{
	"id": "6970a4e6-a399-4e83-b7cf-15956527c35b",
	"created_at": "2026-04-06T00:13:51.284599Z",
	"updated_at": "2026-04-10T03:28:46.406619Z",
	"deleted_at": null,
	"sha1_hash": "5d884b39f9bdd6548375be84754d564a63813e85",
	"title": "Emmenhtal: A little-known loader distributing commodity infostealers worldwide",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2625717,
	"plain_text": "Emmenhtal: A little-known loader distributing commodity\r\ninfostealers worldwide\r\nPublished: 2024-08-14 · Archived: 2026-04-02 10:41:28 UTC\r\nAuthors: Marine Pichon, Alexandre Matousek\r\nSpecial thanks to Simon Vernin, Roland Roure, Florian Simonet, and Rebecca Attali\r\nTL;DR\r\nFollowing detections from our Managed Threat Detection (CyberSOC) teams, our CERT analysts were\r\nable to uncover several recent campaigns leading to CryptBot and Lumma infostealers.\r\nSome of these campaigns are still active and target various organizations worldwide.\r\nThese campaigns leverage a little-documented loader we dubbed “Emmenhtal”, (because we are cheese\r\nlovers), which hides in the padding of a modified legitimate Windows binary and uses HTA.\r\nEmmenhtal likely surfaced at the beginning of 2024 and is possibly being distributed by several financially\r\nmotivated threat actors through various means (from traditional email phishing lures to fake videos).\r\nIoCs can be found on our dedicated GitHub page here.\r\nNote: The analysis cut-off date for this report was August 07, 2024.\r\nIntroduction\r\nIn May and June 2024, our Managed Threat Detection (CyberSOC) team encountered a malicious campaign\r\nimpacting two of our clients in France. The infection chain used by the threat actors typically leveraged fake\r\nvideos – such as recent TV series episodes – to ultimately download CryptBot and Lumma stealer payloads.\r\nThis cluster of activity was rapidly analyzed by our CERT analysts and detailed in a World Watch advisory sent\r\nout to our clients on July 12th (link for our clients on the Orange Cyberdefense CERT portal or Orange\r\nCyberdefense FusionCentral portal).\r\nOn July 31st, we identified a new ongoing iteration of this campaign, targeting organizations globally, which likely\r\nstarted around mid-July. 
Upon analysis, we identified a recurring piece of malware encompassing several malicious HTA, JavaScript, and PowerShell stages designed to drop additional payloads. We track this loader internally as Emmenhtal and assess it has highly likely been used by multiple financially motivated threat actors since at least February 2024 to deploy commodity RATs and infostealers. Many iterations of Emmenhtal still have low detection rates on VirusTotal at the time of writing.\r\nInvestigating the infection chain\r\nhttps://www.orangecyberdefense.com/global/blog/cert-news/emmenhtal-a-little-known-loader-distributing-commodity-infostealers-worldwide\r\nPage 1 of 9\n\nBetween May 15th and June 26th, our Managed Threat Detection (CyberSOC) team detected five similar incidents impacting one of our clients in France, typically following the download of a video by a user on their corporate computer. Once the user attempted to download the video through their browser, it launched an infection chain involving a ZIP archive that contains a LNK file.\r\nThe shortcut file launches an embedded PowerShell script, which spawns the LOLBIN mshta.exe to read an HTA concatenated to a legitimate PE file downloaded from an attacker-controlled C2. The PE file is a legitimate Windows binary except that it is padded with HTA data that embeds malicious JavaScript code. 
