Amadey (Malware Family)

SYMBOL	COMMON_NAME	aka. SYNONYMS

win.amadey (Back to overview)

Amadey

VTCollection URLhaus

Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.

References

2025-12-08 ⋅ Swisscom B2B CSIRT ⋅ Matthieu Gras, Swisscom B2B CSIRT
Swisscom B2B CSIRT - TDR Intel Brief: Unmasking Amadey 5
Amadey

2025-08-28 ⋅ Intrinsec ⋅ David Sardinha
VAIZ, FDN3, TK-NET: A nebula of Ukrainian networks engaged in brute force and password spraying attacks
Amadey

2024-12-11 ⋅ Microsoft ⋅ Microsoft Threat Intelligence
Frequent freeloader part II: Russian actor Secret Blizzard using tools of other groups to attack Ukraine
Amadey Kazuar Wipbot FlyingYeti

2024-09-09 ⋅ LinkedIn (Idan Tarab) ⋅ Idan Tarab
APT CoralRaider Expands Arsenal: AmadeyBot, FTP Innovations, and Complex Domain Strategy
Amadey

2024-06-13 ⋅ Github (LambdaMamba) ⋅ Lena Yu
Implementation of a Config Decryptor for Amadey
Amadey

2024-01-30 ⋅ ANY.RUN ⋅ Lena (LambdaMamba)
CrackedCantil: A Malware Symphony Breakdown - PrivateLoader, Smoke, Lumma, RedLine, RisePro, Amadey, Stealc, Socks5Systemz, STOP
Amadey CrackedCantil Lumma Stealer PrivateLoader RedLine Stealer RisePro SmokeLoader Socks5 Systemz Stealc STOP

2024-01-25 ⋅ JSAC 2024 ⋅ Masaki Kasuya
A Study on Long-Term Trends about Amadey C2 Infrastructure
Amadey

2023-12-02 ⋅ Medium g0njxa ⋅ amadey
Approaching stealers devs : a brief interview with Amadey
Amadey

2023-12-01 ⋅ ASEC ⋅ ASEC
Kimsuky Group Uses AutoIt to Create Malware (RftRAT, Amadey)
XRat Amadey Appleseed PEBBLEDASH

2023-11-19 ⋅ Twitter (@embee_research) ⋅ Embee_research
Combining Pivot Points to Identify Malware Infrastructure - Redline, Smokeloader and Cobalt Strike
Amadey Cobalt Strike RedLine Stealer SmokeLoader

2023-11-02 ⋅ BitSight ⋅ BitSight
Unveiling Socks5Systemz: The Rise of a New Proxy Service via PrivateLoader and Amadey
Amadey PrivateLoader Socks5 Systemz

2023-09-04 ⋅ VMRay ⋅ VMRay Labs Team
Amadey: New encoding with old tricks
Amadey

2023-08-31 ⋅ Rapid7 Labs ⋅ Evan McCann, Natalie Zargarov, Thomas Elkins, Tyler McGraw
Fake Update Utilizes New IDAT Loader To Execute StealC and Lumma Infostealers
FAKEUPDATES Amadey HijackLoader Lumma Stealer SectopRAT

2023-08-10 ⋅ Github (muha2xmad) ⋅ Muhammad Hasan Ali
Amadey configuration extractor
Amadey

2023-08-10 ⋅ Github (muha2xmad) ⋅ Muhammad Hasan Ali
Amadey string decryptor
Amadey

2023-07-25 ⋅ splunk ⋅ Splunk Threat Research Team
Amadey Threat Analysis and Detections
Amadey

2023-06-08 ⋅ Twitter (@embee_research) ⋅ Embee_research
Practical Queries for Identifying Malware Infrastructure: An informal page for storing Censys/Shodan queries
Amadey AsyncRAT Cobalt Strike QakBot Quasar RAT Sliver solarmarker

