{
	"id": "bb22a4b2-aab9-47ff-9191-4cd81b1eced2",
	"created_at": "2026-04-06T00:13:03.856214Z",
	"updated_at": "2026-04-10T03:36:36.992946Z",
	"deleted_at": null,
	"sha1_hash": "eae50649b4e17bddd0e55909d78404e635ca0866",
	"title": "Leaked Source Code Turned Into FlawedAmmyy Malware | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 794296,
	"plain_text": "Leaked Source Code Turned Into FlawedAmmyy Malware | Proofpoint US\r\nBy Proofpoint Staff, March 07, 2018\r\nPublished: 2018-03-07 · Archived: 2026-04-05 18:57:43 UTC\r\nOverview\r\nProofpoint researchers have discovered a previously undocumented remote access Trojan (RAT) called FlawedAmmyy that has been used since the beginning of 2016 in both highly targeted email attacks and massive, multi-million message campaigns. Narrow attacks targeted the automotive industry among others, while the large malicious spam campaigns appear to be associated with threat actor TA505, an actor responsible for many large-scale attacks since at least 2014.\r\nDelivery Analysis\r\nMarch 5, 2018\r\nFlawedAmmyy Admin appeared most recently as the payload in massive email campaigns on March 5 and 6, 2018. The messages in these campaigns contained zipped .url attachments, and both the messages and the delivery suggest they were sent by threat actor TA505, known for sending large-scale Dridex, Locky, and GlobeImposter campaigns, among others, over the last four years.\r\nFor example, on March 5, the messages were sent from addresses spoofing the recipient’s own domain with subjects such as “Receipt No 1234567” (random digits; the first word could also be “Bill” or “Invoice”) and matching attachments \"Receipt 1234567.zip\". The attachments were ZIP archives containing \".url\" files with names such as \"B123456789012.url\", again apparently random digits (Figure 1).\r\nhttps://www.proofpoint.com/us/threat-insight/post/leaked-source-code-ammyy-admin-turned-flawedammyy-rat\r\nPage 1 of 10\r\nFigure 1: Sample email from March 5, 2018, Ammyy Admin malware campaign\r\nFigure 2: Contents of the .url file\r\nThe .url files are interpreted by Microsoft Windows as “Internet Shortcut” files [1], examples of which can be found in the “Favorites” folder on Windows operating systems. This type of file can be created manually [2]; they are intended to serve as links to internet sites, launching the default browser automatically. However, in this case the attacker specified the URL to be a “file://” network share instead of the typical http:// link. As a result, if the user clicks “Open” on the warning dialog shown in Figure 3, the system downloads and executes a JavaScript file over the SMB protocol rather than launching a web browser.\r\nFigure 3: Warning dialog displayed after double-clicking the .url file\r\nThis JavaScript in turn downloads Quant Loader, which, in this case, fetched the FlawedAmmyy RAT as the final payload. The use of “.url” files and SMB protocol downloads is unusual, and this is the first time we have seen these methods combined.\r\nMarch 1, 2018\r\nThe FlawedAmmyy RAT previously appeared on March 1 in a narrowly targeted attack. Emails contained an attachment 0103_022.doc (Figure 4), which used macros to download the FlawedAmmyy malware directly. This sample used the same command and control (C\u0026C) address as the sample from the massive campaign on March 5.\r\nFigure 4: Screenshot of the document attachment from March 1, 2018, FlawedAmmyy campaign\r\nJanuary 16, 2018\r\nWe also observed this RAT in a narrowly targeted attack that included the automotive industry. Emails contained the attachment 16.01.2018.doc, which used macros to download the FlawedAmmyy RAT directly.\r\nMalware Analysis\r\nFlawedAmmyy is based on leaked source code for Version 3 of the Ammyy Admin remote desktop software. As such, FlawedAmmyy contains the functionality of the leaked version, including:\r\nRemote Desktop control\r\nFile system manager\r\nProxy support\r\nAudio Chat\r\nFigure 5: Strings from the analyzed January 16 sample contain references to the leaked Ammyy Admin Version 3\r\nFigure 6: Snippet of Ammyy Admin Version 3 source code, file TrMain.cpp\r\nThe FlawedAmmyy C\u0026C protocol occurs over port 443 with HTTP. In the initial handshake, sent by the client to the server, the first byte is always “=”, followed by 35 obfuscated and SEAL-encrypted bytes. After a server response (0x2d00), the infected client sends the second packet. This packet has a 5-byte header that includes the length of the rest of the packet (0x78). The body of this packet contains cleartext key-value pairs:\r\nFigure 7: Screenshot of FlawedAmmyy C\u0026C protocol from Wireshark\r\nTable 1: Explanation of the key-value pairs sent by the infected client in the second packet\r\nParameter | Explanation | Example Value\r\nid | 8-digit number, the first digit always being ‘5’ and the remaining 7 chosen at random on initialization of the malware | 53466221\r\nos | Operating system | 7 SP1 x86\r\npriv | Privilege | Admin\r\ncred | Username | DOMAIN\\Username1\r\npcname | Computer name | Computer3\r\navname | Antivirus product name obtained via WMI query | Windows Defender\r\ncard | 1 if a usable smart-card is inserted into a reader, 0 otherwise | 1\r\nbuild_time | Malware build time, obtained at runtime by reading the PE timestamp field from its file on disk | 14-01-2018 6:34:27, 20-02-2018 16:43:10\r\nConclusion\r\nAmmyy Admin is a popular remote access tool used by businesses and consumers to handle remote control and diagnostics on Microsoft Windows machines. 