Once interpreted and executed by mshta.exe, the JavaScript decodes and runs a PowerShell decrypter script. The latter decrypts an obfuscated PowerShell loader, which finally downloads and runs either CryptBot or Lumma stealer.\r\nThe infection chain can be illustrated as follows:\r\nFigure 1: Infection chain with ZIP archive leading to Emmenhtal, as observed in June 2024 by our CyberSOC.\r\nIn some cases, the LNK file is downloaded from an external WebDAV server following a JavaScript window redirection that requests the opening of Windows Explorer, altering the infection chain to resemble:\r\nFigure 2: Infection chain with WebDAV server leading to Emmenhtal, as observed in June 2024 by our CyberSOC.\r\nThis specific cluster identified by our CyberSOC revolves around the following indicators:\r\nstreamvideoz.b-cdn[.]net/Download-Full-Video-HD1.html\r\nnextomax.b-cdn[.]net/nexto\r\nmatodown.b-cdn[.]net/matodown\r\nfatodex.b-cdn[.]net/fatodex\r\nUpon investigation and pivoting on URLScan, we were able to find additional overlapping infrastructure using this regular expression:\r\npage.url:/https?:\\/\\/[a-z0-9\\-]+\\.b-cdn\\.net\\/[A-Za-z0-9]{4,6}/\r\nWe quickly noted strong overlaps with a campaign documented by Cisco Talos in April 
2024, especially the extensive usage of subdomains from the same Content Delivery Network (CDN) provider, Bunny.net, to cache and store the malicious files, as well as the matching infection chain leading to commodity infostealers.\r\nAll these malicious URLs drop a loader, which we dubbed Emmenhtal due to a distinctive HTA component found within the malware.\r\nFour slices of Emmenhtal\r\nAs illustrated in the diagrams above, we assess Emmenhtal acts as a multistage downloader that typically hides inside a modified version of a legitimate Microsoft Windows binary, such as Dialer.exe (a phone dialer program) or BthUdTask.exe (a Bluetooth uninstall device task).\r\nFollowing a binary comparison of the legitimate Dialer.exe with our Emmenhtal executable, we found that the only difference resides in the padding at the end of the PE.\r\nFigure 3: Binary comparison of the modified and malicious Dialer.exe with the legitimate Dialer.exe, as observed in July 2024 by our reverse engineering analysts.\r\nThis malicious padding contains four notable stages:\r\nAn HTA script found in the overlay of the PE, which consists of a list of variables holding ASCII character codes, and a variable that concatenates these variables into another script, which is then decoded and executed by an \"eval\" expression in JavaScript.\r\nA JavaScript stage, which consists of two trivially obfuscated variables containing character code numbers; its function \"lIb\" returns each character code minus 960. 
This JavaScript typically creates an ActiveX object \"WScript.Shell\" to execute the decoded PowerShell code.\r\nA PowerShell decrypter, which is designed to decrypt the last PowerShell stage.\r\nA PowerShell loader, which is responsible for downloading additional files from a C2 server and executing them (typically two ZIP archives, the last one containing either CryptBot or Lumma). Prior to that, this PowerShell loader checks whether the files are already present on the system.\r\nSimilar technical analyses of this sequence can be read on the Talos or Fortinet blogs.\r\nWhen investigating the different iterations of the campaign, we noticed versions of Emmenhtal with no PE stage. Instead, the HTA code was hosted directly as data with no file type. Many of these iterations have a lower detection rate on VirusTotal.\r\nThe articles from Talos and Fortinet mention slight divergences related to the presence of a PowerShell injector or batch scripts in some infection chains. All these variations could hint towards the presence of multiple Emmenhtal users. This hypothesis is also backed by the way Emmenhtal components are obfuscated. Indeed, when analyzing the HTA code, JavaScript, and PowerShell scripts, we noted that only the variable names and certain specific values differ between them. 
