MaaS operation using Emmenhtal and Amadey linked to threats against Ukrainian entities
NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY :
A Malware-as-a-Service (MaaS) operation that uses Amadey for payload delivery has been identified and linked to a SmokeLoader phishing campaign targeting Ukrainian entities. The operators host payloads and tooling on fake GitHub accounts, so downloads originate from a widely trusted domain and pass through web filtering. Emmenhtal, a multistage downloader, retrieves Amadey and other malware, and the same GitHub repositories are used to stage custom payloads from several malware families. The SmokeLoader campaign and the Amadey MaaS activity share tactics and indicators. The operation has shown it can deliver varied tooling, including legitimate software such as PuTTY. The threat actors rely on obfuscation and on public platforms for malware distribution.
OPENCTI LABELS :
phishing,ukraine,redline,lumma,amadey,downloader,obfuscation,asyncrat,rhadamanthys,github,smokeloader,maas,emmenhtal