Emissary is a backdoor Trojan that gives a remote operator control of a compromised Windows host. It is delivered through malicious downloads, email attachments or websites without the user's knowledge, and once installed it can disrupt operations on the system and steal information from it. The Trojan runs within the Internet Explorer process and communicates with a command-and-control (C2) server by sending network beacons. The C2 server answers with commands in the form of a three-digit numeric string, which Emissary decrypts and compares against the list of commands in its command handler.
Emissary's payload differs from the closely related Elise malware in the seed value its algorithm uses: 1024 for Emissary versus 2012 for Elise, which is one way to tell the two families apart. The Trojan should not be confused with the China-nexus EMISSARY PANDA threat group, whose name it shares; in an adversary-emulation test by SE Labs, the tactics, techniques and procedures (TTPs) of EMISSARY PANDA were emulated alongside those of other formidable groups: Russia-nexus Turla, North Korea-nexus Kimsuky and another China-nexus group, Ke3chang.
In one instance, threat actors attempted to exploit CVE-2014-6332 (a Windows OLE automation array vulnerability reachable from Internet Explorer) to install a new version of the Emissary Trojan, version 5.3. Emissary is related to the Elise malware used in Operation Lotus Blossom, an attack campaign against targets in Southeast Asia. It provides backdoor access to compromised systems, letting the threat actors control the host at will; its command handler function supports six commands.
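As an added example (not code from this page or from the malware analysis it summarises), the following Python models the command path described above and the analyst-side use of the seed difference between Emissary and Elise. Only the two seed values, the three-digit numeric command format and the six-command handler come from the description; everything else is an assumption. The keystream is a placeholder standing in for the undisclosed algorithm, the command numbers and handler names are invented, and the sample traffic is constructed inline.

```python
"""Model of the Emissary C2 command path: a beacon reply carrying an
encrypted three-digit numeric command is decrypted, validated and
dispatched through a small command table. The keystream below is a
placeholder (assumption), not the malware's real algorithm; only the
seed values 1024 (Emissary) and 2012 (Elise) come from the description.
"""
from typing import Optional

FAMILY_SEEDS = {"Emissary": 1024, "Elise": 2012}

# Six-entry command table. The numbers and names are placeholders
# (assumption): the description only says the handler has six commands
# selected by a three-digit numeric string.
COMMANDS = {
    101: "upload_file",
    102: "download_file",
    103: "execute_shell",
    104: "list_directory",
    105: "delete_file",
    106: "update_config",
}


def keystream(seed: int, length: int) -> bytes:
    """Placeholder seed-driven keystream (assumption): a tiny affine
    generator chosen only so that the two family seeds give different
    streams. It is not cryptographically meaningful."""
    return bytes(((seed >> 2) + 37 * i + 11) & 0xFF for i in range(length))


def xor_with_stream(seed: int, data: bytes) -> bytes:
    """Encrypt or decrypt (XOR is its own inverse) under a family seed."""
    return bytes(b ^ k for b, k in zip(data, keystream(seed, len(data))))


def parse_command(plaintext: bytes) -> Optional[int]:
    """Accept exactly three ASCII digits, as the C2 protocol specifies;
    anything else (wrong length, non-digits, wrong seed) is rejected."""
    if len(plaintext) != 3 or not plaintext.isdigit():
        return None
    return int(plaintext)


def dispatch(command: int) -> str:
    """Look the decrypted command up in the handler table."""
    return COMMANDS.get(command, "unknown")


def handle_beacon_reply(seed: int, ciphertext: bytes) -> str:
    """Full path a bot takes on a C2 reply: decrypt, validate, dispatch."""
    command = parse_command(xor_with_stream(seed, ciphertext))
    return "rejected" if command is None else dispatch(command)


def classify_by_seed(ciphertext: bytes) -> Optional[str]:
    """Analyst-side use of the seed difference: try each family's seed
    and report the one under which the reply decrypts to a well-formed
    command. Returns None when no seed yields one."""
    for family, seed in FAMILY_SEEDS.items():
        if parse_command(xor_with_stream(seed, ciphertext)) is not None:
            return family
    return None


if __name__ == "__main__":
    # Constructed sample traffic: the C2 tells an Emissary bot to run command 103.
    reply = xor_with_stream(FAMILY_SEEDS["Emissary"], b"103")
    print(handle_beacon_reply(1024, reply))   # execute_shell
    print(handle_beacon_reply(2012, reply))   # rejected (wrong family seed)
    print(classify_by_seed(reply))            # Emissary
```

The point of `classify_by_seed` is the one the description makes: when two families share a protocol and an encoding scheme, a constant such as the seed can be the distinguishing feature, so an analyst decoding captured C2 traffic can try each known seed and attribute the sample to whichever one yields a well-formed three-digit command. With a real sample the placeholder keystream would be replaced by the algorithm recovered from the binary.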
Description last updated: 2024-05-04T22:03:01.207Z