This uniformity in the obfuscation method strongly suggests the use of a tool that automates the generation and modification of these malicious scripts based on a template.\r\nFigure 4: Extracted HTA script from 656099d4fcb2a5824b4bf2ac8d6356f33d73d9a2a4c401bcd986f7667ee71695, as observed in August 2024 by our World Watch team.\r\nUsing a VirusTotal RetroHunt, we garnered more than 125 suspicious iterations of Emmenhtal and identified multiple distribution clusters, which we detail in the following sections of this article.\r\nCheesy Bunny Cluster\r\nAs previously mentioned, the Emmenhtal campaign detected by our CyberSOC overlaps with the one detailed in April 2024 by Joey Chen, Chetan Raghuprasad, and Alex Karkins from Cisco Talos, attributed to the Vietnamese CoralRaider threat cluster. However, we do not have enough visibility to associate with strong confidence the campaigns we observed with Talos’ initial threat profiling. We have therefore decided to track this threat cluster separately, under the name Cheesy Bunny.\r\nThis cluster is constructed around the use of the Slovenia-based Bunny.net CDN provider to cache and store malicious files, acting as a download server to deceive network defenders. Its C2 servers are often responsible both for serving the loader component (Emmenhtal) and delivering the final malicious stages.\r\nAs a typical CDN service provider, Bunny.net helps customers optimize web content delivery by using a network of servers distributed across various geographical locations. 
While legitimate per se, it should be noted that many subdomains from this hosting provider have been flagged as malicious on VirusTotal, indicating it has been adopted by multiple malicious actors.\r\nFigure 5: Welcome page of the Bunny.net CDN provider, as of early August 2024.\r\nWe assess Cheesy Bunny likely started distributing Emmenhtal since at least early February 2024, using fake video lures and targeting a wide scope of countries. These fake videos may be downloaded after redirections from either movie download websites or porn sites. In July, the LNK lures also masqueraded as other file types such as PDFs.\r\nBased on the final-stage payloads we managed to retrieve and identify, this cluster has been alternately pushing the well-known CryptBot or Lumma infostealers. Both malware families are sold as a service, as described in private CTI World Watch advisories available to our clients.\r\nIn addition, the Cheesy Bunny cluster sometimes relies on WebDAV servers to help distribute its Shortcut files (instead of directly using ZIP archives). By pivoting on the HTTP headers of these servers using Censys, we were able to identify further suspicious infrastructure associated with the delivery of Emmenhtal.\r\nInterestingly enough, some of these WebDAV servers lead to Emmenhtal C2s hosted on compromised websites instead of b-cdn.net subdomains. In addition, some of these Emmenhtal iterations distribute other commodity malware such as Xworm, Remcos RAT, or ACR stealer. It therefore remains unclear how to delimit the Cheesy Bunny cluster’s frontiers. 
What seems nonetheless clear is that Emmenhtal is highly likely being deployed by several distinct threat actors.\r\nOther campaigns\r\nIn parallel to the Cheesy Bunny cluster, we also identified more than 22 clusters distributing Emmenhtal through other forms of lures since February 2024.\r\nFigure 6: Timeline of several Emmenhtal distribution clusters identified between February 2024 and August 2024.\r\nCluster 2 (mostly detected throughout May 2024), leading to AsyncRAT and using Evernote invoices as lures (Invoice.pdf.lnk), likely through phishing emails.\r\nCluster 3 (detected around May 13th, 2024), leading to Meduza stealer and using scanned PDF lures. Based on IP geolocation on VirusTotal and the language used in the filenames, this cluster likely targeted Russia.\r\nCluster 4 (mostly detected in early July 2024, but with some potential campaign tests in mid-May), leading to Lumma and using transport documents as lures (CarrierAgrement.pdf.lnk). Based on IP geolocation on VirusTotal, this cluster likely targeted South Africa and Malaysia.\r\nCluster 5 (mostly detected between mid-June and early August), leading to Meduza and using TXT or PDF Shortcut lures with names such as ‘sponsors’, ‘releaseform’ or ‘config’. Based on IP geolocation on VirusTotal, this cluster likely targeted North America. From what we observed, only one C2 was used in this cluster.\r\nCluster 6 (mostly detected in early July), using UPS invoices as lures (Invoice-UPS-XXXXXX.pdf.lnk).\r\nCluster 7 (mostly detected in late July), leading to Xworm. 
