, dubbed GhostContainer. This sophisticated backdoor has been found actively targeting Microsoft Exchange servers in high-value organizations across Asia, granting attackers extensive control over compromised systems and enabling various malicious activities, including potential data exfiltration.

****Understanding GhostContainer****

GhostContainer is a multi-functional backdoor designed to evade detection by mimicking standard server components. It is delivered as a file named ‘App_Web_Container_1.dll’ and has a file size of 32.8 KB. Its core functionality is extended through additional downloadable modules. The researchers indicate that the attackers likely exploited a known, unpatched vulnerability (N-day vulnerability) in Exchange servers to gain initial access.

Source: SecureList

A key component of GhostContainer is the ‘Stub’ class, which acts as a command and control (C2) parser. It can execute shellcode, download files, run commands, and load extra .NET byte code. Particularly, the Stub class attempts to bypass Antimalware Scan Interface (AMSI) and Windows Event Log by overwriting specific addresses, further aiding in its stealth.

Researchers identified that data transferred between the attackers and the server is protected using AES encryption, with the key derived from the ASP.NET validation key. The malware’s capabilities include getting system architecture, running shell code, executing command lines, and managing files.

****Sophisticated Features and Open-Source Roots****

GhostContainer also includes a ‘virtual page injector’ class (App_Web_843e75cf5b63) that creates ghost pages to bypass file checks and load a .NET reflection loader. This loader then activates the web proxy class (App_Web_8c9b251fb5b3), a central element of the malware. This web proxy component possesses capabilities for web proxying, socket forwarding, and covert communication.

SecureList’s investigation also revealed that the attackers leveraged several open-source projects to build GhostContainer. For instance, the Stub class appears to be based on _ExchangeCmdPy.py_, an open-source tool for exploiting the Exchange vulnerability CVE-2020-0688.

Similarly, the virtual page injector utilizes code from ‘PageLoad_ghostfile.aspx,’ and the web proxy component is a customized version of ‘Neo-reGeorg,’ another open-source project. This blend of public tools with custom modifications showcases the attackers’ advanced skills.

****Targeting High-Value Organizations****

Telemetry data gathered by the researchers suggests that GhostContainer is part of an Advanced Persistent Threat (APT) campaign. The identified victims so far include a key government agency and a high-tech company, both situated in Asia.

The attackers do not rely on a traditional C2 infrastructure; instead, they control the compromised server by embedding commands within regular Exchange web requests. This approach makes it challenging to identify their specific IP addresses or domains.

The investigation into the full scope of these attack activities is ongoing. Meanwhile, organizations should act swiftly and immediately apply all available security updates and patches for Exchange servers and other software to close known vulnerabilities.

New GhostContainer Malware Hits High-Value MS Exchange Servers in Asia

Trellix exposes SquidLoader malware targeting Hong Kong, Singapore, and Australia's financial service institutions. Learn about its advanced evasion tactics and stealthy attacks.

Trellix Advanced Research Center has exposed a new wave of highly sophisticated SquidLoader malware actively targeting financial services institutions in Hong Kong. This discovery, detailed in Trellix’s technical analysis, shared with Hackread.com, highlights a significant threat due to the malware’s near-zero detection rates on VirusTotal at the time of analysis. Evidence also points to a broader campaign, with similar samples observed targeting entities in Singapore and Australia.

****A Covert Attack****

The attack begins with spear-phishing emails written in Mandarin, accurately crafted to impersonate financial institutions. These emails deliver a password-protected RAR archive containing a malicious executable. The email body itself is crucial to the deception, as it provides the password for the attachment. The subject line often poses as a “Registration Form for Bond Connect Investors Handling Foreign Exchange Business through Overseas Banks.”

The email claims to be from a financial representative, requesting the recipient to check and confirm the attached “scanned copy of the Bond Connect investor foreign exchange business registration form.” This file is cunningly disguised, not only mimicking a Microsoft Word document icon but also falsely adopting the file properties of a legitimate AMDRSServ.exe to bypass initial scrutiny.

Upon execution, SquidLoader unleashes a complex five-stage infection. It first unpacks its core payload, then initiates contact with a Command and Control (C2) server using a URL path that mimics legitimate Kubernetes services (e.g., /api/v1/namespaces/kube-system/services) to blend with normal network traffic.

