{
	"id": "df29a4a5-2415-4a9c-9554-0e0f7704938b",
	"created_at": "2026-04-06T00:10:53.625759Z",
	"updated_at": "2026-04-10T13:11:30.68126Z",
	"deleted_at": null,
	"sha1_hash": "0de8912c0ca84aafdc5233e6edbf5bf9804938ea",
	"title": "LockBit 3.0 Being Distributed via Amadey Bot - ASEC",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2690968,
	"plain_text": "LockBit 3.0 Being Distributed via Amadey Bot - ASEC\r\nBy ATCP\r\nPublished: 2022-10-30 · Archived: 2026-04-05 16:50:47 UTC\r\nThe ASEC analysis team has confirmed that attackers are using Amadey Bot to install LockBit. Amadey Bot, a\r\nmalware that was first discovered in 2018, is capable of stealing information and installing additional malware by\r\nreceiving commands from the attacker. Like other malware strains, it is being sold in illegal forums and still being\r\nused by various attackers.\r\nIt was used in the past to install ransomware by attackers of GandCrab or to install FlawedAmmyy by the TA505\r\ngroup which is infamous for Clop ransomware. Recently, it was distributed under the disguise of a popular Korean\r\nmessenger app.\r\nAmadey Bot Disguised as a Famous Korean Messenger Program Being Distributed\r\nAmadey Bot, the malware that is used to install LockBit, is being distributed through two methods: one using a\r\nmalicious Word document file, and the other using an executable that takes the disguise of the Word file icon.\r\nDistribution Case 1. Malicious Word File\r\nThe following is a malicious Word document named “Sia_Sim.docx.” It was uploaded to VirusTotal. As an\r\nexternal Word file, it downloads a Word file that contains a malicious VBA macro from the following URL when\r\nrun.\r\nFigure 1. External URL\r\nThe text body contains an image that prompts the user to click “Enable Content” to enable the VBA macro.\r\nhttps://asec.ahnlab.com/en/41450/\r\nPage 1 of 7\n\nWhen the user clicks “Enable Content,” the downloaded VBA macro (the one that installs the malicious LNK file)\r\nis executed. 
The LNK file is created in the “C:\\Users\\Public\\skeml.lnk” path and is executed via the following\r\ncommand.\r\n\u003e rundll32 url.dll,OpenURL C:\\Users\\Public\\skeml.lnk\r\nThe LNK file is a downloader that runs a PowerShell command to download and run Amadey.\r\nDistribution Case 2. Executable Disguised as Word File\r\nThere is also a case where the malware was found as “Resume.exe.” The e-mail used in the attack has not been\r\nconfirmed yet, but the file was run as “Resume.exe.” It was also disguised with an innocuous Word file icon and\r\ncreated by a compression program. Judging from these characteristics, it appears that Amadey was installed\r\nvia an e-mail attachment. Next is an executable collected on October 27, 2022.\r\nAmadey Bot\r\nGiven that both Amadey samples above used the same C\u0026C server and download URL, it appears that the attacker has\r\nbeen distributing Amadey Bot in two ways. Amadey that is run through the process above copies itself into the\r\nTemp directory and registers a scheduled task so that it keeps running even after a reboot.\r\n\u003e “c:\\windows\\system32\\schtasks.exe” /create /sc minute /mo 1 /tn rovwer.exe /tr\r\n“c:\\users[username]\\appdata\\local\\temp\\0d467a63d9\\rovwer.exe” /f\r\nAfterward, it connects to the C\u0026C server, sends basic information about the infected system, and receives\r\ncommands. The blog previously introduced Amadey’s features and details, including the types of information about the infected PC\r\nthat the malware sends to the C\u0026C server, and its info-stealing plugins.\r\nAmadey Bot Being Distributed Through SmokeLoader\r\nAmadey receives three commands from the C\u0026C server, and they are all commands that download and execute\r\nmalware from an external source. “cc.ps1” and “dd.ps1” are LockBit in PowerShell form, and “LBB.exe” is\r\nLockBit in exe form. 
