A Malware-as-a-Service operation using Amadey for payload delivery has been identified, with connections to a SmokeLoader phishing campaign targeting Ukrainian entities. The operation abuses fake GitHub accounts to host payloads and tools, bypassing web filtering. Emmenhtal, a multistage downloader, is used to fetch Amadey and other malware. The activity involves several malware families and GitHub repositories used for staging custom payloads. Similarities in tactics and indicators between the SmokeLoader campaign and the Amadey MaaS activity have been observed. The operation demonstrates adaptability in delivering diverse tooling, including legitimate software such as PuTTY. The threat actors employ sophisticated obfuscation techniques and leverage public platforms for malware distribution.
Author: AlienVault
Related Tags:
emmenhtal
T1102.002
T1588.001
T1573.001
T1204.001
T1132.001
downloader
Obfuscation
rhadamanthys
Associated Indicators: