{
	"id": "bdeecef7-42d7-429b-ac21-ecb93e31664d",
	"created_at": "2026-04-06T00:21:55.057089Z",
	"updated_at": "2026-04-10T03:37:08.60037Z",
	"deleted_at": null,
	"sha1_hash": "2ac3ff71e50fd2bce5bc08cb5c8bd5efbe8a07ad",
	"title": "Emansrepo Stealer: Multi-Vector Attack Chains | FortiGuard Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4696947,
	"plain_text": "Emansrepo Stealer: Multi-Vector Attack Chains | FortiGuard Labs\r\nBy Pei Han Liao\r\nPublished: 2024-09-03 · Archived: 2026-04-05 21:35:16 UTC\r\nAffected Platforms: Microsoft Windows\r\nImpacted Users: Microsoft Windows\r\nImpact: The stolen information can be used for future attacks\r\nSeverity Level: High\r\nIn August 2024, FortiGuard Labs observed a Python infostealer we call Emansrepo that is distributed via emails that include fake purchase orders and invoices. Emansrepo compresses data from the victim’s browsers and files in specific paths into a zip file and sends it to the attacker’s email. According to our research, this campaign has been ongoing since November 2023.\r\nThe attacker sent a phishing mail containing an HTML file, which redirected to the download link for Emansrepo. This variant is packaged by PyInstaller so it can run on a computer without Python.\r\nFigure 1: Attack flow in November 2023\r\nFigure 2: The download link for Emansrepo is embedded in RTGS Invoices.html.\r\nAs time goes by, the attack flow has become increasingly complex. Below are the attack flows we found in July and August 2024:\r\nhttps://www.fortinet.com/blog/threat-research/emansrepo-stealer-multi-vector-attack-chains\r\nPage 1 of 14\n\nFigure 3: Attack flow in August and July 2024\r\nVarious stages are being added to the attack flow before downloading Emansrepo, and multiple mailboxes are used to receive different kinds of stolen data. This article will provide a detailed analysis of each attack chain and its behavior. We will then provide a quick summary of the next campaign.\r\nAttack Flow\r\nChain 1\r\nFigure 4: The phishing mail in chain 1 contains a fake download page\r\nThe attachment is a dropper that mimics a download page. It creates a link element that points to the data of Purchase-Order.7z and uses the click() method to “download” Purchase-Order.7z. 
Six seconds later, it redirects to a completely unrelated website.\r\nFigure 5: Source code of the attachment\r\nPurchase-Order.exe, the file embedded in Purchase-Order.7z, is an AutoIt-compiled executable. It doesn’t include any files, and the AutoIt script determines its behavior. The script has many unused functions, frustrating its analysis. The only meaningful code downloads preoffice.zip to the Temp folder and unzips it into %TEMP%\\PythonTemp. The zip archive contains the necessary Python modules and tester.py, the malicious script for information stealing.\r\nFigure 6: The AutoIt script downloads the Python infostealer\r\nChain 2\r\nFigure 7: The phishing mail in chain 2\r\nThe innermost file in P.O.7z is an HTA file. Its source file is a JavaScript file that shows a hidden window named PowerShell Script Runner and downloads the PowerShell script, script.ps1, with VBScript for the next stage.\r\nFigure 8: The decryption algorithm of the JavaScript file and the result\r\nThe behavior of script.ps1 is similar to the AutoIt script in chain 1. It downloads preoffice.zip to the Temp folder and unzips it to %TEMP%\\PythonTemp, but it executes Emansrepo using run.bat.\r\nFigure 9: script.ps1 executes run.bat to run the infostealer\r\nChain 3\r\nFigure 10: The phishing mail in chain 3\r\nThe 7z file from the link in the phishing mail contains a batch file obfuscated by BatchShield.\r\nFigure 11: The obfuscated batch file\r\nAfter deobfuscation, we can see that it is not as complicated as it first seems. 
It simply downloads and executes script.ps1 using PowerShell.\r\nFigure 12: The deobfuscated batch file\r\nPython Infostealer\r\nAccording to the email receiving the data, the infostealer behavior can be divided into three parts. It creates folders to temporarily store the stolen data for each part and deletes them after sending the data to the attacker. The stolen data is attached to the email sent to the attacker.\r\nPart 1 – User information and text files\r\nIn part 1, the Python stealer collects login data, credit card information, web history, download history, autofill data, and text files (less than 0.2 MB) from the Desktop, Document, and Downloads folders.\r\nSender: minesmtp8714@maternamedical[.]top\r\nReceiver: minestealer8412@maternamedical[.]top\r\nTarget browsers: amigo, torch, kometa, orbitum, cent-browser, 7star, sputnik, vivaldi, google-chrome-sxs, google-chrome, epic-privacy-browser, microsoft-edge, uran, yandex, brave, iridium\r\nFolder and files: %TEMP%\\Browsers: text files (less than 0.2 MB) copied from Desktop, Document, Downloads; %TEMP%\\Browsers\\{browser name}: Saved_Passwords.txt, Saved_Credit_Cards.txt, Browser_History.txt, Download_History.txt, Autofill_Data.txt\r\nAttachment: Zip file of the %TEMP%\\Browsers folder\r\nPart 1 includes the initial features of Emansrepo, since there is only code for part 1 in the November 2023 variant (e346f6b36569d7b8c52a55403a6b78ae0ed15c0aaae4011490404bdb04ff28e5). It’s worth noting that emans841 report has been used as the divider in Saved_Passwords.txt since the December 2023 variant (ae2a5a02d0ef173b1d38a26c5a88b796f4ee2e8f36ee00931c468cd496fb2b5a). 
Because of this, we call it Emansrepo.\r\nFigure 13: The content of Saved_Passwords.txt\r\nThe variant used in November 2023 uses Prysmax Premium as the divider.\r\nBy comparing the variant in November 2023 with the first edition of the Prysmax stealer shared on GitHub, we find they contain many similar functions, though the Emansrepo stealer had fewer features. However, as parts 2 and 3 were added to Emansrepo, it has become quite different from the Prysmax stealer.\r\nFigure 14: Left: Variant in November 2023. Right: First edition of Prysmax Stealer on GitHub\r\nPart 2 – PDF files, extensions, crypto wallets, and game platforms\r\nPart 2 copies PDF files (less than 0.1 MB) from the Desktop, Document, Downloads, and Recents folders and compresses folders of browser extensions, crypto wallets, and game platforms into zip files.\r\nSender: extensionsmtp@maternamedical[.]top\r\nReceiver: filelogs@maternamedical[.]top\r\nTarget browsers: Opera, Chrome, Brave, Vivaldi, Yandex, Edge\r\nCrypto wallets: Atomic Wallet, Guarda, Zcash, Armory, Bytecoin, Exodus, Binance, Electrum, Coinomi, jaxx\r\nGame platforms: Steam, Riot Games\r\nBrowser extensions: MetaMask, BNB Chain Wallet, Coinbase Wallet, Ronin Wallet, Trust Wallet, Venom Wallet, Sui Wallet, Martian Aptos \u0026 Sui Wallet, TronLink, Petra Aptos Wallet, Pontem Crypto Wallet, Fewcha Move Wallet, Math Wallet, Coin98 Wallet, Authenticator, Exodus Web3 Wallet, Phantom, Core | Crypto Wallet \u0026 NFT, TokenPocket - Web3 \u0026 Nostr Wallet, SafePal Extension Wallet, Solflare Wallet, Kaikas, iWallet, Yoroi, Guarda, Jaxx Liberty, Wombat, Oxygen - Atomic Crypto 
Wallet, MEW CX, GuildWallet, Saturn Wallet, Station Wallet, Harmony, EVER Wallet, KardiaChain Wallet, Pali Wallet, BOLT X, Liquality Wallet, XDEFI Wallet, Nami, MultiversX Wallet, Temple - Tezos Wallet, XMR.PT\r\nFolder and files in temp folder: %TEMP%\\pdf_temps: PDF files (less than 0.1 MB) copied from Desktop, Document, Downloads and Recents folder; {extension ID}.zip; {data folder}.zip\r\nAttachment: All files in pdf_temp\r\nPart 3 – Cookies\r\nPart 3 copies cookie files and zips them into {process_name}_cookies.zip.\r\nSender: cookiesmtp@maternamedical[.]top\r\nReceiver: cooklielogs@maternamedical[.]top\r\nTarget browsers: Chrome, msedge, brave, opera, 360se, 360browser, yandex, UCBrowser, QQBrowser\r\nFolder and files in temp folder: %TEMP%\\cookies_data: {process_name}_cookies.zip\r\nZip file: Zip files in cookies_data\r\nNew Campaign\r\nWe recently found another attack campaign using the Remcos malware, which we believe is related to the same attacker because of the phishing email.\r\nFigure 15: Left: the email for the Python infostealer. Right: The email for Remcos.\r\nAs the above screenshot shows, these attacks have the same content but use different methods to distribute malware. The attack flow for Remcos is much simpler. The attacker just sends phishing emails with a malicious attachment. The attachment is a DBatLoader, which downloads and decrypts data for the payload. The payload is a Remcos protected by a packer.\r\nFigure 16: Attack flow of new Remcos campaign\r\nConclusion\r\nEmansrepo has been active since at least last November, and the attack method is continuously evolving. 