This initial C2 communication transmits critical host information, including IP address, username, computer name, and Windows version, back to its operators. Finally, the malware downloads and executes a Cobalt Strike Beacon, which then establishes a connection to a secondary C2 server at a different address (e.g., 182.92.239.24), granting attackers persistent remote access.

Attack Chain (Source: Trellix)

****Evasive Tactics and Global Implications****

A key reason for SquidLoader’s danger is its extensive array of anti-analysis, anti-sandbox, and anti-debugging techniques. These include checking for specific analysis tools like IDA Pro (ida.exe) or Windbg (windbg.exe) and common sandbox usernames.

Notably, it employs a sophisticated threading trick involving long sleep durations and Asynchronous Procedure Calls (APCs) to detect and evade emulated environments. Should it detect any analysis attempt, the malware self-terminates. After its checks, it displays a deceptive pop-up message in Mandarin: “The file is corrupted and cannot be opened,” requiring user interaction that can thwart automated sandboxes.

“Its intricate anti-analysis, anti-sandbox, and anti-debugging techniques, coupled with its sparse detection rates, pose a significant threat to targeted organisations,” Trellix researchers emphasised in their report.

The observed targeting in multiple countries highlights the global nature of this evolving threat, urging financial institutions worldwide, particularly in Hong Kong, Singapore, and Australia, to increase their security against such highly evasive adversaries.

SquidLoader Malware Campaign Hits Hong Kong Financial Firms

eslint-config-prettier 8.10.1, 9.1.1, 10.1.6, and 10.1.7 has embedded malicious code for a supply chain compromise. Installing an affected package executes an install.js file that launches the node-gyp.dll malware on Windows.

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2025-54313

**eslint-config-prettier, eslint-plugin-prettier, synckit, @pkgr/core, napi-postinstall have embedded malicious code**

High severity GitHub Reviewed Published Jul 19, 2025 to the GitHub Advisory Database • Updated Jul 21, 2025

**Package**

npm @pkgr/core (npm)

**Affected versions**

\= 0.2.8

npm eslint-config-prettier (npm)

\= 8.10.1

\= 9.1.1

\>= 10.1.6, <= 10.1.7

npm eslint-plugin-prettier (npm)

npm napi-postinstall (npm)

**Description**

Published to the GitHub Advisory Database

Jul 19, 2025

Last updated

Jul 21, 2025

GHSA-f29h-pxvx-f335: eslint-config-prettier, eslint-plugin-prettier, synckit, @pkgr/core, napi-postinstall have embedded malicious code

Of those, more than 200 appear to have had outages of services related to patient care following CrowdStrike’s disastrous crash, researchers have revealed.

When, one year ago today, a buggy update to software sold by the cybersecurity firm CrowdStrike took down millions of computers around the world and sent them into a death spiral of repeated reboots, the global cost of all those crashed machines was equivalent to one of the worst cyberattacks in history. Some of the various estimates of the total damage worldwide have stretched well into the billions of dollars.

Now a new study by a team of medical cybersecurity researchers has taken the first steps toward quantifying the cost of CrowdStrike's disaster not in dollars, but in potential harm to hospitals and their patients across the US. It reveals evidence that hundreds of those hospitals' services were disrupted during the outage, and raises concerns about potentially grave effects to patients’ health and well-being.

Researchers from the University of California San Diego today marked the one-year anniversary of CrowdStrike's catastrophe by releasing a paper in JAMA Network Open, a publication of the Journal of the American Medical Association Network, that attempts for the first time to create a rough estimate of the number of hospitals whose networks were affected by that IT meltdown on July 19, 2024, as well as which services on those networks appeared to have been disrupted.

A chart showing a massive spike in detected medical service outages on the day of CrowdStrike’s crashes.

Courtesy of UCSD and JAMA Network Open

By scanning internet-exposed parts of hospital networks before, during, and after the crisis, they detected that at minimum 759 hospitals in the US appear to have experienced network disruption of some kind on that day. They found that more than 200 of those hospitals seemed to have been hit specifically with outages that directly affected patients, from inaccessible health records and test scans to fetal monitoring systems that went offline. Of the 2,232 hospital networks they were able to scan, the researchers detected that fully 34 percent of them appear to have suffered from some type of disruption.

