MaaS operation using Emmenhtal and Amadey linked to threats against Ukrainian entities
In April 2025 Cisco Talos identified a Malware-as-a-Service (MaaS) operation that utilized Amadey to deliver payloads.
The MaaS operators used fake GitHub accounts to host payloads, tools and Amadey plug-ins, likely as an attempt to bypass web filtering and for ease of use.
Several operator tactics, techniques and procedures (TTPs) overlap with a SmokeLoader phishing campaign, identified in early 2025, that ta...