2023-05-19 ⋅ Twitter (@embee_research) ⋅ Embee_research
Analysis of Amadey Bot Infrastructure Using Shodan
Amadey

2023-05-01 ⋅ Check Point Research ⋅ Check Point Research
Chain Reaction: RokRAT's Missing Link
Amadey RokRAT

2023-04-12 ⋅ Spamhaus ⋅ Spamhaus Malware Labs
Spamhaus Botnet Threat Update Q1 2023
FluBot Amadey AsyncRAT Aurora Ave Maria BumbleBee Cobalt Strike DCRat Emotet IcedID ISFB NjRAT QakBot RecordBreaker RedLine Stealer Remcos Rhadamanthys Sliver Tofsee Vidar

2023-04-10 ⋅ Twitter (@embee_research) ⋅ Matthew
Redline Stealer - Static Analysis and C2 Extraction
Amadey RedLine Stealer

2023-01-27 ⋅ cyble ⋅ The Cyber Express
Old Bot in New Bottle: Amadey Botnet Back in Action Via Phishing Sites
Amadey

2023-01-25 ⋅ cyble ⋅ Cyble
The Rise of Amadey Bot: A Growing Concern for Internet Security
Amadey

2022-12-22 ⋅ AhnLab ⋅ Sanseo
Nitol DDoS Malware Installing Amadey Bot
Amadey Nitol

2022-11-08 ⋅ AhnLab ⋅ ASEC
LockBit 3.0 Being Distributed via Amadey Bot
Amadey Gandcrab LockBit

2022-10-17 ⋅ ASEC ⋅ ASEC
Amadey Bot Disguised as a Famous Korean Messenger Program Being Distributed
Amadey

2022-09-29 ⋅ Team Cymru ⋅ S2 Research Team
Seychelles, Seychelles, on the C(2) Shore: An overview of a bulletproof hosting provider named ELITETEAM.
Amadey Raccoon RedLine Stealer SmokeLoader STOP

2022-07-29 ⋅ Blackberry ⋅ BlackBerry Research & Intelligence Team
SmokeLoader Malware Used to Augment Amadey Infostealer
Amadey SmokeLoader

2022-07-21 ⋅ AhnLab ⋅ ASEC
Amadey Bot Being Distributed Through SmokeLoader
Amadey SmokeLoader

2022-05-19 ⋅ Blackberry ⋅ The BlackBerry Research & Intelligence Team
.NET Stubs: Sowing the Seeds of Discord (PureCrypter)
Aberebot AbstractEmu AdoBot 404 Keylogger Agent Tesla Amadey AsyncRAT Ave Maria BitRAT BluStealer Formbook LimeRAT Loki Password Stealer (PWS) Nanocore RAT Orcus RAT Quasar RAT Raccoon RedLine Stealer WhisperGate

2022-04-20 ⋅ cocomelonc ⋅ cocomelonc
Malware development: persistence - part 1. Registry run keys. C++ example.
Agent Tesla Amadey BlackEnergy Cobian RAT COZYDUKE Emotet Empire Downloader Kimsuky

2022-03-31 ⋅ Trellix ⋅ Jambul Tologonov, John Fokker
Conti Leaks: Examining the Panama Papers of Ransomware
LockBit Amadey Buer Conti IcedID LockBit Mailto Maze PhotoLoader Ryuk TrickBot

2021-11-02 ⋅ Minerva ⋅ Natalie Zargarov
Underminer Exploit Kit: The More You Check The More Evasive You Become
Amadey Oski Stealer RedLine Stealer UnderminerEK

2021-08-12 ⋅ Cisco Talos ⋅ Vanja Svajcer
Signed MSI files, Raccoon and Amadey are used for installing ServHelper RAT
Amadey Raccoon ServHelper

2021-07-08 ⋅ Medium walmartglobaltech ⋅ Harold Ogden, Jason Reaves
Amadey stealer plugin adds Mikrotik and Outlook harvesting
Amadey

