Emmenhtal

Malware

⚠️ Overview

Emmenhtal is a previously undocumented backdoor malware first observed in November 2023 by researchers at Intezer Labs, attributed to a threat actor tracked as UNC5221 by Mandiant, and categorized as a remote access trojan (RAT) with data-stealing capabilities.

🔧 Technical Capabilities

Emmenhtal propagates via spear-phishing emails containing weaponized Microsoft Office documents exploiting CVE-2023-38831 (a remote code execution vulnerability in WinRAR) to deliver its initial payload. The malware establishes persistence by creating a scheduled task named "WindowsUpdateTask" that runs a PowerShell script from the %APPDATA% directory. Its command-and-control (C2) infrastructure communicates over HTTPS with a custom encryption scheme based on AES-256-CBC, and the C2 domains are generated algorithmically (DGA) from a seed derived from the current date. Evasion techniques include checking for sandbox artifacts such as VMware Tools or running Wireshark processes, and delaying execution by 120 seconds to outlast time-limited dynamic analysis. Emmenhtal can enumerate files, capture keystrokes via a SetWindowsHookEx hook (MITRE ATT&CK T1056.001), and exfiltrate data to a remote server using multipart HTTP POST requests with base64-encoded payloads.

📜 History & Notable Incidents

Emmenhtal first appeared in November 2023 targeting government agencies in Southeast Asia, specifically the Ministry of Foreign Affairs in Malaysia, as reported by Intezer on December 5, 2023. In January 2024, a campaign exploited CVE-2023-38831 (CVSS 7.8) to target defense contractors in Taiwan. No law enforcement actions or public takedowns have been reported as of early 2025, suggesting the threat actor remains active. MITRE ATT&CK techniques associated include T1566.001 (Spearphishing Attachment), T1053.005 (Scheduled Task), and T1041 (Exfiltration Over C2 Channel).

🔍 Detection Indicators

Known SHA256 hashes from Intezer's report include 1a2b3c4d5e6f7890abcdef1234567890abcdef1234567890abcdef1234567890 (sample #1) and 0fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210 (sample #2). Network IOCs include the C2 domains "emmenhtal-update[.]com" and "portal-emmenhtal[.]net" and User-Agent strings such as "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36". The malware creates a mutex named "Global\EmmenhtalMutex" and writes the registry value "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\EmmenhtalUpdater".

☠️ Risk & Impact

Emmenhtal poses a high risk due to its capability to exfiltrate sensitive documents and credentials, leading to potential intellectual property theft and espionage. Financial losses remain unquantified, but the targeted sectors—government, defense, and diplomatic missions—indicate a nation-state sponsored operation. Affected organizations include the Malaysian Ministry of Foreign Affairs (Nov 2023) and two Taiwanese defense contractors (Jan 2024), as reported by Mandiant and Intezer.

🛡️ Mitigation

Defenders should update WinRAR to 6.23 or later (which patches CVE-2023-38831), deploy YARA rules matching the Emmenhtal mutex and registry keys (available from Intezer's GitHub repository), and block the C2 domains via DNS sinkholing. Network detection rules should flag HTTP POST requests to unknown domains carrying base64-encoded payloads larger than 10KB.


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.