Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now
Webinar
February 26
Better SOC with Interactive Sandbox Practical Use Cases
Register now

Emmenhtal

89
Global rank
54
Month rank
50 infographic chevron week
Week rank
0
IOCs

First identified in 2024, Emmenhtal operates by embedding itself within modified legitimate Windows binaries, often using HTA (HTML Application) files to execute malicious scripts. It has been linked to the distribution of malware such as CryptBot and Lumma Stealer. Emmenhtal is typically disseminated through phishing campaigns, including fake video downloads and deceptive email attachments.

Loader
Type
Unknown
Origin
1 June, 2024
First seen
31 October, 2025
Last seen

How to analyze Emmenhtal with ANY.RUN

Type
Unknown
Origin
1 June, 2024
First seen
31 October, 2025
Last seen

IOCs

IP addresses
101.99.94.234
91.92.243.198
57.128.129.22
212.28.178.113
142.11.195.90
193.143.1.46
154.216.18.99
62.133.61.56
154.216.18.97
51.89.199.99
179.43.167.210
196.251.116.154
93.113.25.151
141.98.6.14
144.126.134.25
193.24.123.97
45.137.99.210
62.146.227.231
51.89.158.77
147.45.50.250
Domains
reply-youtube.com
8fhd2idhacas.click
8fnuawbfuac.click
downloadstep.com
8eh18dhq9wd.click
downloadsbeta.com
8hdfiqowchq.click
8nioqhxciwoqc.click
pivqmane.com
continuedownloader.com
desbullariamos.sa.com
zexodown-2.b-cdn.net
transparency.b-cdn.net
potexo.b-cdn.net
shortcuts.b-cdn.net
anti-bot1.b-cdn.net
vidstreemz.b-cdn.net
nextomax.b-cdn.net
mato3f.b-cdn.net
bot-check3.b-cdn.net
Last Seen at
Last Seen at

Recent blog posts

post image
What is a Malware Sandbox? Everything SOC Ana...
watchers 401
comments 0
post image
Major Cyber Attacks in October 2025: Phishing...
watchers 2939
comments 0
post image
5 SOC Challenges and How Threat Intelligence...
watchers 487
comments 0

What is Emmenhtal malware?

Emmenhtal is a loader malware first observed in early 2024, designed to deploy infostealers and remote access trojans (RATs) on compromised systems. Usually distributed through phishing campaigns involving fake downloads or deceptive email attachments, Emmenhtal embeds itself within modified legitimate Windows binaries.

Its key functionality includes executing malicious scripts via HTA (HTML Application) files and facilitating the distribution of malware such as CryptBot and Lumma Stealer.

According to research conducted by ANY.RUN, Emmenhtal utilizes LOLBAS (Living Off the Land Binaries and Scripts) to deliver malware as part of its campaigns.

The malware has been found distributing threats such as Arechclient2, Lumma Stealer, HijackLoader, and Amadey, with each sample relying heavily on malicious scripts. These scripts can be analyzed in-depth using ANY.RUN’s Script Tracer.

Simply upload the malicious sample inside the sandbox and observe its behavior in real time, without causing harm to your system. Analysis of Emmenhtal inside ANY.RUN sandbox Emmenhtal loader observed inside ANY.RUN sandbox

Get started today for free

Analyze malware and phishing in a fully-interactive sandbox

Create free account

Emmenhtal malware technical details

The primary functionalities and features of Emmenhtal loader include:

  • Utilizes legitimate Windows tools like Forfiles, HelpPane, and PowerShell to evade detection and execute payloads.
  • Employs a multi-stage process with AES-encrypted scripts to decrypt and execute the final malware payload.
  • Known to distribute various malware, including Arechclient2, Lumma Stealer, HijackLoader, and Amadey.
  • Heavily obfuscates scripts and payloads, employing AES encryption to avoid detection by security systems.
  • Typically distributed through phishing campaigns, fake downloads, and deceptive email attachments.
  • Relies heavily on malicious scripts for payload execution and persistence.
  • Ensures it remains on the system post-infection by integrating persistence mechanisms.
  • Functions as a flexible loader, adaptable to deliver a range of malware types.
  • Frequently launches payloads disguised as legitimate binaries, such as Updater.exe, to blend in with normal system activity.
  • Believed to be used by multiple financially motivated threat actors in global campaigns.

Emmenthal loader execution process

To see how Emmenthal operates, let’s upload its sample into ANY.RUN’s Interactive Sandbox.

Emmenhtal heavily relies on Living Off The Land (LOLBAS) techniques to deliver malware as part of its campaigns. The malware uses various execution methods. In our case, a .lnk file was crafted to appear as a PDF document, but in reality, it pointed to malicious scripts hosted on a remote server. These shortcuts execute scripts and initiate further actions without immediately raising security alerts.

Ssh.exe displayed inside ANY.RUN sandbox Ssh.exe displayed in ANY.RUN sandbox

The malware employs both PowerShell and Windows Management Instrumentation (WMI) commands to gather detailed information about the victim’s system. This includes language settings, antivirus products, operating system versions, and hardware specifications. Such reconnaissance enables attackers to tailor subsequent attacks and enhances their credibility when sending additional malicious emails within the targeted organization.