All of that indicates the CrowdStrike outage could have been a “significant public health issue,” argues Christian Dameff, a UCSD emergency medicine doctor and cybersecurity researcher, and one of the paper's authors. “If we had had this paper's data a year ago when this happened," he adds, “I think we would have been much more concerned about how much impact it really had on US health care.”

CrowdStrike, in a statement to WIRED, strongly criticized the UCSD study and JAMA’s decision to publish it, calling the paper “junk science.” They note that the researchers didn’t verify that the disrupted networks ran Windows or CrowdStrike software, and point out that Microsoft’s cloud service Azure experienced a major outage on the same day, which may have been responsible for some of the hospital network disruptions. “Drawing conclusions about downtime and patient impact without verifying the findings with any of the hospitals mentioned is completely irresponsible and scientifically indefensible,” the statement reads.

“While we reject the methodology and conclusions of this report, we recognize the impact the incident had a year ago,” the statement adds. “As we’ve said from the start, we sincerely apologize to our customers and those affected and continue to focus on strengthening the resilience of our platform and the industry.”

In response to CrowdStrike’s criticisms, the UCSD researchers say they stand by their findings. The Azure outage that CrowdStrike noted, they point out, began the previous night and affected mostly the central US, while the outages they measured began at roughly midnight US east coast time on July 19—about the time when CrowdStrike’s faulty update began crashing computers—and affected the entire country. (Microsoft did not immediately respond to a request for comment.) “We are unaware of any other hypothesis that would explain such simultaneous geographically-distributed service outages inside hospital networks such as we see here” other than CrowdStrike’s crash, writes UCSD computer science professor Stefan Savage, one of the paper’s co-authors, in an email to WIRED. (JAMA declined to comment in response to CrowdStrike’s criticisms.)

In fact, the researchers describe their count of detected hospital disruptions as only a minimum estimate, not a measure of the real blast radius of CrowdStrike's crashes. That's in part because the researchers were only able to scan roughly a third of America's 6,000-plus hospitals, which would suggest that the true number of medical facilities affected may have been several times higher.

The UCSD researchers' findings stemmed from a larger internet-scanning project they call Ransomwhere?, funded by the Advance Research Projects Agency for Health and launched in early 2024 with the intention of detecting hospitals' ransomware outages. As a result of that project, they were already probing US hospitals using the scanning tools ZMap and Censys when CrowdStrike's July 2024 calamity struck.

For the 759 hospitals in which the researchers detected that a service was knocked offline on July 19, their scans also allowed them to analyze which specific services appeared to be down, using publicly available tools like Censys and the Lantern Project to identify different medical services, as well as manually checking some web-based services they could visit. They found that 202 hospitals experienced outages of services directly related to patients. Those services included staff portals used to view patient health records, fetal monitoring systems, tools for remote monitoring of patient care, secure document transfer systems that allow patients to be transferred to another hospital, “pre-hospital” information systems like the tools that can share initial test results from an ambulance to an emergency room for patients requiring time-critical treatments, and the image storage and retrieval systems that are used to make scan results available to doctors and patients.

“If a patient was having a stroke and the radiologist needed to look at a scan image quickly, it would be much harder to get it from the CT scanner to the radiologist to read,” Dameff offers as one hypothetical example.

The researchers also found that 212 hospitals had outages of “operationally relevant” systems like staff scheduling platforms, bill payment systems, and tools for managing patient wait times. In another category of “research relevant” services, the study found that 62 hospitals faced outages. The biggest fraction of outages in the researchers' findings was an “other” category that included offline services that the researchers couldn't fully identify in their scans at 287 hospitals, suggesting that some of those, too, might have been uncounted patient-relevant services.

“Nothing in this paper says that someone's stroke got misdiagnosed or there was a delay in the care of someone getting life-saving antibiotics, for instance. But there might have been,” says Dameff. “I think there's a lot of evidence of these types of disruptions. It would be hard to argue that people weren't impacted at a potentially pretty significant level.”

The study’s findings give a sprawling new sense of scope to anecdotal reports of how CrowdStrike’s outage affected medical facilities that already surfaced over the last year. WIRED reported at the time that Baylor hospital network, a major nonprofit health care system, and Quest Diagnostics were both unable to process routine bloodwork. The Boston-area hospital system Mass General Brigham reportedly had to bring 45,000 of its PCs back online, each of which required a manual fix that took 15 to 20 minutes.

