Malware · Ransomware · Used by 4 actors

Amadey

Amadey is a modular malware-as-a-service loader/botnet active since 2018 and sold on Russian-language or darknet forums. It is primarily used as a dropper/loader to provide initial access to compromised Windows systems and deliver second-stage payloads, including infostealers and ransomware-related malware. Multiple sources in the content describe Amadey as frequently used alongside StealC, with Amadey enabling access and payload delivery while StealC steals credentials and other sensitive data.

The malware is mainly disseminated through phishing campaigns, though reporting in the content also notes delivery via fake software updates, cracked software installers, third-party malware loaders, GitHub in earlier activity, and an exploited self-hosted GitLab instance in a documented 2025 campaign. In that campaign, Amadey downloaded additional components including a clipper plugin and the StealC infostealer from gitlab.bzctoons.net.

Amadey is described as modular and capable of more than simple payload delivery. Reported capabilities include downloading and executing follow-on malware, information stealing, credential theft, clipboard monitoring or clipper functionality, screenshot capture, data exfiltration, and remote-access/RAT-like features including VNC-based access. One source states the main bot effectively works as a RAT, with dynamically tasked payload distribution from C2. ESET reporting in the content notes modules for clipboard monitoring, credential theft, and VNC-based remote access. Europol-linked reporting also states Amadey can retrieve sensitive data from infected systems.

Technical details directly mentioned in the content include HTTP-based C2 communications, RC4-encrypted communications or data exchange, hardcoded C2 URLs, embedded build identifiers, and anti-sandbox behavior requiring a live C2 response before registration and persistence complete. In the Trellix-described December 2025 campaign, Amadey used a mutex named f936986d553273aef6eeaeef713ad28f, stored an RC4/decryption key 828065b4fbbccc7d69743a0648c2f656 and bot ID 07072f in plaintext, beaconed to 91.92.243.129/0gjSy4hf3/index.php, requested plugin clip64.dll, downloaded StealC from https://gitlab.bzctoons.net/suau/fds/-/raw/main/protected.zip, and established persistence via the scheduled task file C:\Windows\Tasks\Yfgfwb.job. Reported hashes from that campaign were d7a366fa4d31c901ce3bcb6760d7bb5aa7cab49bb54d8c6551b3df14c8cf64e7 for the Amadey loader Yfgfwb.exe, bae0f38f58ad93728261f09840721ebedb9669a445f40083396fdd0da38a22a7 for clip64.dll, and b5d4cc84845cb101f8bda324729ebedd8acd36cc8ec32f80969c4fb6d3c2b8a7 for the StealC payload x64_protect.exe.
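As an added example (not code from the original page or from any of the vendor reports it summarizes), the following Python checks Sysmon-style events against the campaign indicators quoted above and flags the beacon-then-persist ordering that the anti-sandbox gate produces; the event field names and the sample events are constructed assumptions.

```python
# Indicators quoted in the profile above (Trellix-described December 2025 campaign).
C2_IP = "91.92.243.129"
C2_PATH = "/0gjSy4hf3/index.php"
TASK_FILE = r"C:\Windows\Tasks\Yfgfwb.job"
PLUGIN_DLL = "clip64.dll"
SHA256_LABELS = {
    "d7a366fa4d31c901ce3bcb6760d7bb5aa7cab49bb54d8c6551b3df14c8cf64e7": "Amadey loader Yfgfwb.exe",
    "bae0f38f58ad93728261f09840721ebedb9669a445f40083396fdd0da38a22a7": "clip64.dll plugin",
    "b5d4cc84845cb101f8bda324729ebedd8acd36cc8ec32f80969c4fb6d3c2b8a7": "StealC x64_protect.exe",
}

def match_event(ev):
    """Return the indicator labels a single Sysmon-style event (a dict) matches."""
    hits = []
    sha = ev.get("sha256", "").lower()
    if sha in SHA256_LABELS:
        hits.append("hash:" + SHA256_LABELS[sha])
    if ev.get("dest_ip") == C2_IP:
        hits.append("c2-ip")
    if C2_PATH in ev.get("url", ""):
        hits.append("c2-url")
    if ev.get("target_file", "").lower() == TASK_FILE.lower():
        hits.append("task-file")
    cmd = ev.get("cmdline", "").lower()
    if "rundll32" in cmd and PLUGIN_DLL in cmd:
        hits.append("rundll32-clip64")
    return hits

def correlate(events):
    """Flag PIDs that reached the C2 and only afterwards wrote the scheduled-task file.
    That order mirrors the anti-sandbox gate: persistence follows a live C2 response."""
    beaconed, flagged = set(), []
    for ev in sorted(events, key=lambda e: e["ts"]):
        hits = match_event(ev)
        if "c2-ip" in hits or "c2-url" in hits:
            beaconed.add(ev["pid"])
        if "task-file" in hits and ev["pid"] in beaconed:
            flagged.append(ev["pid"])
    return flagged

# Constructed sample events (assumed field names, not real telemetry); pid 4242 acts like the loader.
SAMPLE_EVENTS = [
    {"ts": 1, "pid": 4242, "cmdline": "Yfgfwb.exe",
     "sha256": "d7a366fa4d31c901ce3bcb6760d7bb5aa7cab49bb54d8c6551b3df14c8cf64e7"},
    {"ts": 2, "pid": 4242, "dest_ip": "91.92.243.129", "url": "http://91.92.243.129/0gjSy4hf3/index.php"},
    {"ts": 3, "pid": 4242, "target_file": r"C:\Windows\Tasks\Yfgfwb.job"},
    {"ts": 4, "pid": 5151, "cmdline": "rundll32.exe clip64.dll"},
    {"ts": 5, "pid": 6060, "target_file": r"C:\Windows\Tasks\Backup.job"},  # constructed benign-looking write, no beacon
]
```

A `.job` write with no preceding beacon from the same process (the last sample event) is deliberately not flagged, so the sequence check adds precision over matching the path alone.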

The content links Amadey to broad criminal use in larger attack chains and ransomware enablement. It is characterized as an early-stage access and delivery component in the cybercrime supply chain and as infrastructure disrupted during Operation Endgame in June 2026. Microsoft, Europol, and partners reported that Amadey and StealC shared infrastructure despite being developed by separate actors, and Microsoft also cited observed use of Amadey by the Russian-affiliated actor Secret Blizzard to deploy custom malware against targets in Ukraine. Targeting is broad and global rather than sector-specific in the provided content, with infections and victim systems discussed worldwide.


THREAT ACTORS

Groups observed using it

4 distinct threat actors attributed by public researchers.

Turla

Amadey and StealC are often used alongside each other: Amadey helps attackers gain access to devices, while StealC steals passwords and sensitive information.

via Microsoft On the Issues (blogs.microsoft.com)
InCrease

A coordinated law enforcement operation, in partnership with private sector companies, including Bitdefender, Bitsight, ESET, and Microsoft, has resulted in the takedown of criminal infrastructure powering Amadey and StealC. ... SocGholish and Amadey function as loaders for introducing next-stage malware ... A C++-based modular backdoor, it's known to be active since October 2018 and advertised by a threat actor known as InCrease.

via The Hacker News (thehackernews.com)
Kimsuky

the group had deployed publicly available malware including gh0st RAT, QUASARRAT, and AMADEY

via Industrial Cyber (industrialcyber.co)
WIZARD SPIDER

References https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

via Splunk Research (research.splunk.com)
MITRE ATT&CK

Techniques & procedures

30 distinct techniques documented for this family, organized by ATT&CK tactic.

Resource Development

1 technique
T1587.001 Malware (evidence: 1)

The European police agency has in fact announced the dismantling of a broader criminal infrastructure that also included the Amadey and SocGholish droppers.

Initial Access

4 techniques
T1078 Valid Accounts (evidence: 2)

The stolen data can be used by criminals to impersonate the victim and thereby steal money from them, or to gain access to (corporate) networks and make more victims there.

T1189 Drive-by Compromise (evidence: 1)

Victims are infected through, among other things, downloads of software from untrustworthy sources or via phishing emails.

T1195 Supply Chain Compromise (evidence: 1)

The most common methods included fake software updates, cracked software installers, and third-party malware loaders.

T1566 Phishing (evidence: 5)

Victims are infected through, among other things, downloads of software from untrustworthy sources or via phishing emails.

Execution

4 techniques
T1059.003 Windows Command Shell (evidence: 1)

The second major evolution arrived in the release of v5.03 in October 2024, which delivered a dense wave of new capabilities: hVNC with reverse connect, MSI silent installer support, RDP enabling, cmd.exe execution with SYSTEM privileges...

T1106 Native API (evidence: 1)

T1106 Native API Amadey utilizes various Windows API functions throughout its execution.

T1127 Trusted Developer Utilities Proxy Execution (evidence: 1)

the abuse of trusted platforms such as GitHub or cloud-storage services to host payloads and evade filtering

T1204.002 Malicious File (evidence: 1)

T1204.002 User Execution: Malicious File Amadey and Stealc are distributed as a PE file to be executed by the victim.

Persistence

2 techniques
T1078 Valid Accounts (evidence: 2)

The stolen data can be used by criminals to impersonate the victim and thereby steal money from them, or to gain access to (corporate) networks and make more victims there.

T1547 Boot or Logon Autostart Execution (evidence: 1)

it only writes persistence once the server acknowledges its registration. Both are anti-sandbox gates

Privilege Escalation

2 techniques
T1078 Valid Accounts (evidence: 2)

The stolen data can be used by criminals to impersonate the victim and thereby steal money from them, or to gain access to (corporate) networks and make more victims there.

T1547 Boot or Logon Autostart Execution (evidence: 1)

it only writes persistence once the server acknowledges its registration. Both are anti-sandbox gates

Stealth

7 techniques
T1027 Obfuscated Files or Information (evidence: 2)

The malware stores all critical strings in the .rdata section in encrypted form... Amadey uses a modified Base64 algorithm for string decryption with a custom character set.

T1027.015 Compression (evidence: 1)

T1027.015 Obfuscated Files or Information: Compression Amadey can download, decompress, and execute payloads delivered in ZIP archives.

T1078 Valid Accounts (evidence: 2)

The stolen data can be used by criminals to impersonate the victim and thereby steal money from them, or to gain access to (corporate) networks and make more victims there.

T1127 Trusted Developer Utilities Proxy Execution (evidence: 1)

the abuse of trusted platforms such as GitHub or cloud-storage services to host payloads and evade filtering

T1140 Deobfuscate/Decode Files or Information (evidence: 1)

T1140 Deobfuscate/Decode Files or Information Amadey and Stealc encrypt their strings, network traffic, and downloaded payloads.

T1218.007 Msiexec (evidence: 1)

T1218.007 Signed Binary Proxy Execution: Msiexec Amadey can download and execute an additional payload distributed in an MSI package.

T1218.011 Rundll32 (evidence: 1)

rundll32.exe - Loads the clip64.dll plugin for additional functionality

Credential Access

2 techniques
T1555 Credentials from Password Stores (evidence: 1)

Amadey was in fact used by attackers to subsequently deploy StealC, which is responsible for collecting sensitive data, from credentials to financial information.

T1649 Steal or Forge Authentication Certificates (evidence: 1)

Subsequently, sensitive data such as login names, passwords, crypto wallets, and system information are stolen unnoticed from the victim's computer and forwarded to the criminal.

Discovery

6 techniques
T1012 Query Registry (evidence: 1)

T1012 Query Registry Amadey reads various data from the registry, such as data to harvest, Windows version, and keyboard layout.

T1033 System Owner/User Discovery (evidence: 1)

Registration – the bot transmits RC4-encrypted system information encoded as a flat key-value string. This data includes the operating system version, username, PC name...

T1057 Process Discovery (evidence: 1)

T1057 Process Discovery Amadey’s credential stealer plugin enumerates running processes to identify targeted applications. Stealc also enumerates running processes during its initial execution stage.

T1082 System Information Discovery (evidence: 3)

Amadey was seen last year "abusing GitHub as it collected system information from infected devices and installed customized payloads."

T1083 File and Directory Discovery (evidence: 1)

Stealc includes a configurable file grabber that allows affiliates to specify custom patterns defining files to exfiltrate from compromised machines.

T1518.001 Security Software Discovery (evidence: 1)

T1518.001 Software Discovery: Security Software Discovery Amadey checks the system for a set of security products and reports those installed to its C&C server.

Collection

2 techniques
T1005 Data from Local System (evidence: 1)

Amadey – a malware dropper/loader that was mainly disseminated through phishing campaigns... The malware also had information stealer capabilities and could therefore retrieve sensitive data.

T1113 Screen Capture (evidence: 2)

The following example shows Amadey uploading a screenshot of the infected system.

Command and Control

3 techniques
T1071 Application Layer Protocol (evidence: 4)

law enforcement leveraged the RICO Act ... to dismantle over 200 command hubs controlling malicious software networks.

T1090 Proxy (evidence: 1)

the panel can then task it... open a VNC or reverse-proxy session... We've also documented Amadey pushing proxy malware like Socks5Systemz

T1105 Ingress Tool Transfer (evidence: 9)

In December, the latter reported a new Amadey campaign "exploiting a compromised self-hosted GitLab instance to distribute the StealC information stealer"

Exfiltration

2 techniques
T1020 Automated Exfiltration (evidence: 1)

T1020 Automated Exfiltration Amadey and Stealc exfiltrate collected data to their C&Cs fully automatically without operator interaction.

T1041 Exfiltration Over C2 Channel (evidence: 1)

Subsequently, sensitive data such as login names, passwords, crypto wallets, and system information are stolen unnoticed from the victim's computer and forwarded to the criminal.

INDICATORS OF COMPROMISE

IOCs tracked for this family

772 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.

Network
101 tracked

IPs, domains, and DNS infrastructure linked to this family.

Hashes
63 tracked

File hashes (MD5, SHA-1, SHA-256) from samples and reports.

Other
608 tracked

Other indicator types observed in public reporting.
