{
	"id": "317840c2-2e9c-48d5-8e99-54bb86a15788",
	"created_at": "2026-04-06T00:06:30.041817Z",
	"updated_at": "2026-04-10T13:12:25.437442Z",
	"deleted_at": null,
	"sha1_hash": "7daa71b8d599ed86ad641a782b6c5d7236ce3260",
	"title": "Tracking Emmenhtal",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1275032,
	"plain_text": "Tracking Emmenhtal\r\nPublished: 2025-03-04 · Archived: 2026-04-05 21:43:00 UTC\r\nEmmenhtal, the primary choice of loader for malware like Amadey, Danabot and Lumma Stealer, is being distributed through shady websites using the FakeCaptcha AKA ClickFix campaigns. They have now started the campaign with the FakeCaptcha webpages distributed through malvertising.\r\nThe malvertising campaigns are done using URLs like:\r\nhxxps://gukrathokeewhi.net/afu[.]php?zoneid=6534229\u0026var=6534229\u0026rid=e8DJqkaKU-A8kEnzk7U3FA%3D%3D\u0026rhd=\r\nThe ones in bold are part of the post-back component of the advertising-related affiliate services, which is basically used for monitoring the click conversion and acts as a tracker component of the advertisement campaign. The URL structure is similar to that of one of the popular advertisement affiliate services, Propeller Ads, as shown here, but we are not able to find any other evidence of distribution channels beyond this point. The PHP scripts themselves are highly obfuscated, which we believe is to bypass adblockers, because searching for the keywords from the webpage always ends up in some adblocker’s GitHub repository.\r\nThe FakeCaptcha website shown in the screenshots in Figure 1 might seem like an obvious bait, but based on our telemetry it seems to be an effective one. We get ~50 hits a day; interestingly, some scenarios have more than one such detection on the same machine, meaning the end user is not alarmed enough in such cases, and a naïve one might be tempted to turn off the security application.\r\nFigure 1: Initial lure website aka ClickFix\r\nThis variant of FakeCaptcha has been predominantly used by many malware campaigns since December 2024. We found a pattern in the choice of domain names used in these campaigns.\r\nhttps://labs.k7computing.com/index.php/tracking-emmenhtal/\r\nPage 1 of 7\r\nFigure 2: FakeCaptcha Website\r\nThe burden of infection falls on the user for this particular step: the PowerShell command highlighted in Figure 2 is copied to the clipboard and needs to be executed in the Run window by the user. Usually it’s a PowerShell command executing an HTA payload using mshta.\r\nThe highlighted hex bytes in Figure 3 are ASCII characters that themselves spell out hex byte values (e.g. [x36 x36] = ‘66’ = 0x66 = ‘f’). We started hunting this payload with a YARA rule for this pattern. Without the offset check we were able to find many interesting malware samples which were not related to Emmenhtal, meaning this method of obfuscation is popular.\r\nFigure 3: mp4 file passed to mshta\r\nWe wrote small and simple Python code to deobfuscate the HTA payload mentioned in Figure 3. The next steps consist of multiple stages of scripts downloading/dropping and executing other scripts.\r\nThe next stage is JavaScript (JS_A), shown in Figure 4.\r\nFigure 4: JavaScript (JS_A)\r\nThe JavaScript is decrypted using a key as highlighted, to get a PowerShell script (PS_A, Figure 5) which uses AES decryption with a hardcoded key to get another PowerShell script (PS_B), shown in Figure 6.\r\nFigure 5: PowerShell Script (PS_A)\r\nFigure 6: The PowerShell script (PS_B) decrypted and executed by the PowerShell (PS_A) in Figure 5 to download another PowerShell script (PS_C) shown in Figure 7\r\nThis PowerShell script in turn downloads a 10 MB PowerShell script (PS_C) as shown in Figure 7.\r\nThe 10 MB PowerShell script is highly obfuscated and usually has around 1000 unique variables, more than 20K lines of script and oddly just one function. One could always rely on searching for strings like “).(”, “::” and “function” while analysing such huge obfuscated scripts. The function is executed using a script block smuggling technique in order to bypass AMSI.