From 2515e7e1c3aa12f98e4d8c56b784e1a063f4c398 Mon Sep 17 00:00:00 2001
From: CERT Orange CyberDefense <5493049+cert-orangecyberdefense@users.noreply.github.com>
Date: Tue, 18 Feb 2025 14:06:23 +0100
Subject: [PATCH] Emmenhtal investigation and IOCs
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

In May and June 2024, our Managed Threat Detection (CyberSOC) team encountered a malicious campaign impacting two of our clients in France. The infection chain used by the threat actors typically leveraged fake videos – such as recent TV series episodes – to ultimately download CryptBot and Lumma stealer payloads.

On July 31st, we identified a new ongoing iteration of this campaign, targeting organizations globally, which likely started around mid-July. Upon analysis, we identified a recurring piece of malware encompassing several malicious HTA, JavaScript, and PowerShell stages designed to drop additional payloads. Tracked internally as Emmenhtal, we assess this loader is highly likely used by multiple financially motivated threat actors since at least February 2024 to deploy commodity RATs and infostealers.

Full report: https://www.orangecyberdefense.com/global/blog/cert-news/emmenhtal-a-little-known-loader-distributing-commodity-infostealers-worldwide
---
 emmenhtal/iocs | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 emmenhtal/iocs

diff --git a/emmenhtal/iocs b/emmenhtal/iocs
new file mode 100644
index 0000000..8b13789
--- /dev/null
+++ b/emmenhtal/iocs
@@ -0,0 +1 @@
+
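Review bot: the new file `emmenhtal/iocs` is empty apart from one blank line (hunk `@@ -0,0 +1 @@` followed by a bare `+`, matching the diffstat's single insertion), so the indicators promised by the subject "Emmenhtal investigation and IOCs" are not actually in this patch. Either populate the file with the indicators from the linked report, in a stated format (for example one indicator per line with its type, e.g. `sha256`, `domain`, `url`, and the campaign or date it was observed, so the file can be consumed by blocklist or SIEM tooling), or drop the placeholder file and commit a README that links the full report instead; an empty `iocs` file is misleading to anyone pulling this repository for detection content.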