{
	"id": "a0658aad-6a67-4938-baa9-a8bd08110d93",
	"created_at": "2026-04-06T00:10:35.131153Z",
	"updated_at": "2026-04-10T03:21:52.74158Z",
	"deleted_at": null,
	"sha1_hash": "a623952e5b909f83d298d95ad662eb38531bb60a",
	"title": "Nitol DDoS Malware Installing Amadey Bot - ASEC",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2245939,
	"plain_text": "Nitol DDoS Malware Installing Amadey Bot - ASEC\r\nBy ATCP\r\nPublished: 2022-12-11 · Archived: 2026-04-05 18:15:06 UTC\r\nThe ASEC analysis team recently discovered that a threat actor has been using Nitol DDoS Bot to install Amadey.\r\nAmadey is a downloader that has been in circulation since 2018, and besides stealing user credentials, it can also\r\nbe used for the purpose of installing additional malware.\r\nAmadey is being actively distributed again this year, and even until very recently, it has been propagating itself on\r\nwebsites disguised as cracks and keygens for normal software and installing other malware on the infected\r\nsystems.[1] Additionally, in the second half of this year, Amadey was used in attacks involving LockBit 3.0, which\r\ntargeted Korean corporate users. Amadey was distributed as attachments to spam emails and was responsible for\r\ninstalling LockBit Ransomware.[2]\r\nWhile monitoring the actively distributed Amadey Bot, the ASEC analysis team found the Nitol DDoS Bot\r\nmalware installing Amadey. Nitol is a DDoS Bot with a Distributed Denial of Service (DDoS) attack feature, and while its\r\nnumbers have decreased recently, it is a malware that has been steadily used in attacks since long ago. For\r\nexample, in 2021, there was a history of it being uploaded to a Korean forum archive, infecting many Korean\r\nusers.[3]\r\nFigure 1. The malware distribution posts that were uploaded on a Korean program-sharing website\r\nhttps://asec.ahnlab.com/en/44504/\r\nPage 1 of 9\n\nNitol Malware that installed Amadey is the same file as the malware covered in the above blog post. This tells us\r\nthat even after over a year, it is still being used in attacks up until now. This file is being shared via torrent,\r\ndisguised as cracks for Hancom and MS Office, and it is infecting many users even at the current moment. 
The\r\nfollowing are the names of paths where Nitol was detected.\r\n\\Hancom 2020\\crack.exe\r\n\\[Official Korean Version] Office 2007\\setup.exe\r\n\\microsoft office 2016\\setup.exe\r\n\\SketchUp Pro 2018\\crack.exe\r\nNitol Malware Analysis\r\nNitol used in the attacks was packed with Themida to hinder analysis. Nitol is a DDoS Bot that supports various\r\nforms of DDoS attacks, and the one used in the attacks has 0x50 for its settings data. When it communicates with\r\nC\u0026C servers, it stands by for 5 seconds and sets the system’s hidden files and folders to be invisible. The\r\nfollowing is the settings data for Nitol.\r\nBit Settings Feature\r\n0x01 Exclude installation process\r\n0x02 Auto-delete\r\n0x04 Check virtual environment\r\n0x08 Check sandbox environment\r\n0x10 Sleep (5 seconds)\r\n0x20 Generate dummy packet\r\n0x40 System configuration (does not display hidden files)\r\n0x80 Assign hidden properties to the malware\r\nTable 1. Nitol settings data\r\nThe virtual environment check uses the IN command to check whether it is running on a VMware virtual machine.\r\nAs for sandbox environments, it checks whether the “api_log.dll” and “SbieDll.dll” DLLs are loaded. If it\r\nconfirms that it’s in a virtual or sandbox environment, Nitol is shut down.\r\nThe dummy packet-generating option creates a random IP address and attempts to connect by matching the port\r\nnumber of an actual C\u0026C address. When this process is successful, dummy data is transmitted. These behaviors\r\nare repeated 10 times, and it is likely that this is for the purpose of hindering network behavior analysis.\r\nAs the option that excludes the installation process is not activated in this malware, an installation process runs\r\nwhen the malware is executed. 