In their study, researchers also tried to roughly measure the length of downtime of the hospital services affected by the CrowdStrike outage, and found that most recovered relatively quickly: About 58 percent of the hospital services were back online within six hours, and only 8 percent or so took more than 48 hours to recover.

That's a far shorter disruption than the outages from actual cyberattacks that have hit hospitals, the researchers note: Mass-spreading malware attacks like NotPetya and WannaCry in 2017 as well as the Change Healthcare ransomware attack that struck the payment provider subsidiary of United Healthcare in early 2024 all shut down scores of hospitals across the US—or in the case of WannaCry, the United Kingdom—for days or weeks in some cases. But the effects of the CrowdStrike debacle nonetheless deserve to be compared to those intentionally inflicted digital disasters for hospitals, the researchers argue.

“The duration of the downtimes is different, but the breadth, the number of hospitals affected across the entire country, the scale, the potential intensity of the disruption is similar,” says Jeffrey Tully, a pediatrician, anesthesiologist, and cybersecurity researcher who coauthored the study.

A map showing the duration of the apparent downtime of detected medical service outages in hospitals across the US.

Courtesy of UCSD and JAMA Network Open

A delay of hours, or even minutes, can increase mortality rates for heart attack and stroke patients, says Josh Corman, a cybersecurity researcher with a focus on medical cybersecurity at the Institute for Security and Technology and former CISA staffer who reviewed the UCSD study. That means that even a shorter-duration outage in patient related services across hundreds of hospitals could have concrete and seriously harmful—if hard to measure—consequences.

Aside from drawing a first estimate of the possible toll on patients' health in this single incident, the UCSD team emphasizes that the real work of their study is to show that, with the right tools, it's possible to monitor and learn from these mass medical network outages. The result may be a better sense of how to prevent—or in the case of more intentional downtime from cyberattacks and ransomware—protect hospitals from experiencing them in the future.

At Least 750 US Hospitals Faced Disruptions During Last Year’s CrowdStrike Outage, Study Finds

Cryptominer campaign runs for years using legit sites to spread malware, targeting Linux systems through known bugs and avoiding detection.

A recent investigation by VulnCheck has exposed a cryptomining campaign that has been running unnoticed for years. The threat actor behind this operation, using the Linuxsys miner, has been targeting vulnerable systems since at least 2021, maintaining a consistent strategy that relies heavily on compromised legitimate websites to distribute malware.

What makes this campaign more difficult to detect is the attacker’s use of real websites as malware delivery channels. Instead of hosting payloads on suspicious domains, they compromise third-party sites with valid SSL certificates and plant their download links there. This not only helps them bypass many security filters but also keeps their core infrastructure (like the downloader site repositorylinux.org) at a distance from the actual malware files.

Between July 1 and July 16 this year, VulnCheck analysts spotted repeated exploit attempts from the IP address 103.193.177.152 against a canary Apache 2.4.49 instance. These attempts were tied to the CVE-2021-41773 vulnerability. While this particular vulnerability isn’t new and continues to be a popular target, the entity exploiting it stood out.

The attackers used a simple script called linux.sh, which pulls down both the configuration file and the Linuxsys binary from a list of five compromised websites. These include domains like prepstarcenter.com, wisecode.it, and dodoma.shop, all of which are otherwise ordinary-looking sites.

According to VulnCheck’s blog post shared with Hackread.com ahead of publishing on Wednesday, the list wasn’t random. This gave the attacker backup options if one site got taken down or stopped working, so the malware could still be delivered without interruption.

The miner configuration file retrieved from these sites points to hashvault.pro as the mining pool and identifies the wallet associated with the operation. That wallet has been receiving small payouts since January 2025, averaging around 0.024 XMR per day, about $8.

While $8 sounds insignificant, the operation isn’t necessarily about high revenue. The consistency and duration suggest other goals, or possibly more mining activity elsewhere that hasn’t been observed yet.

Tracing Linuxsys back in time, it first appeared in 2021 in a blog post by Hal Pomeranz, a highly respected expert in Linux and Unix digital forensics, analysing the exploitation of the same CVE. Since then, it has been tied to multiple vulnerabilities through reports by several cybersecurity firms. These include recent CVEs like 2023-22527, 2023-34960, and 2024-36401.