However, leaked source code for Version 3 of Ammyy Admin has emerged as a Remote Access Trojan called FlawedAmmyy appearing in a variety of malicious campaigns. For infected individuals, this means that attackers potentially have complete access to their PCs, giving threat actors the ability to access a variety of services, steal files and credentials, and much more. We have seen FlawedAmmyy in both massive campaigns, potentially creating a large base of compromised computers, and targeted campaigns that create opportunities for actors to steal customer data, proprietary information, and more.\r\nReferences\r\n[1] https://msdn.microsoft.com/en-us/library/windows/desktop/bb776784(v=vs.85).aspx\r\n[2] https://forums.asp.net/t/1563309.aspx?How+to+create+InternetShortcut+url+\r\nIndicators of Compromise (IOCs)\r\nMarch 5 campaign:\r\nIOC | IOC Type | Description\r\n18436342cab7f1d078354e86cb749b1de388dcb4d1e22c959de91619947dfd63 | SHA256 | bill 0256853.zip\r\nd82ca606007be9c988a5f961315c3eed1b12725c6a39aa13888e693dc3b9a975 | SHA256 | B123177432431.url\r\nfile[:]//buyviagraoverthecounterusabb[.]net/documents/B123456789012.js | URL | SMB URL contained in the Internet Shortcut\r\n8903d514549aa9568c7fea0123758b954b9703c301b5e4941acb33cccd0d7c57 | SHA256 | B37348362793.js (downloaded over SMB)\r\nhxxp://chimachinenow[.]com/kjdhc783 | URL | JS Payload Example\r\nhxxp://highlandfamily[.]org/kjdhc783 | URL | JS Payload Example\r\nhxxp://intra[.]cfecgcaquitaine[.]com/kjdhc783 | URL | JS Payload Example\r\nhxxp://motifahsap[.]com/kjdhc783 | URL | JS Payload Example\r\nhxxp://sittalhaphedver[.]com/p66/kjdhc783 | URL | JS Payload Example\r\n2b53466eebd2c65f81004c567df9025ce68017241e421abcf33799bd3e827900 | SHA256 | Quant Loader\r\nhxxp://wassronledorhad[.]in/q2/index.php | SHA256 | Quant Loader C\u0026C\r\nhxxp://balzantruck[.]com/45rt.exe | SHA256 | Quant Loader Payload (FlawedAmmyy)\r\n0d100ff26a764c65f283742b9ec9014f4fd64df4f1e586b57f3cdce6eadeedcd | SHA256 | FlawedAmmyy\r\n179.60.146[.]3:443 | IP:Port | FlawedAmmyy C\u0026C\r\nMarch 1 campaign:\r\nIOC | IOC Type | Description\r\n9a7fb98dd4c83f1b4995b9b358fa236969e826e4cb84f63f4f9881387bc88ccf | SHA256 | Macro MHT document Example\r\nhxxp://185.176.221[.]54/chrome.exe | SHA256 | Payload download\r\nb0ad80bf5e28e81ad8a7b13eec9c5c206f412870814d492b78f7ce4d574413d2 | SHA256 | FlawedAmmyy\r\n179.60.146[.]3:443 | IP:Port | C\u0026C\r\nJanuary 16 campaign:\r\nIOC | IOC Type | Description\r\ncafa3466e422dd4256ff20336c1a032bbf6e915f410145b42b453e2646004541 | SHA256 | FlawedAmmyy\r\n194.165.16.11[:]443 | IP:Port | C\u0026C\r\nAdditional samples on Virustotal:\r\nList of code-signing Certificates used:\r\nSubject Name | Serial Number\r\nCYBASICS LTD | 00 BB AE 27 7A C3 D9 CF 3F 85 00 86 A3 14 E7 0A D7\r\nCYBASICS LTD | 7F 6B 67 8E 66 DD 35 D6 58 9D 9B B2 0F C3 BA 0B\r\nAdFuture Ltd | 25 43 BF D0 26 6A 5C ED A6 63 9A 2A 49 15 75 3A\r\nLLC \"ASTER-AYTI\" | 10 88 E7 1C 82 F9 BB 73 74 7C 6D 0B 75 E0 5F 17\r\nAtrast, OOO | 00 A0 71 DB B3 2B 9D E4 F8 D2 17 39 44 C3 C2 39 F9\r\nET and ETPRO Suricata/Snort Coverage\r\n2025408 | Win32/FlawedAmmyy RAT CnC Checkin\r\n2024452 | ET TROJAN Quant Loader v1.45 Download Request\r\n2023203 | ET TROJAN Quant Loader Download Request\r\nSource: https://www.proofpoint.com/us/threat-insight/post/leaked-source-code-ammyy-admin-turned-flawedammyy-rat",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.proofpoint.com/us/threat-insight/post/leaked-source-code-ammyy-admin-turned-flawedammyy-rat"
	],
	"report_names": [
		"leaked-source-code-ammyy-admin-turned-flawedammyy-rat"