2021-04-12 ⋅ PTSecurity ⋅ PTSecurity
PaaS, or how hackers evade antivirus software
Amadey Bunitu Cerber Dridex ISFB KPOT Stealer Mailto Nemty Phobos Pony Predator The Thief QakBot Raccoon RTM SmokeLoader Zloader

2021-03-31 ⋅ InfoSec Handlers Diary Blog ⋅ Xavier Mertens
Quick Analysis of a Modular InfoStealer
Amadey

2021-02-23 ⋅ CrowdStrike ⋅ CrowdStrike
2021 Global Threat Report
RansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader Evilnum OUTLAW SPIDER RIDDLE SPIDER SOLAR SPIDER VIKING SPIDER

2021-02-09 ⋅ Max Kersten's Blog ⋅ Max Kersten
Ghidra script to decrypt strings in Amadey 1.09
Amadey

2021-02-01 ⋅ ⋅ Microstep Intelligence Bureau ⋅ Microstep online research response team
Analysis of the attack activity organized by Konni APT using the topic of North Korean epidemic materials as bait
Amadey

2021-01-18 ⋅ Medium csis-techblog ⋅ Benoît Ancel
GCleaner — Garbage Provider Since 2019
Amadey Ficker Stealer Raccoon RedLine Stealer SmokeLoader STOP

2020-06-22 ⋅ ⋅ CERT-FR ⋅ CERT-FR
Évolution De Lactivité du Groupe Cybercriminel TA505
Amadey AndroMut Bart Clop Dridex FlawedGrace Gandcrab Get2 GlobeImposter Jaff Locky Marap Philadephia Ransom QuantLoader Scarab Ransomware SDBbot ServHelper Silence tRat TrickBot

2020-05-20 ⋅ Zscaler ⋅ Amandeep Kumar, Rohit Chaturvedi
Latest Version of Amadey Introduces Screen Capturing and Pushes the Remcos RAT
Amadey Remcos

2020-03-26 ⋅ Telekom ⋅ Thomas Barabosch
TA505's Box of Chocolate - On Hidden Gems packed with the TA505 Packer
Amadey Azorult Clop FlawedGrace Get2 SDBbot Silence TinyMet TA505

2020-02-28 ⋅ Financial Security Institute ⋅ Financial Security Institute
Profiling of TA505 Threat Group That Continues to Attack the Financial Sector
Amadey Clop FlawedAmmyy Rapid Ransom SDBbot TinyMet

2020-02-05 ⋅ Cybereason ⋅ Assaf Dahan, Lior Rochberger
The Hole in the Bucket: Attackers Abuse Bitbucket to Deliver an Arsenal of Malware
Amadey Azorult Predator The Thief STOP Vidar

2020-01-08 ⋅ Blackberry ⋅ Masaki Kasuya
Threat Spotlight: Amadey Bot Targets Non-Russian Users
Amadey

2019-04-27 ⋅ nao_sec ⋅ nao_sec
Analyzing Amadey
Amadey

2019-02-13 ⋅ KrabsOnSecurity ⋅ Mr. Krabs
Analyzing Amadey – a simple native malware
Amadey

2018-11-14 ⋅ Twitter (@0xffff0800) ⋅ 0xffff0800
Tweet on Amadey C2
Amadey

2018-11-13 ⋅ Twitter (@ViriBack) ⋅ Dee
Tweet on Amadey Malware
Amadey

Yara Rules

[TLP:WHITE] win_amadey_auto (20251219 | Detects win.amadey.)

rule win_amadey_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-01-05"
        version = "1"
        description = "Detects win.amadey."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey"
        malpedia_rule_date = "20260105"
        malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79"
        malpedia_version = "20251219"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 5b 8be5 5d c3 5f c6040e00 8bc6 }
            // n = 7, score = 900
            //   5b                   | pop                 ebx
            //   8be5                 | mov                 esp, ebp
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   5f                   | pop                 edi
            //   c6040e00             | mov                 byte ptr [esi + ecx], 0
            //   8bc6                 | mov                 eax, esi

