AMTsol

Malware

⚠️ Overview

AMTsol is a highly modular remote access trojan (RAT) first documented in October 2022 by researchers at Unit 42 (Palo Alto Networks) under the tracked name “AMTsol,” attributed to a financially motivated threat group tracked as TA-647. It is primarily used for credential theft and persistent backdoor access in targeted attacks against financial services and government entities in Southeast Asia.

🔧 Technical Capabilities

AMTsol spreads via spear‑phishing emails carrying weaponized Microsoft Office documents (exploiting CVE-2021-40444) and uses a multi‑stage PowerShell loader to download the main payload from a hardcoded command‑and‑control (C2) server reachable over HTTPS on port 443. The malware installs a Windows service named “AMTService” for persistence and employs process hollowing to evade static detection; it also rotates its C2 domain every 48 hours using a domain generation algorithm (DGA) seeded with the current date. AMTsol captures keystrokes, steals browser‑stored credentials, and exfiltrates data via encrypted HTTP POST requests carrying the custom User‑Agent string “Mozilla/5.0 (AMTsolAgent/1.0)”. It can execute arbitrary shell commands, upload and download files, and take screenshots through modular plugins retrieved from the C2.

📜 History & Notable Incidents

The earliest known AMTsol sample was submitted to VirusTotal in March 2022, but the first confirmed campaign occurred in November 2022 targeting a major Thai bank, resulting in the theft of over 10,000 customer credentials. In January 2023, the group used AMTsol against a Philippine government agency’s HR system, exploiting a zero‑day in Microsoft Equation Editor (CVE-2023-21716). No law enforcement actions have been publicly announced as of early 2025.

🔍 Detection Indicators

Known SHA‑256 hashes for AMTsol loader samples include e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 and d6a0b3c8e6f1f4a2b5c7d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9. Network IOCs include the domains “amtsol-c2[.]top” and “update-amtsol[.]net”. The registry key “HKLM\SYSTEM\CurrentControlSet\Services\AMTService” and the mutex name “Global\AMTsol_Mutex_2022” are characteristic indicators of compromise.

☠️ Risk & Impact

AMTsol poses a high risk due to its ability to steal credentials, exfiltrate sensitive documents, and maintain persistent backdoor access. Financial losses are estimated at over $4.5 million from confirmed incidents, with the most affected sectors being banking, insurance, and government administration in Southeast Asia.

🛡️ Mitigation

Organizations should block spear‑phishing emails with attachment scanning (YARA rules for AMTService macros), apply the Microsoft patches for CVE-2021-40444 and CVE-2023-21716, enable EDR telemetry to detect process hollowing, and alert on the specific User‑Agent string. Network‑based detection can use Snort rules alerting on HTTP POST requests to the known C2 domains.
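The following is an added example, not code from the profile's publishers or from Unit 42, showing how the network and host indicators listed in the Detection Indicators section above can be checked in practice: it refangs the defanged C2 domains, matches proxy-log lines on the User‑Agent string and on POST requests to the C2 domains, compares a file's SHA‑256 against the listed loader hashes, and checks enumerated service and mutex names against the persistence artifacts. The proxy-log format and the sample log lines are constructed for the example (assumptions), not a real product's format or real traffic.

```python
"""Defensive matcher for the AMTsol indicators listed in the profile above.

Added example; the indicator values are copied from the profile, everything
else (log format, sample lines, function names) is an assumption.
"""
import hashlib
import re
from urllib.parse import urlparse

# Indicators copied from the profile. Domains are defanged ("[.]") there;
# refang() turns them into matchable hostnames.
AMTSOL_USER_AGENT = "Mozilla/5.0 (AMTsolAgent/1.0)"
AMTSOL_C2_DOMAINS_DEFANGED = ["amtsol-c2[.]top", "update-amtsol[.]net"]
AMTSOL_LOADER_SHA256 = {
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "d6a0b3c8e6f1f4a2b5c7d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9",
}
AMTSOL_SERVICE_NAME = "AMTService"
AMTSOL_MUTEX = "Global\\AMTsol_Mutex_2022"


def refang(indicator: str) -> str:
    """Undo "[.]" defanging and normalise the non-breaking hyphen (U+2011)
    that copied IOC text often contains, so it compares equal to real hosts."""
    return indicator.replace("[.]", ".").replace("\u2011", "-").lower()


AMTSOL_C2_DOMAINS = {refang(d) for d in AMTSOL_C2_DOMAINS_DEFANGED}

# Constructed proxy-log format (assumption, not a real product's format):
#   <timestamp> <client-ip> <method> <url> "<user-agent>" <status>
PROXY_LINE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
    r'"(?P<ua>[^"]*)" (?P<status>\d{3})$'
)


def analyze_proxy_line(line: str) -> list:
    """Return the AMTsol indicator tags matched by one proxy-log line.

    Tags: 'user-agent' (the custom User-Agent), 'c2-domain' (request to a
    listed C2 host) and 'c2-post' (POST to a C2 host, i.e. the exfiltration
    pattern the profile describes). Unparsable lines yield no tags.
    """
    m = PROXY_LINE.match(line.strip())
    if not m:
        return []
    tags = []
    if m["ua"] == AMTSOL_USER_AGENT:
        tags.append("user-agent")
    host = (urlparse(m["url"]).hostname or "").lower()
    if host in AMTSOL_C2_DOMAINS:
        tags.append("c2-domain")
        if m["method"] == "POST":
            tags.append("c2-post")
    return tags


def sha256_is_known_loader(data: bytes) -> bool:
    """True if the SHA-256 of `data` is one of the listed loader hashes."""
    return hashlib.sha256(data).hexdigest() in AMTSOL_LOADER_SHA256


def host_artifact_hits(service_names, mutex_names) -> list:
    """Compare enumerated service and mutex names (e.g. from an EDR host
    query) with the persistence service and mutex indicators."""
    hits = []
    if any(s.lower() == AMTSOL_SERVICE_NAME.lower() for s in service_names):
        hits.append("service:" + AMTSOL_SERVICE_NAME)
    if AMTSOL_MUTEX in mutex_names:
        hits.append("mutex:" + AMTSOL_MUTEX)
    return hits


def scan_log(text: str) -> list:
    """Return (line number, tags) for every line matching at least one indicator."""
    results = []
    for n, line in enumerate(text.splitlines(), 1):
        tags = analyze_proxy_line(line)
        if tags:
            results.append((n, tags))
    return results


# Constructed sample lines (not real traffic): line 1 is the exfiltration
# pattern, line 2 is benign, line 3 is a plugin fetch from a C2 host.
SAMPLE_LOG = """\
2023-01-12T10:22:31Z 10.0.0.5 POST https://update-amtsol.net/upload "Mozilla/5.0 (AMTsolAgent/1.0)" 200
2023-01-12T10:22:35Z 10.0.0.7 GET https://www.example.com/ "Mozilla/5.0 (Windows NT 10.0; Win64; x64)" 200
2023-01-12T10:23:02Z 10.0.0.5 GET https://amtsol-c2.top/plugins/screen.dll "Mozilla/5.0 (Windows NT 10.0; Win64; x64)" 200
"""

if __name__ == "__main__":
    for n, tags in scan_log(SAMPLE_LOG):
        print(f"line {n}: {', '.join(tags)}")
    print("host:", host_artifact_hits(["Spooler", "AMTService"], [AMTSOL_MUTEX]))
```

The domain match is exact-host rather than substring so that unrelated hostnames containing "amtsol" are not flagged; since the profile says the C2 domain rotates every 48 hours via a DGA, the static domain list should be treated as a historical indicator and the User‑Agent and host artifacts as the more durable ones.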


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.