MaaS operation using Emmenhtal and Amadey linked to threats against Ukrainian entities
- In April 2025 Cisco Talos identified a Malware-as-a-Service (MaaS) operation that utilized Amadey to deliver payloads.
- The MaaS operators used fake GitHub accounts to host payloads, tools and Amadey plug-ins, likely as an attempt to bypass web filtering and for ease of use.
- Several operator tactics, techniques and procedures (TTPs) overlap with a SmokeLoader phishing campaign, identified in early 2025, that targeted Ukrainian entities.
- The same variant of Emmenhtal identified in the SmokeLoader campaign was used by the MaaS operation to download Amadey payloads and other tooling.
In early February 2025, Talos observed a cluster of invoice payment and billing-themed phishing emails that appeared to target Ukrainian entities. These emails included compressed archive attachments (e.g., ZIP, 7Zip or RAR) containing at least one JavaScript file that used several layers of obfuscation to disguise a PowerShell downloader. The execution of the JavaScript and PowerShell script resulted in the download and execution of SmokeLoader on the victim system. Talos assessed the JavaScript downloaders to be the Emmenthal loader, based on notable similarities between the obfuscation methods observed in the collected samples and those described by Orange Cyberdefense.
During analysis of the Emmenhtal loaders collected from this phishing campaign, Talos identified additional samples on VirusTotal that were highly similar in structure, but did not appear to be part of the original activity cluster. Most notably, these samples were not delivered via email but were instead found in several public GitHub repositories. They also did not deliver SmokeLoader as a next-stage payload. Instead, the Emmenhtal samples were being used to deliver Amadey, which in turn downloaded a variety of custom payloads from certain public GitHub repositories.
Further review of the associated GitHub accounts and the files hosted within related repositories showed that they may be part of a larger MaaS operation that uses public GitHub repositories as open directories for staging custom payloads.
MaaS operation leverages GitHub public repositories
MaaS is a business model in which the operators of the service sell access to malware or pre-existing infrastructure. In the operation Talos identified, the operators utilized Amadey to download a variety of malware families from fake GitHub repositories onto infected hosts. Initial activity appeared in February 2025, around the same time as the SmokeLoader campaign.
This distribution of several disparate malware families from a single infrastructure suggests that the threat actors behind the instances of Amadey are distributing payloads for other individuals or groups. In addition, the command and control (C2) infrastructures for the secondary payloads do not overlap with that of Amadey.
Emmenhtal and Amadey
The Emmenhtal loader is a multistage downloader that has been reported by Kroll and Orange Cyberdefense. It was given the name “Emmenhtal” by Orange Cyberdefense in August 2024, though it is sometimes referred to as “PEAKLIGHT”, which is how Mandiant refers to the final stage PowerShell downloader. Orange and Talos have observed activity that appears to involve elements of the Emmenhtal loader dating back to April 2024.
Emmenhtal variants have been found embedded in other files and deployed in a standalone format. Each loader typically includes four layers — three that act as obfuscation and the final PowerShell downloader script. These layers are described in the “Emmenhtal similarities between activity clusters” section below.
Amadey (or Amadey bot) originally appeared in late 2018 on Russian-speaking hacking forums with a $500 price tag. It was initially used by various threat actors to establish botnets. Amadey has also been observed dropping other malware including Redline, Lumma, StealC and SmokeLoader.
Amadey’s primary functions are to collect system information and download secondary payloads on an infected host. However, Amadey is modular and its functionality can be expanded with an assortment of plugins. These plugins come in the form of dynamic link libraries (DLLs) that can be selected based on desired functionality, such as screenshot capabilities or credential harvesting. Despite its common use as a downloader, Amadey can pose a serious threat.
GitHub as an open directory
During Talos’ research into the MaaS operation, we uncovered three GitHub accounts being used as open directories for hosting tools, secondary payloads and Amadey plugins:
- Legendary99999
- DFfe9ewf
- Milidmdds
In addition to being an easy means of file hosting, downloading files from a GitHub repository may bypass web filtering that is not configured to block the GitHub domain. While some organizations can block GitHub in their environment to curb the use of open-source offensive tooling and other malware, many organizations with software development teams require GitHub access in some capacity. In these environments, a malicious GitHub download may be difficult to differentiate from regular web traffic.
