• An unknown threat cluster has been targeting at least between June and October 2024 European organizations, notably in the healthcare sector.
• Tracked as Green Nailao by Orange Cyberdefense CERT, the campaign relied on DLL search-order hijacking to deploy ShadowPad and PlugX – two implants often associated with China-nexus targeted intrusions.
• The ShadowPad variant our reverse-engineering team analyzed is highly obfuscated and uses Windows services and registry keys to persist on the system in the event of a reboot.
• In several Incident Response engagements, we observed the consecutive deployment of a previously undocumented ransomware payload.
• The campaign was enabled by the exploitation of CVE-2024-24919 (link for our World Watch and Vulnerability Intelligence customers) on vulnerable Check Point Security Gateways.
  IoCs and Yara rules can be found on our dedicated GitHub page here.

• Following detections from our Managed Threat Detection (CyberSOC) teams, our CERT analysts were able to uncover several recent campaigns leading to CryptBot and Lumma infostealers.

• Some of these campaigns are still active and target various organizations worldwide.

• These campaigns leverage a little-documented loader we dubbed “Emmenhtal”, (because we are cheese lovers), which hides in the padding of a modified legitimate Windows binary and uses HTA.

• Emmenhtal likely surfaced at the beginning of 2024 and is possibly being distributed by several financially motivated threat actors through various means (from traditional email phishing lures to fake videos).

• IoCs can be found on our dedicated GitHub page here.
  Note: The analysis cut-off date for this report was August 07, 2024.

Analysts from Sekoia.io and Orange Cyberdefense delve into the phenomenon of RESIP, explore the actual market landscape, which is composed of multiple shady providers, and explain how cyber threat actors abuse or even directly provide such services.