{
	"id": "43870755-c91a-4e82-b605-aac115b06f3d",
	"created_at": "2026-04-06T00:19:05.784567Z",
	"updated_at": "2026-04-10T03:36:48.018678Z",
	"deleted_at": null,
	"sha1_hash": "8ce59ee3cca87898a587155ec86498f4fc424c9c",
	"title": "Amadey Threat Analysis and Detections | Splunk",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 5305015,
	"plain_text": "Amadey Threat Analysis and Detections | Splunk\r\nBy Splunk Threat Research Team\r\nPublished: 2023-07-25 · Archived: 2026-04-05 22:08:42 UTC\r\nThe Amadey Trojan Stealer, an active and prominent malware, first emerged on the cybersecurity landscape in\r\n2018 and has maintained a persistent botnet infrastructure ever since. Several campaigns have used this malware,\r\nas documented in the previous Splunk Threat Research blog on the RedLine loader, the multi-stage attack distribution article\r\nfrom McAfee in May 2023, and the DarkTrace report from March 2023 on a campaign that used N-day vulnerabilities to deliver\r\nAmadey malware.\r\nThe emergence and increasing prevalence of Malware as a Service (MaaS) has become a notable trend within the\r\ncurrent cyber threat landscape. MaaS has gained popularity as a common tool in the arsenal of threat actors,\r\nenabling them to conduct and facilitate widespread cyberattack campaigns.\r\nMalware as a Service refers to a model where cybercriminals offer malware-related services or resources for rent\r\nor purchase to other malicious actors. This approach provides several advantages to both skilled and novice\r\nattackers.\r\nAmadey is among the prevalent forms of malware that utilize MaaS to deliver multiple malware families, updated copies\r\nof itself, and various Amadey plugins or attacks designed for information theft. The figure below illustrates a basic\r\ndiagram of how Amadey attempts to compromise systems and download several malware payloads or its plugins for data\r\ncollection and exfiltration.\r\nThis blog post provides a deep dive analysis of this threat, including:\r\n1. Amadey Anti-Sandbox\r\n2. Its Persistence mechanism\r\n3. Its Defense Evasion in terms of file and directory permission modification\r\n4. C2 communication\r\n5. 
Data collection\r\nhttps://www.splunk.com/en_us/blog/security/amadey-threat-analysis-and-detections.html\r\nPage 1 of 14\n\nIn the following section, we explore Amadey tactics, techniques and its capabilities to compromise a targeted host\r\nor system.\r\nAnti-Sandbox\r\nThis Trojan Stealer begins its code by running a function responsible for decoding strings related to the folder\r\nname and file name that will be used to check the file path of its running process. If the running process is in\r\n%temp%\\{decrypted_folder_name}\\{decrypted_filename}, e.g. %temp%\\a9e2a16078\\oneext.exe,\r\nit will continue the execution. If the file location doesn’t match, Amadey will terminate its process.\r\nThis malware uses two layers of encoding algorithms on its strings to evade detection and make static analysis\r\neven harder. The first layer of encoding is a customized encoding followed by a Base64 algorithm.\r\nFigure 1 is the code screenshot of this malware comparing the file path of its running process with\r\nthe decoded file path initialized in its code.\r\nFigure 1: File Path Comparison\r\nIt also creates a mutex using the CreateMutexA() API to make sure only one instance of the malware process is\r\nrunning on the compromised or targeted host.\r\nFigure 2: CreateMutexA Code\r\nPersistence\r\nSimilar to other malware strains, Amadey employs multiple persistence mechanisms to ensure its survival and\r\nautomatic execution upon system reboot. 
Figure 3 shows the decoded Amadey registry strings related\r\nto its persistence mechanism.\r\nFigure 3: Registry Run Keys\r\nIn addition to leveraging the commonly targeted 'Run' and 'RunOnce' registry keys, Amadey modifies the 'startup'\r\nvalue within the 'User Shell Folders' keys, enabling it to automatically execute its malicious dropped file upon system\r\nreboot.\r\nFigure 4: User Shell Folder Registry\r\nAmadey also creates scheduled tasks as part of its persistence and privilege escalation mechanism. If the\r\npermissions on the scheduled task creation are misconfigured, Amadey can take advantage of this to create a\r\nscheduled task that runs with higher privileges.\r\nFigure 5 shows a screenshot of the Amadey scheduled task (metado.exe) in Attack Range during our testing.\r\nFigure 5: Amadey Scheduled Tasks\r\nDefense Evasion (File And Directory Permission)\r\nAmadey employs a technique utilizing cacls.exe to modify file and directory permissions or attributes, effectively\r\nbypassing access control lists (ACLs) and gaining access to protected files. By configuring read-only access\r\npermissions specifically for the active current user on the compromised host, it prevents the user from deleting the\r\ndropped copy of itself, ensuring its persistence on the system as part of its defense mechanism.\r\nThe code block below is a simple way to simulate this technique, which is also available in the Atomic Red Team\r\nGitHub repo, e.g. 