They are each created in the directories shown in the C\u0026C server’s response,\r\nrespectively.\r\n– %TEMP%\\1000018041\\dd.ps1\r\n– %TEMP%\\1000019041\\cc.ps1\r\n– %TEMP%\\1000020001\\LBB.exe\r\nLockBit 3.0\r\nOnce the download is complete, the malware runs LockBit. The PowerShell files are initially obfuscated, and are\r\nstructured to be executed after being deobfuscated in memory.\r\nIf the file Amadey downloaded is in PowerShell form, the following command is used.\r\n\u003e “c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe” -executionpolicy remotesigned -file\r\n“c:\\users[username]\\appdata\\local\\temp\\1000018041\\dd.ps1”\r\nLockBit samples installed via Amadey have been distributed in Korea since 2022, and the team has posted various\r\narticles analyzing the ransomware. The recently confirmed version is LockBit 3.0, which is distributed using\r\nkeywords such as job application and copyright. Judging from these themes, it appears that the attack is targeting\r\ncompanies.\r\nLockBit Ransomware Being Distributed Using Resume and Copyright-related Emails (Posted in\r\nFebruary 2022)\r\nLockBit Ransomware Disguised as Copyright Claim E-mail Being Distributed (Posted in June 2022)\r\nNSIS Type LockBit 3.0 Ransomware Disguised as Job Application Emails Being Distributed (Posted\r\nin September 2022)\r\nLockBit 3.0 Ransomware Distributed via Word Documents (Posted in September 2022)\r\nLockBit ransomware encrypts files that exist in the user’s environment, changes the desktop as seen below, and\r\nnotifies the user. It then creates a ransom note in each folder, stating that all data in the system has been encrypted\r\nand stolen, and threatening the user that the data will be decrypted and leaked on the Internet if they refuse to pay\r\nmoney.\r\nAs LockBit ransomware is being distributed through various methods, user caution is advised. 
Users should\r\nupdate the applications and V3 they use to the latest version and refrain from opening document files from\r\nunknown sources.\r\n[File Detection]\r\n– Downloader/DOC.External (2022.10.31.02)\r\n– Downloader/DOC.Generic (2022.10.31.02)\r\n– Trojan/LNK.Runner (2022.10.31.02)\r\n– Malware/Win.Generic.R531852 (2022.10.27.03)\r\n– Trojan/Win.Delf.R452782 (2021.11.24.02)\r\n– Ransomware/Win.LockBit.R506767 (2022.07.27.01)\r\n– Ransomware/PowerShell.Lockbit.S1945 (2022.10.29.00)\r\n[AMSI Detection]\r\n– Ransomware/PowerShell.Lockbit.SA1945 (2022.10.29.00)\r\n[Behavior Detection]\r\n– Ransom/MDP.Decoy.M1171\r\n– Ransom/MDP.Event.M1875\r\n– Ransom/MDP.Behavior.M1946\r\nAdditional IOCs are available on AhnLab TIP.\r\nGain access to related IOCs and detailed analysis by subscribing to AhnLab TIP.\r\nSource: https://asec.ahnlab.com/en/41450/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://asec.ahnlab.com/en/41450/"
	],
	"report_names": [
		"41450"
	],
	"threat_actors": [
		{
			"id": "5e6b31a6-80e3-4e7d-8b0a-d94897ce9b59",
			"created_at": "2024-06-19T02:03:08.128175Z",
			"updated_at": "2026-04-10T02:00:03.636663Z",
			"deleted_at": null,
			"main_name": "GOLD TAHOE",
			"aliases": [
				"Cl0P Group Identity",
				"FIN11 ",
				"GRACEFUL SPIDER ",
				"SectorJ04 ",
				"Spandex Tempest ",
				"TA505 "