The attack vectors and malware are ever-changing and pervasive, so it’s vital for organizations to maintain cybersecurity awareness. FortiGuard will continue monitoring these attack campaigns and providing appropriate protections as required.\r\nFortinet Protections\r\nThe malware described in this report is detected and blocked by FortiGuard Antivirus as:\r\nW32/Kryptik.EB!tr\r\nJS/Agent.FEI!tr\r\nBAT/Downloader.2C22!tr\r\nFortiGate, FortiMail, FortiClient, and FortiEDR support the FortiGuard AntiVirus service. The FortiGuard AntiVirus engine is part of each solution. As a result, customers who have these products with up-to-date protections are already protected.\r\nThe FortiGuard CDR (content disarm and reconstruction) service can disarm the embedded link object inside the Excel document.\r\nTo stay informed of new and emerging threats, you can sign up to receive future alerts.\r\nWe also suggest our readers go through the free Fortinet Cybersecurity Fundamentals (FCF) training, a module on Internet threats designed to help end users learn how to identify and protect themselves from phishing attacks.\r\nThe FortiGuard IP Reputation and Anti-Botnet Security Service proactively blocks these attacks by aggregating malicious source IP data from the Fortinet distributed network of threat sensors, CERTs, MITRE, cooperative competitors, and other global sources that collaborate to provide up-to-date threat intelligence about hostile sources.\r\nIf you believe this or any other cybersecurity threat has impacted your organization, please contact our Global FortiGuard Incident Response 
Team.\r\nIOCs\r\nAddress\r\nhxxps://bafybeigm3wrvmyw5de667rzdgdnct2fvwumyf6zyzybzh3tqvv5jhlx2ta[.]ipfs[.]dweb[.]link/wetrankfr[.]zip\r\nhxxps://bafybeifhhbimsau6a6x4m2ghdmzer5c3ixfztpocqqudlo4oyzer224q4y[.]ipfs[.]w3s[.]link/myscr649612[.]js\r\nhttps://estanciaferreira[.]com[.]br/wp-includes/TIANJIN-DOC-05082024-xls[.]7z\r\nhxxps://dasmake[.]top/reader/timer[.]php\r\nhxxps://hedam[.]shop/simple/Enquiry.7z\r\n191[.]101[.]130[.]185\r\n192[.]236[.]232[.]35\r\nEmail address\r\nstealsmtp@dasmake[.]xyz\r\nhanbox@dasmake[.]xyz\r\npublicsmtp@dasmake[.]xyz\r\npublicbox@dasmake[.]xyz\r\nminesmtp8714@dasmake[.]xyz\r\nminestealer8412@dasmake.xyz\r\nminesmtp8714@maternamedical[.]top\r\nminestealer8412@maternamedical[.]top\r\nextensionsmtp@maternamedical[.]top\r\nfilelogs@maternamedical[.]top\r\ncookiesmtp@maternamedical[.]top\r\ncooklielogs@maternamedical[.]top\r\nPhishing