All of these security vulnerabilities were exploited using a n-day vulnerability exploitation, content staging on compromised web infrastructure, and persistent mining operations. An n-day vulnerability is a security bug that’s already known and usually has a fix available. The name just means the flaw has been public for a certain number of days, with ‘n’ being how many days it’s been since the issue was first made public or patched.

There’s also some evidence that the operation isn’t limited to Linux. Two Windows executables, nssm.exe and winsys.exe, were found on the same compromised hosts. While VulnCheck didn’t observe these in action, their presence suggests a broader scope than just Linux systems.

What’s kept this campaign so low-profile is likely a combination of careful targeting and deliberate avoidance of honeypots. VulnCheck notes that the attacker appears to favour high-interaction environments, meaning typical bait servers often miss this activity entirely. This cautious approach has likely helped the campaign avoid attracting too much attention despite being active for years.

VulnCheck has released Suricata and Snort rules that detect exploit attempts for all known associated CVEs. Meanwhile, indicators of compromise include IPs, URLs, and file hashes related to the attack. They also provided detection rules that security teams can use to identify DNS queries and HTTP traffic associated with the downloader and initial payload scripts.

Years Long Linux Cryptominer Spotted Using Legit Sites to Spread Malware

Google has released an update for its Chrome browser to patch six security vulnerabilities including one zero-day.

Google has released an update for its Chrome browser to patch six security vulnerabilities, including one zero-day.

This update is crucial since it addresses one actively exploited vulnerability which can be abused when the user visits a malicious website. It doesn’t require any further user interaction, which means the user doesn’t need to click on anything in order for their system to be compromised.

The update brings the version number to 138.0.7204.157/.158 for Windows, Mac and 138.0.7204.157 for Linux.

The easiest way to update Chrome is to allow it to update automatically, but you can end up lagging behind if you never close your browser or if something goes wrong—such as an extension stopping you from updating the browser.

To manually get the update, click the more menu (three stacked dots), then choose **Settings** > **About Chrome**. If there is an update available, Chrome will notify you and start downloading it. Then all you have to do is reload Chrome in order for the update to complete, and for you to be safe from the vulnerabilities.

You can find more elaborate update instructions and the version number information in our article on how to update Chrome on every operating system.

**Technical details on the zero-day vulnerability**

Attackers can exploit the vulnerability tracked as CVE-2025-6558 by taking advantage of insufficient validation of untrusted input in Chrome’s ANGLE and GPU components. This flaw, which affects versions of Google Chrome prior to 138.0.7204.157, enables an attacker to craft a malicious HTML page and, upon convincing a user to open it, escape the browser’s security sandbox

ANGLE (Almost Native Graphics Layer Engine) is open-source software developed by Google that acts as a translator for graphics commands in browsers like Chrome. It helps your browser display complex graphics, such as 3D games or interactive web apps, and works on a wide range of computers and devices, even if they use different underlying graphics systems.

As an everyday user you may never see or even notice ANGLE directly, but it powers a huge part of the web experience. Especially 3D content in Chrome, Edge, and Firefox on Windows, Mac, and even Android.

Its universal role means that when a security issue is found in ANGLE, everybody using Chrome (and Chromium browsers) is potentially at risk.

An attacker only needs to present a target with an especially crafted HTML file, meaning they just need to lure them to a malicious website. HTML is just the code that makes up a web page.

The sandbox escape means that successful exploitation of the vulnerability not only affects the—sandboxed—browser, but can compromise the victim’s device.

Google’s Threat Analysis Group (TAG) has been credited with discovering and reporting the flaw on June 23, 2025. The TAG group focuses on spyware and nation-state attackers who abuse zero days for espionage purposes.

**We don’t just report on** **browser vulnerabilities**, Malwarebytes’ Browser Guard protects your browser against malicious websites and credit card skimmers, blocks unwanted ads, and warns you about relevant data breaches and scams.

 Chrome fixes 6 security vulnerabilities. Get the update now! 

Cisco Talos uncovered a stealthy Malware-as-a-Service (MaaS) operation that used fake GitHub accounts to distribute a variety of dangerous payloads and evade security defenses.

