The Shelby Strategy
ID: acd86713-d63a-5df0-8bb2-d0d3e1f17047
STIX ID: report--acd86713-d63a-5df0-8bb2-d0d3e1f17047
Feed Name: Elastic Security Labs
Elastic Security Labs analyzed a targeted phishing campaign (REF8685) delivering the SHELBY malware family that uses GitHub (and a DNS variant) for command-and-control and AES-based payload decryption; the loader performs extensive sandbox checks, establishes persistence, and reflectively loads a low-detection backdoor that can exfiltrate data and execute operator commands. The report includes IOCs (file hashes, domains, IPs), YARA rules, and notes operational risks such as embedded GitHub PATs that could allow third parties to hijack infected hosts.