\r\nFigure 7: Downloaded PowerShell (PS_C)\r\nAgain another PowerShell script (PS_D) is extracted from the script shown in Figure 7. This extracted script contains functionality to bypass AMSI and to load a base64 encoded PE file. The loading of the PE file is the PowerShell loading of DotNET into memory via reflection. The part for bypassing AMSI is a direct copy from a GitHub repository. The GitHub repository has AI generated code from a blog post of the original author who discovered this AMSI bypass technique. The original author has not shared the complete code in the blog. Malek Tabib, a cybersecurity enthusiast, beat us to this discovery and has done an excellent analysis on the same topic in his blog post. Decoding and loading of the base64 encoded PE file also seems to be generated using AI prompts. The comments in the code, highlighted in Figure 8, are a dead giveaway. The AMSI bypass doesn’t seem to work in this case, as we were able to track the code in the AMSI buffer.\r\nFigure 8: AI generated AMSI bypass PowerShell (PS_D)\r\nFigure 9: AI generated PE file loader (PS_D)\r\nThe final script (PS_D) drops a DotNET file, which in most of the scenarios is Lumma Stealer. The Lumma Stealer’s stager decrypts and executes an AES encrypted DLL from its resource. The DotNET DLL file is the Lumma Stealer; there are multiple quality blogs about the current variant of the Lumma Stealer, hence we are not covering that in this blog.\r\nHunting/Detecting Emmenhtal\r\nWe were not able to get many sources of the FakeCaptcha site as they were redirected from the malvertising campaigns. The URL shared in the beginning of the blog would not always redirect to the FakeCaptcha site. However, the FakeCaptcha site could be hunted using some of the strings used for copying malicious commands to the clipboard. The rule would be for detecting the script part within the HTML page.\r\nWe found an interesting pattern about the hosting infrastructure for the second part of the kill chain. Most of the domains used for this step had the TLD “.shop” and the A records, part of the Domain Name System (DNS), were 104.21.*.* or 172.67.*.*.\r\nThe whois domain registrar name was always namecheap.com (for the .shop TLD we were able to find domain names for $0.99), the nameserver was cloudflare.com and the registrant country was Iceland.\r\nNow they have also used domains from aliyuncs.com and, in two instances, GitHub. The predominant extension was ‘.mp4’; there were also some extensions like ‘.hta’, ‘.txt’, ‘.eml’ and ‘.mp3’.\r\nThe URL used in the Figure 6 stage also contains the “.shop” domain, and the URLs in this stage always have random subdomain names. We have shared a couple of YARA rules useful for hunting here.\r\nWe believe there might be an increase in the kill chain length of this particular delivery system. Due to the nature of the kill chain, any of the PowerShell components of the kill chain could be easily replaced, extended or even exchanged. The attempt to use AI generated code is evidence that we would be seeing serious attempts to pivot the kill chain flow. For distribution, malvertising affiliates are the key focus area. The infrastructure used in the campaign seems to be very flexible, and its prevalence shows that it is inexpensive and effective.\r\nWith simple OSINT capabilities the security products would be able to thwart this kill chain. The traditional adblockers might be effective in cases where the initial lure originated from shady websites. Also, Web Categorization capabilities, like the one available in K7 Security Products, could be an effective tool in defending against such malware.\r\nWe have shared the IOCs here.\r\nSource: https://labs.k7computing.com/index.php/tracking-emmenhtal/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://labs.k7computing.com/index.php/tracking-emmenhtal/"
	],
	"report_names": [
		"tracking-emmenhtal"
	],
	"threat_actors": [],
	"ts_created_at": 1775433990,
	"ts_updated_at": 1775826745,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7daa71b8d599ed86ad641a782b6c5d7236ce3260.pdf",
		"text": "https://archive.orkl.eu/7daa71b8d599ed86ad641a782b6c5d7236ce3260.txt",
		"img": "https://archive.orkl.eu/7daa71b8d599ed86ad641a782b6c5d7236ce3260.jpg"
	}
}