{
	"id": "998f1da8-0ae5-4934-b1f8-0260c1bb5bb0",
	"created_at": "2026-04-06T01:29:29.157928Z",
	"updated_at": "2026-04-10T03:21:49.328061Z",
	"deleted_at": null,
	"sha1_hash": "a0ea10d7d60ace7932a2ab5f38d10d99c7f7aa0d",
	"title": "Amadey Botnet Back in Action Via Phishing Sites",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1243003,
	"plain_text": "Amadey Botnet Back in Action Via Phishing Sites\r\nBy thecyberexpress\r\nPublished: 2023-01-27 · Archived: 2026-04-06 00:22:00 UTC\r\nAn old botnet called Amadey, first discovered in 2018, has been found to be actively used to attack systems. Researchers at the Cyble Research and Intelligence Labs (CRIL) found gamers being victimized by phishing websites under the guise of offering gaming hacks and cheats.\r\nThis info-stealing trojan can copy login details from several browsers and has been found to have infected devices in attacks launched by the LockBit ransomware group in 2022. The increase in its use was observed in the last 3 months of 2022.\r\nThe increased use of the Amadey bot (Image: Cyble)\r\nIt can work on browsers including Chrome, Chedot, Microsoft Edge, CentBrowser, SputnikLab, and Opera Software, among others. It also targets cryptocurrencies including Bitcoin, Monero, Ethereum, and Litecoin.\r\nAttack vector using the Amadey bot\r\nCybercriminals are using fraudulent websites with malicious links camouflaged as cheats for the multiplayer shooting video game Valorant. The site asks users to download a .rar file from hxxps[:]//valorantcheatsboss[.]com/upload/boss/Bossmenu%20Setup[.]rar, which starts the attack with capabilities including system reconnaissance, changing permissions, changing crypto transaction recipients, and adding more malware. The .rar file contains a Seil.exe file that infects the system with the Amadey bot.\r\nhttps://thecyberexpress.com/amadey-botnet-back-via-phishing-sites/\r\nPage 1 of 3\r\nSample of a fraudulent gaming website used to infect devices (Image: Cyble)\r\nThe site shown above offers several cheats; however, it misspells the word ‘powerful’ as ‘powerfil’, a reminder that fraudulent websites and phishing emails are often not proofread. The Amadey bot also downloads other malware families, including Redline and Manuscript.\r\nTechnical details of the Amadey bot attack\r\nCRIL researchers examined a sample (SHA256 b00302c7a37d30e1d649945bce637c2be5ef5a1055e572df9866ef8281964b65), a 32-bit VC++ compiled executable, and made the following observations:\r\n- The Amadey bot creates a duplicate of itself, saves it in the %Temp% folder, and executes the copy using the ShellExecuteA() API.\r\n- It then creates a mutex to make sure only one instance of the bot is running on the system at a time. The mutex name was c1ec479e5342a25940592acf24703eb2.\r\n- It maintains persistence using the Startup value in the HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders registry key. In addition, the malware executes every minute because it also gets configured in the Task Scheduler.\r\n- At this stage, the bot collects the machine’s username and changes the permissions on the file nbveek.exe and the folder 4b9a106e76. It sets the read, write, and execute permissions using the command: /k echo Y|CACLS \"nbveek.exe\" /P \"User Name:N\"\u0026\u0026CACLS \"nbveek.exe\" /P \"User Name:R\" /E\u0026\u0026echo Y|CACLS \"..\\4b9a106e76\" /P \"User Name:N\"\u0026\u0026CACLS \"..\\4b9a106e76\" /P \"User Name:R\" /E\u0026\u0026Exit\r\n- Information collection then begins, and the data is sent to the cybercriminal’s command and control (C\u0026C) server using a POST request with specific field names. These include id for the victim’s ID, vs for the version number of the bot, ar for the admin privilege status, and others.\r\n- Two DLL files, cred64.dll and clip64.dll, are downloaded and saved in %appdata%. These credential-stealing modules are executed using rundll32.exe. Cred64.dll is a 64-bit Microsoft Visual C/C++ DLL programmed to steal browser data and settings.\r\n- It further steals crypto wallet data from directories including %appdata%\\Armory\\. It was found to be capable of terminating the crypto wallet client process if it was denied access to sensitive data. The copied data was sent to hxxp[:]//62[.]204[.]41[.]242/9vZbns/index[.]php.\r\n- Clip64.dll was a 32-bit VC++ compiled DLL file. It was a clipper module that steals cryptocurrency transaction data from the clipboard and replaces the recipient’s wallet address with the attacker’s own, so the amount reaches them instead of the intended account.\r\nAmadey bot changing the clipboard data, impacting the cryptocurrency transaction (Image: Cyble)\r\nAmadey is being sold for about $500 on Russian-speaking hacker forums, according to a report by Malpedia.\r\nAmadey uses infected systems as a botnet and can launch distributed denial of service attacks on other systems.\r\nSource: https://thecyberexpress.com/amadey-botnet-back-via-phishing-sites/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://thecyberexpress.com/amadey-botnet-back-via-phishing-sites/"
	],
	"report_names": [
		"amadey-botnet-back-via-phishing-sites"
	],
	"threat_actors": [],
	"ts_created_at": 1775438969,
	"ts_updated_at": 1775791309,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a0ea10d7d60ace7932a2ab5f38d10d99c7f7aa0d.pdf",
		"text": "https://archive.orkl.eu/a0ea10d7d60ace7932a2ab5f38d10d99c7f7aa0d.txt",
		"img": "https://archive.orkl.eu/a0ea10d7d60ace7932a2ab5f38d10d99c7f7aa0d.jpg"
	}
}