			],
			"source_name": "Secureworks:GOLD TAHOE",
			"tools": [
				"Clop",
				"Cobalt Strike",
				"FlawedAmmy",
				"Get2",
				"GraceWire",
				"Malichus",
				"SDBbot",
				"ServHelper",
				"TrueBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "75d4d6a9-b5d1-4087-a7a0-e4a9587c45f4",
			"created_at": "2022-10-25T15:50:23.5188Z",
			"updated_at": "2026-04-10T02:00:05.26565Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"TA505",
				"Hive0065",
				"Spandex Tempest",
				"CHIMBORAZO"
			],
			"source_name": "MITRE:TA505",
			"tools": [
				"AdFind",
				"Azorult",
				"FlawedAmmyy",
				"Mimikatz",
				"Dridex",
				"TrickBot",
				"Get2",
				"FlawedGrace",
				"Cobalt Strike",
				"ServHelper",
				"Amadey",
				"SDBbot",
				"PowerSploit"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "99cb4e5b-8071-4f9e-aa1d-45bfbb6197e3",
			"created_at": "2023-01-06T13:46:38.860754Z",
			"updated_at": "2026-04-10T02:00:03.125179Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"SectorJ04",
				"SectorJ04 Group",
				"ATK103",
				"GRACEFUL SPIDER",
				"GOLD TAHOE",
				"Dudear",
				"G0092",
				"Hive0065",
				"CHIMBORAZO",
				"Spandex Tempest"
			],
			"source_name": "MISPGALAXY:TA505",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e447d393-c259-46e2-9932-19be2ba67149",
			"created_at": "2022-10-25T16:07:24.28282Z",
			"updated_at": "2026-04-10T02:00:04.921616Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"ATK 103",
				"Chimborazo",
				"G0092",
				"Gold Evergreen",
				"Gold Tahoe",
				"Graceful Spider",
				"Hive0065",
				"Operation Tovar",
				"Operation Trident Breach",
				"SectorJ04",
				"Spandex Tempest",
				"TA505",
				"TEMP.Warlock"
			],
			"source_name": "ETDA:TA505",
			"tools": [
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"Azer",
				"Bart",
				"Bugat v5",
				"CryptFile2",
				"CryptoLocker",
				"CryptoMix",
				"CryptoShield",
				"Dridex",
				"Dudear",
				"EmailStealer",
				"FRIENDSPEAK",
				"Fake Globe",
				"Fareit",
				"FlawedAmmyy",
				"FlawedGrace",
				"FlowerPippi",
				"GOZ",
				"GameOver Zeus",
				"GazGolder",
				"Gelup",
				"Get2",
				"GetandGo",
				"GlobeImposter",
				"Gorhax",
				"GraceWire",
				"Gussdoor",
				"Jaff",
				"Kasidet",
				"Kegotip",
				"Kneber",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Locky",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MirrorBlast",
				"Neutrino Bot",
				"Neutrino Exploit Kit",
				"P2P Zeus",
				"Peer-to-Peer Zeus",
				"Philadelphia",
				"Philadephia Ransom",
				"Pony Loader",
				"Rakhni",
				"ReflectiveGnome",
				"Remote Manipulator System",
				"RockLoader",
				"RuRAT",
				"SDBbot",
				"ServHelper",
				"Shifu",
				"Siplog",
				"TeslaGun",
				"TiniMet",
				"TinyMet",
				"Trojan.Zbot",
				"Wsnpoem",
				"Zbot",
				"Zeta",
				"ZeuS",
				"Zeus"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434253,
	"ts_updated_at": 1775826690,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0de8912c0ca84aafdc5233e6edbf5bf9804938ea.pdf",
		"text": "https://archive.orkl.eu/0de8912c0ca84aafdc5233e6edbf5bf9804938ea.txt",
		"img": "https://archive.orkl.eu/0de8912c0ca84aafdc5233e6edbf5bf9804938ea.jpg"
	}
}