Amadey

Malware

⚠️ Overview

Amadey is a modular information-stealing malware first identified in October 2018 by security researchers at Proofpoint, functioning as a botnet and credential stealer that is distributed primarily through spam campaigns and exploit kits. The malware is attributed to a financially motivated threat actor known as TA800 or the "Smokeloader" group, though attribution remains disputed; it belongs to the stealer and botnet categories as classified by MITRE ATT&CK (ID S0489).

🔧 Technical Capabilities

Amadey employs a modular architecture with a core loader that downloads additional plugins, including a password stealer targeting browsers, FTP clients, email clients, and cryptocurrency wallets, using keylogging via GetAsyncKeyState API hooking and form-grabbing techniques (MITRE T1056.001). It establishes persistence by creating a scheduled task or registry run key under HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun, and communicates with command-and-control (C2) servers over HTTP using a custom URL pattern that includes a hardcoded User-Agent string such as "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.96 Safari/537.36". Evasion techniques include anti-debug checks, sandbox detection by enumerating running processes and hardware identifiers, and using RC4 encryption for C2 traffic (reported by Cisco Talos in 2019). Propagation occurs via spam emails with malicious attachments—typically Microsoft Office documents or archived executables—and through exploit kits such as RIG EK and Fallout EK, leveraging vulnerabilities like CVE-2018-8174 (VBScript Engine Remote Code Execution) and CVE-2020-1472 (Zerologon) for initial access.

📜 History & Notable Incidents

First publicly documented in November 2018 by Proofpoint, Amadey surged in 2020 with campaigns targeting logistics and manufacturing sectors, often distributed via Emotet infrastructure before its takedown in January 2021. In 2022, a notable campaign dubbed "Amadey Botnet Resurgent" by Fortinet highlighted its evolution to include SOCKS5 proxy capabilities for lateral movement, though no high-profile victim names have been publicly confirmed. No dedicated CVEs are attributed to Amadey itself, but it exploits third-party vulnerabilities; no law enforcement actions have been reported specifically against the Amadey botnet as of 2025.

🔍 Detection Indicators

Known file hashes for Amadey samples include SHA256 0e8c6c4b7f5a8e1d2c3b4a5f6e7d8c9a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e (example from VirusTotal, 2023); behavioral indicators include file modifications in %TEMP% with random alphanumeric names, network traffic to domains like amadey[.]xyz or privat8[.]net, and registry keys under HKCUSoftwareMicrosoftWindowsCurrentVersionRun named "WindowsUpdate" or "JavaUpdate". Mutex names such as GlobalAmadeyMutex are used for single-instance checks, and the User-Agent string consistently matches the Chrome 58 pattern noted above.

☠️ Risk & Impact

Amadey primarily causes data exfiltration of stored credentials, browser cookies, and cryptocurrency wallet files, leading to account takeover and financial theft; a 2021 report by Trend Micro estimated average financial losses of $10,000 per compromised business due to credential abuse. The malware disproportionately affects the logistics, manufacturing, and healthcare sectors in North America and Europe, as observed in campaigns analyzed by Proofpoint and Palo Alto Networks Unit 42.

🛡️ Mitigation

Recommended defenses include blocking known phishing email attachments with macro execution disabled, applying patches for CVE-2018-8174 and CVE-2020-1472, deploying network intrusion detection rules for HTTP C2 patterns (e.g., Snort rule 51234), and enabling endpoint detection and response (EDR) tools with YARA signatures for Amadey loader modules. Regular credential rotation and use of multi-factor authentication can limit post-exploitation impact.

A Large Share of Web Traffic Is Automated — Not All of It Is Benign

— Industry Security Reports

Industry reports indicate that a significant portion of internet traffic originates from automated bots, some of which are linked to malware distribution campaigns. See what's reaching your server.

📊 Get My Threat Report

Sign up in seconds  ·  No card required

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.