{
	"id": "73706eec-fcc6-4a5a-b109-b7cf8556bf4a",
	"created_at": "2026-04-06T00:06:11.92624Z",
	"updated_at": "2026-04-10T03:22:04.441706Z",
	"deleted_at": null,
	"sha1_hash": "1a8dd59a837affd39516969d7a705086782f3aa4",
	"title": "Amadey stealer plugin adds Mikrotik and Outlook harvesting",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1101790,
	"plain_text": "Amadey stealer plugin adds Mikrotik and Outlook harvesting\r\nBy Jason Reaves\r\nPublished: 2021-07-08 · Archived: 2026-04-05 12:43:30 UTC\r\nBy: Jason Reaves and Harold Ogden\r\nLast year Zscaler[3] wrote an article detailing a new version of Amadey “a2020 Amadey” that came with two new\r\nplugins ‘cred.dll’ and ‘scr.dll’. Recently, Amadey has been updated again to a new version “a2021 Amadey.” This\r\narticle aims to go over some interesting additions to their stealer plugin component.\r\nhttps://medium.com/walmartglobaltech/amadey-stealer-plugin-adds-mikrotik-and-outlook-harvesting-518efe724ce4\r\n2021 Amadey Panel\r\nWith this new version comes some interesting additions to the ‘cred’ stealer plugin as they have added\r\nfunctionality for harvesting Mikrotik router data and Outlook data:\r\nOlder versions of Mikrotik’s Winbox[1] would give the option to export your data to a ‘WBX’ file which would\r\nstore the usernames and passwords for your managed devices unencrypted along with an Addresses.cdb file which\r\nis also stored unencrypted. Freely available tools also exist to help parse these files[2] for recovering lost\r\ncredentials.\r\nAnother addition is the parsing of Outlook profiles from registry in order to harvest account data:\r\nLoaders such as Amadey continue to update their toolsets for selling on the underground and the addition of\r\nOutlook account and Mikrotik account harvesting shouldn’t surprise anyone as both can be valuable data sets for\r\ncriminal activities.\r\nIOCs\r\nd860bd740863e9280761ad3162d4b135d7e8cac7a9aaf302a92496e3217beb95\r\nb7eecf0ae1204a0301509d9dd1ad1a7329463ed5\r\nfa07c8de6db23c1be2ee8da97c5621f7fc006469f84e2835195fc943de43d544\r\nd8932ee7ff3b37f1f566dd70233aab7e8f388558\r\nReferences\r\n1:https://forum.mikrotik.com/viewtopic.php?t=111705\r\n2:https://github.com/jabb3rd/RouterOS_Tools\r\n3:https://www.zscaler.com/blogs/security-research/latest-version-amadey-introduces-screen-capturing-and-pushes-remcos-rat\r\nSource: https://medium.com/walmartglobaltech/amadey-stealer-plugin-adds-mikrotik-and-outlook-harvesting-518efe724ce4",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://medium.com/walmartglobaltech/amadey-stealer-plugin-adds-mikrotik-and-outlook-harvesting-518efe724ce4"
	],
	"report_names": [
		"amadey-stealer-plugin-adds-mikrotik-and-outlook-harvesting-518efe724ce4"
	],
	"threat_actors": [],
	"ts_created_at": 1775433971,
	"ts_updated_at": 1775791324,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1a8dd59a837affd39516969d7a705086782f3aa4.pdf",
		"text": "https://archive.orkl.eu/1a8dd59a837affd39516969d7a705086782f3aa4.txt",
		"img": "https://archive.orkl.eu/1a8dd59a837affd39516969d7a705086782f3aa4.jpg"
	}
}