216.73.216.174

MaaS operation using Emmenhtal and Amadey linked to threats against Ukrainian entities

· Published 17/07/2025 14:59 · Modified 17/07/2025 19:50

Export JSON

Essential information

Published
17/07/2025 14:59
Modified
17/07/2025 19:50
Tags
2025-07-17 amadey asyncrat downloader emmenhtal github lumma maas obfuscation phishing redline rhadamanthys smokeloader ukraine
Related entities
4 observables, 7 malware, 3 others

Description

A Malware-as-a-Service operation utilizing for payload delivery has been identified, with connections to a campaign targeting Ukrainian entities. The operation exploits fake accounts to host payloads and tools, bypassing web filtering. , a multistage , is used to download and other malware. The activity involves various malware families and repositories for staging custom payloads. Similarities in tactics and indicators between the campaign and activity have been observed. The operation demonstrates adaptability in delivering diverse tooling, including legitimate software like PuTTY. The threat actors employ sophisticated techniques and leverage public platforms for malware distribution.

External references