        $sequence_1 = { 57 ff15???????? 85c0 75d9 bb01000000 }
            // n = 5, score = 900
            //   57                   | push                edi
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   75d9                 | jne                 0xffffffdb
            //   bb01000000           | mov                 ebx, 1

        $sequence_2 = { 68???????? eb42 e8???????? 83f801 7431 e8???????? }
            // n = 6, score = 900
            //   68????????           |                     
            //   eb42                 | jmp                 0x44
            //   e8????????           |                     
            //   83f801               | cmp                 eax, 1
            //   7431                 | je                  0x33
            //   e8????????           |                     

        $sequence_3 = { 83ec18 8bcc 68???????? e8???????? 8d4db4 }
            // n = 5, score = 900
            //   83ec18               | sub                 esp, 0x18
            //   8bcc                 | mov                 ecx, esp
            //   68????????           |                     
            //   e8????????           |                     
            //   8d4db4               | lea                 ecx, [ebp - 0x4c]

        $sequence_4 = { 8a0402 88040f 41 8b7dfc 8d4201 }
            // n = 5, score = 900
            //   8a0402               | mov                 al, byte ptr [edx + eax]
            //   88040f               | mov                 byte ptr [edi + ecx], al
            //   41                   | inc                 ecx
            //   8b7dfc               | mov                 edi, dword ptr [ebp - 4]
            //   8d4201               | lea                 eax, [edx + 1]

        $sequence_5 = { 68???????? e8???????? 8d4dcc e8???????? 83c418 }
            // n = 5, score = 900
            //   68????????           |                     
            //   e8????????           |                     
            //   8d4dcc               | lea                 ecx, [ebp - 0x34]
            //   e8????????           |                     
            //   83c418               | add                 esp, 0x18

        $sequence_6 = { 0f434d20 40 50 52 6a02 6a00 51 }
            // n = 7, score = 900
            //   0f434d20             | cmovae              ecx, dword ptr [ebp + 0x20]
            //   40                   | inc                 eax
            //   50                   | push                eax
            //   52                   | push                edx
            //   6a02                 | push                2
            //   6a00                 | push                0
            //   51                   | push                ecx

        $sequence_7 = { 83f811 7413 e8???????? 83f812 7409 6a01 68???????? }
            // n = 7, score = 900
            //   83f811               | cmp                 eax, 0x11
            //   7413                 | je                  0x15
            //   e8????????           |                     
            //   83f812               | cmp                 eax, 0x12
            //   7409                 | je                  0xb
            //   6a01                 | push                1
            //   68????????           |                     

        $sequence_8 = { 68???????? e8???????? 8d4d98 e8???????? 83c418 }
            // n = 5, score = 800
            //   68????????           |                     
            //   e8????????           |                     
            //   8d4d98               | lea                 ecx, [ebp - 0x68]
            //   e8????????           |                     
            //   83c418               | add                 esp, 0x18

        $sequence_9 = { 8b8d78feffff 42 8bc1 81fa00100000 7214 }
            // n = 5, score = 800
            //   8b8d78feffff         | mov                 ecx, dword ptr [ebp - 0x188]
            //   42                   | inc                 edx
            //   8bc1                 | mov                 eax, ecx
            //   81fa00100000         | cmp                 edx, 0x1000
            //   7214                 | jb                  0x16

        $sequence_10 = { 83fa10 722f 8b8d78feffff 42 }
            // n = 4, score = 800
            //   83fa10               | cmp                 edx, 0x10
            //   722f                 | jb                  0x31
            //   8b8d78feffff         | mov                 ecx, dword ptr [ebp - 0x188]
            //   42                   | inc                 edx

