Amadey

Malware updated 10 days ago (2024-10-07T16:01:31.019Z)
Amadey is a form of malware, malicious software designed to exploit and damage computer systems. This particular malware is distributed via the Amadey loader, which can be disseminated through phishing emails or downloads from compromised sites. It has been observed that the individual behind the Remcos and GuLoader sales uses malware such as Amadey and Formbook for personal use and relies on GuLoader as protection against antivirus detection. The developers may claim that Remcos and GuLoader are legitimate software; however, our analysis revealed two truly malicious payloads, identified as Amadey Loader, and the corresponding GuLoader shellcodes that load and decrypt these payloads. During our investigation into the ROKRAT infection chain, we discovered a similar chain leading to the deployment of Amadey, a commercial Remote Access Trojan (RAT) sold on underground forums. This malware was found to be part of various infection chains and lures used by APT37 in their recent attacks, resulting in payloads of ROKRAT and Amadey. In one instance, Amadey was found to load StealC and an "AutoIt2Exe" binary from a specific URL and execute them. We also observed an emerging threat in which the Socks5Systemz proxy service was delivered via PrivateLoader and Amadey. This development underscores the increasing sophistication of cybercriminal tactics. Furthermore, we identified a connection between RansomHub's new anti-EDR tactics and Amadey infrastructure, highlighting the potential for this malware to be involved in more advanced and diverse cyber threats. For further information about the Bitdefender Threat Intelligence solution and how it can help protect against threats like Amadey, please visit our product page.
Description last updated: 2024-10-07T15:19:21.577Z
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names / profiles you may also want to look at.
Alias / Description / Votes
ROKRAT is a possible alias for Amadey. RokRAT is a sophisticated malware that has been used by the cyber-espionage group ScarCruft, primarily to target South Korean media and research organizations. The malware is typically delivered via phishing emails with ZIP file attachments containing LNK files disguised as Word documents. However,
Votes: 3
Formbook is a possible alias for Amadey. Formbook is a type of malware, malicious software designed to exploit and damage computer systems. It infects systems through suspicious downloads, emails, or websites and can steal personal information, disrupt operations, or hold data hostage for ransom. Formbook has been linked with other forms o
Votes: 2
Amadey Loader is a possible alias for Amadey. Amadey Loader is a notorious malware that has been identified as a significant threat to computer systems. This malicious software, designed to exploit and damage your computer or device, can infect systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once i
Votes: 2
Socks5systemz is a possible alias for Amadey. Socks5Systemz is a malicious software (malware) that has been identified as a significant threat to computer systems worldwide. The malware, delivered via the PrivateLoader and Amadey loaders, functions by exploiting and damaging infected devices, often without the user's knowledge. Once inside a sy
Votes: 2
Azorult is a possible alias for Amadey. Azorult is a type of malware, or malicious software, that infiltrates systems to exploit and damage them, often without the user's knowledge. It has historically been one of the favored infostealers sold on the marketplace 2easy, alongside RedLine, Raccoon, Vidar, and Taurus. However, as of late Feb
Votes: 2
Privateloader is a possible alias for Amadey. PrivateLoader is a notable malware that has been active since at least December 19, 2022. It acts as the first step in many malware schemes, often initiating an infection chain that leads to other malicious software. The malware can infiltrate systems through suspicious downloads, emails, or website
Votes: 2
GuLoader is a possible alias for Amadey. GuLoader is a potent malware that has been causing significant cybersecurity concerns. It operates by infecting systems through suspicious downloads, emails, or websites and then proceeds to exploit the system, often stealing personal information, disrupting operations, or holding data hostage for r
Votes: 2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Rat
Antivirus
Backdoor
Botnet
Bot
Proxy
Phishing
Scams
Cybercrime
Trojan
Exploit
Remcos
Associated Malware
Malware associations recorded for Amadey.
Alias / Description / Association Type / Votes
The Redline Malware is associated with Amadey. RedLine is a type of malware, a malicious software designed to exploit and damage computer systems. It can infiltrate systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, RedLine can steal personal information, disrupt operations, or deliver further
Association type: Unspecified. Votes: 4
The Smokeloader Malware is associated with Amadey. Smokeloader is a malicious software (malware) that has been utilized by threat actors, specifically Phobos actors, to embed ransomware as a hidden payload. This malware, acting as a loader for other malware, infects systems through suspicious downloads, emails, or websites, often without the victim'
Association type: Unspecified. Votes: 3
The KONNI Malware is associated with Amadey. Konni is a malicious software (malware) linked to North Korea, specifically associated with the state-sponsored Kimsuky group. This advanced persistent threat (APT) has been active since at least 2021, focusing on high-profile targets such as the Russian Ministry of Foreign Affairs, the Russian Emba
Association type: Unspecified. Votes: 2
The Redline Stealer Malware is associated with Amadey. RedLine Stealer is a type of malware, or malicious software, that infiltrates computer systems with the intent to exploit and cause damage. It typically gains access through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside the system, it can steal personal i
Association type: Unspecified. Votes: 2
The Systembc Malware is associated with Amadey. SystemBC is a type of malware that has been heavily used in cyber-attacks, often alongside other malicious software. It was observed being used with Quicksand and BlackBasta in 2023, during attacks attributed to a team deploying BlackBasta. The Play ransomware group also utilized SystemBC as part of
Association type: Unspecified. Votes: 2
Associated Threat Actors
Threat actor associations recorded for Amadey.
Alias / Description / Association Type / Votes
The APT37 Threat Actor is associated with Amadey. APT37, also known as InkSquid, RedEyes, BadRAT, Reaper, ScarCruft, and Ricochet Chollima, is a threat actor suspected to be backed by North Korea. It primarily targets South Korea, but its activities have extended to Japan, Vietnam, the Middle East, and recently Cambodia, across various industry ver
Association type: Unspecified. Votes: 3
Source Document References
Information about the Amadey Malware was read from the documents corpus below. This display is limited to 20 results.
Source / Created
Bitdefender, 11 days ago
Trend Micro, a month ago
Securityaffairs, a month ago
Securityaffairs, 2 months ago
Securityaffairs, 2 months ago
Securityaffairs, 3 months ago
Securityaffairs, 3 months ago
Securityaffairs, 3 months ago
Securityaffairs, 3 months ago
DARKReading, 4 months ago
Securityaffairs, 4 months ago
Securityaffairs, 4 months ago
Securityaffairs, 4 months ago
Securityaffairs, 5 months ago
Securityaffairs, 5 months ago
Securityaffairs, 6 months ago
ESET, 6 months ago
Securityaffairs, 6 months ago
Securityaffairs, 6 months ago
Securityaffairs, 7 months ago