	],
	"threat_actors": [
		{
			"id": "5e6b31a6-80e3-4e7d-8b0a-d94897ce9b59",
			"created_at": "2024-06-19T02:03:08.128175Z",
			"updated_at": "2026-04-10T02:00:03.636663Z",
			"deleted_at": null,
			"main_name": "GOLD TAHOE",
			"aliases": [
				"Cl0P Group Identity",
				"FIN11",
				"GRACEFUL SPIDER",
				"SectorJ04",
				"Spandex Tempest",
				"TA505"
			],
			"source_name": "Secureworks:GOLD TAHOE",
			"tools": [
				"Clop",
				"Cobalt Strike",
				"FlawedAmmy",
				"Get2",
				"GraceWire",
				"Malichus",
				"SDBbot",
				"ServHelper",
				"TrueBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "75d4d6a9-b5d1-4087-a7a0-e4a9587c45f4",
			"created_at": "2022-10-25T15:50:23.5188Z",
			"updated_at": "2026-04-10T02:00:05.26565Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"TA505",
				"Hive0065",
				"Spandex Tempest",
				"CHIMBORAZO"
			],
			"source_name": "MITRE:TA505",
			"tools": [
				"AdFind",
				"Azorult",
				"FlawedAmmyy",
				"Mimikatz",
				"Dridex",
				"TrickBot",
				"Get2",
				"FlawedGrace",
				"Cobalt Strike",
				"ServHelper",
				"Amadey",
				"SDBbot",
				"PowerSploit"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "99cb4e5b-8071-4f9e-aa1d-45bfbb6197e3",
			"created_at": "2023-01-06T13:46:38.860754Z",
			"updated_at": "2026-04-10T02:00:03.125179Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"SectorJ04",
				"SectorJ04 Group",
				"ATK103",
				"GRACEFUL SPIDER",
				"GOLD TAHOE",
				"Dudear",
				"G0092",
				"Hive0065",
				"CHIMBORAZO",
				"Spandex Tempest"
			],
			"source_name": "MISPGALAXY:TA505",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e447d393-c259-46e2-9932-19be2ba67149",
			"created_at": "2022-10-25T16:07:24.28282Z",
			"updated_at": "2026-04-10T02:00:04.921616Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"ATK 103",
				"Chimborazo",
				"G0092",
				"Gold Evergreen",
				"Gold Tahoe",
				"Graceful Spider",
				"Hive0065",
				"Operation Tovar",
				"Operation Trident Breach",
				"SectorJ04",
				"Spandex Tempest",
				"TA505",
				"TEMP.Warlock"
			],
			"source_name": "ETDA:TA505",
			"tools": [
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"Azer",
				"Bart",
				"Bugat v5",
				"CryptFile2",
				"CryptoLocker",
				"CryptoMix",
				"CryptoShield",
				"Dridex",
				"Dudear",
				"EmailStealer",
				"FRIENDSPEAK",
				"Fake Globe",
				"Fareit",
				"FlawedAmmyy",
				"FlawedGrace",
				"FlowerPippi",
				"GOZ",
				"GameOver Zeus",
				"GazGolder",
				"Gelup",
				"Get2",
				"GetandGo",
				"GlobeImposter",
				"Gorhax",
				"GraceWire",
				"Gussdoor",
				"Jaff",
				"Kasidet",
				"Kegotip",
				"Kneber",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Locky",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MirrorBlast",
				"Neutrino Bot",
				"Neutrino Exploit Kit",
				"P2P Zeus",
				"Peer-to-Peer Zeus",
				"Philadelphia",
				"Philadephia Ransom",
				"Pony Loader",
				"Rakhni",
				"ReflectiveGnome",
				"Remote Manipulator System",
				"RockLoader",
				"RuRAT",
				"SDBbot",
				"ServHelper",
				"Shifu",
				"Siplog",
				"TeslaGun",
				"TiniMet",
				"TinyMet",
				"Trojan.Zbot",
				"Wsnpoem",
				"Zbot",
				"Zeta",
				"ZeuS",
				"Zeus"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434383,
	"ts_updated_at": 1775792196,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/eae50649b4e17bddd0e55909d78404e635ca0866.pdf",
		"text": "https://archive.orkl.eu/eae50649b4e17bddd0e55909d78404e635ca0866.txt",
		"img": "https://archive.orkl.eu/eae50649b4e17bddd0e55909d78404e635ca0866.jpg"
	}
}