The installation process includes a self-copying stage where the malware copies\r\nitself under a random 6-character name in %APPDATA%, and a persistence maintaining stage where it uses the\r\nreg command to register itself to the Run key. When the installation process is complete, it executes the malware\r\nin the copied path and connects to the C\u0026C server.\r\n\u003e “C:\\Windows\\System32\\reg.exe” ADD\r\n“HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run” /V “My App” /t REG_SZ /F /D\r\n“C:\\Users\\vmuser\\AppData\\Roaming\\gkqske.exe”\r\nCurrently, access to the C\u0026C server is unavailable, but once the connection is successfully established, the\r\nmalware transmits basic information about the infected system, as shown below.\r\nOffset Data\r\n+0x0000 0x00000001\r\n+0x0004 Language and country information (Locale)\r\n+0x0044 Computer name\r\n+0x00C4 Windows version\r\n+0x0104 RAM size (GB)\r\n+0x0124 CPU performance (MHz)\r\n+0x0144 “Client”\r\nTable 2. Information about the infected system to be sent to the C\u0026C server\r\nFigure 2. Past packet captured\r\nWhen Nitol sends the infected system’s information to the C\u0026C server, the server returns the command. The\r\ncommand can perform various functions including DDoS attacks, downloading files, and running updates. For\r\nreference, DDoS attacks are divided into three categories below, but the malware supports many more types of\r\nDDoS attacks.\r\nFigure 3. User-Agent used in DDoS attacks\r\nCommand Feature\r\n0x0002 DDoS Attack #1\r\n0x0003 DDoS Attack #2\r\n0x0004 DDoS Attack #3\r\n0x0005 Stop DDoS attack\r\n0x0006 Auto-delete\r\n0x0010 Download and run payload (SW_HIDE)\r\n0x0011 Download and run payload (SW_SHOW)\r\n0x0012 Update\r\n0x0013 Web page access via Internet Explorer (Hidden)\r\n0x0014 Web page access via Internet Explorer (IE popup)\r\n0x0016 Destroy MBR\r\nTable 3. 
Commands that can be performed by Nitol\r\nOut of the commands, there is one that receives a URL from the C\u0026C server and connects to the corresponding\r\nweb page using Internet Explorer. The command can be configured to access the web page without the user’s knowledge or\r\nto have Internet Explorer pop up so that the user is aware of it.\r\nFigure 4. Accessing web page using IE\r\nAdditionally, there is also a command that changes the MBR to incapacitate the system after a reboot. When the\r\nsystem is restarted after the following data is written to the MBR, it shows the string “Game Over” as shown below\r\nand makes the system unable to boot.\r\nFigure 5. MBR destruction routine\r\nFigure 6. After rebooting\r\nNitol supports a command that downloads additional payloads, and this command was used to install Amadey\r\nBot. The following are ASD (AhnLab Smart Defense) infrastructure logs that show Nitol having downloaded\r\nAmadey from an external address.\r\nFigure 7. Nitol installing Amadey Bot\r\nInstalling Additional Payloads Using Amadey (Amadey Bot, njRAT)\r\nAfter being installed by Nitol, Amadey Bot attempts to connect to C\u0026C servers. When this process is successful,\r\nAmadey downloads an information-stealing plugin, which collects information from the infected system\r\nand sends it to the C\u0026C server. Besides account credentials, Amadey also takes periodic screenshots and sends\r\nthem to the C\u0026C server. The following blog post goes into a detailed analysis of Amadey.\r\n– https://asec.ahnlab.com/en/36634/\r\nFigure 8. Amadey’s network traffic\r\nAn examination of the current version of Amadey shows that it receives a command from the C\u0026C server to\r\ninstall additional payloads, and accordingly, it downloads and installs a total of 4 files. 