(T1546.008)\r\nFigure 6 shows the “File Access Denied” error when we tried to delete the dropped copy of this Trojan Stealer during\r\ntesting.\r\nFigure 6: Read Only Permission\r\nExecution\r\nAmadey exhibits the capability of remote signing PowerShell scripts, which allows for the unhindered execution\r\nof locally created scripts. This technique was observed in the Amadey campaign that disseminated the downloaded\r\nLockBit ransomware payload in the form of PowerShell code. To execute the LockBit ransomware PowerShell\r\nscript, Amadey leverages the RemoteSigned execution policy, ensuring that the script is allowed to run without\r\nrestrictions. During our analysis, we discovered that the renamed function \"mw_init_powershell_cmd()\" decodes\r\nthe command line for remote signing, as shown in Figure 7.\r\nFigure 7: Remote Signing\r\nCommand and Control\r\nAmadey will execute 2 threads to establish communication and download payloads/plugins from its command and\r\ncontrol (C2) server. This concurrent execution mechanism enables efficient data exchange and retrieval between\r\nAmadey and its C2 infrastructure.\r\nFigure 8 shows the Amadey code screenshot that collects system information on the compromised host like OS\r\nversion, user name, computer name, domain name and whether the current active user is an admin or not.\r\nFigure 8: System Information\r\nAmadey compiles the gathered information into a string format and proceeds to send it to its command and\r\ncontrol (C2) server. This process involves formatting the data in a structured string to ensure seamless\r\ncommunication with the C2 infrastructure. 
Figure 9 shows the clear text HTTP POST packet from Amadey to its\r\nC2 server sending the formatted system information of the compromised host.\r\nFigure 9: HTTP POST Data\r\nThe table below outlines the description of each tag in the HTTP POST data that the Amadey Trojan Stealer\r\nattempts to send to its command and control (C2) server. This table provides a detailed breakdown of the tags and\r\ntheir respective meanings in the context of the data being sent.\r\nData Collection And Exfiltration (.DLL Plugins)\r\nAmadey attempts to download two specific .dll plugins, namely \"clip64.dll\" and \"cred64.dll\", onto the\r\ncompromised host. These plugins play a crucial role in collecting sensitive information. To execute these plugins,\r\nAmadey utilizes the Windows operating system's rundll32.exe utility, passing the \"Main\" export name parameter\r\nas part of the execution process.\r\nFigure 10.1: Amadey plugins\r\nFigure 10.2: Rundll32 Execution\r\nThe clip64.dll plugin plays a pivotal role in the Amadey Trojan's operations. Its primary function is to gather\r\nclipboard data from the compromised host and transmit it to the designated command and control (C2) server.\r\nThis is achieved by leveraging the Windows API function GetClipboardData().\r\nFigure 10.3: GetClipboardData\r\nThe cred64.dll plugin, on the other hand, focuses on acquiring sensitive information, specifically browser\r\ncredentials. It targets a variety of browsers such as Chrome, Opera, Sputniklab, Chromium, Comodo, Vivaldi,\r\nOrbitum, CocCoc, Chedot, and CentBrowser. 
By accessing the user profile files associated with these browsers, as\r\nshown in Figure 11.1, the plugin aims to crack or decrypt the credentials stored by the compromised host's\r\nbrowsers.\r\nFigure 11.1: Cred64.dll\r\nFigure 11.2 illustrates a simplified diagram showcasing the functionality of the cred64.dll plugin in its attempt to\r\ncrack or decrypt passwords stored within the Chrome browser. This process involves accessing specific Chrome\r\nprofile files, namely \"Local State\" and \"Login Data\". By interacting with these files, the plugin aims to retrieve and\r\ndecrypt the stored passwords.\r\nFigure 11.2: Decrypt Chrome Password\r\nThe versatility and adaptability of Amadey are deeply concerning, demonstrated by its widespread utilization of\r\nMaaS, anti-sandbox techniques, persistence mechanisms, defense evasion, and advanced data collection\r\ncapabilities. This Trojan is emblematic of the evolving threats that are pervasive today, using innovative\r\ntechniques to evade detection and inflict damage. As our detailed investigation shows, Amadey effectively\r\nbypasses access control lists, executes remote signed PowerShell scripts, collects system information, and\r\ncommunicates with its C2 server to achieve its malicious objectives.\r\nAdditionally, it's worth highlighting the critical role of its .dll plugins in data exfiltration. The \"clip64.dll\" and\r\n\"cred64.dll\" plugins serve as crucial tools in collecting sensitive data from compromised hosts, further underlining\r\nthe multifaceted nature of this threat.\r\nIn the subsequent section, we provide the IOCs related to Amadey, followed by the curated detections from\r\nSplunk. 
