win.emmenhtal

Emmenhtal

aka: IDATDropper, PEAKLIGHT

Emmenhtal is a malicious loader likely distributed since early 2024, and publicly detailed by Orange Cyberdefense CERT in August 2024.
Emmenhtal is an obfuscated multistage payload that uses the LOLBIN mshta.exe to execute a first HTA stage embedding malicious JavaScript. Once interpreted, the JavaScript decodes and runs a PowerShell script, which in turn decrypts an obfuscated PowerShell loader; that loader finally downloads and runs the final-stage payloads, infostealers and commodity RATs.

As of March 2025, Orange Cyberdefense CERT has identified three versions of the loader, all actively distributed.

References

Date | Source | Authors | Title | Tagged families
2025-03-14 | Twitter (@CERTCyberdef) | Alexandre Matousek, Marine PICHON | Tweet on Emmenhtal v3 | Emmenhtal, Lumma Stealer, Rhadamanthys
2025-03-13 | Group-IB | Group-IB | ClickFix: The Social Engineering Technique Hackers Use to Manipulate Victims | Emmenhtal, Lumma Stealer
2025-02-15 | Youtube (greenplan) | greenplan | [BINARY REFINERY] (Emmenhtal) - Deobfuscation of a custom obfuscation algorithm | Emmenhtal
2025-02-01 | Youtube (greenplan) | greenplan | [BINARY REFINERY] (Emmenhtal) - Deobfuscation of AES encryption and writing of a Unit (PART 2) | Emmenhtal
2025-01-26 | Youtube (greenplan) | greenplan | [BINARY REFINERY] (Emmenhtal) - Deobfuscation stage JavaScript and PowerShell | Emmenhtal
2024-12-20 | Twitter (@CERTCyberdef) | Alexandre Matousek, Marine PICHON | Tweet on Emmenhtal v2 | Emmenhtal
2024-12-05 | Orange Cyberdefense | Alexandre Matousek, Marine PICHON | Edam Dropper | Edam, Emmenhtal
2024-11-28 | StrikeReady | StrikeReady Labs | RU APT targeting Energy Infrastructure (Unknown unknowns, part 3) | Edam, Emmenhtal
2024-09-20 | McAfee | Aayush Tyagi, Yashvi Shah | Behind the CAPTCHA: A Clever Gateway of Malware | Emmenhtal, Lumma Stealer
2024-08-22 | Mandiant | Aaron Lee, Praveeth DSouza | PEAKLIGHT: Decoding the Stealthy Memory-Only Malware | CryptBot, Emmenhtal, HijackLoader, Lumma Stealer
2024-08-14 | Orange Cyberdefense | Alexandre Matousek, Marine PICHON, Simon Vernin | Emmenhtal: a little-known loader distributing commodity infostealers worldwide | Emmenhtal
2024-06-24 | Kroll | Dave Truman | Novel Technique Combination Used In IDATLOADER Distribution | Emmenhtal, HijackLoader
Yara Rules
[TLP:WHITE] win_Emmenhtal_w0 (20240814 | No description)
rule win_Emmenhtal_w0 {
    meta:
        author = "cert-orangecyberdefense"
        source = "https://raw.githubusercontent.com/cert-orangecyberdefense/emmenhtal/main/yara%20Emmenhtal"
        date = "2024-08-14"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.emmenhtal"
        malpedia_rule_date = "20240814"
        malpedia_hash = ""
        malpedia_version = "20240814"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        // JavaScript markers of the first HTA stage: character-code decoding and eval of the result
        $s1 = " = String.fromCharCode("
        $s2 = ";var "
        $s3 = "eval("
        $s4 = "</script>"
        // HTA application header that keeps the window minimized and out of the taskbar
        $s5 = "<HTA:APPLICATION CAPTION = \"no\" WINDOWSTATE = \"minimize\" SHOWINTASKBAR = \"no\" >"
    condition:
        // all five literals must be present; the rule is case-sensitive ASCII matching
        all of them
}
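The following is an added example, not part of Malpedia or of the cert-orangecyberdefense rule set: a pure-Python re-implementation of the win_Emmenhtal_w0 condition ("all of them" over five case-sensitive ASCII literals), usable for triage of HTA files where no YARA binding is installed. The two inputs at the bottom are constructed skeletons, not real samples, and the function names are this example's own.

```python
"""Pure-Python mirror of the win_Emmenhtal_w0 YARA condition.

Added example, not code from Malpedia or cert-orangecyberdefense. It reproduces
the rule's default matching (case-sensitive, ASCII, no 'wide' modifier) and its
'all of them' condition so a triage script can flag candidate HTA files.
"""
from pathlib import Path

# The five literal strings of rule win_Emmenhtal_w0 (TLP:WHITE, CC BY-SA 4.0).
EMMENHTAL_W0_STRINGS = {
    "s1": b" = String.fromCharCode(",
    "s2": b";var ",
    "s3": b"eval(",
    "s4": b"</script>",
    "s5": b'<HTA:APPLICATION CAPTION = "no" WINDOWSTATE = "minimize" SHOWINTASKBAR = "no" >',
}


def match_emmenhtal_w0(data: bytes) -> dict:
    """Return {string_id: first_offset or None} for every rule string."""
    return {sid: (data.find(pat) if pat in data else None)
            for sid, pat in EMMENHTAL_W0_STRINGS.items()}


def missing_strings(data: bytes) -> list:
    """Sorted ids of rule strings that did not occur; useful when a near-miss is reviewed."""
    return sorted(sid for sid, off in match_emmenhtal_w0(data).items() if off is None)


def rule_matches(data: bytes) -> bool:
    """YARA condition 'all of them': every string must occur at least once."""
    return not missing_strings(data)


def scan_file(path) -> bool:
    """Apply the check to a file on disk (hypothetical helper for batch triage)."""
    return rule_matches(Path(path).read_bytes())


# Constructed inputs (not real samples). The positive one is an inert skeleton
# that merely contains the five markers in the layout the rule expects.
CONSTRUCTED_HIT = (
    b'<html><head>'
    b'<HTA:APPLICATION CAPTION = "no" WINDOWSTATE = "minimize" SHOWINTASKBAR = "no" >\n'
    b'<script>;var a = String.fromCharCode(72, 105);eval("a");</script>'
    b'</head></html>'
)

# A benign HTA-like document sharing some markers but not the hidden-window header.
CONSTRUCTED_BENIGN = (
    b'<html><head><HTA:APPLICATION CAPTION = "yes" >\n'
    b'<script>var a = String.fromCharCode(72, 105);</script></head></html>'
)

if __name__ == "__main__":
    for name, blob in (("hit", CONSTRUCTED_HIT), ("benign", CONSTRUCTED_BENIGN)):
        print(f"{name}: match={rule_matches(blob)} missing={missing_strings(blob)}")
```

Because the rule keys on literals in the first HTA stage, later loader versions (v2 and v3 are listed in the references above) may change those strings; treat a hit as one signal alongside mshta.exe process telemetry rather than as the only check.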