Amadey Botnet
Original Issue Date:-
July 02, 2026
Virus Type:- Botnet/ Loader
Severity:-
Medium
It is reported that Amadey is a Windows-based malware family that functions primarily as a botnet malware and malware loader, enabling threat actors to establish an initial foothold on compromised systems and deliver additional malicious payloads. First identified in 2018, Amadey has evolved into a versatile threat capable of system reconnaissance, payload delivery, credential theft and remote command execution. The malware collects information about the infected host, including operating system details, installed security software, hardware configuration and user privileges, before communicating with attacker-controlled Command-and-Control (C2) servers. Recent campaigns have shown Amadey being used to distribute information-stealing malware such as Stealc, highlighting its continued role as an initial access malware in multi-stage intrusion campaigns.
Infection Mechanism:
Amadey is commonly distributed through phishing emails, malicious attachments, trojanized software, exploit kits and compromised or self-hosted GitLab repositories containing malicious executables disguised as legitimate applications or updates. Once executed, the malware establishes persistence on the infected system and initiates communication with its Command-and-Control (C2) server over HTTP to register the compromised host and receive further instructions. It performs system profiling by collecting information such as the operating system version, computer name, user privileges, installed security products and hardware details before downloading and executing additional payloads. Recent campaigns have demonstrated the use of Amadey to retrieve and deploy secondary malware, including credential stealers, while leveraging legitimate services and obfuscated execution techniques to evade detection and prolong its presence within victim environments.
Countermeasures:
- Keep software and OS up-to-date so that attackers may not take advantages of or exploit known vulnerabilities.
- Keep updated Antivirus/Antimalware software to detect any threat before it infects the system/network. Always scan the external drives/removable devices before use. Leverage anti-phishing solutions that help protect credentials and against malicious file downloads.
- Avoid downloading cracked software, software activators or fake key generator programs. Always use genuine software.
- It is also important to keep web filtering tools updated.
- Change default login credentials as they are readily available with attackers.
- Use limited privilege user on the computer or allow administrative access to systems with special administrative accounts for administrators.
- Avoid downloading files from untrusted websites.
- Maintain appropriate Firewall policies to block malicious traffic entering the system/network. Enable a personal firewall on workstation.
- Block the IP addresses of known malicious sites to prevent devices from being able to access them. Activate intelligent website blacklisting to block known bad websites.
- Block websites hosting JavaScript miners both at the gateway and the endpoints.
- Go beyond intrusion detection to protect servers with runtime memory protection for critical applications and server workloads, ensuring a defense against actors who already have a grip on your server.
- Disable Autorun and Autoplay policies.
- Consider using application whitelists to prevent unknown executables from launching autonomously.
- Delete the system changes made by the malware such as files created/ registry entries /services etc.
- Monitor traffic generated from client machines to the domains and IP address mentioned in Installation section.
- Disable unnecessary services on agency workstations and servers
References:
- https://www.binaryanalys.is/posts/amadey/
- https://www.trellix.com/en-in/blogs/research/amadey-exploiting-self-hosted-gitlab-to-distribute-stealc/
- https://www.picussecurity.com/resource/blog/amadey-malware-explained-how-the-windows-botnet-loader-and-rat-work
- https://www.splunk.com/en_us/blog/security/amadey-threat-analysis-and-detections.html