Talos reported the accounts listed above to GitHub, who quickly took them down. Talos would like to thank the GitHub team for their cooperation and quick response time.
Legendary999999
“Legendary99999” appears to have been the most utilized account, containing over 160 repositories with randomized names. Each of these repositories contained a single file in the “Releases” section:
The files hosted on “Legendary99999” are a collection of payloads from numerous different malware families. By hosting these files in a GitHub repository, they can easily be downloaded via a URL to the “Releases” section of the repository:
https://github.com/[account_name]/[repository_name]/releases/download/[release_name]/[file_name]
Once a host was infected with Amadey, the operators of this service could choose the payload to be delivered by simply downloading the file from the URL above.
Talos also discovered other GitHub accounts that may be linked to this operator by commonality of account name, file name, repository structure and type of hosted malware (i.e., information stealers delivered via Amadey). The earliest “first seen” date on VirusTotal for files related to these repositories was Jan. 3, 2025. None of the accounts were active at the time of Talos’ review.
|
Account |
Malware Types Hosted in Repositories |
|
legend1234561111 |
Rhadamanthys, Lumma |
|
legendary69696911 |
Lumma |
|
legendary6911331 |
Redline, Lumma |
|
legendarik1111 |
Unknown |
DFfe9ewf
“DFfe9ewf” appears to have been a test account. The repositories all contained “test” within the names and no new commits have been made since February 2025, the same month as the first commit to “Legendary99999”.
While this GitHub account does not bear similarities to the other two accounts detailed in this section, files associated with the MaaS operation interacted with at least one repository associated with this account.
“DFfe9ewf” only contained six repositories, one of which was a fork of DInvoke, a tool used to invoke arbitrary unmanaged code from managed code. Attackers frequently use DInvoke to perform process injection and avoid Windows API hooks to evade detection.
The repository “test3” contains a legitimate Selenium WebDriver file, as well as versions for Microsoft Edge and Google Chrome (ChromeDriver). A WebDriver is a powerful development tool that is intended for automating the testing of web-based applications by remotely and programmatically controlling the target browser. However, they can be used in a malicious context on a victim’s machine to remotely perform a variety of tasks, such as retrieving payloads from malicious URLs or accessing local browser data.
While WebDrivers are helpful for many developers, they can pose a serious security risk when abused. Security considerations for using WebDriver can be found here, in the documentation for ChromeDriver.
Milidmdds
The third repository, named “Milidmdds”, contained 10 repositories with similar random names to those in “Legendary99999”. This account contained several malicious scripts that ultimately download a payload to the infected host.
Emmenhtal similarities between activity clusters
Our research revealed similarities in TTPs and indicators between the SmokeLoader campaign and the Amadey MaaS activity. Three of the JavaScript files hosted by the “Milidmdds” GitHub account are nearly identical to the Emmenthal scripts used in the SmokeLoader campaign. Aside from randomized variable and function names, and different download targets in the final PowerShell script, much of the code is the same between all samples. These loader files found in the various “Milidmdds” repositories were called:
- Work.js
- Workhmv.js
- Putikatest.js
Although we did not observe the use of these scripts in the wild, it is likely they were intended for delivery through phishing emails or for embedding in malicious files in a manner similar to the SmokeLoader activity.
The similarities between the Emmenhtal loaders used in the phishing campaign targeting Ukrainian entities (noted as Sample 1) and those in the “Milidmdds” repositories (noted as Sample 2, Sample 3 and Sample 4) are shown below.
The first obfuscation layer used by the Emmenhtal samples defines a series of two-letter variables mapped to a two- or three-digit numeric value. These variables apply to a long string of comma-separated values defined in a variable with a random name, such as “qiXSF”.
Figure 4. First layer of obfuscation, Sample 1 (left) vs, Sample 2 (right).
