Amadey
Amadey is a botnet and malware-distribution operation observed in active campaigns, including the campaign tracked as fbf543. In the provided reporting, Amadey functioned as a delivery and staging platform for a broad set of commodity malware and post-compromise tooling, including Vidar, StealC, SmokeLoader, LummaStealer, Rhadamanthys, RemcosRAT, ValleyRAT, XWorm, QuasarRAT, AsyncRAT, DarkVisionRAT, SantaStealer, RustyStealer, SalatStealer, Fuery, VOLK CryptoMiner, HijackLoader, GCleaner, and a CoinMiner signed with a stolen AnyDesk certificate. A prominent Amadey campaign, tagged fbf543, abused legitimate remote management and monitoring (RMM) tools from ConnectWise, DattoRMM, Atera, GoToResolve, and N-able as persistent backdoors. The binaries were described as stock, validly signed vendor installers rather than trojanized software; the malicious element was their pre-configuration to connect to attacker-controlled relay infrastructure. The campaign used multiple RMM tools simultaneously for redundant persistence and also used NirCmd to silently execute commands and install additional payloads. Social-engineering filenames included ZoomInstaller.EXE, Documentt.exe, CateredFitCorp.exe, and turnerlabels.EXE. Reporting assessed the operator profile for this campaign as consistent with an Initial Access Broker or ransomware affiliate. The fbf543 infrastructure included an Amadey staging server at 158.94.211.222 that distributed more than 100 samples across 23 malware families in 10 days, and more than 50 payloads over four days from March 6 to March 9, 2026. Associated infrastructure included relay.gatewayssupply.net:8041, itfreedom.help:8041, and 91.92.243.111:8041, as well as abused ConnectWise cloud relay instances and identified instance IDs.
The same campaign also delivered Fuery, a garble-obfuscated Go implant with raw WinSock-based C2, process injection via thread hijacking, reconnaissance, anti-analysis, and file-operation capabilities, and VOLK CryptoMiner, a Rust-based multi-layer loader that ultimately deployed XMRig 6.25.0 and persisted via the "System Security Purview" service and the mutex "SLIM_ACTIVE". The reporting also links Amadey distribution channels to broader criminal-ecosystem overlap: Breakglass Intelligence reported that WaterHydra/evilgrou-tech used Amadey distribution channels, and that the Amadey staging server associated with fbf543 was hosted on AS202412 OMEGATECH with upstream transit through AS51396 PFCLOUD. No additional aliases or sub-groups beyond the name Amadey are directly supported in the provided content.
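The indicators above (the staging server, the three relay endpoints on port 8041, the lure filenames, NirCmd execution, the VOLK service name and mutex) are concrete enough to triage against endpoint and network telemetry. The following is an added example, not code from the profile or from any vendor named on this page: a small matcher that parses a constructed key=value log format, checks each event against the fbf543 indicators, and flags hosts where more than one RMM agent is present, since the reporting describes stock RMM installers used together for redundant persistence. The log format, hostnames, paths and process names are constructed for the example; the substring hints used to recognise RMM agents are an assumption.

```python
"""Added example: triage constructed endpoint/network events against the
fbf543 indicators described in the Amadey reporting above. Log format,
hosts and paths are constructed; IOC values come from the reporting."""
import re
from collections import defaultdict

# Indicators named in the reporting (campaign fbf543).
AMADEY_STAGING_IPS = {"158.94.211.222"}
RELAY_ENDPOINTS = {
    ("relay.gatewayssupply.net", 8041),
    ("itfreedom.help", 8041),
    ("91.92.243.111", 8041),
}
LURE_FILENAMES = {"zoominstaller.exe", "documentt.exe",
                  "cateredfitcorp.exe", "turnerlabels.exe"}
VOLK_SERVICE_NAME = "System Security Purview"
VOLK_MUTEX = "SLIM_ACTIVE"
# Assumption: these substrings identify the vendors' agent binaries. An RMM
# agent on its own is not malicious; several unexpected agents plus relay
# traffic on 8041 is the pattern the reporting describes.
RMM_AGENT_HINTS = {"connectwise", "datto", "atera", "gotoresolve", "n-able"}

# Constructed log format: "<host> <net|proc|svc|mutex> key=value ..."
# (values containing spaces are double-quoted).
LINE_RE = re.compile(r"^(?P<host>\S+)\s+(?P<kind>net|proc|svc|mutex)\s+(?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_line(line):
    """Parse one constructed log line into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = {k.group(1): k.group(3) if k.group(3) is not None else k.group(4)
              for k in KV_RE.finditer(m.group("rest"))}
    return {"host": m.group("host"), "kind": m.group("kind"), **fields}


def check_event(ev):
    """Return a list of (label, detail) indicator hits for one parsed event."""
    hits = []
    if ev["kind"] == "net":
        dst, port = ev.get("dst", ""), int(ev.get("dport", 0))
        if dst in AMADEY_STAGING_IPS:
            hits.append(("amadey_staging_server", dst))
        if (dst, port) in RELAY_ENDPOINTS:
            hits.append(("rmm_relay_c2", f"{dst}:{port}"))
    elif ev["kind"] == "proc":
        image = ev.get("image", "")
        name = image.rsplit("\\", 1)[-1].lower()   # strip Windows path
        if name in LURE_FILENAMES:
            hits.append(("fbf543_lure_filename", name))
        if name.startswith("nircmd"):
            hits.append(("nircmd_execution", image))
        hits.extend(("rmm_agent", h) for h in RMM_AGENT_HINTS if h in name)
    elif ev["kind"] == "svc" and ev.get("name") == VOLK_SERVICE_NAME:
        hits.append(("volk_persistence_service", ev["name"]))
    elif ev["kind"] == "mutex" and ev.get("name") == VOLK_MUTEX:
        hits.append(("volk_mutex", ev["name"]))
    return hits


def triage(lines):
    """Group hits per host and flag redundant RMM persistence (>1 agent)."""
    per_host = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            per_host[ev["host"]].extend(check_event(ev))
    report = {}
    for host, hits in per_host.items():
        agents = sorted({d for lbl, d in hits if lbl == "rmm_agent"})
        report[host] = {"labels": sorted({lbl for lbl, _ in hits}),
                        "rmm_agents": agents,
                        "redundant_rmm": len(agents) > 1}
    return report


# Constructed sample telemetry: ws01 mirrors the fbf543 chain, ws02 the VOLK
# persistence artifacts, ws03 is benign noise.
SAMPLE_LOGS = [
    r"ws01 proc image=C:\Users\jdoe\Downloads\ZoomInstaller.EXE pid=4120",
    r"ws01 net dst=158.94.211.222 dport=80 proto=tcp",
    r"ws01 proc image=C:\ProgramData\ConnectWiseControl.ClientService.exe pid=4300",
    r"ws01 proc image=C:\ProgramData\AteraAgent.exe pid=4310",
    r"ws01 net dst=relay.gatewayssupply.net dport=8041 proto=tcp",
    r"ws01 proc image=C:\Windows\Temp\nircmd.exe pid=4400",
    r'ws02 svc name="System Security Purview" state=installed',
    r"ws02 mutex name=SLIM_ACTIVE pid=5120",
    r"ws03 net dst=10.0.0.5 dport=445 proto=tcp",
    r"ws03 proc image=C:\Windows\System32\notepad.exe pid=777",
]

if __name__ == "__main__":
    for host, summary in triage(SAMPLE_LOGS).items():
        print(host, summary)
```

The per-host grouping is the point: a single RMM agent or a single lure-named file is weak evidence, but one host showing a lure filename, a connection to the staging server, two different RMM agents and a relay connection on 8041 matches the chain the reporting describes and is worth escalating. In a real deployment the indicator sets would be loaded from a feed rather than hard-coded, and the RMM hints replaced by the organisation's allow-list of sanctioned agents.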
Tradecraft
6 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
5 malware families attributed to this actor across reporting.
Recent activity
3 sources tracked across advisories, community write-ups, and news.
Conducting a multi-stage botnet campaign that delivers stealers, RATs, and legitimate RMM tools for persistent access, with likely monetization through access sales, ransomware affiliate activity, or cryptomining.
Botnet/BaaS staging operation distributing numerous commodity malware families for multiple customers through a shared upstream provider also linked to evilgrou-tech infrastructure.
Modular Windows botnet used as malware-as-a-service to deliver Fuery and VOLK CryptoMiner in campaign fbf543.