Intel Name: MaaS operation using Emmenhtal and Amadey linked to threats against Ukrainian entities
Date of Scan: July 18, 2025
Impact: Medium
Summary: In early February 2025, a phishing campaign targeting Ukrainian entities used invoice- and billing-themed emails containing compressed archives with obfuscated JavaScript files. These files deployed PowerShell downloaders to install SmokeLoader, leveraging the Emmenhtal loader. Further analysis revealed similar Emmenhtal samples on GitHub that were not email-delivered and instead deployed Amadey, which downloaded custom payloads from public GitHub repositories. This activity suggests a broader Malware-as-a-Service (MaaS) operation using Emmenhtal and Amadey, with GitHub repositories serving as payload staging platforms.