Mirrors/cert-orangecyberdefense-cti
1
0
Fork 0
mirror of https://github.com/cert-orangecyberdefense/cti synced 2026-06-08 14:45:26 +00:00
Code Issues Packages Projects Releases Wiki Activity

Update readme.md

Browse Source
This commit is contained in:
Mar-Pic
2025-03-14 09:47:22 +01:00
committed by GitHub
parent 34ec8ee5f1
commit 5389d24e61
1 changed files with 1 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
emmenhtal/readme.md
+1
View File
@@ -2,6 +2,7 @@ Emmenhtal is a malicious loader likely distributed since early 2024, and first p
Emmenhtal is an obfuscated multistage payload that spawns an execution of the LOLBIN mshta.exe to read a first HTA stage that embeds a malicious JavaScript code. Once interpreted and executed, the JavaScript decodes and runs a PowerShell script. The latter decrypts an obfuscated PowerShell loader which finally downloads and runs final-stage stealers and commodity RATs. Emmenhtal is an obfuscated multistage payload that spawns an execution of the LOLBIN mshta.exe to read a first HTA stage that embeds a malicious JavaScript code. Once interpreted and executed, the JavaScript decodes and runs a PowerShell script. The latter decrypts an obfuscated PowerShell loader which finally downloads and runs final-stage stealers and commodity RATs.
Blogpost URL: https://www.orangecyberdefense.com/no/blog/cert-news/emmenhtal-a-little-known-loader-distributing-commodity-infostealers-worldwide Blogpost URL: https://www.orangecyberdefense.com/no/blog/cert-news/emmenhtal-a-little-known-loader-distributing-commodity-infostealers-worldwide
World Watch advisory (for our clients): https://portal.cert.orangecyberdefense.com/worldwatch/advisory/1778 World Watch advisory (for our clients): https://portal.cert.orangecyberdefense.com/worldwatch/advisory/1778
As of March 2025, our CERT has identified three versions of the loader, all actively distributed. As of March 2025, our CERT has identified three versions of the loader, all actively distributed.