Emissary uses HTTP or HTTPS for C2.^[1]

Variants ofEmissary have added Run Registry keys to establish persistence.^[2]

Emissary has the capability to create a remote shell and execute specified commands.^[1]

Emissary is capable of configuring itself as a service.^[2]

The C2 server response to a beacon sent by a variant ofEmissary contains a 36-character GUID value that is used as an encryption key for subsequent network communications. Some variants ofEmissary use various XOR operations to encrypt C2 data.^[1]

Emissary has the capability to executegpresult.^[2]

Emissary has the capability to download files from the C2 server.^[1]

A variant ofEmissary appends junk data to the end of its DLL file to create a large file that may exceed the maximum size that anti-virus programs can scan.^[2]

Variants ofEmissary encrypt payloads using various XOR ciphers, as well as a custom algorithm that uses the "srand" and "rand" functions.^[1][2]

Emissary has the capability to execute the commandnet localgroup administrators.^[2]

Emissary injects its DLL file into a newly spawned Internet Explorer process.^[1]

Variants ofEmissary have used rundll32.exe in Registry values added to establish persistence.^[2]

Emissary has the capability to execute ver and systeminfo commands.^[2]

Emissary has the capability to execute the commandipconfig /all.^[2]

Emissary has the capability to execute the commandnet start to interact with services.^[2]

Lotus Blossom has usedEmissary.^[1][2]