The Shelby Strategy

April 1, 2025, 5:58 p.m.

Description

The SHELBY malware family exploits GitHub for command-and-control operations, employing sophisticated techniques to evade detection. The malware consists of a loader (SHELBYLOADER) and a backdoor (SHELBYC2), both obfuscated using Obfuscar. SHELBYLOADER employs various sandbox detection methods and uses GitHub for initial registration and key retrieval. SHELBYC2 communicates with the attacker's infrastructure through the GitHub API, which allows for file uploads, downloads, and command execution. The campaign targets Iraqi telecommunications and potentially UAE airports, using highly targeted phishing emails. Despite its sophistication, the malware's design has a critical flaw: anyone with the embedded Personal Access Token can control infected machines, which exposes a significant security vulnerability.

Date

  • Created: April 1, 2025, 2:48 p.m.
  • Published: April 1, 2025, 2:48 p.m.
  • Modified: April 1, 2025, 5:58 p.m.

Attack Patterns

  • SHELBYC2
  • SHELBYLOADER
  • REF8685

Additional Information

  • Transportation
  • Telecommunications
  • Iraq
  • United Arab Emirates