Fuery
Fuery is a Windows implant written in Go 1.20.1 and obfuscated with Garble. It was observed as a payload delivered by the Amadey botnet in campaign fbf543, including a sample masquerading as volunteers.exe. Analysis describes Fuery as using a novel structural obfuscation scheme that embeds Raft consensus protocol data structures such as AppendEntries, VoteRequest, VoteResponse, LogEntry, LogIndex, NodeID, and Term, along with VP8/VP9-related structures, to disguise its custom little-endian binary command-and-control protocol and hinder static analysis. Researchers linked this obfuscation framework to a related SmokeLoader variant compiled with the same Go 1.20.1 toolchain.
Fuery communicates using raw WinSock APIs rather than high-level HTTP/TLS libraries in one analyzed sample set, and supports broad implant functionality including process injection via thread context hijacking, host reconnaissance, file-system operations, anti-analysis checks, and access to the Windows certificate store. Reported anti-analysis features include Wine detection, timer and sleep-manipulation checks, a custom exception handler, SetErrorMode, SetConsoleCtrlHandler, a zeroed PE timestamp, and stripped build paths.
Separate infrastructure analysis identified Fuery command-and-control at laf.oahgsfwklg.top (178.16.54.79), with a server stack of nginx and PHP 7.4.33 using Laravel cookies and a panel named "Monkey." In that observed infrastructure, Fuery used POST requests to single-letter endpoints /t, /s, /c, /f, and /v, which returned base64-encoded encrypted blobs or empty responses. The malware downloaded libeay32.dll and ssleay32.dll corresponding to OpenSSL 1.0.1g, which enabled SMTP exfiltration via smtp.gmail.com over TCP port 465; sandbox traffic was observed to 209.85.202.108:465. One report states the binary contained 13 hardcoded domains, but only laf.oahgsfwklg.top resolved at the time, while the others returned NXDOMAIN.
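The HTTP side of the C2 described above (POSTs to the single-letter endpoints /t, /s, /c, /f and /v, plus fetches of the two OpenSSL DLLs from /fd/) as a proxy-log hunt. This is an added example, not code from any of the cited reports; the log layout and every log line are constructed, and the threshold (two or more distinct Fuery endpoints from one client to one host) is an assumption chosen to keep ordinary single-letter URLs from firing.

```python
"""Proxy-log hunt for the Fuery HTTP C2 pattern (added example; log format constructed).

A lone POST to /t is common on the open web, so a client/host pair is flagged only
once it has touched two or more of the endpoints attributed to this family."""
import re
from collections import defaultdict

# Endpoints and DLL paths as reported for the laf.oahgsfwklg.top infrastructure.
FUERY_ENDPOINTS = {"/t", "/s", "/c", "/f", "/v"}
OPENSSL_DLLS = {"/fd/libeay32.dll", "/fd/ssleay32.dll"}

# Constructed log layout: <client> <method> <host> <path> <status> <response_bytes>
LINE_RE = re.compile(r"^(\S+) (GET|POST) (\S+) (\S+) (\d{3}) (\d+)$")

# Constructed sample lines: one client matching the pattern, two that should not fire.
SAMPLE_LOG = [
    "10.0.0.5 POST laf.oahgsfwklg.top /t 200 0",
    "10.0.0.5 POST laf.oahgsfwklg.top /c 200 344",
    "10.0.0.5 GET laf.oahgsfwklg.top /fd/libeay32.dll 200 1200000",
    "10.0.0.7 POST shortener.example /t 200 512",
    "10.0.0.9 GET cdn.example /index.html 200 2048",
]


def hunt(lines, min_hits: int = 2) -> dict:
    """Return {(client, host): [paths]} for pairs that hit >= min_hits Fuery endpoints."""
    seen = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the expected layout
        client, method, host, path, _status, _size = m.groups()
        if method == "POST" and path in FUERY_ENDPOINTS:
            seen[(client, host)].add(path)
        elif method == "GET" and path in OPENSSL_DLLS:
            seen[(client, host)].add(path)
    return {pair: sorted(paths) for pair, paths in seen.items() if len(paths) >= min_hits}


if __name__ == "__main__":
    for (client, host), paths in hunt(SAMPLE_LOG).items():
        print(f"{client} -> {host}: {', '.join(paths)}")
```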
Fuery has been associated with the operator alias "ingermany" in reporting that linked Fuery and SmokeLoader infrastructure through certificates, hosting history, and WHOIS/SOA artifacts, though attribution confidence is limited. It appeared among multiple malware families distributed in the Amadey fbf543 pay-per-install campaign, indicating use in financially motivated cybercrime operations rather than a single-purpose intrusion set.
Groups observed using it
1 distinct threat actor attributed by public researchers.
Fuery is a garble-obfuscated Go 1.20.1 implant dropped by the Amadey botnet (campaign fbf543) that uses Raft consensus protocol data structures as a novel obfuscation layer to disguise its custom binary C2 protocol.
Techniques & procedures
25 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access (1 technique)
Phishing / loader delivery (T1566): dropped by the Amadey botnet.
Execution (1 technique)
Native API (T1106): LoadLibrary / GetProcAddress used for all DLL resolution.
Persistence (1 technique)
Privilege Escalation (3 techniques)
Process Injection via Thread Hijacking (T1055.003): CreateToolhelp32Snapshot -> Process32FirstW/NextW -> OpenProcess -> SuspendThread -> GetThreadContext -> SetThreadContext -> ResumeThread, the classic thread context hijacking chain.
Access Token Manipulation (T1134): GetTokenInformation.
Stealth (7 techniques)
Novel obfuscation, Raft consensus protocol type abuse: the Go binaries use Raft consensus protocol type names as disguises for malware data structures, so that the binary appears to be a legitimate distributed-systems application during static analysis.
Software Packing (T1027.002): custom identifier obfuscation framework.
Match Legitimate Name (T1036.005): the PE version info populates every field with "volunteers", a thin disguise as a benign application (volunteers.exe masquerade).
Process Injection via Thread Hijacking (T1055.003): the same CreateToolhelp32Snapshot -> Process32FirstW/NextW -> OpenProcess -> SuspendThread -> GetThreadContext -> SetThreadContext -> ResumeThread chain listed under Privilege Escalation.
Timestomp (T1070.006): the PE compile timestamp is zeroed, a deliberate anti-forensics measure.
Access Token Manipulation (T1134): GetTokenInformation.
Deobfuscate/Decode Files (T1140): runtime config construction.
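A static triage check, added here and not part of any vendor's tooling, that scores a file on three of the Stealth traits above: a zeroed COFF timestamp, Raft decoy type names, and the "volunteers" version-info string (version resources are stored UTF-16LE). The sample buffers are constructed, and the rule that any two traits together mark a file for analysis is an assumption.

```python
"""Static triage heuristic for Fuery-like Go implants (added example, constructed samples)."""
import struct

# "Term" is deliberately omitted: four bytes match far too much unrelated text.
RAFT_DECOYS = (b"AppendEntries", b"VoteRequest", b"VoteResponse",
               b"LogEntry", b"LogIndex", b"NodeID")
VERSIONINFO_MARKER = "volunteers".encode("utf-16-le")  # how VS_VERSIONINFO stores strings


def pe_timestamp(data: bytes):
    """Return the COFF TimeDateStamp, or None if the buffer is not PE-shaped."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # +8 skips the 4-byte signature, Machine (2) and NumberOfSections (2).
    return struct.unpack_from("<I", data, e_lfanew + 8)[0]


def triage(data: bytes) -> dict:
    """Score the three traits; two or more together (assumed threshold) flag the file."""
    ts = pe_timestamp(data)
    decoys = [n.decode() for n in RAFT_DECOYS if n in data]
    result = {
        "is_pe": ts is not None,
        "zeroed_timestamp": ts == 0,
        "raft_decoys": decoys,
        "volunteers_versioninfo": VERSIONINFO_MARKER in data,
    }
    score = (int(result["zeroed_timestamp"]) + int(len(decoys) >= 3)
             + int(result["volunteers_versioninfo"]))
    result["suspicious"] = result["is_pe"] and score >= 2
    return result


def build_sample(timestamp: int, tail: bytes) -> bytes:
    """Construct a minimal PE-shaped buffer for testing (not a runnable executable)."""
    hdr = bytearray(0x80)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)  # e_lfanew: COFF header sits at 0x80
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 3, timestamp, 0, 0, 240, 0x22)
    return bytes(hdr) + coff + tail


if __name__ == "__main__":
    fuery_like = build_sample(0, b"\0AppendEntries\0VoteRequest\0VoteResponse\0LogEntry\0" + VERSIONINFO_MARKER)
    print(triage(fuery_like))
    print(triage(build_sample(0x64A1B2C3, b"\0ordinary strings\0")))
```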
Discovery (6 techniques)
Query Registry (T1012): RegOpenKeyExW, RegEnumKeyExW.
System Network Configuration Discovery (T1016): GetAdaptersInfo, GetIfEntry.
System Owner/User Discovery (T1033): GetUserNameExW.
Process Discovery (T1057): CreateToolhelp32Snapshot / Process32FirstW.
System Information Discovery (T1082): GetSystemInfo, RtlGetNtVersionNumbers.
File and Directory Discovery (T1083): FindFirstFileW / FindNextFileW.
Collection (1 technique)
Data from Local System (T1005): ReadFile, CreateFileMappingW.
Command and Control (5 techniques)
Data Obfuscation (T1001): Raft protocol framing.
Application Layer Protocol (T1071): custom binary protocol over raw TCP.
The Fuery bot downloads OpenSSL DLLs from its C2 for SMTP-based exfiltration: /fd/libeay32.dll and /fd/ssleay32.dll. These DLLs enable the bot to exfiltrate data via smtp.gmail.com:465.
Encrypted Channel (T1573): custom encryption (no stdlib crypto).
Exfiltration (2 techniques)
Exfiltration Over C2 Channel (T1041): TransmitFile, WSASend.
SMTP exfiltration: the downloaded OpenSSL DLLs enable the bot to exfiltrate data via smtp.gmail.com:465 (observed in sandbox: TCP to 209.85.202.108:465).
Impact (1 technique)
Service Stop (T1489): TerminateProcess.
IOCs tracked for this family
31 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
3 sources tracked across advisories, community write-ups, and news.
Fuery is listed as one of the malware families delivered by the campaign, but the content does not further characterize its functionality.
A Go-based implant/backdoor delivered by Amadey that uses garble obfuscation and Raft protocol data structures to mask a custom binary C2 protocol. It supports raw-socket C2, DNS-based resolution, process injection via thread hijacking, reconnaissance, file operations, certificate store access, and data exfiltration.
Fuery uses single-letter POST endpoints that return base64-encoded encrypted blobs for telemetry, status, command retrieval, and file operations. It also downloads legacy OpenSSL DLLs from its C2 and uses them to exfiltrate data over Gmail SMTP on port 465.