Thursday, July 17, 2025 06:00

*   In April 2025 Cisco Talos identified a Malware-as-a-Service (MaaS) operation that utilized Amadey to deliver payloads. 
*   The MaaS operators used fake GitHub accounts to host payloads, tools and Amadey plug-ins, likely as an attempt to bypass web filtering and for ease of use.  
*   Several operator tactics, techniques and procedures (TTPs) overlap with a SmokeLoader phishing campaign, identified in early 2025, that targeted Ukrainian entities. 
*   The same variant of Emmenhtal identified in the SmokeLoader campaign was used by the MaaS operation to download Amadey payloads and other tooling.

In early February 2025, Talos observed a cluster of invoice payment and billing-themed phishing emails that appeared to target Ukrainian entities. These emails included compressed archive attachments (e.g., ZIP, 7Zip or RAR) containing at least one JavaScript file that used several layers of obfuscation to disguise a PowerShell downloader. The execution of the JavaScript and PowerShell script resulted in the download and execution of SmokeLoader on the victim system. Talos assessed the JavaScript downloaders to be the Emmenthal loader, based on notable similarities between the obfuscation methods observed in the collected samples and those described by Orange Cyberdefense.  

During analysis of the Emmenhtal loaders collected from this phishing campaign, Talos identified additional samples on VirusTotal that were highly similar in structure, but did not appear to be part of the original activity cluster. Most notably, these samples were not delivered via email but were instead found in several public GitHub repositories. They also did not deliver SmokeLoader as a next-stage payload. Instead, the Emmenhtal samples were being used to deliver Amadey, which in turn downloaded a variety of custom payloads from certain public GitHub repositories.

Further review of the associated GitHub accounts and the files hosted within related repositories showed that they may be part of a larger MaaS operation that uses public GitHub repositories as open directories for staging custom payloads.

**MaaS operation leverages GitHub public repositories **

MaaS is a business model in which the operators of the service sell access to malware or pre-existing infrastructure. In the operation Talos identified, the operators utilized Amadey to download a variety of malware families from fake GitHub repositories onto infected hosts. Initial activity appeared in February 2025, around the same time as the SmokeLoader campaign. 

This distribution of several disparate malware families from a single infrastructure suggests that the threat actors behind the instances of Amadey are distributing payloads for other individuals or groups. In addition, the command and control (C2) infrastructures for the secondary payloads do not overlap with that of Amadey. 

**Emmenhtal and Amadey **

The Emmenhtal loader is a multistage downloader that has been reported by Kroll and Orange Cyberdefense. It was given the name “Emmenhtal” by Orange Cyberdefense in August 2024, though it is sometimes referred to as “PEAKLIGHT”, which is how Mandiant refers to the final stage PowerShell downloader. Orange and Talos have observed activity that appears to involve elements of the Emmenhtal loader dating back to April 2024.  

Emmenhtal variants have been found embedded in other files and deployed in a standalone format. Each loader typically includes four layers — three that act as obfuscation and the final PowerShell downloader script. These layers are described in the “Emmenhtal similarities between activity clusters” section below.  

Amadey (or Amadey bot) originally appeared in late 2018 on Russian-speaking hacking forums with a $500 price tag. It was initially used by various threat actors to establish botnets. Amadey has also been observed dropping other malware including Redline, Lumma, StealC and SmokeLoader. 

Amadey’s primary functions are to collect system information and download secondary payloads on an infected host. However, Amadey is modular and its functionality can be expanded with an assortment of plugins. These plugins come in the form of dynamic link libraries (DLLs) that can be selected based on desired functionality, such as screenshot capabilities or credential harvesting. Despite its common use as a downloader, Amadey can pose a serious threat. 

**GitHub as an open directory **

During Talos’ research into the MaaS operation, we uncovered three GitHub accounts being used as open directories for hosting tools, secondary payloads and Amadey plugins: 

*   Legendary99999 
*   DFfe9ewf 
*   Milidmdds 

In addition to being an easy means of file hosting, downloading files from a GitHub repository may bypass web filtering that is not configured to block the GitHub domain. While some organizations can block GitHub in their environment to curb the use of open-source offensive tooling and other malware, many organizations with software development teams require GitHub access in some capacity. In these environments, a malicious GitHub download may be difficult to differentiate from regular web traffic. 

