Cyber Security News

Warning: New Emansrepo Malware Uses HTML Files to Target Windows Users

Emansrepo, a Python infostealer, is distributed via phishing emails containing fake purchase orders and invoices, where the attacker initially sent a phishing email with an HTML file redirecting to the Emansrepo download link. 

In recent months, the attack flow has become more complex, involving multiple stages and mailboxes.

The stolen data is compressed into a zip file and sent to the attacker’s email, which poses a significant threat to Microsoft Windows users as the stolen information can be used for future attacks.

The download link for Emansrepo is embedded in RTGS Invoices.html.

The phishing emails in all three chains use archive files (7z) to deliver malicious payloads, where Chain 1 uses a dropper disguised as a download page that triggers a fake download and redirects the user and then downloads a preconfigured Python information stealer.

Are You From SOC/DFIR Teams? - Try Advanced Malware and Phishing Analysis With ANY.RUN - 14 day free trial

Chain 2 employs a nested HTA file with a JavaScript core that decrypts and downloads a PowerShell script, similar to the AutoIt script in Chain 1, which downloads the same Python stealer but executes it through a batch file. 

While Chain 3 leverages a BatchShield-obfuscated batch file that downloads and runs a PowerShell script, ultimately leading to the information-stealing Python program. 

The obfuscated batch file

The Emansrepo is a Python infostealer that targets user information, text files, PDFs, browser extensions, crypto wallets, game platform data, and cookies by stealing data in three parts:

Part 1 targets user information and text files (less than 0.2 MB) from the Desktop, Document, and Downloads folders.

It also steals login data, credit card information, web history, download history, and autofill data from various browsers.

Part 2 targets PDF files (less than 0.1 MB) from Desktop, Document, Downloads, and Recents folders and compresses folders of browser extensions, crypto wallets, and game platforms into zip files, while Part 3 targets cookies from browsers and zips them into {process_name}_cookies.zip. 

The content of Saved_Passwords.txt

The recent discovery of a new Remcos malware campaign using a phishing email with a malicious DBatLoader attachment highlights a similar attack pattern to the previously identified Python infostealer. 

Both campaigns share identical email content but employ distinct malware distribution methods.

While the Python infostealer involved a more complex attack flow, the Remcos campaign relies on a simpler approach, where the malicious attachment directly downloads and decrypts the Remcos payload, which is further protected by a packer.

Left: the email for the Python infostealer. Right: The email for Remcos.

Emansrepo, a persistent threat actor, has been actively targeting organizations since November.

Its attack methods are constantly evolving, utilizing a variety of techniques and malware. 

According to FortiGuard, given the dynamic nature of these attacks, it’s crucial for organizations to remain vigilant about cybersecurity.

What Does MITRE ATT&CK Expose About Your Enterprise Security? - Watch Free Webinar!

Varshini

Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.

Recent Posts

Ivanti Fully Patched Connect Secure RCE Vulnerability That Actively Exploited in the Wild

Ivanti has issued an urgent security advisory for CVE-2025-22457, a critical vulnerability impacting Ivanti Connect…

20 hours ago

Beware! Weaponized Job Recruitment Emails Spreading BeaverTail and Tropidoor Malware

A concerning malware campaign was disclosed by the AhnLab Security Intelligence Center (ASEC), revealing how…

23 hours ago

EncryptHub Ransomware Uncovered Through ChatGPT Use and OPSEC Failures

EncryptHub, a rapidly evolving cybercriminal entity, has come under intense scrutiny following revelations of operational…

24 hours ago

PoisonSeed Targets CRM and Bulk Email Providers in New Supply Chain Phishing Attack

A sophisticated phishing campaign, dubbed "PoisonSeed," has been identified targeting customer relationship management (CRM) and…

24 hours ago

Beware! Fake Unpaid Tolls Messages Used in Phishing Attack to Steal Login Credentials

A surge in phishing text messages claiming unpaid tolls has been linked to a massive…

24 hours ago

State Bar of Texas Confirms Data Breach, Begins Notifying Affected Consumers

The State Bar of Texas has confirmed a data breach following the detection of unauthorized…

24 hours ago