cert-orangecyberdefense-cti

mirror of https://github.com/cert-orangecyberdefense/cti synced 2026-06-08 14:45:26 +00:00

Author	SHA1	Message	Date
Mar-Pic	fc54b3d94e	Create iocs (March 2025) - Emmenhtalv3	2025-03-12 18:24:32 +01:00
Mar-Pic	8d64efe406	Create proxy_download_susp_lnk_webdav_user_agent.yml	2025-02-18 15:59:32 +01:00
Mar-Pic	9754be959c	Create proc_creation_win_rundll32_webdav_client_execution_lnk.yml	2025-02-18 15:59:14 +01:00
Mar-Pic	b886097035	Create proc_creation_win_powershell_aes_decrypt.yml	2025-02-18 15:58:54 +01:00
Mar-Pic	86de9de4ab	Create yara emmenhtal	2025-02-18 15:58:19 +01:00
Mar-Pic	f8653616ec	Create yara emmenhtalv2	2025-02-18 15:58:00 +01:00
Mar-Pic	55f4a45dec	Create iocs (December 2024) - Emmenhtalv2	2025-02-18 15:57:23 +01:00
Mar-Pic	b9bcc63bb6	Create iocs (November 2024)	2025-02-18 15:57:05 +01:00
Mar-Pic	5bd68e727f	Update and rename iocs to iocs (August 2024)	2025-02-18 15:56:43 +01:00
CERT Orange CyberDefense	2515e7e1c3	Emmenhtal investigation and IOCs In May and June 2024, our Managed Threat Detection (CyberSOC) team encountered a malicious campaign impacting two of our clients in France. The infection chain used by the threat actors typically leveraged fake videos – such as recent TV series episodes – to ultimately download CryptBot and Lumma stealer payloads. On July 31st, we identified a new ongoing iteration of this campaign, targeting organizations globally, which likely started around mid-July. Upon analysis, we identified a recurring piece of malware encompassing several malicious HTA, JavaScript, and PowerShell stages designed to drop additional payloads. Tracked internally as Emmenhtal, we assess this loader is highly likely used by multiple financially motivated threat actors since at least February 2024 to deploy commodity RATs and infostealers. Full report: https://www.orangecyberdefense.com/global/blog/cert-news/emmenhtal-a-little-known-loader-distributing-commodity-infostealers-worldwide	2025-02-18 14:06:23 +01:00

10 Commits