MaaS campaign uses Emmenhtal and Amadey to hit Ukrainian entities via GitHub. Talos reveals tactics and IOCs for mitigation.
#Amadey #CiscoTalos #Emmenhtal #github #MaaS #SmokeLoader #ucraina
www.matricedigitale.it/2025/07/17/o...
In early 2025, the ClearFake framework widely spread #Emmenhtal Loader as the initial stage, aiming to download #Lumma or #Rhadamanthys, or PowerShell scripts installing #Vidar.
We identified thousands of sites compromised with ClearFake distributing these malware.
🆕New version of #Emmenhtal loader actively distributed worldwide since early March, leading to #Lumma or #Rhadamanthys stealers.
Very low AV detection on VT for now.
Similar to V2, Emmenhtal V3 masquerades as #mp3 or #mp4 files, including relaxation songs. 🧘♀️
#ClearFake variant is now spreading #Rhadamanthys Stealer via #Emmenhtal Loader.
cc @plebourhis.bsky.social @sekoia.io
1. ClearFake framework is injected on compromised WordPress and relies on EtherHiding
2. The #ClickFix lure uses a fake Cloudflare Turnstile with unusual web traffic
⬇️
In this post I take a deep dive into a fake CAPTCHA on a compromised website, and the multistage fileless loader that delivered the Lumma Stealer malware if visitors followed its instructions.
#Google #reCAPTCHA #WordPress #PowerShell #Malware #Emmenhtal #Infostealer #LummaStealer
Tracking #Lumma & #Emmenhtal #loader through weeks targeting LATAM - #threat #malware
📍🏴
💥🇨🇴🇲🇽🇦🇷🌎
⛓️ #Link | Mal domain > Fake CAPTCHA | ZIP/RAR > Encoded PS | mshta (HTA) > download next > Obfuscated script exec > File | ZIP dropped > Injection over file > #LummaStealer
While monitoring recent #Emmenhtal iterations, we observed a distinct politically aligned cluster 🇪🇺, strongly differing from the usual financially motivated Emmenhtal distributions.
This cluster drops another malware we dubbed #Edam Dropper🧀
github.com/cert-orangec...
Targets: European #energy sector🔋