Smoked out - Emmenhtal spreads SmokeLoader malware www.gdatasoftware.com/blog/2025…

We observed a malicious campaign targeting First Ukrainian International Bank (pumb[.]ua) and noticed the use of a stealthy malware loader known as Emmenhtal (sic: the unorthodox spelling refers to the loader's HTA component, hence “EmmenHTAl”), also referred to by Google as Peaklight.

This loader has been active since early 2024 and is primarily used by financially motivated threat actors to distribute commodity infostealers such as CryptBot and Lumma. In this campaign, we observed Emmenhtal chained together with SmokeLoader, which lets the threat actors use SmokeLoader's modular capabilities to deploy additional malware dynamically.

The infection chain starts with an email claiming to confirm that a payment has been made. Attached to the email is a 7z archive deceptively named ‘Платiжна_iнструкция.7z’ (translated as “Payment_instruction”) to trick victims into extracting and opening its contents.
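As an added example (not code from the G DATA write-up), the following triage rule flags mail-gateway attachment records that match the lure pattern described above: a payment-themed message carrying a 7z archive whose contents include an HTA or other script file. The record layout, the message subject and the archive member names are constructed assumptions for illustration.

```python
import unicodedata
from dataclasses import dataclass, field

# Lure stems: English payment words plus Cyrillic stems of "платіж/платеж"
# and "інструкція/инструкция" chosen to avoid the ambiguous i/і letter.
PAYMENT_WORDS = ("payment", "invoice", "плат", "нструкц")
# Extensions of the HTA/script stages a loader like Emmenhtal starts from.
SCRIPT_EXTS = (".hta", ".js", ".vbs", ".lnk", ".cmd", ".bat")


@dataclass
class Attachment:
    filename: str
    members: list = field(default_factory=list)  # file names inside the archive


@dataclass
class Message:
    subject: str
    attachments: list


def is_payment_lure(text: str) -> bool:
    # NFKC-normalise and case-fold so decorated variants still match the stems
    t = unicodedata.normalize("NFKC", text).casefold()
    return any(w in t for w in PAYMENT_WORDS)


def triage(msg: Message) -> list:
    """Return [(attachment name, reasons)] for attachments worth holding."""
    hits = []
    for att in msg.attachments:
        reasons = []
        if att.filename.casefold().endswith(".7z"):
            reasons.append("7z archive")
            if is_payment_lure(att.filename) or is_payment_lure(msg.subject):
                reasons.append("payment-themed lure")
            scripts = [m for m in att.members if m.casefold().endswith(SCRIPT_EXTS)]
            if scripts:
                reasons.append("archive contains script/HTA: " + ", ".join(scripts))
        if len(reasons) >= 2:  # a 7z alone is not enough; require a second signal
            hits.append((att.filename, reasons))
    return hits


# Constructed sample records: one mirroring the campaign lure, one benign.
SAMPLE = Message("Payment confirmation",
                 [Attachment("Платiжна_iнструкция.7z", ["Платiжна_iнструкция.hta"])])
BENIGN = Message("Quarterly report", [Attachment("report.7z", ["report.pdf"])])
```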
