What is Amadey?
Amadey (S1025) is a modular botnet and downloader sold as Malware-as-a-Service (MaaS). Since 2018, criminals have used it to gain an initial foothold on victim machines and then act as a gateway for more damaging payloads, such as the RedLine infostealer or LockBit ransomware.
Amadey is built for versatility. A lightweight core component surveys the infected system, capturing the OS version, antivirus status, and username, and then contacts its Command and Control (C2) server. From there it fetches plugins: cred64.dll steals browser credentials, and clip64.dll swaps cryptocurrency wallet addresses in the clipboard. It spreads through phishing, exploit kits, and bundling with cracked software.
How to Defend Against Amadey?
Defending against Amadey requires stopping the initial delivery and detecting the unique behaviors of its loader and plugins.
- Patch N-day vulnerabilities. Amadey is delivered by exploit kits that target known, already-fixed flaws in software that has not been updated.
- Monitor registry persistence. Check the User Shell Folders and Startup keys; Amadey modifies these so it launches automatically at reboot.
- Deploy endpoint detection. Flag suspicious DLLs in AppData folders, looking specifically for clip64.dll and cred64.dll, and watch for process injection into legitimate processes.
- Use Network Detection and Response (NDR). Use tools like Lumu Defender to identify HTTP POST beacons; Amadey often uses .php URIs to exfiltrate data.
- Integrate threat intelligence. Use platforms like Lumu Maltiverse to block access to the malicious domains and IPs hosting Amadey’s payloads.
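As an added example (not Lumu's code and not from the original page) of turning the registry, endpoint and network checks above into detection logic, the script below runs three rules over constructed telemetry lines. The pipe-delimited event format, the `.invalid` hostnames, user name and sample paths are assumptions made for the demonstration; only the plugin file names, the persistence key names and the POST-to-.php beacon pattern come from the text above.

```python
import re
from urllib.parse import urlparse

# Constructed sample telemetry (not real Amadey indicators): "type|field|field|..."
# registry: key|value name|value data   file: path   http: method|url
SAMPLE_EVENTS = [
    r"registry|HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders|Startup|C:\Users\bob\AppData\Roaming\x1",
    r"file|C:\Users\bob\AppData\Roaming\x1\clip64.dll",
    r"file|C:\Program Files\Vendor\plugin.dll",
    r"http|POST|http://c2.example.invalid/post.php",
    r"http|GET|http://updates.example.invalid/index.html",
    r"registry|HKCU\Software\Microsoft\Windows\CurrentVersion\Run|OneDrive|C:\Program Files\Microsoft OneDrive\OneDrive.exe",
]

# Persistence locations named on the page (plus the classic Run keys), matched at the end of the key path.
PERSISTENCE_KEYS = re.compile(r"\\(User Shell Folders|Run|RunOnce)$", re.IGNORECASE)
# Plugin DLL names named on the page; only alert when they are dropped under a user's AppData tree.
PLUGIN_DLLS = {"clip64.dll", "cred64.dll"}
APPDATA = re.compile(r"\\AppData\\", re.IGNORECASE)


def detect(events):
    """Return (rule_name, detail) tuples for every event that matches one of the three rules."""
    alerts = []
    for line in events:
        kind, *fields = line.split("|")
        if kind == "registry":
            key, name, data = fields
            # Persistence key whose value points into AppData: typical of a dropped loader, not a vendor install.
            if PERSISTENCE_KEYS.search(key) and APPDATA.search(data):
                alerts.append(("registry_persistence", f"{key}\\{name} -> {data}"))
        elif kind == "file":
            path = fields[0]
            basename = path.rsplit("\\", 1)[-1].lower()
            if basename in PLUGIN_DLLS and APPDATA.search(path):
                alerts.append(("amadey_plugin_dll", path))
        elif kind == "http":
            method, url = fields
            # HTTP POST to a .php resource is the beacon/exfiltration shape described above; GETs are ignored.
            if method.upper() == "POST" and urlparse(url).path.lower().endswith(".php"):
                alerts.append(("possible_c2_beacon", url))
    return alerts


if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

The Run-key entry for OneDrive and the vendor DLL under Program Files produce no alert, which is the point: each rule keys on the combination of location and behaviour, not on a name alone.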