commit 2515e7e1c3aa12f98e4d8c56b784e1a063f4c398
Author: CERT Orange CyberDefense <5493049+cert-orangecyberdefense@users.noreply.github.com>
Date:   Tue Feb 18 14:06:23 2025 +0100

    Emmenhtal investigation and IOCs
    
    In May and June 2024, our Managed Threat Detection (CyberSOC) team encountered a malicious campaign impacting two of our clients in France. The infection chain used by the threat actors typically leveraged fake videos – such as recent TV series episodes – to ultimately download CryptBot and Lumma stealer payloads.
    
    On July 31st, we identified a new ongoing iteration of this campaign, targeting organizations globally, which likely started around mid-July. Upon analysis, we identified a recurring piece of malware encompassing several malicious HTA, JavaScript, and PowerShell stages designed to drop additional payloads. Tracked internally as Emmenhtal, we assess this loader is highly likely used by multiple financially motivated threat actors since at least February 2024 to deploy commodity RATs and infostealers.
    
    Full report: https://www.orangecyberdefense.com/global/blog/cert-news/emmenhtal-a-little-known-loader-distributing-commodity-infostealers-worldwide

diff --git a/emmenhtal/iocs b/emmenhtal/iocs
new file mode 100644
index 0000000..8b13789
--- /dev/null
+++ b/emmenhtal/iocs
@@ -0,0 +1 @@
+