Sunday, May 25, 2025

SHELBY Malware Steals Data by Abusing GitHub as Command-and-Control Server


Elastic Security Labs has uncovered a sophisticated malware campaign, dubbed REF8685, targeting the Iraqi telecommunications sector.

The campaign uses a previously undocumented malware family, SHELBY, which abuses GitHub's REST API for command-and-control (C2): command retrieval and data exfiltration both ride on ordinary API calls to a private repository.

Novel Malware Family Targets Iraqi Telecommunications Sector

The SHELBY malware family consists of two main components: SHELBYLOADER and SHELBYC2.


SHELBYLOADER & SHELBYC2 Execution Chain

The attack chain begins with a phishing email carrying a malicious ZIP attachment (details.zip). When its contents are executed, several files are written to the %AppData%\Local\Microsoft\HTTPApi directory.

These include HTTPApi.dll (the SHELBYC2 backdoor) and HTTPService.dll (the SHELBYLOADER loader).

SHELBYLOADER runs several sandbox-detection checks to evade analysis: WMI queries, enumeration of running processes, file system checks, and disk size analysis (analysis VMs are often provisioned with unusually small disks).

Once those checks pass, it establishes persistence by adding a Windows Registry entry and generates a unique identifier for the infected machine from system-specific information, so that individual victims can be told apart.

Innovative C2 Infrastructure Leverages GitHub API

The malware's C2 infrastructure is built on GitHub's REST API: a private repository plus a Personal Access Token (PAT) hard-coded into the binary.

With the PAT the malware authenticates directly to the API and reads and writes repository files over plain HTTPS requests, without any standard Git tooling, so its traffic looks like ordinary GitHub API use.
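The embedded token is both the malware's weakness and a concrete hunting artefact. The following Python scanner is an added example for this article, not code from Elastic Security Labs or from the SHELBY sample. It searches raw bytes (a dropped DLL, a memory dump, a config file) for GitHub token shapes in both ASCII and UTF-16LE, because .NET assemblies such as the SHELBY components store string literals as UTF-16LE and an ASCII-only grep will miss them. The sample blob and the tokens in it are constructed; the prefixes and lengths follow GitHub's published token formats and are stated here as an assumption.

```python
import re

# Character class for the random part of a GitHub token.
ALNUM = "[A-Za-z0-9]"


def _lit(s):
    """Turn a literal string into (char_class, count) parts."""
    return [(re.escape(c), 1) for c in s]


# Token shapes (assumption: GitHub's published prefixes and the commonly observed lengths).
# Classic tokens: ghp_/gho_/ghu_/ghs_/ghr_ followed by 36 alphanumerics (40 chars total).
# Fine-grained PATs: github_pat_ + 22 alphanumerics + "_" + 59 alphanumerics.
TOKEN_SPECS = {
    "classic": _lit("gh") + [("[pousr]", 1), ("_", 1), (ALNUM, 36)],
    "fine-grained": _lit("github_pat_") + [(ALNUM, 22), ("_", 1), (ALNUM, 59)],
}


def _compile(parts, wide):
    # wide=True interleaves a NUL after every character: .NET keeps string
    # literals in the #US heap as UTF-16LE, so an ASCII-only regex misses them.
    sep = r"\x00" if wide else ""
    pattern = "".join(f"(?:{cls}{sep}){{{n}}}" for cls, n in parts)
    return re.compile(pattern.encode("ascii"))


PATTERNS = [
    (kind, enc, _compile(parts, wide))
    for kind, parts in TOKEN_SPECS.items()
    for enc, wide in (("ascii", False), ("utf-16le", True))
]


def find_github_tokens(blob: bytes) -> list[dict]:
    """Scan raw bytes for GitHub tokens; returns hits sorted by file offset."""
    hits = []
    for kind, enc, pat in PATTERNS:
        for m in pat.finditer(blob):
            hits.append({
                "kind": kind,
                "encoding": enc,
                "offset": m.start(),
                "token": m.group().decode(enc),
            })
    return sorted(hits, key=lambda h: h["offset"])


# Constructed stand-in for a .NET binary: a classic token stored as a UTF-16LE
# string literal, a fine-grained token stored as plain ASCII, and a decoy that
# is too short to be a token. None of these values are real credentials.
SAMPLE_BLOB = (
    b"MZ" + b"\x00" * 14
    + "https://api.github.com/repos/".encode("utf-16le")
    + "ghp_0123456789abcdefghijklmnopqrstuvwxyz".encode("utf-16le")
    + b"\x00\x00"
    + b"Authorization: token "
    + b"github_pat_ABCDEFGHIJKLMNOPQRSTUV_"
    + b"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456"
    + b"\x00ghp_tooshort\x00"
)

if __name__ == "__main__":
    for h in find_github_tokens(SAMPLE_BLOB):
        print(f"{h['offset']:#08x} {h['encoding']:9} {h['kind']:12} {h['token'][:14]}...")
```

Run it against the dropped DLLs or a memory dump of the host process. A hit gives the incident responder a credential to get revoked and a pointer to the repository used as C2; a hit in UTF-16LE is almost certainly a string literal rather than incidental data, since that is how .NET compilers emit them.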

SHELBYC2, the backdoor component, is decrypted with an AES key derived from a file the loader downloads from the repository that serves as its C2 server, then loaded into memory using reflection, so the decrypted backdoor never has to be written to disk.

It supports commands for downloading and uploading files, executing PowerShell commands, and reflectively loading additional .NET binaries, which lets the operators extend the backdoor without redeploying it.
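The upload and download commands above translate into ordinary GitHub contents-API calls, which is what makes the traffic hard to spot. The script below is an added example for this article, not Elastic's detection logic and not SHELBY code: it groups contents-API requests from a constructed egress log by host, process and repository, and flags combinations that poll one repository at a regular interval or upload files from a process that is not a developer tool. The host names, process names, repository, log format and developer-tool list are all assumptions made for the example.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed egress log, one request per line: "<utc-ts> <host> <process> <method> <url>".
# A stand-in for proxy or EDR network telemetry; not data from the Elastic report.
SAMPLE_LOG = """\
2025-03-12T10:00:00Z WS-0142 svc-updater.exe GET https://api.github.com/repos/c2-owner/updates/contents/WS-0142-7f3a/cmd.txt
2025-03-12T10:01:00Z WS-0142 svc-updater.exe GET https://api.github.com/repos/c2-owner/updates/contents/WS-0142-7f3a/cmd.txt
2025-03-12T10:01:31Z WS-0142 svc-updater.exe PUT https://api.github.com/repos/c2-owner/updates/contents/WS-0142-7f3a/result.txt
2025-03-12T10:02:01Z WS-0142 svc-updater.exe GET https://api.github.com/repos/c2-owner/updates/contents/WS-0142-7f3a/cmd.txt
2025-03-12T10:03:00Z WS-0142 svc-updater.exe GET https://api.github.com/repos/c2-owner/updates/contents/WS-0142-7f3a/cmd.txt
2025-03-12T09:12:05Z DEV-07 gh.exe GET https://api.github.com/repos/acme/app/contents/README.md
2025-03-12T10:40:19Z DEV-07 gh.exe PUT https://api.github.com/repos/acme/app/contents/docs/notes.md
2025-03-12T10:05:13Z WS-0201 chrome.exe GET https://api.github.com/repos/acme/app/contents/README.md
2025-03-12T10:07:44Z WS-0201 chrome.exe GET https://api.github.com/repos/acme/app/contents/LICENSE
2025-03-12T10:08:02Z WS-0201 chrome.exe GET https://github.com/acme/app
"""

# GitHub REST "contents" endpoint: GET reads a file, PUT creates or updates one.
CONTENTS_RE = re.compile(r"^https://api\.github\.com/repos/([^/]+)/([^/]+)/contents/(.+)$")

# Processes for which contents-API traffic is expected (assumption; tune per environment).
DEV_TOOLS = {"gh.exe", "code.exe", "devenv.exe", "git-remote-https.exe"}


def parse_line(line):
    """Return a dict for a contents-API request, or None for anything else."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, host, proc, method, url = parts
    m = CONTENTS_RE.match(url)
    if not m:
        return None
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "host": host,
        "process": proc,
        "method": method.upper(),
        "repo": f"{m.group(1)}/{m.group(2)}",
        "path": m.group(3),
    }


def analyze(lines, min_polls=3, max_cv=0.25):
    """Group contents-API calls by (host, process, repo) and flag C2-like usage.

    Two signals: GET requests to one repository at a near-constant interval
    (coefficient of variation of the gaps <= max_cv), and PUT uploads from a
    process that is not a known developer tool.
    """
    groups = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            groups[(ev["host"], ev["process"], ev["repo"])].append(ev)

    alerts = []
    for (host, proc, repo), evs in groups.items():
        if proc.lower() in DEV_TOOLS:
            continue
        gets = sorted(e["ts"] for e in evs if e["method"] == "GET")
        puts = [e for e in evs if e["method"] == "PUT"]
        reasons = []
        if len(gets) >= min_polls:
            gaps = [(b - a).total_seconds() for a, b in zip(gets, gets[1:])]
            mean = statistics.mean(gaps)
            cv = statistics.pstdev(gaps) / mean if mean > 0 else 0.0
            if cv <= max_cv:
                reasons.append(f"regular polling of {repo} every ~{mean:.0f}s (cv={cv:.2f})")
        if puts:
            reasons.append(f"{len(puts)} upload(s) to {repo} via the contents API from a non-developer process")
        if reasons:
            alerts.append({"host": host, "process": proc, "repo": repo,
                           "gets": len(gets), "puts": len(puts), "reasons": reasons})
    return sorted(alerts, key=lambda a: (a["host"], a["process"]))


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG.splitlines()):
        print(f"{a['host']} {a['process']} -> {a['repo']}: " + "; ".join(a["reasons"]))
```

Operators can add jitter to the polling interval or name the dropper after a legitimate tool, so treat the output as a triage lead rather than a verdict, and combine it with process provenance (an unsigned .NET binary running out of AppData, for instance) before escalating.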

Figure: PowerShell execution command

While innovative, the C2 design has a critical flaw: the PAT ships inside every sample, so anyone who extracts it can authenticate to the same private repository, read whatever has been exfiltrated, and issue commands to every infected machine. Victims are thereby exposed not only to the original operators but to anyone else who obtains the token.

The REF8685 campaign demonstrates sophisticated social engineering tactics, leveraging compromised internal email accounts to craft highly convincing phishing lures.

The attackers have also targeted other entities in the region, including an international airport in the United Arab Emirates.

Elastic Security Labs has released YARA rules to help detect SHELBY malware variants.

The malware shows signs of ongoing development, including unused code and dynamic payload loading, so future versions may close this weakness and expand its functionality.

This campaign illustrates the value of robust email security, employee awareness training, and continuous monitoring of outbound traffic, including traffic to trusted developer platforms such as GitHub, in defending against such advanced persistent threats.


Aman Mishra

Aman Mishra is a security and privacy reporter covering data breaches, cyber crime, malware, and vulnerabilities.
