Elastic Security Labs has uncovered a sophisticated malware family, dubbed SHELBY, that combines GitHub-based C2 infrastructure, anti-analysis techniques, and stealthy persistence to compromise enterprise systems. This malware is at the heart of a targeted intrusion campaign (tracked as REF8685) that has been active in the Middle East, with evidence of tailored spear phishing and infrastructure linked to high-profile regional organizations.
"The SHELBY malware family abuses GitHub for command-and-control, stealing data and retrieving commands," the report states. "The attacker's C2 design has a critical flaw: anyone with the PAT token can control infected machines."
The REF8685 campaign came to light through a phishing email sent from within an Iraq-based telecommunications provider, suggesting that either an endpoint or the mail server had been compromised. The email, disguised as an internal discussion on network issues, included a ZIP archive named details.zip, which contained:
- A decoy network log in plain text
- A malicious executable: JPerf-3.0.0.exe
Once launched, the binary executed SHELBYLOADER, a malicious DLL that used reflection to decrypt and load another DLL named SHELBYC2, a stealthy backdoor, directly into memory, sidestepping disk-based detection entirely.
SHELBY's core innovation is its use of private GitHub repositories as a command-and-control (C2) hub. Using Personal Access Tokens (PATs) embedded in the malware binary, infected hosts authenticate to GitHub and interact with attacker-controlled repos by:
- Uploading system fingerprinting data
- Receiving encrypted payloads and commands
- Sending heartbeats via timestamped commits
The infection chain begins with a request to retrieve a decryption key from a file in the GitHub repository (License.txt), which is used to unlock the AES-encrypted backdoor.
However, Elastic analysts found this clever system had a major flaw: "It enables any victim to weaponize the embedded PAT and take control of all active infections... any third party could access infection-related data or take over the infections entirely."
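The flaw described above exists because the token is a plain string inside the binary. As an added defensive example (not code from the Elastic report), the scanner below looks for GitHub token-shaped strings in a file's bytes, in both ASCII and the UTF-16LE encoding Windows binaries commonly use, and redacts what it finds so results can be logged safely; the sample blob and token are constructed, not taken from the SHELBY sample.

```python
import re
import sys
from dataclasses import dataclass

# Public GitHub token formats: classic PATs are "ghp_" plus 36 alphanumerics;
# fine-grained PATs start with "github_pat_" and carry a longer [A-Za-z0-9_] body
# (length range below is an approximation of that format).
ASCII_RE = re.compile(rb"ghp_[A-Za-z0-9]{36}|github_pat_[A-Za-z0-9_]{22,255}")
# Same patterns with each character followed by a NUL byte, i.e. UTF-16LE strings.
UTF16_RE = re.compile(
    rb"g\x00h\x00p\x00_\x00(?:[A-Za-z0-9]\x00){36}"
    rb"|g\x00i\x00t\x00h\x00u\x00b\x00_\x00p\x00a\x00t\x00_\x00(?:[A-Za-z0-9_]\x00){22,255}"
)


@dataclass(frozen=True)
class Finding:
    offset: int    # byte offset of the token in the scanned blob
    encoding: str  # "ascii" or "utf-16-le"
    token: str


def find_github_tokens(blob: bytes) -> list[Finding]:
    """Return every GitHub token-shaped string in blob, sorted by byte offset."""
    found = [Finding(m.start(), "ascii", m.group(0).decode("ascii"))
             for m in ASCII_RE.finditer(blob)]
    # Byte-level matching keeps offsets exact regardless of string alignment.
    found += [Finding(m.start(), "utf-16-le", m.group(0).decode("utf-16-le"))
              for m in UTF16_RE.finditer(blob)]
    return sorted(found, key=lambda f: f.offset)


def redact(token: str) -> str:
    """Keep only the prefix and the last four characters so a finding can be logged."""
    prefix = "ghp_" if token.startswith("ghp_") else "github_pat_"
    return f"{prefix}...{token[-4:]}"


# Constructed sample (not a real token): a fake header, a decoy filename, then the
# token once as ASCII and once as UTF-16LE at an odd byte offset.
SAMPLE_TOKEN = "ghp_" + "0123456789abcdefghijklmnopqrstuvwxyz"
SAMPLE_BLOB = (b"MZ\x90\x00" + b"\x00" * 16 + b"License.txt\x00"
               + SAMPLE_TOKEN.encode("ascii") + b"\x00" * 7
               + SAMPLE_TOKEN.encode("utf-16-le") + b"\x00\x00")


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BLOB
    for f in find_github_tokens(data):
        print(f"offset={f.offset:#x} encoding={f.encoding} token={redact(f.token)}")
```

Run it with a file path to scan a binary; with no argument it scans the constructed sample and reports both copies of the token.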
SHELBYLOADER implements seven sandbox detection techniques, including:
- WMI queries for virtualization indicators
- Process enumeration (e.g., vmtools, vboxservice)
- File system checks for VM driver files
- Disk size analysis
- Parent process checks
- Sleep time deviation detection
- Video controller name checks
Only after these checks pass does the malware download its next-stage payload, an evasion technique that ensures only non-sandboxed, real environments get fully infected.
SHELBY malware can perform various malicious activities, including:
- Stealing data from infected machines
- Executing arbitrary commands
- Establishing persistence on infected systems
- Evading detection using anti-sandbox techniques
While the SHELBY malware family may be in early development, as evidenced by dead code, limited obfuscation, and low detection rates, its deployment in the wild is anything but amateur.
Elastic Security Labs warns: "Using this malware, whether by an authorized red team or a malicious actor, would constitute malpractice."
By relying on mainstream infrastructure like GitHub and embedding secrets directly into binaries, the attackers have exposed their operations to takeover by anyone with the right tools.