
Shaarli Daily

All the links from one day on one page.

September 19, 2024

Clever 'GitHub Scanner' campaign abusing repos to push malware

A clever threat campaign is abusing GitHub repositories to distribute malware targeting users who frequent an open source project repository or are subscribed to email notifications from it. A malicious GitHub user opens a new

WebDAV-as-a-Service: Uncovering the infrastructure behind Emmenhtal loader distribution

Our TDR team has been investigating the WebDAV infrastructure used to distribute the Emmenhtal loader. Here are some key insights:

Emmenhtal: a little-known loader distributing commodity infostealers worldwide
  • Following detections from our Managed Threat Detection (CyberSOC) teams, our CERT analysts were able to uncover several recent campaigns leading to CryptBot and Lumma infostealers.

  • Some of these campaigns are still active and target various organizations worldwide.

  • These campaigns leverage a little-documented loader we dubbed “Emmenhtal” (because we are cheese lovers), which hides in the padding of a modified legitimate Windows binary and uses HTA.

  • Emmenhtal likely surfaced at the beginning of 2024 and is possibly being distributed by several financially motivated threat actors through various means (from traditional email phishing lures to fake videos).

  • IoCs can be found on our dedicated GitHub page here.
    Note: The analysis cut-off date for this report was August 07, 2024.
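The summary above says the loader hides in the padding of a modified legitimate Windows binary. One triage check a responder can run without any third-party tooling is to walk the PE section table and look for non-zero bytes where a compiler-emitted file should only have zero fill: the slack between a section's VirtualSize and its file-aligned SizeOfRawData, and any overlay appended after the last section. The script below is an added example written for this digest, not code from Orange Cyberdefense or from the Emmenhtal report; it assumes "padding" means section slack or overlay (the report does not say which), and it builds its own constructed, non-executable PE image as test input rather than using any real sample.

```python
import struct

FILE_ALIGN = 0x200  # file alignment used by the constructed sample


def build_sample_pe(code: bytes, hidden: bytes, overlay: bytes = b"") -> bytes:
    """Constructed test input (not a real binary): a minimal PE32 image with a
    single .text section. `hidden` is written into the section's alignment
    slack, the bytes between VirtualSize and SizeOfRawData, to mimic a payload
    stashed in padding. `overlay` is appended after the last section."""
    assert len(code) + len(hidden) <= FILE_ALIGN
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # COFF header: i386, 1 section, SizeOfOptionalHeader = 0xE0, EXECUTABLE|32BIT
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)
    # PE32 optional header; fields past FileAlignment are left zero because the
    # parser below never reads them.
    opt = struct.pack("<HBBIIIIIIIII", 0x10B, 0, 0, len(code), 0, 0,
                      0x1000, 0x1000, 0x2000, 0x400000, 0x1000, FILE_ALIGN)
    opt += b"\0" * (0xE0 - len(opt))
    # Section header: VirtualSize = real code size, SizeOfRawData = one aligned block
    sect = struct.pack("<8sIIIIIIHHI", b".text\0\0\0", len(code), 0x1000,
                       FILE_ALIGN, FILE_ALIGN, 0, 0, 0, 0, 0x60000020)
    headers = dos + b"PE\0\0" + coff + opt + sect
    headers += b"\0" * (FILE_ALIGN - len(headers))
    section = code + hidden
    section += b"\0" * (FILE_ALIGN - len(section))
    return headers + section + overlay


def parse_sections(pe: bytes):
    """Return (FileAlignment, [section dicts]) from a PE image, parsing only
    the fields needed for the slack/overlay check."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not a PE file (no MZ header)")
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file (no PE signature)")
    nsec, = struct.unpack_from("<H", pe, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", pe, e_lfanew + 20)
    opt_off = e_lfanew + 24
    file_align, = struct.unpack_from("<I", pe, opt_off + 36)  # same offset in PE32/PE32+
    table = opt_off + opt_size
    sections = []
    for i in range(nsec):
        name, vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, table + 40 * i)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", errors="replace"),
            "vsize": vsize, "raw_size": raw_size, "raw_ptr": raw_ptr,
        })
    return file_align, sections


def find_hidden_data(pe: bytes, min_nonzero: int = 16):
    """Flag regions of the file that should be zero padding but are not:
    section slack (VirtualSize < SizeOfRawData) and the overlay past the last
    section. `min_nonzero` suppresses noise from a few stray fill bytes."""
    _, sections = parse_sections(pe)
    findings = []
    end_of_sections = 0
    for s in sections:
        start, end = s["raw_ptr"], s["raw_ptr"] + s["raw_size"]
        end_of_sections = max(end_of_sections, end)
        if s["vsize"] < s["raw_size"]:
            slack = pe[start + s["vsize"]:end]
            nonzero = len(slack) - slack.count(0)
            if nonzero >= min_nonzero:
                findings.append({"kind": "slack", "section": s["name"],
                                 "offset": start + s["vsize"],
                                 "size": len(slack), "nonzero_bytes": nonzero})
    overlay = pe[end_of_sections:]
    nonzero = len(overlay) - overlay.count(0)
    if overlay and nonzero >= min_nonzero:
        findings.append({"kind": "overlay", "section": None,
                         "offset": end_of_sections,
                         "size": len(overlay), "nonzero_bytes": nonzero})
    return findings


if __name__ == "__main__":
    # Constructed sample: 64 bytes of NOPs as "code", 32 bytes stashed in slack
    sample = build_sample_pe(b"\x90" * 0x40, b"ABCD" * 8)
    for f in find_hidden_data(sample):
        print(f"{f['kind']:8} section={f['section']} offset={f['offset']:#x} "
              f"size={f['size']} nonzero={f['nonzero_bytes']}")
```

Treat a hit as a triage signal, not a verdict: some toolchains fill slack with non-zero bytes, and an overlay is normal for Authenticode-signed executables (the certificate table lives there) and for self-extracting installers. Because the loader is described as living inside a modified copy of a legitimate binary, the stronger check is to hash the suspect file and compare it against the vendor's known-good version of the same binary; the slack and overlay offsets reported above then tell you where to carve the differing bytes for further analysis.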

Australian police infiltrate encrypted messaging app Ghost and arrest dozens

Australian police say they have infiltrated Ghost, an encrypted global communications app developed for criminals, leading to dozens of arrests.