OTX Bot<p>The Shelby Strategy</p><p>The SHELBY malware family exploits GitHub for command-and-control operations, employing sophisticated techniques to evade detection. The malware consists of a loader (SHELBYLOADER) and a backdoor (SHELBYC2), both obfuscated using Obfuscar. SHELBYLOADER employs various sandbox detection methods and uses GitHub for initial registration and key retrieval. SHELBYC2 communicates with the attacker's infrastructure using GitHub API, allowing for file uploads, downloads, and command execution. The campaign targets Iraqi telecommunications and potentially UAE airports, utilizing highly targeted phishing emails. Despite its sophistication, the malware's design has a critical flaw: anyone with the embedded Personal Access Token can control infected machines, exposing a significant security vulnerability.</p><p>Pulse ID: 67ebfcac2fcbc0b80399f243<br>Pulse Link: <a href="https://otx.alienvault.com/pulse/67ebfcac2fcbc0b80399f243" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">otx.alienvault.com/pulse/67ebf</span><span class="invisible">cac2fcbc0b80399f243</span></a> <br>Pulse Author: AlienVault<br>Created: 2025-04-01 14:48:12</p><p>Be advised, this data is unverified and should be considered preliminary. Always do further verification.</p><p><a href="https://social.raytec.co/tags/BackDoor" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>BackDoor</span></a> <a href="https://social.raytec.co/tags/CyberSecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CyberSecurity</span></a> <a href="https://social.raytec.co/tags/Email" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Email</span></a> <a href="https://social.raytec.co/tags/GitHub" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>GitHub</span></a> <a href="https://social.raytec.co/tags/InfoSec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>InfoSec</span></a> <a href="https://social.raytec.co/tags/Mac" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Mac</span></a> <a href="https://social.raytec.co/tags/Malware" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Malware</span></a> <a href="https://social.raytec.co/tags/OTX" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>OTX</span></a> <a href="https://social.raytec.co/tags/OpenThreatExchange" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>OpenThreatExchange</span></a> <a href="https://social.raytec.co/tags/Phishing" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Phishing</span></a> <a href="https://social.raytec.co/tags/RAT" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>RAT</span></a> <a href="https://social.raytec.co/tags/Telecom" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Telecom</span></a> <a href="https://social.raytec.co/tags/Telecommunication" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Telecommunication</span></a> <a href="https://social.raytec.co/tags/UAE" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>UAE</span></a> <a href="https://social.raytec.co/tags/Vulnerability" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Vulnerability</span></a> <a href="https://social.raytec.co/tags/bot" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>bot</span></a> <a href="https://social.raytec.co/tags/AlienVault" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>AlienVault</span></a></p>