Ultimately, a final PowerShell script serves as the Emmenhtal loader. It launches a payload, often Updater.exe, but in our example R-Viewer.exe, along with a binary file that has a generated (random) name as its argument. After this process completes, the system is effectively compromised. During our analysis, we observed Emmenhtal delivering several malware families, including Arechclient2, Lumma, Hijackloader, and Amadey, each making extensive use of malicious scripting techniques.

Execution Chain:

  1. The .lnk file initiates SSH.
  2. SSH starts PowerShell.
  3. PowerShell launches Mshta with the AES-encrypted first-stage payload.
  4. Mshta decrypts and executes the downloaded payload.
  5. PowerShell executes an AES-encrypted command to decrypt and run Emmenhtal.

Process tree observed inside ANY.RUN sandbox Process tree observed inside ANY.RUN sandbox

Emmenhtal loader distribution methods

Emmenhtal loader employs several distribution methods:

  • Phishing campaigns: Emmenhtal is often disseminated through phishing emails containing malicious attachments or links that lead to the download of the loader.
  • Fake downloads: Users are tricked into downloading Emmenhtal by disguising it as legitimate software or video files, commonly hosted on compromised websites or through deceptive ads.
  • Compromised legitimate files: It is delivered through modified Windows binaries to appear legitimate.
  • Script-based delivery: Uses HTA (HTML Application) files and other scripts to execute malicious payloads.

Use ANY.RUN free for 14 days

Try the full power of interactive analysis

Start your free trial

Gathering Threat Intelligence on Emmenhtal Malware

To stay informed about Emmenhtal and collect relevant intel, use Threat Intelligence Lookup.

This service grants access to an extensive database with insights from millions of malware analysis sessions conducted in the ANY.RUN sandbox. With over 40 customizable search parameters, users can pinpoint data on threats, including IPs, domains, file names, and process artifacts.

Search results for Emmenhtal in Threat Intelligence Lookup Search results for Emmenhtal in Threat Intelligence Lookup

For example, you can search for Emmenhtal by its name or related artifacts. A query like threatName:"Emmenhtal" will retrieve all associated samples and sandbox results relevant to this loader malware.

Integrate ANY.RUN’s threat intelligence solutions in your company

Contact us

Conclusion

Emmenhtal is a dangerous loader malware due to its use of LOLBAS tactics, heavy obfuscation, and ability to deliver multiple malware types. To combat such threats, integrating tools like ANY.RUN can help proactively analyze suspicious files and URLs before they cause damage.

ANY.RUN is an interactive malware analysis platform that offers real-time insights into malicious activity. Its features include visualized execution chains, script tracing, support for analyzing Windows and Linux-based threats, and much more.

Sign up for a free ANY.RUN account and start analyzing threats with confidence!

HAVE A LOOK AT

ACR Stealer screenshot
ACR Stealer is a modern information-stealing malware designed to harvest sensitive data from infected devices. Like other infostealers, it targets credentials, financial details, browser data, and files, enabling cybercriminals to monetize stolen information through direct fraud or underground market sales.
Read More
UpCrypter screenshot
UpCrypter
upcrypter
UpCrypter is a sophisticated malware loader that functions as a delivery mechanism for remote access tools. Distributed through global phishing campaigns targeting Windows systems, this actively maintained tool serves as the central framework for deploying various RATs including PureHVNC, DCRat, and Babylon RAT, enabling attackers to establish persistent remote control over compromised systems.
Read More
Sality screenshot
Sality
sality
Sality is a highly sophisticated malware known for infecting executable files and rapidly spreading across networks. It primarily creates a peer-to-peer botnet that is used for malicious activities such as spamming, data theft, and downloading additional malware. Sality has strong persistence mechanisms, including disabling security software, making it difficult to remove. Its ability to spread quickly and silently, along with its polymorphic nature, allows it to evade detection by traditional antivirus solutions.
Read More
Grandoreiro screenshot
Grandoreiro
grandoreiro
Grandoreiro is a Latin American banking trojan first observed in 2016. It targets mostly Spanish-speaking countries, such as Brazil, Spain, Mexico and Peru. This malware is operated as a Malware-as-a-Service (MaaS), which makes it easily accessible for cybercriminals. Besides, it uses advanced techniques to evade detection.
Read More
Crocodilus screenshot
Crocodilus
crocodilus
Crocodilus is a highly sophisticated Android banking Trojan that emerged in March 2025, designed for full device takeover. Disguised as legitimate apps, it steals banking credentials, cryptocurrency wallet data, and enables remote control, rapidly evolving into a global threat targeting financial users across Europe, South America, and Asia.
Read More
Razr screenshot
Razr
razr
Razr is a destructive ransomware that infiltrates systems to encrypt files, rendering them inaccessible to users. It appends the ".razr" extension to the encrypted files and drops a ransom note, typically named "README.txt," instructing victims on how to pay the ransom to obtain the decryption key. The malware often spreads through phishing emails with malicious attachments or by exploiting vulnerabilities in software and operating systems. Razr employs strong encryption algorithms, making it challenging to decrypt files without the attackers' key.
Read More