{
	"id": "64e127e5-e414-4930-be50-88379163c851",
	"created_at": "2026-04-06T00:19:20.313057Z",
	"updated_at": "2026-04-10T03:37:08.947621Z",
	"deleted_at": null,
	"sha1_hash": "b15bbacc7f5345eab8c44019c8e466e87adb5d6b",
	"title": "GitHub - cert-orangecyberdefense/edam: Edam dropper",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 33270,
	"plain_text": "GitHub - cert-orangecyberdefense/edam: Edam dropper\r\nBy Mar-Pic\r\nArchived: 2026-04-05 21:35:09 UTC\r\nWhile monitoring new Emmenhtal iterations, our World Watch team encountered samples likely associated with a\r\npolitically-aligned malicious campaign, strongly differing from usual financially motivated Emmenhtal\r\ndistributions leading to commodity infostealers. This confirms the existence of multiple Emmenhtal affiliates, as\r\nwell as a potential pro-Russian alignment for some of them.\r\nAround mid-October, an infection chain leveraged lure documents related to the 21st Gas Infrastructure Europe\r\n(GIE) conference in Munich, possibly targeting organizations in the European energy sector.\r\nThreat actors distributed LNK files (likely through spear phishing) in order to deploy the Emmenhtal loader.\r\nThese LNK files launch an embedded PowerShell script which spawns an execution of the LOLBIN mshta.exe to read\r\nan HTA concatenated to a legitimate PE file downloaded from an attacker-controlled C2. The malicious HTA data\r\nlocated in the padding of this PE file corresponds to Emmenhtal’s first stage, which is then followed by additional\r\nconsecutive JavaScript and PowerShell stages. The loader then downloads from two distinct C2 servers a decoy\r\nPDF as well as a malicious DLL we dubbed Edam Dropper.\r\nEdam is written in C++ and its PDB path indicates it is called \"droper_dll\". It is capable of establishing\r\npersistence by setting up a Run key as Setting App which points towards its own file and then of downloading\r\nfrom another C2 a final stage using HTTP GET.\r\nIn this cluster, the C2 servers were hosted on compromised WordPress infrastructure based in Ukraine and Poland.\r\nSimilarly to the decoy documents, this infrastructure masqueraded as related to the 21st Gas Infrastructure Europe\r\nAnnual Conference in Munich.\r\nThe campaign we analyzed was also detailed by researchers from StrikeReady last week. It could be related to\r\nSandworm (APT44). This operation does indeed coincide with Sandworm’s reported proclivity for using\r\ncriminally sourced malware variants, as well as its longstanding interest in the European energy sector.\r\nLinks: https://www.orangecyberdefense.com/global/blog/cert-news/emmenhtal-a-little-known-loader-distributing-commodity-infostealers-worldwide https://malpedia.caad.fkie.fraunhofer.de/details/win.emmenhtal\r\nhttps://strikeready.com/blog/ru-apt-targeting-energy-infrastructure-unknown-unknowns-part-3/\r\nSource: https://github.com/cert-orangecyberdefense/edam\r\nhttps://github.com/cert-orangecyberdefense/edam\r\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://github.com/cert-orangecyberdefense/edam"
	],
	"report_names": [
		"edam"
	],
	"threat_actors": [
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44",
				"ATK14",
				"BlackEnergy Group",
				"Blue Echidna",
				"CTG-7263",
				"ELECTRUM",
				"FROZENBARENTS",
				"Hades/OlympicDestroyer",
				"IRIDIUM",
				"Qudedagh",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"Telebots",
				"Voodoo Bear"
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434760,
	"ts_updated_at": 1775792228,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b15bbacc7f5345eab8c44019c8e466e87adb5d6b.pdf",
		"text": "https://archive.orkl.eu/b15bbacc7f5345eab8c44019c8e466e87adb5d6b.txt",
		"img": "https://archive.orkl.eu/b15bbacc7f5345eab8c44019c8e466e87adb5d6b.jpg"
	}
}