Talos reported the accounts listed above to GitHub, who quickly took them down. Talos would like to thank the GitHub team for their cooperation and quick response time.

****Legendary999999** **

“Legendary99999” appears to have been the most utilized account, containing over 160 repositories with randomized names. Each of these repositories contained a single file in the “Releases” section:

Figure 1. Legendary99999 GitHub account overview.

The files hosted on “Legendary99999” are a collection of payloads from numerous different malware families. By hosting these files in a GitHub repository, they can easily be downloaded via a URL to the “Releases” section of the repository:

https://github.com/\[account\_name\]/\[repository\_name\]/releases/download/\[release\_name\]/\[file\_name\]

Once a host was infected with Amadey, the operators of this service could choose the payload to be delivered by simply downloading the file from the URL above. 

Talos also discovered other GitHub accounts that may be linked to this operator by commonality of account name, file name, repository structure and type of hosted malware (i.e., information stealers delivered via Amadey). The earliest “first seen” date on VirusTotal for files related to these repositories was Jan. 3, 2025. None of the accounts were active at the time of Talos’ review.

Malware Types Hosted in Repositories 

****DFfe9ewf****

“DFfe9ewf” appears to have been a test account. The repositories all contained “test” within the names and no new commits have been made since February 2025, the same month as the first commit to “Legendary99999”.

Figure 2. DFfe9ewf GitHub account overview.

While this GitHub account does not bear similarities to the other two accounts detailed in this section, files associated with the MaaS operation interacted with at least one repository associated with this account.

“DFfe9ewf” only contained six repositories, one of which was a fork of DInvoke, a tool used to invoke arbitrary unmanaged code from managed code. Attackers frequently use DInvoke to perform process injection and avoid Windows API hooks to evade detection.

The repository “test3” contains a legitimate Selenium WebDriver file, as well as versions for Microsoft Edge and Google Chrome (ChromeDriver). A WebDriver is a powerful development tool that is intended for automating the testing of web-based applications by remotely and programmatically controlling the target browser. However, they can be used in a malicious context on a victim's machine to remotely perform a variety of tasks, such as retrieving payloads from malicious URLs or accessing local browser data. 

While WebDrivers are helpful for many developers, they can pose a serious security risk when abused. Security considerations for using WebDriver can be found here, in the documentation for ChromeDriver.

****Milidmdds****

The third repository, named “Milidmdds”, contained 10 repositories with similar random names to those in “Legendary99999”. This account contained several malicious scripts that ultimately download a payload to the infected host.

Figure 3. Milidmdds GitHub account overview.

**Emmenhtal similarities between activity clusters **

Our research revealed similarities in TTPs and indicators between the SmokeLoader campaign and the Amadey MaaS activity. Three of the JavaScript files hosted by the “Milidmdds” GitHub account are nearly identical to the Emmenthal scripts used in the SmokeLoader campaign. Aside from randomized variable and function names, and different download targets in the final PowerShell script, much of the code is the same between all samples. These loader files found in the various “Milidmdds” repositories were called: 

*   Work.js 
*   Workhmv.js 
*   Putikatest.js 

Although we did not observe the use of these scripts in the wild, it is likely they were intended for delivery through phishing emails or for embedding in malicious files in a manner similar to the SmokeLoader activity. 

The similarities between the Emmenhtal loaders used in the phishing campaign targeting Ukrainian entities (noted as Sample 1) and those in the “Milidmdds” repositories (noted as Sample 2, Sample 3 and Sample 4) are shown below. 

The first obfuscation layer used by the Emmenhtal samples defines a series of two-letter variables mapped to a two- or three-digit numeric value. These variables apply to a long string of comma-separated values defined in a variable with a random name, such as “qiXSF”.

Figure 4. First layer of obfuscation, Sample 1 (left) vs, Sample 2 (right).

Once this initial script has been executed, a second script is revealed that uses the ActiveXObject function to execute an encoded PowerShell command with WScript.Shell:

Figure 5. Second layer of obfuscation, Sample 1 (left) vs. Sample 2 (right).

The third layer is a PowerShell command that contains an AES-encrypted binary large object (blob).

Figure 6. Initial PowerShell command, Sample 1 (left) vs. Sample 2 (right).