Once this initial script has been executed, a second script is revealed that uses the ActiveXObject function to execute an encoded PowerShell command with WScript.Shell:
Figure 5. Second layer of obfuscation, Sample 1 (left) vs. Sample 2 (right).
The third layer is a PowerShell command that contains an AES-encrypted binary large object (blob).
Figure 6. Initial PowerShell command, Sample 1 (left) vs. Sample 2 (right).
The blob contains an additional AES-encrypted PowerShell script that is decrypted and executed by the initial script. This final script initiates the download of the next stage from a hard-coded IP address. In the phishing campaign targeting Ukrainian entities, this final payload would be SmokeLoader and a decoy PDF. The Emmenhtal loader files found in the public GitHub repositories noted previously were found to download a variety of files, including:
- Amadey
- A legitimate copy of PuTTY.exe
- AsyncRAT
The presence of a legitimate copy of PuTTY in the list of files delivered by the Emmenhtal loaders found in the public GitHub repositories demonstrates the adaptability of the MaaS operation to deliver whatever tooling is required by its customers.
Examples of the final decrypted PowerShell downloader are shown below.
Figure 7. Final PowerShell script, Sample 1 (left, SmokeLoader download) vs. Sample 2 (right, Amadey download).
Figure 8. Final PowerShell script, PuTTY download (left) vs. AsyncRAT download (right).
Related Emmenhtal variants
MP4 file variants
During research of both activity clusters noted in this article, Talos identified Emmenhtal samples masquerading as MP4 files. Two URLs link to .mp4 files hosted on pivqmane[.]com:
- pivqmane[.]com/testonload[.]mp4/
- pivqmane[.]com/doc/fb[.]mp4
Although the two .mp4 files hosted here had been removed, the abuse of this file format highlights another similarity between the MaaS operation and the SmokeLoader campaign. This observation also aligns with a statement made by Orange Cyberdefense that certain Emmenhtal variants masquerade as MP3 or MP4 files.
Purpose-built variant: “Checkbalance.py”
Talos discovered another unique file on the “Milidmdds” GitHub account during this research — a malicious Python script named “checkbalance.py”. While this sample did not use initial obfuscation layers like the samples previously discussed, the later PowerShell stages were nearly identical to those shown above. This variant could represent an evolution of the Emmenhtal loader or, more likely, was a purpose-built variant developed for a specific campaign.
In its initial state, the script masquerades as a simple tool that enumerates the contents of Zerion cryptocurrency accounts. However, the script also includes a large lambda function containing a Base64-encoded and compressed blob that executes at runtime. The user is then presented with an error message in Cyrillic, “Аккаунт кончились”. Curiously, this message isn’t grammatically correct since “Аккаунт” is singular and “кончились” is plural. However, given the context of the message, the author may have meant “no more accounts” or “end of accounts,” approximately.
The lambda function then runs a second Python script, which uses the subprocess.run method to execute an encoded PowerShell command. The resulting PowerShell is nearly identical to the JavaScript variants discussed previously.
The final PowerShell command downloads the Amadey payload from the IP address “185[.]215[.]113[.]16” as a file labeled “amnew.exe”. The resulting PowerShell script found in “checkbalance.py” is identical to the one derived from the Sample 2 (“work.js”) file, which was also found in the “Milidmdds” repository.
After execution, this payload contacts “hxxp://185[.]215[.]113[.]43/Zu7JuNko/index.php”, a known Amadey C2 address.
Coverage
Ways our customers can detect and block this threat are listed below.
Indicators of compromise (IOCs)
IOCs for this threat can be found on our GitHub repository here.
Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.
Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.
Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.
Cisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device.
Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.
Cisco Secure Access is a modern cloud-delivered Security Service Edge (SSE) built on Zero Trust principles. Secure Access provides seamless transparent and secure access to the internet, cloud services or private applications no matter where your users work. Please contact your Cisco account representative or authorized partner if you are interested in a free trial of Cisco Secure Access.
Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network.
Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.
Additional protection measures with context to your specific environment and threat data are available from the Firewall Management Center.
Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.
Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.
Cisco Talos Blog – Read More
