Amadey
Amadey is a modular malware loader/botnet sold as a malware-as-a-service offering and advertised on darknet forums by the account InCrease since October 2018. Its primary purpose is to distribute additional malware to compromised systems; reported modules also include clipboard monitoring, credential theft, VNC-based remote access, and later hVNC, MSI silent installer support, RDP enabling, SYSTEM-level cmd.exe execution, and support for encrypted payloads. ESET reported that Amadey operates under a pay-per-rebuild model in which affiliates buy a license and pay for each new build, and that affiliates run their own self-hosted administration panels and infrastructure rather than relying on centrally managed C2, resulting in a fragmented ecosystem. ESET identified 53 unique Amadey clusters and noted that one cluster accounted for nearly 34% of processed Amadey samples and appeared to operate a pay-per-install model, often delivering multiple Lumma Stealer samples from different affiliates to the same victim. Amadey has been tracked globally, with detections reported especially in India, Turkey, Egypt, Mexico, and Spain. Delivery methods observed in telemetry include fake software updates, cracked software installers, and third-party malware loaders. Technically, Amadey samples contain at least one hardcoded C&C URL (up to three entries are supported), embed an RC4 key used for C&C encryption, and include an sd value transmitted during the initial handshake that likely represents a build identifier. It communicates over HTTP POST in a three-stage lifecycle of initial beacon, registration, and tasking. ESET reported a complete codebase rewrite in August 2020 with version 1.99.5, and version 5.03 released in October 2024. Recent reporting tied Amadey to campaign fbf543, an active botnet operation that distributed more than 100 samples across 23 malware families in 10 days and over 50 payloads in four days.
In that campaign, Amadey deployed legitimate, signed remote management and monitoring tools from ConnectWise, DattoRMM, Atera, GoToResolve, and N-able as persistent backdoors by abusing normal vendor provisioning workflows and pre-configuring installers to connect to attacker-controlled relay infrastructure. The same campaign also delivered malware including Vidar, StealC, LummaStealer, Rhadamanthys, RemcosRAT, ValleyRAT, XWorm, QuasarRAT, AsyncRAT, DarkVisionRAT, SmokeLoader, SantaStealer, RustyStealer, SalatStealer, Fuery, and a VOLK/XMRig-based cryptominer. Breakglass Intelligence assessed the fbf543 operator profile as consistent with an Initial Access Broker or ransomware affiliate playbook. Amadey was also one of the malware families targeted in Operation Endgame, a coordinated disruption effort involving Microsoft Digital Crimes Unit, ESET, BitSight, Lumen, Mitsui Bussan Secure Directions, and law enforcement partners. The operation targeted all known affiliate-operated infrastructure for Amadey and Stealc and affected about 50 domains and nearly 200 active IP-based command-and-control servers.
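The RC4-protected HTTP POST channel described above, shown from the analyst's side as an added illustration that is not Amadey's code or its actual wire format: the RC4 routine is the standard algorithm, but the key, the form-encoded layout and the field names (including sd) are constructed assumptions. The point it demonstrates is that RC4 is symmetric, so a key recovered from a sample decrypts captured traffic in both directions, and a decode that yields well-formed fields carrying an sd value is a practical check that the right key was extracted.

```python
"""Decode an RC4-protected, form-encoded C&C beacon with a key recovered from a sample.
Added example: key, field names and body layout are constructed, not taken from any sample."""

from urllib.parse import parse_qs, urlencode


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 key scheduling plus keystream generation; encrypt and decrypt are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


# Constructed values for the demonstration (assumptions, not from any real sample).
SAMPLE_KEY = b"example-rc4-key"
SAMPLE_BEACON_FIELDS = {"id": "1234567890", "sd": "abc123", "os": "10", "ar": "1"}


def build_beacon(fields: dict, key: bytes) -> bytes:
    """Form-encode the fields and RC4-encrypt them, i.e. what a bot would POST (assumed layout)."""
    return rc4(key, urlencode(fields).encode("ascii"))


def decode_beacon(body: bytes, key: bytes) -> dict:
    """Reverse build_beacon on a captured body; return {} when the key does not produce valid text."""
    try:
        plain = rc4(key, body).decode("ascii")
        parsed = parse_qs(plain, strict_parsing=True)
    except (UnicodeDecodeError, ValueError):
        return {}
    if not plain.isprintable():
        return {}
    return {k: v[0] for k, v in parsed.items()}


def has_handshake_marker(fields: dict) -> bool:
    """True when the decoded beacon carries the sd value sent during the initial handshake."""
    return "sd" in fields


if __name__ == "__main__":
    captured = build_beacon(SAMPLE_BEACON_FIELDS, SAMPLE_KEY)  # stands in for a captured POST body
    decoded = decode_beacon(captured, SAMPLE_KEY)
    print("decoded with sample key:", decoded, "handshake:", has_handshake_marker(decoded))
    print("decoded with wrong key:", decode_beacon(captured, b"wrong-key"))
```

With a wrong key the RC4 output is effectively random bytes, so the ASCII decode or the strict form parse fails and the function returns an empty dict rather than garbage; for real captures the parse step would be replaced with whatever layout the sample under analysis actually uses.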
Targeting
Where they target
Geographies tied to known operations.
- 🇮🇳 India
- 🇹🇷 Türkiye
- 🇪🇬 Egypt
- 🇲🇽 Mexico
- 🇪🇸 Spain
Tradecraft
6 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
5 malware families attributed to this actor across reporting.
Recent activity
4 sources tracked across advisories, community write-ups, and news.
Malware-as-a-service loader ecosystem whose affiliates operate their own C2 infrastructure and use it to distribute additional malware, exfiltrate data, and enable remote access. The report discusses disruption of Amadey infrastructure and clustering of affiliate-operated botnets.
Conducting a multi-stage botnet campaign that delivers stealers, RATs, and legitimate RMM tools for persistent access, with likely monetization through access sales, ransomware affiliate activity, or cryptomining.
Botnet/BaaS staging operation distributing numerous commodity malware families for multiple customers through a shared upstream provider also linked to evilgrou-tech infrastructure.
Modular Windows botnet used as malware-as-a-service to deliver Fuery and VOLK CryptoMiner in campaign fbf543.