WebDAV-as-a-Service: Uncovering the infrastructure behind Emmenhtal loader distribution
ID: b733d0af-e64f-5201-8d8c-b442f9fd3cd8
STIX ID: report--b733d0af-e64f-5201-8d8c-b442f9fd3cd8
Feed Name: Sekoia.io Blog
Since December 2023, Sekoia TDR has tracked a WebDAV-based infrastructure hosting weaponized .lnk files. Opening one of these shortcuts launches mshta.exe, which fetches the Emmenhtal (also tracked as PeakLight) memory-only loader from that infrastructure. The infrastructure has been used to distribute a wide range of malware, mostly infostealers and commodity loaders. The report includes extensive IOCs (URLs and IP addresses), documents recurring hosting patterns across the same ASNs, and assesses that the infrastructure is likely operated as a criminal Infrastructure-as-a-Service.
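The delivery chain summarized above (shortcut file, then mshta.exe reaching out to a remote WebDAV share) leaves a recognizable trace in process-creation telemetry: mshta.exe spawned by the shell with a URL or a UNC path as its argument. The following detection logic is an added example, not code or data from the Sekoia report; the events are constructed (TEST-NET addresses, made-up share and file names), and the field names `parent`, `image` and `cmdline` are assumed to have been mapped from whatever EDR or Sysmon source is in use. It relies on one Windows fact that the page does not state but that holds regardless of the report: the WebDAV mini-redirector addresses shares as `\\host@port\...` or `\\host@SSL\...`, so an `@` in the UNC host is a strong hint that the target is WebDAV rather than SMB.

```python
import re

# Constructed sample process-creation events (not from the Sekoia report).
# IPs are from the RFC 5737 TEST-NET ranges; share and file names are invented.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'"C:\Windows\System32\mshta.exe" \\192.0.2.10@80\share\invoice.hta'},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'"C:\Windows\System32\mshta.exe" http://198.51.100.7/update'},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'"C:\Windows\System32\mshta.exe" \\203.0.113.5@8080\DavWWWRoot\x.hta'},
    # Benign: a local installer running a local HTA, not launched from the shell.
    {"parent": r"C:\Program Files\App\setup.exe", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'"C:\Windows\System32\mshta.exe" C:\Program Files\App\installer.hta'},
    # Benign: remote path, but not mshta.exe.
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r'"C:\Windows\System32\notepad.exe" \\192.0.2.10@80\share\readme.txt'},
]

# A remote target is either an http(s) URL or a UNC path (\\host\share\...).
REMOTE_TARGET = re.compile(r'(https?://\S+|\\\\[^\\\s]+\\\S+)', re.IGNORECASE)


def arguments(cmdline):
    """Drop the leading image token (quoted or bare) and return the remaining arguments."""
    m = re.match(r'\s*(?:"[^"]*"|\S+)\s*', cmdline)
    return cmdline[m.end():] if m else cmdline


def classify_target(target):
    """Label a remote target as 'url', 'webdav_unc' or plain 'unc'."""
    if target.lower().startswith(("http://", "https://")):
        return "url"
    host = target.lstrip("\\").split("\\", 1)[0]
    # WebDAV mini-redirector syntax is \\host@port\... or \\host@SSL\...;
    # DavWWWRoot is the virtual root the redirector exposes for WebDAV servers.
    if "@" in host or "davwwwroot" in target.lower():
        return "webdav_unc"
    return "unc"


def detect_mshta_remote(events):
    """Return one alert per mshta.exe launch whose argument points at a remote location."""
    alerts = []
    for ev in events:
        if not ev["image"].lower().endswith("\\mshta.exe"):
            continue
        m = REMOTE_TARGET.search(arguments(ev["cmdline"]))
        if not m:
            continue
        target = m.group(1)
        alerts.append({
            "target": target,
            "kind": classify_target(target),
            # explorer.exe as parent is what a double-clicked .lnk looks like.
            "from_shell": ev["parent"].lower().endswith("\\explorer.exe"),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_mshta_remote(SAMPLE_EVENTS):
        print(alert)
```

In production the `kind` and `from_shell` fields are what you would weight: mshta.exe with a WebDAV UNC argument under explorer.exe is rare enough in most estates to page on directly, while a bare `url` hit is worth correlating with the 4624 logon or DNS telemetry before escalating.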
