Changelog of Emissary trojan

In December 2015, Unit 42 published a blog about a cyber espionage attack using the Emissary Trojan as a payload. Emissary is related to the Elise Trojan and the Operation Lotus Blossom attack campaign, which prompted us to start collecting additional samples of Emissary.
The oldest sample we found was created in 2009, indicating this tool has been in use for almost seven years. Of note, this is three years earlier than the oldest Elise sample we have found, suggesting this group has been active longer than previously documented. In addition, Emissary appears to only be used against Taiwanese or Hong Kong based targets, all of the decoys are written in Traditional Chinese, and they use themes related to the government or military.
We also found several different versions of Emissary that had several iterative changes that show how the Trojan evolved over the years. One of the most interesting observations made during this analysis is that the amount of development effort devoted to Emissary significantly increased after we published our Operation Lotus Blossom report in June 2015, resulting in many new versions of the Emissary Trojan. In addition, we observed a TTP shift post publication with regards to their malware delivery; they started using compromised but legitimate domains to serve their malware. Interestingly, the C2 infrastructure is also somewhat different than that used by Elise.