This further equips security analysts to detect and combat this ever-persistent threat.\r\nIOC\r\nDetections\r\nThe Splunk Threat Research Team has curated relevant detections and tagged them to the Amadey Trojan Stealer\r\nAnalytic Story to help security analysts detect adversaries leveraging the Amadey malware.\r\nThis release used and considered the relevant endpoint telemetry data sources such as:\r\nProcess Execution \u0026 Command Line Logging\r\nWindows Security Event ID 4663, Sysmon, or any Common Information Model compliant EDR\r\ntechnology\r\nWindows Security Event Log\r\nWindows System Event Log\r\nWindows PowerShell Script Block Logging\r\nAs an example, the analytic Windows Files and Dirs Access Rights Modification Via Icacls identifies a\r\npotential adversary that changes the security permission of a specific file or directory.\r\n| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoin\r\n where Processes.process_name IN( \"icacls.exe\", \"cacls.exe\",\"xcacls.exe\")\r\n AND Processes.process IN (\"*:R*\", \"*:W*\", \"*:F*\", \"*:C*\", \"*:N*\",\"*/P*\", \"*/E*\") by Processes.parent_process_\r\n | `drop_dm_object_name(Processes)`\r\n | `security_content_ctime(firstTime)`\r\n | `security_content_ctime(lastTime)`\r\nFigure 12: File and Directory Permission Modification\r\nThe Registry Keys Used For Persistence analytic was updated to detect the registry modification of Amadey to\r\n“User Shell Folders” for its persistence mechanism.\r\nFigure 13: Persistence\r\nOverall, the Amadey Trojan Stealer analytic story introduces 11 detections across MITRE ATT\u0026CK techniques.\r\nPlaybooks\r\nNon-hunting detections associated with this analytic story create entries in the Splunk Enterprise 
Security risk\r\nindex by default and can be used seamlessly with risk notables and the Risk Notable Playbook Pack. Additionally,\r\nthe Automated Enrichment playbook pack also works well with the output of any of these analytics.\r\nWhy Should You Care?\r\nThis blog enables security analysts, blue teamers and Splunk customers to identify Amadey Trojan Stealer\r\nmalware by helping the community discover Amadey tactics, techniques and procedures that are being used by\r\nseveral threat actors and adversaries. By understanding its behaviors, we were able to generate telemetry and\r\ndatasets to develop and test Splunk detections designed to defend and respond against this threat.\r\nLearn More\r\nYou can find the latest content about security analytic stories on GitHub and in Splunkbase. Splunk Security\r\nEssentials also has all these detections available via push update.\r\nFor a full list of security content, check out the release notes on Splunk Docs.\r\nFeedback\r\nAny feedback or requests? Feel free to put in an issue on GitHub and we’ll follow up. Alternatively, join us on the\r\nSlack channel #security-research. Follow these instructions if you need an invitation to our Splunk user groups on\r\nSlack.\r\nContributors\r\nWe would like to thank Teoderick Contreras for authoring this post and the entire Splunk Threat Research Team\r\nfor their contributions: Michael Haag, Mauricio Velazco, Lou Stella, Bhavin Patel, Rod Soto, Eric McGinnis, and\r\nPatrick Bareiss.\r\nSource: https://www.splunk.com/en_us/blog/security/amadey-threat-analysis-and-detections.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.splunk.com/en_us/blog/security/amadey-threat-analysis-and-detections.html"
	],
	"report_names": [
		"amadey-threat-analysis-and-detections.html"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434745,
	"ts_updated_at": 1775792208,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8ce59ee3cca87898a587155ec86498f4fc424c9c.pdf",
		"text": "https://archive.orkl.eu/8ce59ee3cca87898a587155ec86498f4fc424c9c.txt",
		"img": "https://archive.orkl.eu/8ce59ee3cca87898a587155ec86498f4fc424c9c.jpg"
	}
}