
Elastic Security Labs has uncovered a sophisticated malware campaign targeting Iraq’s telecommunications sector, using a new malware family called SHELBY that abuses GitHub for command-and-control (C2). The campaign, tracked as REF8685, represents a notable evolution in attacker tradecraft: the operators run their C2 on a legitimate developer platform, so the traffic blends in with ordinary API use [1].
Executive Summary
The SHELBY malware family consists of two primary components, SHELBYLOADER and SHELBYC2, which work in tandem to establish persistence, evade detection, and exfiltrate data through GitHub repositories. The attackers delivered the malware via phishing emails carrying a malicious ZIP archive (“Details.zip”) that contained a trojanized performance-testing tool (“JPerf-3.0.0.exe”) [2].
- Campaign Scope: Primarily targets Iraqi telecom sector with secondary victims in UAE freight logistics
- Infection Vector: Phishing emails (MITRE ATT&CK T1566) with weaponized Inno Setup installers
- C2 Mechanism: GitHub API with embedded Personal Access Tokens (PATs) for command retrieval
- Detection Rates: Extremely low (3/62 for SHELBYC2, 5/62 for SHELBYLOADER on VirusTotal)
Technical Analysis
The malware establishes persistence by writing to %AppData%\Local\Microsoft\HTTPApi, dropping two DLLs: HTTPApi.dll (the SHELBYC2 backdoor) and HTTPService.dll (SHELBYLOADER) [1]. GitHub C2 communication is carried out through API requests authenticated with a hardcoded personal access token (format ghp_...); commands are retrieved from Command.txt or Broadcast.txt files in attacker-controlled repositories.
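As an added illustration (this is not code from the Elastic report or from the malware), the following Python script hunts a sample’s bytes for the two artefacts a SHELBY-style GitHub C2 leaves behind: embedded classic GitHub tokens and repository-contents API URLs. It also checks the token’s built-in CRC32 checksum, so a string that merely looks like ghp_ plus 36 characters is not reported as a live credential; the base62 alphabet used for that checksum is an assumption that should be confirmed against a known token before the verdict is trusted. The sample blob, the tokens and the repository names are constructed placeholders, not real indicators.

```python
"""Static triage: hunt a sample's bytes for embedded GitHub tokens and contents-API URLs."""
import re
import zlib

# Base62 alphabet assumed for GitHub's token checksum (digits, upper-case, lower-case).
# Treat the validity verdict as a confidence boost, not proof; confirm on a known token.
B62 = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# Classic token prefixes (ghp_, gho_, ghu_, ghs_, ghr_); all share the 36-character body.
TOKEN_RE = re.compile(rb"\b(gh[pousr]_[A-Za-z0-9]{36})\b")
# /repos/{owner}/{repo}/contents/{path}: the endpoint that serves a file such as Command.txt.
CONTENTS_RE = re.compile(rb"https://api\.github\.com/repos/[\w.-]+/[\w.-]+/contents/[\w./-]+")


def b62encode(n: int) -> str:
    digits = ""
    while n:
        n, r = divmod(n, 62)
        digits = B62[r] + digits
    return digits or "0"


def pat_checksum(random_part: str) -> str:
    """Classic tokens end in a 6-char base62 CRC32 of the 30 random characters before it."""
    return b62encode(zlib.crc32(random_part.encode("ascii"))).rjust(6, "0")


def is_well_formed_pat(token: str) -> bool:
    """True when the trailing 6 characters are the checksum of the preceding 30."""
    body = token.split("_", 1)[1]
    return len(body) == 36 and pat_checksum(body[:30]) == body[30:]


def triage(blob: bytes) -> dict:
    """Return candidate tokens (with checksum verdict) and GitHub contents URLs found in a blob."""
    # .NET string literals are stored UTF-16LE; dropping NUL bytes flattens them into ASCII
    # (crude but effective, like `strings -el`). Scan both the raw and the flattened view.
    views = (blob, blob.replace(b"\x00", b""))
    tokens, urls = {}, set()
    for view in views:
        for m in TOKEN_RE.finditer(view):
            tok = m.group(1).decode("ascii")
            tokens[tok] = is_well_formed_pat(tok)
        urls.update(u.decode("ascii") for u in CONTENTS_RE.findall(view))
    return {"tokens": tokens, "contents_urls": sorted(urls)}


# Constructed sample: a fake token with a valid checksum, a UTF-16LE copy of it (as a .NET
# binary would store it), a garbage token with a bad checksum, and a hypothetical contents URL.
_RAND = "Abc123" * 5  # 30 characters
SAMPLE_TOKEN = "ghp_" + _RAND + pat_checksum(_RAND)
BOGUS_TOKEN = "ghp_" + "x" * 36
SAMPLE_BLOB = (
    b"MZ\x90\x00" + SAMPLE_TOKEN.encode("ascii") + b"\n\x00"
    + SAMPLE_TOKEN.encode("utf-16-le") + b"\n"
    + BOGUS_TOKEN.encode("ascii") + b"\n"
    + b"https://api.github.com/repos/example-account/example-repo/contents/Command.txt\x00"
)

if __name__ == "__main__":
    report = triage(SAMPLE_BLOB)
    for tok, ok in report["tokens"].items():
        print(("valid   " if ok else "invalid ") + tok)
    for url in report["contents_urls"]:
        print("contents URL: " + url)
```

Run it against a dropped DLL or memory dump; a token that passes the checksum is worth treating as a live credential and reporting to GitHub for revocation, while the contents URLs name the repositories to block and to hand to the platform’s abuse team.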
Sandbox evasion techniques include WMI queries for VM artifacts (Win32_ComputerSystem), process enumeration for hypervisor guest services (vmtoolsd, xenservice), disk size checks (less than 50 GB triggers evasion), and sleep timing analysis to detect accelerated execution environments [3].
Infrastructure and Attribution
The campaign uses the following infrastructure components:

| Type | Value | Purpose |
|---|---|---|
| Domain | arthurshelby.click | DNS-based C2 fallback |
| IP | 2.56.126.151 | Hosting at Stark Industries (AS44477) |
| GitHub | arthurshellby, johnshelllby | C2 accounts (since terminated) |
Elastic’s researchers note that the malware contains unused code segments suggesting active development, including dynamic payload loading and reflective DLL injection [1]. The targeting of telecommunications infrastructure and the DNS-based keying method suggest possible state-aligned involvement.
Detection and Mitigation
Elastic Security Labs has released YARA rules for detection; the excerpt below matches the loader on one of its own logging strings:

```yara
rule Windows_Trojan_ShelbyLoader {
    strings:
        // Status message emitted by SHELBYLOADER's parent-process check
        $a0 = "[WARN] Unusual parent process"
    condition:
        all of ($a*)
}
```
Recommended mitigation steps include:
- Block network traffic to arthurshelby.click and the associated IP address
- Monitor GitHub API traffic for anomalous PAT usage, in particular repository-contents requests from processes that are not developer tooling
- Enforce two-factor authentication on GitHub accounts and issue personal access tokens with narrow scopes and short expiry; a PAT is a bearer credential and is not itself challenged for MFA
- Audit third-party code dependencies for repository confusion risks
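To make the monitoring recommendation concrete, here is an added example (not from the Elastic report or any vendor product) of detection logic run over HTTP telemetry: it groups requests to GitHub’s repository-contents endpoint by endpoint and process, and alerts when the caller is not on an allowlist of developer tooling or when the requests arrive at a machine-regular cadence, which is how a backdoor polling Command.txt looks. Seeing the path and Authorization header requires a TLS-inspecting proxy or EDR with HTTP visibility. The log lines, hostnames, process names, allowlist and token are constructed placeholders.

```python
"""Hunt proxy/EDR HTTP telemetry for GitHub contents-API polling by non-developer processes."""
import json
import re
from collections import defaultdict
from datetime import datetime
from statistics import pstdev

# Assumed per-organisation allowlist of processes expected to call the GitHub API.
DEV_TOOLS = {"git.exe", "gh.exe", "code.exe", "devenv.exe"}
# /repos/{owner}/{repo}/contents/{path}: the endpoint that serves a file such as Command.txt.
CONTENTS_PATH = re.compile(r"^/repos/[^/]+/[^/]+/contents/")
# A classic token presented as the Authorization header value.
PAT_AUTH = re.compile(r"^(?:token|bearer)\s+gh[pousr]_[A-Za-z0-9]{36}$", re.I)


def analyze(lines, min_polls=3, max_jitter=0.2):
    """Return one alert per (endpoint, process) pair that polls the contents API suspiciously."""
    groups = defaultdict(list)
    for rec in map(json.loads, lines):
        if rec["host"] == "api.github.com" and CONTENTS_PATH.match(rec["path"]):
            groups[(rec["endpoint"], rec["process"])].append(rec)

    alerts = []
    for (endpoint, process), recs in groups.items():
        reasons = []
        if process.lower() not in DEV_TOOLS:
            reasons.append("contents API used by non-developer process")
        stamps = sorted(datetime.fromisoformat(r["ts"]) for r in recs)
        if len(stamps) >= min_polls:
            gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
            mean = sum(gaps) / len(gaps)
            # Machine-like cadence: low relative spread between consecutive requests.
            if mean > 0 and pstdev(gaps) / mean <= max_jitter:
                reasons.append(f"regular polling every ~{mean:.0f}s")
        if reasons:
            alerts.append({
                "endpoint": endpoint,
                "process": process,
                "reasons": reasons,
                "pat_seen": any(PAT_AUTH.match(r.get("authorization", "")) for r in recs),
                "paths": sorted({r["path"] for r in recs}),
            })
    return alerts


# Constructed telemetry (JSON lines): a hypothetical host process polling Command.txt once
# a minute with a placeholder token, a single request from gh.exe, and a browser visit to
# github.com that is not API traffic at all.
_FAKE_PAT = "ghp_" + "A" * 36
_CMD_PATH = "/repos/example-account/example-repo/contents/Command.txt"
SAMPLE_LOGS = [
    json.dumps({"ts": f"2025-03-20T10:{m:02d}:00", "endpoint": "WS-0042",
                "process": "rundll32.exe", "host": "api.github.com", "path": _CMD_PATH,
                "authorization": "token " + _FAKE_PAT})
    for m in range(4)
] + [
    json.dumps({"ts": "2025-03-20T10:02:13", "endpoint": "WS-0042", "process": "gh.exe",
                "host": "api.github.com",
                "path": "/repos/example-account/tooling/contents/README.md",
                "authorization": "bearer " + _FAKE_PAT}),
    json.dumps({"ts": "2025-03-20T10:02:40", "endpoint": "WS-0042", "process": "chrome.exe",
                "host": "github.com", "path": "/example-account/tooling", "authorization": ""}),
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOGS):
        print(json.dumps(alert, indent=2))
```

The allowlist is the tuning point: developer tools also present PATs to the contents endpoint, so a token alone is recorded as context (pat_seen) rather than used as the trigger, and the cadence test is what separates a human reading a file from an implant polling for tasking.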
Conclusion
The SHELBY campaign demonstrates attackers’ increasing abuse of legitimate developer tools and platforms. By leveraging GitHub’s infrastructure, attackers gain access to reliable, trusted hosting while complicating detection efforts. This incident underscores the need for enhanced monitoring of development tool usage within enterprise environments and highlights the blurred lines between legitimate and malicious use of cloud services.
References
1. “The SHELBY Strategy: GitHub-Abusing Malware in Targeted Attacks,” Elastic Security Labs, Mar. 25, 2025.
2. “SHELBY Malware Steals Data by Abusing GitHub,” GBHackers, Mar. 28, 2025.
3. “SHELBY Malware Campaign Expands Beyond Iraqi Telecom Targets,” CybersecurityNews, Mar. 28, 2025.