EXECUTIVE SUMMARY
The campaign is operated by a financially motivated criminal group that offers the Amadey botnet and Stealc infostealer as Malware-as-a-Service. Both families are marketed to third-party distributors who purchase access and generate custom builds. Targets include enterprise and consumer environments across Europe, Asia, and the Americas, with a noticeable concentration in India, Turkey, and Mexico. Primary objectives focus on harvesting credentials, cryptocurrency wallet data, and other sensitive files while also delivering additional payloads that enable remote control or ransomware deployment.
Initial infection is typically achieved through trojanized software updates, cracked installers, or third‐party loaders that drop a disguised executable onto the host. Once executed, the payload establishes persistence by creating registry run keys and may inject code into legitimate processes. Encrypted communications using RC4 allow the sample to beacon a command‐and‐control server, receive task lists, and download secondary modules. These modules can exfiltrate harvested credentials, capture browser cookies, or install remote‐access tools, while the attacker retains ongoing control through periodic check‐ins and dynamic build identifiers.
The campaign is significant because the modular architecture lets affiliates rapidly rotate infrastructure, making blacklist‐based defenses quickly obsolete. Encrypted traffic and custom build identifiers hinder network‐based detection, while the ability to load additional payloads complicates endpoint remediation. Organisations should apply timely patches to vulnerable software, enforce strict application allow‐lists, and monitor outbound HTTP traffic for anomalous patterns. Regular offline backups, robust credential hygiene, and multi‐factor authentication further reduce the impact of credential theft. Deploying advanced endpoint protection that can detect suspicious process injection and registry modifications adds another critical layer of defence.
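The run-key persistence described above (T1547.001) is one of the behaviours the recommended endpoint monitoring should catch. The following detection logic is an added example, not part of the original report: it scans constructed Sysmon Event ID 13 (registry value set) records and flags Run/RunOnce values that launch an executable from a user-writable directory. Field names, paths and file names are assumptions.

```python
"""Flag Registry Run-key writes pointing at executables in user-writable
locations. Events are constructed, Sysmon Event ID 13 style dictionaries;
the field names are assumptions, not the report's telemetry."""
import re

RUN_KEY_RE = re.compile(
    r"\\Software\\(?:Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\"
    r"Run(?:Once)?\\", re.IGNORECASE)

# Locations a standard user can write to without elevation. A Run value that
# launches a binary from here is far more suspicious than one under Program Files.
USER_WRITABLE_RE = re.compile(
    r"(?:\\AppData\\(?:Local|Roaming)\\|\\Temp\\|\\Users\\Public\\|"
    r"\\ProgramData\\|\\Downloads\\)", re.IGNORECASE)


def find_suspicious_run_keys(events):
    """Return (writing process, registry key, value data) for every Run-key
    write whose data references a path under a user-writable location."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 13:  # 13 = RegistryEvent (Value Set)
            continue
        target = ev.get("TargetObject", "")
        details = ev.get("Details", "")
        if RUN_KEY_RE.search(target) and USER_WRITABLE_RE.search(details):
            hits.append((ev.get("Image", ""), target, details))
    return hits


# Constructed sample telemetry; SIDs, paths and file names are made up.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\alice\AppData\Roaming\svchosts\update.exe"},
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
     "Details": r'"C:\Program Files\Vendor\agent.exe" --tray'},  # benign install
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000001)"},  # unrelated CurrentVersion key
]

if __name__ == "__main__":
    for image, key, data in find_suspicious_run_keys(SAMPLE_EVENTS):
        print(f"ALERT run-key persistence: {image} wrote {key} -> {data}")
```

Only the first event is flagged: the vendor agent under Program Files and the Explorer setting are ignored, which keeps the rule quiet on routine software installs.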
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
|---|---|---|---|
| Execution | T1059.003 | Command and Scripting Interpreter | Windows Command Shell |
| Defense Evasion | T1218.001 | System Binary Proxy Execution | Compiled HTML File |
| Persistence | T1547.001 | Boot or Logon Autostart Execution | Registry Run Keys / Startup Folder |
| Privilege Escalation | T1136.001 | Create Account | Local Account |
| Defense Evasion | T1027 | Obfuscated Files or Information | — |
| Credential Access | T1552.001 | Unsecured Credentials | Credentials In Files |
| Credential Access | T1552.002 | Unsecured Credentials | Credentials in Registry |
| Credential Access | T1555.003 | Credentials from Password Stores | Credentials from Web Browsers |
| Discovery | T1518.001 | Software Discovery | Security Software Discovery |
| Collection | T1113 | Screen Capture | — |
| Command and Control | T1573.002 | Encrypted Channel | Asymmetric Cryptography |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | — |
REFERENCES:
The following reports contain further technical details:
https://www.welivesecurity.com/en/eset-research/eset-takes-part-operation-endgame-disrupt-amadey-stealc/