Amadey

Malware updated 22 days ago (2024-11-29T14:33:43.513Z)
Amadey is malware that has been known since 2018 and is notorious for stealing credentials from popular browsers and various Virtual Network Computing (VNC) systems. Often sold on underground forums, it uses sophisticated techniques to infect systems, including GuLoader as protection against antivirus detection. It was discovered that the individual behind the Remcos and GuLoader sales personally uses malware such as Amadey and Formbook. In some instances, Amadey downloads the Remcos remote access tool to the victim's device, giving attackers full control. The infection chains and lures used by APT37 have led to payloads of ROKRAT and Amadey, as discussed in our report: during analysis of the ROKRAT infection chain, a similar chain leading to the deployment of Amadey was found. This commercial Remote Access Trojan (RAT) has featured in numerous security reports and is now being spread through the same campaign. Furthermore, a particular CAPTCHA lure was found to deliver not only Lumma but also the Amadey Trojan. Despite claims that Remcos and GuLoader are legitimate software, truly malicious payloads identified as Amadey Loader were found, along with the corresponding GuLoader shellcodes that load and decrypt them. The malware is distributed via the Amadey loader, which can be spread through phishing emails or downloads from compromised sites. In one example, Amadey loaded StealC and an "AutoIt2Exe" binary from a specific URL and executed them, further demonstrating its harmful capabilities.
Description last updated: 2024-11-15T16:17:26.279Z
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so the following are possible overlapping names or profiles that may also be worth looking at.
Alias / Description / Votes
ROKRAT is a possible alias for Amadey. RokRAT is a form of malware that has been utilized in cyber-espionage campaigns primarily targeting South Korean entities. It is typically delivered via phishing emails containing ZIP file attachments, which contain LNK files disguised as Word documents. When the LNK file is activated, a PowerShell (Votes: 3)
Socks5systemz is a possible alias for Amadey. Socks5Systemz is a malicious software (malware) that has been identified as a significant threat to computer systems worldwide. The malware, delivered via the PrivateLoader and Amadey loaders, functions by exploiting and damaging infected devices, often without the user's knowledge. Once inside a sy (Votes: 2)
Privateloader is a possible alias for Amadey. PrivateLoader is a notable malware that has been active since at least December 19, 2022. It acts as the first step in many malware schemes, often initiating an infection chain that leads to other malicious software. The malware can infiltrate systems through suspicious downloads, emails, or website (Votes: 2)
Azorult is a possible alias for Amadey. Azorult is a type of malware, or malicious software, that infiltrates systems to exploit and damage them, often without the user's knowledge. It has historically been one of the favored infostealers sold on the marketplace 2easy, alongside RedLine, Raccoon, Vidar, and Taurus. However, as of late Feb (Votes: 2)
GuLoader is a possible alias for Amadey. GuLoader is a potent malware that has been causing significant cybersecurity concerns. It operates by infecting systems through suspicious downloads, emails, or websites and then proceeds to exploit the system, often stealing personal information, disrupting operations, or holding data hostage for r (Votes: 2)
Formbook is a possible alias for Amadey. Formbook is a type of malware, malicious software designed to exploit and damage computer systems. It infects systems through suspicious downloads, emails, or websites and can steal personal information, disrupt operations, or hold data hostage for ransom. Formbook has been linked with other forms o (Votes: 2)
Amadey Loader is a possible alias for Amadey. Amadey Loader is a notorious malware that has been identified as a significant threat to computer systems. This malicious software, designed to exploit and damage your computer or device, can infect systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once i (Votes: 2)
Miscellaneous Associations
Other elements of context that could aid in assessing relevance: Malware, Rat, Bot, Antivirus, Botnet, Backdoor, Trojan, Proxy, Phishing, Scams, Cybercrime, Exploit, Remcos
Associated Malware
Alias / Description / Association Type / Votes
The Redline Malware is associated with Amadey. RedLine is a type of malware, or malicious software, designed to exploit and damage computer systems. It infects systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can steal personal information, disrupt operations, or even hold data hostage for (Association type: Unspecified; Votes: 4)
The Smokeloader Malware is associated with Amadey. SmokeLoader is a malicious software (malware) that acts as a loader for other malware, injecting malicious code into the currently running explorer process and downloading additional payloads to the system. It has been used in conjunction with Phobos ransomware by threat actors who exploit its funct (Association type: Unspecified; Votes: 3)
The Lumma Malware is associated with Amadey. Lumma is a malicious software (malware) that has been causing significant security concerns due to its ability to steal sensitive information. The malware was delivered to victims primarily through websites hosting cracked games, specifically targeting gamers. In August and September, researchers re (Association type: Unspecified; Votes: 2)
The KONNI Malware is associated with Amadey. Konni is a malicious software (malware) linked to North Korea, specifically associated with the state-sponsored Kimsuky group. This advanced persistent threat (APT) has been active since at least 2021, focusing on high-profile targets such as the Russian Ministry of Foreign Affairs, the Russian Emba (Association type: Unspecified; Votes: 2)
The Redline Stealer Malware is associated with Amadey. The RedLine Stealer is a formidable malware that specializes in stealthily stealing credentials and sensitive information. First documented in 2020, it has since evolved to use the Windows Communication Foundation (WCF) framework and later a REST API for network communication. This malware infects s (Association type: Unspecified; Votes: 2)
The Systembc Malware is associated with Amadey. SystemBC is a type of malware, or malicious software, known for its disruptive and exploitative nature. It infiltrates systems through dubious downloads, emails, or websites, often unbeknownst to the user. Once embedded, it can steal personal information, interrupt operations, or hold data hostage f (Association type: Unspecified; Votes: 2)
Associated Threat Actors
Alias / Description / Association Type / Votes
The APT37 Threat Actor is associated with Amadey. APT37, also known as RedAnt, RedEyes, ScarCruft, and Group123, is a threat actor suspected to be backed by North Korea. It has been active since at least 2012, primarily targeting South Korea across various industry verticals such as chemicals, electronics, manufacturing, aerospace, automotive, and (Association type: Unspecified; Votes: 3)
Source Document References
Information about the Amadey malware was read from the document corpus below (this display is limited to 20 results).
Source / Created
Securelist (2 months ago)
Bitdefender (2 months ago)
Trend Micro (3 months ago)
Securityaffairs (3 months ago)
Securityaffairs (4 months ago)
Securityaffairs (5 months ago)
Securityaffairs (5 months ago)
Securityaffairs (5 months ago)
Securityaffairs (5 months ago)
Securityaffairs (5 months ago)
DARKReading (6 months ago)
Securityaffairs (6 months ago)
Securityaffairs (6 months ago)
Securityaffairs (6 months ago)
Securityaffairs (7 months ago)
Securityaffairs (8 months ago)
Securityaffairs (8 months ago)
ESET (8 months ago)
Securityaffairs (8 months ago)
Securityaffairs (8 months ago)