mail\r\na6c2df5df1253f50bd49e7083fef6cdac544d97db4a6c9c30d7852c4fd651921\r\n9e5580d7c3c22e37b589ec8eea2dae423c8e63f8f666c83edabecf70a0948b99\r\n9bd3b8d9ac6ad680b0d0e39b82a439feedd87b9af580f37fa3d80d2c252fef8c\r\n915bad0e2dbe0a18423c046f84d0ff7232fff4e5ba255cc710783f6e4929ab32\r\n64e5c9e7b8dfb8ca8ca73895aa51e585fa7e5414f0e1d10659d3a83b9f770333\r\nb343cce5381b8633b3fd3da56698f60db70c75422e120235a00517d519e37d8d\r\n32bcbce53bfee33112b447340e7114d6d46be4ccf1a5391ad685431afdc8fb86\r\nDelivery\r\nbee8da411e71547ac765a5e63e177b59582df438432cc3b540b57a6f1a56dd16\r\n70ba3d67b476e98419ecbbbb5d81efcb5a07f55a92c96e7b9207176746e3b7a6\r\na2fa6790035c7af64146158f1ed20cb54f4589783e1f260a5d8e4f30b81df70d\r\n4cd8c9fa7f5e2484b73ed9c7be55aa859969c3f21ca2834610102231d337841d\r\n6670e5c7521966e82d091e7adff4e16335f03f2e2740b653adcc9bfe35c7bf9b\r\ndd656953a6844dd9585f05545a513c4e8c2ded13e06cdb67a0e58eda7575a7a4\r\n9866934dd2b4e411cdabaa7a96a63f153921a6489f01b0b40d7febed48b02c22\r\nMalware\r\ne346f6b36569d7b8c52a55403a6b78ae0e
d15c0aaae4011490404bdb04ff28e5\r\n8e43c97e5bc62211b3673dee13e376a1f5026502ebe9fd9f7f455dc17c253b7f\r\nae2a5a02d0ef173b1d38a26c5a88b796f4ee2e8f36ee00931c468cd496fb2b5a\r\n7a9826be22b6d977d6a0e5179f84d8e88b279fe6d9df8f6c93ebc40a6ba70f06\r\n18459be33cd4f59081098435a0fbaa649f301f985647a75d21b7fc337378e59b\r\n6e7313b6aa37a00b602e620a25a0b71a74503ea967f1814c6c7b8b192535a043\r\n222dd76c461e70c3cb330bacfcf465751b07331c4f8a4415c09f4cd7c4e6fcd9\r\nSource: https://www.fortinet.com/blog/threat-research/emansrepo-stealer-multi-vector-attack-chains",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.fortinet.com/blog/threat-research/emansrepo-stealer-multi-vector-attack-chains"
	],
	"report_names": [
		"emansrepo-stealer-multi-vector-attack-chains"
	],
	"threat_actors": [
		{
			"id": "0661a292-80f3-420b-9951-a50e03c831c0",
			"created_at": "2023-01-06T13:46:38.928796Z",
			"updated_at": "2026-04-10T02:00:03.148052Z",
			"deleted_at": null,
			"main_name": "IRIDIUM",
			"aliases": [],
			"source_name": "MISPGALAXY:IRIDIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75455540-2f6e-467c-9225-8fe670e50c47",
			"created_at": "2022-10-25T16:07:23.740266Z",
			"updated_at": "2026-04-10T02:00:04.732992Z",
			"deleted_at": null,
			"main_name": "Iridium",
			"aliases": [],
			"source_name": "ETDA:Iridium",
			"tools": [
				"CHINACHOPPER",
				"China Chopper",
				"LazyCat",
				"Powerkatz",
				"SinoChopper",
				"reGeorg"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434915,
	"ts_updated_at": 1775792228,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2ac3ff71e50fd2bce5bc08cb5c8bd5efbe8a07ad.pdf",
		"text": "https://archive.orkl.eu/2ac3ff71e50fd2bce5bc08cb5c8bd5efbe8a07ad.txt",
		"img": "https://archive.orkl.eu/2ac3ff71e50fd2bce5bc08cb5c8bd5efbe8a07ad.jpg"
	}
}