We were not able to confirm with strong confidence the initial access or distribution vectors, but one of the associated Emmenhtal iterations was downloaded by a .lnk masquerading as a photo, itself downloaded from a WebDAV server.\r\nCluster 8 (mostly detected in late July), leading to SectopRAT and potentially using fake videos as lures.\r\nThe remaining clusters we identified are harder to delimit, often due to a lack of visibility into their infrastructure or to the inability to retrieve the final payload. It should nonetheless be noted that we found Emmenhtal iterations leading to Redline stealer, QuasarRAT and Rhadamanthys, and some Emmenhtal cases potentially dropped through Google ads. This is currently still under investigation. Nevertheless, all IoCs we were able to associate with Emmenhtal have been provided on our GitHub to facilitate potential threat hunting.\r\nWrap-up\r\nTo conclude, Emmenhtal features fairly standard loading capabilities but has managed to stay relatively out of the spotlight. The malware is not always well detected on VirusTotal despite having been deployed since at least February 2024 across many countries, in attack chains leading to over 10 different commodity RATs or infostealers.\r\nWe documented one of the threat clusters, Cheesy Bunny, which appears to be the longest-running one, still actively distributing Lumma and CryptBot final stages, including in France.\r\nBased on its source code, structure, and the variety of clusters that have distributed it so far, we suspect this tool is leveraged by different threat clusters. 
However, we found it difficult to match Emmenhtal’s loader capabilities with advertisements on underground marketplaces.\r\nOrange Cyberdefense’s Datalake platform provides access to Indicators of Compromise (IoCs) related to this threat, which are automatically fed into our Managed Threat Detection services. This enables proactive hunting for IoCs if you subscribe to our Managed Threat Detection service that includes Threat Hunting. If you would like us to prioritize addressing these IoCs in your next hunt, please make a request through your MTD customer portal or contact your representative.\r\nOrange Cyberdefense’s Managed Threat Intelligence [Protect] service offers the ability to automatically feed network-related IoCs into your security solutions. To learn more about this service and to find out which firewall, proxy, and other vendor solutions are supported, please get in touch with your Orange Cyberdefense Trusted Solutions representative.\r\nSource: https://www.orangecyberdefense.com/global/blog/cert-news/emmenhtal-a-little-known-loader-distributing-commodity-infostealers-worldwide",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.orangecyberdefense.com/global/blog/cert-news/emmenhtal-a-little-known-loader-distributing-commodity-infostealers-worldwide"
	],
	"report_names": [
		"emmenhtal-a-little-known-loader-distributing-commodity-infostealers-worldwide"
	],
	"threat_actors": [
		{
			"id": "6b8c5ea0-a654-4b5c-b817-9e67b115059e",
			"created_at": "2024-04-19T02:00:03.625955Z",
			"updated_at": "2026-04-10T02:00:03.616114Z",
			"deleted_at": null,
			"main_name": "CoralRaider",
			"aliases": [],
			"source_name": "MISPGALAXY:CoralRaider",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6a894c24-6f51-4863-9efb-7f1b3133c848",
			"created_at": "2024-06-20T02:02:10.260154Z",
			"updated_at": "2026-04-10T02:00:05.001393Z",
			"deleted_at": null,
			"main_name": "CoralRaider",
			"aliases": [],
			"source_name": "ETDA:CoralRaider",
			"tools": [
				"AsyncRAT",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Lumma Stealer",
				"LummaC2",
				"NetSupport",
				"NetSupport Manager",
				"NetSupport Manager RAT",
				"NetSupport RAT",
				"NetSupportManager RAT",
				"Rhadamanthys",
				"Rhadamanthys Stealer",
				"RotBot",
				"XClient"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434431,
	"ts_updated_at": 1775791726,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5d884b39f9bdd6548375be84754d564a63813e85.pdf",
		"text": "https://archive.orkl.eu/5d884b39f9bdd6548375be84754d564a63813e85.txt",
		"img": "https://archive.orkl.eu/5d884b39f9bdd6548375be84754d564a63813e85.jpg"
	}
}