The blob contains an additional AES-encrypted PowerShell script that is decrypted and executed by the initial script. This final script initiates the download of the next stage from a hard-coded IP address. In the phishing campaign targeting Ukrainian entities, this final payload would be SmokeLoader and a decoy PDF. The Emmenhtal loader files found in the public GitHub repositories noted previously were found to download a variety of files, including: 

*   Amadey 
*   A legitimate copy of PuTTY.exe 
*   AsyncRAT 

The presence of a legitimate copy of PuTTY in the list of files delivered by the Emmenhtal loaders found in the public GitHub repositories demonstrates the adaptability of the MaaS operation to deliver whatever tooling is required by its customers.

Examples of the final decrypted PowerShell downloader are shown below.

Figure 7. Final PowerShell script, Sample 1 (left, SmokeLoader download) vs. Sample 2 (right, Amadey download).

Figure 8. Final PowerShell script, PuTTY download (left) vs. AsyncRAT download (right).

**MP4 file variants **

During research of both activity clusters noted in this article, Talos identified Emmenhtal samples masquerading as MP4 files. Two URLs link to .mp4 files hosted on pivqmane\[.\]com: 

*   pivqmane\[.\]com/testonload\[.\]mp4/ 
*   pivqmane\[.\]com/doc/fb\[.\]mp4 

Although the two .mp4 files hosted here had been removed, the abuse of this file format highlights another similarity between the MaaS operation and the SmokeLoader campaign. This observation also aligns with a statement made by Orange Cyberdefense that certain Emmenhtal variants masquerade as MP3 or MP4 files.

**Purpose-built variant: “Checkbalance.py” **

Talos discovered another unique file on the “Milidmdds” GitHub account during this research — a malicious Python script named “checkbalance.py”. While this sample did not use initial obfuscation layers like the samples previously discussed, the later PowerShell stages were nearly identical to those shown above. This variant could represent an evolution of the Emmenhtal loader or, more likely, was a purpose-built variant developed for a specific campaign. 

In its initial state, the script masquerades as a simple tool that enumerates the contents of Zerion cryptocurrency accounts. However, the script also includes a large lambda function containing a Base64-encoded and compressed blob that executes at runtime. The user is then presented with an error message in Cyrillic, “Аккаунт кончились”. Curiously, this message isn’t grammatically correct since “Аккаунт” is singular and “кончились” is plural. However, given the context of the message, the author may have meant “no more accounts” or “end of accounts,” approximately.

Figure 9. Checkbalance.py.

The lambda function then runs a second Python script, which uses the subprocess.run method to execute an encoded PowerShell command. The resulting PowerShell is nearly identical to the JavaScript variants discussed previously.

Figure 10. Initial PowerShell command, Checkbalance.py.

The final PowerShell command downloads the Amadey payload from the IP address “185\[.\]215\[.\]113\[.\]16” as a file labeled “amnew.exe”.  The resulting PowerShell script found in “checkbalance.py” is identical to the one derived from the Sample 2 (“work.js”) file, which was also found in the “Milidmdds” repository. 

After execution, this payload contacts “hxxp://185\[.\]215\[.\]113\[.\]43/Zu7JuNko/index.php”, a known Amadey C2 address.

Figure 11. Final PowerShell script, Checkbalance.py.

**Coverage  **

Ways our customers can detect and block this threat are listed below.  

**Indicators of compromise (IOCs) **

IOCs for this threat can be found on our GitHub repository here. 

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.  

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.  

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.  

Cisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device.  

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.  

Cisco Secure Access is a modern cloud-delivered Security Service Edge (SSE) built on Zero Trust principles.  Secure Access provides seamless transparent and secure access to the internet, cloud services or private applications no matter where your users work.  Please contact your Cisco account representative or authorized partner if you are interested in a free trial of Cisco Secure Access.  

Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network.   

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.   

Additional protection measures with context to your specific environment and threat data are available from the Firewall Management Center.  

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.   

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

MaaS operation using Emmenhtal and Amadey linked to threats against Ukrainian entities

Cybersecurity researchers have disclosed what they say is a "critical design flaw" in delegated Managed Service Accounts (dMSAs) introduced in Windows Server 2025.
"The flaw can result in high-impact attacks, enabling cross-domain lateral movement and persistent access to all managed service accounts and their resources across Active Directory indefinitely," Semperis said in a report shared with

Tag

#windows