Emissary
Emissary is a remote access implant/trojan associated with the China-linked Lotus Blossom threat group and has been observed alongside the Elise backdoor. It has been described as a remote access implant similar to Elise and was often executed through legitimate Windows binaries such as rundll32. Reported capabilities include configuring itself as a service, creating a remote shell and executing specified commands, interacting with services via the net start command, executing ipconfig /all for network configuration discovery, and executing net localgroup administrators for privilege/group enumeration. Emissary uses HTTP or HTTPS for command-and-control communications. Some variants encrypt C2 traffic using various XOR operations, and one documented variant receives a 36-character GUID in the C2 server response that is then used as the encryption key for subsequent communications. For persistence, variants have used rundll32.exe in Registry values. Emissary has also been observed injecting its DLL into a newly spawned Internet Explorer process. High-confidence behavioral indicators mentioned in the content include use of rundll32.exe for persistence/execution, HTTP/HTTPS C2, XOR-encrypted C2 data, a GUID-derived C2 encryption key, DLL injection into Internet Explorer, and execution of net start, ipconfig /all, and net localgroup administrators.
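The host-side indicators above (discovery commands under a rundll32.exe process tree, a rundll32.exe Run/RunOnce value, and a remote thread from rundll32.exe into iexplore.exe) can be scored over endpoint telemetry. The following is an added example, not code from the page or from Mallory; it assumes simplified Sysmon-like event dictionaries with hypothetical field names and constructed sample events.

```python
import re

# Discovery commands the page lists as high-confidence Emissary indicators.
DISCOVERY = {
    "net start": re.compile(r"\bnet1?(?:\.exe)?\s+start\b", re.I),
    "ipconfig /all": re.compile(r"\bipconfig(?:\.exe)?\s+/all\b", re.I),
    "net localgroup administrators": re.compile(
        r"\bnet1?(?:\.exe)?\s+localgroup\s+administrators\b", re.I),
}
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.I)  # autostart values

def _under(by_pid, pid, image_name):
    # Walk the parent chain from pid; True if any ancestor image ends with image_name.
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        if by_pid[pid]["image"].lower().endswith(image_name):
            return True
        pid = by_pid[pid]["ppid"]
    return False

def find_emissary_indicators(events):
    """Return (indicator, detail, pid) tuples for events matching Emissary tradecraft."""
    by_pid = {e["pid"]: e for e in events if e["type"] == "ProcessCreate"}
    findings = []
    for e in events:
        if e["type"] == "ProcessCreate":
            # Discovery commands are routine from an admin shell; only flag them when
            # the process tree is rooted in rundll32.exe, as described for Emissary.
            for name, pat in DISCOVERY.items():
                if pat.search(e["cmdline"]) and _under(by_pid, e["pid"], "rundll32.exe"):
                    findings.append(("discovery-under-rundll32", name, e["pid"]))
        elif e["type"] == "RegistryValueSet":
            if RUN_KEY.search(e["target"]) and "rundll32.exe" in e["details"].lower():
                findings.append(("run-key-rundll32", e["target"], e["pid"]))
        elif e["type"] == "CreateRemoteThread":
            src, dst = e["source_image"].lower(), e["target_image"].lower()
            if src.endswith("rundll32.exe") and dst.endswith("iexplore.exe"):
                findings.append(("inject-into-iexplore", e["target_image"], e["pid"]))
    return findings

SAMPLE_EVENTS = [  # constructed sample telemetry (hypothetical field names), not real logs
    {"type": "ProcessCreate", "pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"type": "ProcessCreate", "pid": 200, "ppid": 100, "image": r"C:\Windows\System32\rundll32.exe", "cmdline": r"rundll32.exe C:\Users\Public\plugin.dll,Start"},
    {"type": "ProcessCreate", "pid": 300, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c net localgroup administrators"},
    {"type": "ProcessCreate", "pid": 310, "ppid": 300, "image": r"C:\Windows\System32\net1.exe", "cmdline": "net1 localgroup administrators"},
    {"type": "ProcessCreate", "pid": 400, "ppid": 100, "image": r"C:\Windows\System32\ipconfig.exe", "cmdline": "ipconfig /all"},  # benign: not under rundll32
    {"type": "RegistryValueSet", "pid": 200, "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater", "details": r"rundll32.exe C:\Users\Public\plugin.dll,Start"},
    {"type": "CreateRemoteThread", "pid": 200, "source_image": r"C:\Windows\System32\rundll32.exe", "target_image": r"C:\Program Files\Internet Explorer\iexplore.exe"},
]
```

Running `find_emissary_indicators(SAMPLE_EVENTS)` flags the two localgroup enumerations under rundll32.exe, the Run value and the injection, while the ipconfig /all launched from explorer.exe is left alone.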
Vulnerabilities exploited
4 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
...to deploy another trojan related to Elise codenamed Emissary.
CVE-2018-0802 and CVE-2017-11882: Critical memory corruption vulnerabilities in the legacy Microsoft Office Equation Editor (EQNEDT32.EXE) used extensively during “Spring Dragon” campaigns to deliver Elise and Emissary Trojan payloads...
...spear-phishing campaigns exploiting Microsoft Office vulnerabilities like CVE-2012-0158...
CVE-2012-0158: A foundational vulnerability in Microsoft Office ActiveX controls used for several years...
Groups observed using it
1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
...to deploy another trojan related to Elise codenamed Emissary.
Techniques & procedures
21 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access (3 techniques)
“The group also conducted watering hole attacks by compromising trusted regional websites.”
“Spring Dragon… deployed watering hole techniques, compromising regional websites…”
Execution (2 techniques)
The content repeatedly describes use of cmd.exe, cmd /c, Windows command shell, and xp_cmdshell to execute commands, run payloads, launch binaries, perform reconnaissance, persistence, cleanup, and ransomware actions. Examples include: 'Sandworm Team used the xp_cmdshell command in MS-SQL', 'APT41 used cmd.exe /c to execute commands on remote machines', and many malware families 'can use cmd.exe to execute commands on a compromised host.'
Many entries explicitly state malware 'can create a reverse shell' or 'launch a remote shell,' including 4H RAT, AuditCred, BLACKCOFFEE, Carbanak, DarkComet, Exaramel for Windows, PlugX, QuasarRAT, and ZxShell.
Persistence (2 techniques)
During the 2016 Ukraine Electric Power Attack, Sandworm Team used an arbitrary system service to load at system boot for persistence for Industroyer. They also replaced the ImagePath registry value of a Windows service with a new backdoor binary.
The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, or .lnk files in the Startup folder.
Privilege Escalation (3 techniques)
During the 2016 Ukraine Electric Power Attack, Sandworm Team used an arbitrary system service to load at system boot for persistence for Industroyer. They also replaced the ImagePath registry value of a Windows service with a new backdoor binary.
The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, or .lnk files in the Startup folder.
Stealth (5 techniques)
The content repeatedly describes payloads, strings, configuration files, scripts, URLs, and binaries being obfuscated or encoded using Base64, XOR, RC4, AES, RSA, hex encoding, custom algorithms, and other methods across many malware families and threat actors.
Discovery (5 techniques)
"actors used the following command ... to obtain information about services: net start"; "APT1 used the commands net start and tasklist to get a listing of the services on the system"; "OilRig has used sc query on a victim to gather information about services"; "Indrik Spider has used the win32_service WMI class to retrieve a list of services"
The content repeatedly describes malware and threat actors using commands and APIs such as ipconfig /all, ifconfig, arp -a, route print, nbtstat, netsh, GetAdaptersInfo, and GetIpNetTable to gather IP addresses, MAC addresses, DNS, DHCP, gateways, routing tables, ARP cache, proxy settings, domains, and network adapter/interface details.
The content repeatedly describes malware and threat actors collecting host details such as OS version, hostname, architecture, CPU, memory, BIOS, domain, language, and other configuration data; e.g., "APT41 uses multiple built-in commands such as systeminfo and net config Workstation to enumerate victim system basic configuration information."
Command and Control (4 techniques)
The content repeatedly describes threat actors and malware using HTTP and HTTPS for command and control, such as: "Sandworm Team used BlackEnergy to communicate between compromised hosts and their command-and-control servers via HTTP post requests."
4H RAT has the capability to create a remote shell. AuditCred can open a reverse shell on the system to execute commands. PlugX allows actors to spawn a reverse shell on a victim. QuasarRAT can launch a remote shell to execute commands on the victim’s machine.
"3PARA RAT command and control commands are encrypted within the HTTP C2 channel using the DES algorithm in CBC mode..."; "APT33 has used AES for encryption of command and control traffic."; "Carbanak encrypts the message body of HTTP traffic with RC2 (in CBC mode)."; "Duqu ... data stream can be encrypted with AES-CBC."; "PoisonIvy uses the Camellia cipher to encrypt communications."
Recent activity
18 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Trojan/backdoor referenced as delivered by Lotus Blossom via invitation-themed phishing lures (historical reporting).
Remote access implant used alongside Elise; executed via legitimate Windows binaries (e.g., rundll32) indicating LOLBin tradecraft and tool refinement.
A trojan related to Elise, deployed via spear-phishing and exploiting a Microsoft Windows OLE flaw.
Software changes: ... Emissary