Amadey Loader

Malware Profile Updated a month ago
Amadey Loader is a malware family, malicious software designed to infiltrate and damage computer systems. It can enter systems stealthily through suspicious downloads, emails, or websites, and once inside it can steal personal information, disrupt operations, or hold data hostage for ransom. This particular malware was identified in a folder alongside GuLoader shellcodes that load and decrypt payloads, despite the developers' claims that Remcos and GuLoader are legitimate software. The evidence suggests that an individual or group known as EMINэM has been implicated in the deployment of several malware families, including Amadey Loader and Formbook; the latter is a notorious information stealer used to extract sensitive data from infected systems. There is substantial proof of EMINэM's involvement in distributing these harmful programs, forming a comprehensive case against them. Proofpoint, a cybersecurity company, has observed at least five different malware families delivered using similar methods, including Lumma Stealer, Amadey Loader, and JaskaGo. Lumma Stealer is another dangerous malware family that has been spread through weaponized YouTube channels. The threat landscape is therefore diverse, with multiple infection vectors, and calls for robust, comprehensive security measures.
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so listed below are some possibly overlapping names and profiles you may also want to look at.
ID | Votes | Profile Description
Cloudeye | 1 | Cloudeye, also known as GuLoader, is a sophisticated malware that has been active for over three years and continues to evolve. First spotted in late 2019, it is an advanced shellcode-based malware downloader used to distribute a range of payloads, such as information stealers, while incorporating n
Amadey | 1 | Amadey is a malicious software (malware) that has been found to be used in conjunction with other malware such as Remcos, GuLoader, and Formbook. Analysis of the infection chains revealed that the individual behind the sales of Remcos and GuLoader also uses Amadey and Formbook, using GuLoader as a p
Miscellaneous Associations
Other elements of context that could aid in assessing relevance
Malware: Remcos
Associated Malware
ID | Type | Votes | Profile Description
Lumma Stealer | Unspecified | 1 | Lumma Stealer is a malicious software (malware) that infiltrates systems primarily to steal personal information, disrupt operations, and exploit vulnerabilities. According to the ESET Threat Report H2 2023, Lumma Stealer gained significant traction in the second half of 2023, with its capabilities
GuLoader | Unspecified | 1 | GuLoader is a type of malware that infiltrates systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside a system, it can steal personal information, disrupt operations, or even hold data hostage for ransom. GuLoader is encrypted with NSIS Crypter and has
Formbook | Unspecified | 1 | Formbook is a type of malware known for its ability to steal personal information, disrupt operations, and potentially hold data for ransom. The malware is commonly spread through suspicious downloads, emails, or websites, often without the user's knowledge. In June 2023, Formbook was observed being
Lumma | Unspecified | 1 | Lumma is a prominent malware, particularly known as an information stealer. It is delivered through various means, including suspicious downloads, emails, and websites. In one instance observed by Palo Alto Networks' Unit 42, Lumma was sent over Latrodectus C2 in an infection chain. In another campa
Theprotect | Unspecified | 1 | TheProtect is a new brand of malware, previously known as GuLoader. It is being openly sold on the websites BreakingSecurity and VgoStore, both administered by an individual operating under the alias EMINэM. TheProtect is also advertised in these platforms' respective Telegram groups. Our analysis h
Associated Threat Actors
ID | Type | Votes | Profile Description
No associations to display
Associated Vulnerabilities
ID | Type | Votes | Profile Description
No associations to display
Source Document References
Information about the Amadey Loader malware was read from the document corpus below. This display is limited to 20 results.
Source | Created | Title
DARKReading | a month ago | Cut & Paste Tactics Import Malware to Unwitting Victims
Checkpoint | 10 months ago | Unveiling the Shadows: The Dark Alliance between GuLoader and Remcos - Check Point Research