These files are Amadey,\r\nNitol, and a downloader. The Nitol mentioned above is Type A, but Amadey also installs Nitol Type B.\r\nTeamViewerSetupx64.exe : Amadey\r\nTeamViewer_Desktop.exe : Nitol Type A\r\nexplorer.exe : Nitol Type B\r\nServiceManager.exe : Downloader (Dotnet Packer)\r\nThe top-level list of the addresses where the malware is downloaded from is unavailable, but it can be assumed\r\nthat there are various other malware strains aside from those mentioned.\r\nFigure 9. Download page\r\nThe malware installed by the threat actor mimics original programs, with names such as TeamViewer, Explorer,\r\nand AnyDesk. The threat actor not only disguises the filename but also the icons to resemble the original programs\r\nwhen distributing the malware.\r\nFigure 10. Icons of malware used in attacks\r\nTorrent is the main platform used in malware propagation alongside file-sharing sites. When installing cracks or\r\nkeygen files of commercial software using torrents, there is a risk of being infected with malware disguised as\r\nthese programs. When Nitol is installed, the user PC acts as a DDoS Bot and can be used in DDoS attacks. In\r\naddition, it can also be used for installing additional malware such as Amadey. 
As for Amadey, it stays in the\r\ninfected system to not only steal user credentials but also install additional malware.\r\nUsers should apply the latest patch for OS and programs such as Internet browsers, and update V3 to the latest\r\nversion to prevent malware infection in advance.\r\nFile Detection\r\n– Backdoor/Win.Nitol.C4533062 (2021.06.24.01)\r\n– Trojan/Win.Generic.R539958 (2022.12.09.01)\r\n– Downloader/Win.Amadey.C5329944 (2022.12.12.01)\r\n– Downloader/Win.MSIL.C5329945 (2022.12.12.01)\r\n– Downloader/Win.Amadey.C5329946 (2022.12.12.01)\r\nBehavior Detection\r\n– Malware/MDP.Behavior.M3108\r\nReference\r\n[1] [ASEC Blog] Amadey Bot Being Distributed Through SmokeLoader\r\n[2] [ASEC Blog] LockBit 3.0 Being Distributed via Amadey Bot\r\n[3] [ASEC Blog] Nitol Malware Being Distributed in Forum Archive\r\nMD5\r\n0c9df67f152a727b0832aa4e7f079a71\r\n3038c7bb0f593df3f52f0644c894c7ba\r\n852011cf885e76c0441dd52fdd280db7\r\nd332cf184ac8335d2c3581a48ee0ad87\r\ne79b48eefa43aa34f360f68618992236\r\nAdditional IOCs are available on AhnLab TIP.\r\nURL\r\nhttp[:]//45[.]89[.]255[.]250[:]30303/\r\nhttp[:]//45[.]89[.]255[.]250[:]40404/\r\nhttp[:]//45[.]89[.]255[.]250[:]50505/\r\nhttp[:]//45[.]89[.]255[.]250[:]8080/AnyDesk[.]exe\r\nhttp[:]//45[.]89[.]255[.]250[:]8080/Kwvwz[.]png\r\nAdditional IOCs are available on AhnLab TIP.\r\nGain access to related IOCs and detailed analysis by subscribing to AhnLab TIP. For subscription details, click\r\nthe banner below.\r\nSource: https://asec.ahnlab.com/en/44504/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://asec.ahnlab.com/en/44504/"
	],
	"report_names": [
		"44504"
	],
	"threat_actors": [],
	"ts_created_at": 1775434235,
	"ts_updated_at": 1775791312,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a623952e5b909f83d298d95ad662eb38531bb60a.pdf",
		"text": "https://archive.orkl.eu/a623952e5b909f83d298d95ad662eb38531bb60a.txt",
		"img": "https://archive.orkl.eu/a623952e5b909f83d298d95ad662eb38531bb60a.jpg"
	}
}