        $sequence_11 = { 8b85f49fffff 40 89442404 8d85f8bfffff 890424 e8???????? }
            // n = 6, score = 700
            //   8b85f49fffff         | mov                 eax, dword ptr [ebp - 0x600c]
            //   40                   | inc                 eax
            //   89442404             | mov                 dword ptr [esp + 4], eax
            //   8d85f8bfffff         | lea                 eax, [ebp - 0x4008]
            //   890424               | mov                 dword ptr [esp], eax
            //   e8????????           |                     

        $sequence_12 = { 8d55c8 89442404 891424 e8???????? 85c0 7523 }
            // n = 6, score = 700
            //   8d55c8               | lea                 edx, [ebp - 0x38]
            //   89442404             | mov                 dword ptr [esp + 4], eax
            //   891424               | mov                 dword ptr [esp], edx
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   7523                 | jne                 0x25

        $sequence_13 = { c745fc05000000 c70424???????? e8???????? 890424 e8???????? 84c0 }
            // n = 6, score = 700
            //   c745fc05000000       | mov                 dword ptr [ebp - 4], 5
            //   c70424????????       |                     
            //   e8????????           |                     
            //   890424               | mov                 dword ptr [esp], eax
            //   e8????????           |                     
            //   84c0                 | test                al, al

        $sequence_14 = { 8d85d8fdffff 890424 e8???????? e8???????? 89442404 }
            // n = 5, score = 700
            //   8d85d8fdffff         | lea                 eax, [ebp - 0x228]
            //   890424               | mov                 dword ptr [esp], eax
            //   e8????????           |                     
            //   e8????????           |                     
            //   89442404             | mov                 dword ptr [esp + 4], eax

        $sequence_15 = { 89e5 b828200000 e8???????? 817d08???????? 0f84be000000 }
            // n = 5, score = 700
            //   89e5                 | mov                 ebp, esp
            //   b828200000           | mov                 eax, 0x2028
            //   e8????????           |                     
            //   817d08????????       |                     
            //   0f84be000000         | je                  0xc4

        $sequence_16 = { e8???????? 8b45dc 890424 e8???????? 83ec04 }
            // n = 5, score = 700
            //   e8????????           |                     
            //   8b45dc               | mov                 eax, dword ptr [ebp - 0x24]
            //   890424               | mov                 dword ptr [esp], eax
            //   e8????????           |                     
            //   83ec04               | sub                 esp, 4

        $sequence_17 = { c745fc0c000000 8b45fc c9 c3 }
            // n = 4, score = 700
            //   c745fc0c000000       | mov                 dword ptr [ebp - 4], 0xc
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   c9                   | leave               
            //   c3                   | ret                 

        $sequence_18 = { 55 89e5 81ec48040000 e8???????? 89c2 c744241c00020000 8d85f8fbffff }
            // n = 7, score = 700
            //   55                   | push                ebp
            //   89e5                 | mov                 ebp, esp
            //   81ec48040000         | sub                 esp, 0x448
            //   e8????????           |                     
            //   89c2                 | mov                 edx, eax
            //   c744241c00020000     | mov                 dword ptr [esp + 0x1c], 0x200
            //   8d85f8fbffff         | lea                 eax, [ebp - 0x408]

        $sequence_19 = { 56 57 8b3d???????? 83ec18 }
            // n = 4, score = 700
            //   56                   | push                esi
            //   57                   | push                edi
            //   8b3d????????         |                     
            //   83ec18               | sub                 esp, 0x18

        $sequence_20 = { 722f 8b8d60feffff 42 8bc1 }
            // n = 4, score = 600
            //   722f                 | jb                  0x31
            //   8b8d60feffff         | mov                 ecx, dword ptr [ebp - 0x1a0]
            //   42                   | inc                 edx
            //   8bc1                 | mov                 eax, ecx

    condition:
        7 of them and filesize < 908288
}

Download all Yara Rules

Amadey Propose Change

References

Yara Rules

Amadey