Technical Analysis of a Novel IMEEX Framework
ID: 1b2033da-4b35-5e65-817a-629f69930859
STIX ID: report--1b2033da-4b35-5e65-817a-629f69930859
Feed Name: Intezer Blog
IMEEX is a custom 64-bit Windows remote access framework observed in samples submitted from Djibouti and Afghanistan; it performs system reconnaissance, file and process management, registry manipulation, dynamic module loading, and encrypted C2 communications (commonly over TCP/443). The report provides sample hashes, C2 domains and IPs (e.g., yurtumawat.wwwhost.us, erkinhorshiden.onedumb.com, bbsnews.sytes.net, 45.141.139.146), mutexes, Registry locations used for module tracking, Python decoding scripts, and a YARA detection rule; analysts note possible infrastructure overlap with ShadowPad but do not claim definitive attribution.