MaaS operation using Emmenhtal and Amadey linked to threats against Ukrainian entities

A Malware-as-a-Service (MaaS) operation that uses Amadey for payload delivery has been identified, with connections to a SmokeLoader phishing campaign targeting Ukrainian entities. The operation abuses fake GitHub accounts to host payloads and tools, bypassing web filtering that trusts the platform. Emmenhtal, a multistage downloader, is used to retrieve Amadey and other malware. The activity involves several malware families and GitHub repositories used for staging custom payloads. Similarities in tactics and indicators between the SmokeLoader campaign and the Amadey MaaS activity have been observed. The operation shows adaptability in delivering diverse tooling, including legitimate software such as PuTTY. The threat actors employ sophisticated obfuscation techniques and leverage public platforms for malware distribution.

Author: AlienVault

Related Tags:
emmenhtal
T1102.002
T1588.001
T1573.001
T1204.001
T1132.001
downloader
Obfuscation
rhadamanthys

Associated Indicators:
subprocess.run