Date: 12/23/2025
Severity: High
Summary
Amadey is a malware loader active since 2018, commonly used to deploy second-stage payloads and infostealers. Historically, it has distributed payloads via GitHub repositories. Recent activity reveals a new campaign abusing a compromised, self-hosted GitLab instance to deliver the StealC infostealer. Threat actors repurpose abandoned GitLab servers to build legitimate-looking payload delivery infrastructure. Because these servers sit on long-standing domains with valid TLS certificates, the download traffic blends in with normal web activity and evades traditional security defenses.
Indicators of Compromise (IOC) List
Domains/URLs:
  http://91.92.243.129/0gjSy4hf3/index.php
  http://91.92.243.129/0gjSy4hf3/Login.php
  http://158.94.208.130/8528aa6d5ece46dc.php
  gitlab.bzctoons.net
  https://gitlab.bzctoons.net/suau/fds/-/raw/main/protected.zip
  bzctoons.net
IP Addresses:
  91.92.243.129
  158.94.208.130
Hashes (SHA-256):
  d7a366fa4d31c901ce3bcb6760d7bb5aa7cab49bb54d8c6551b3df14c8cf64e7
  b5d4cc84845cb101f8bda324729ebedd8acd36cc8ec32f80969c4fb6d3c2b8a7
  bae0f38f58ad93728261f09840721ebedb9669a445f40083396fdd0da38a22a7
Mutex: f936986d553273aef6eeaeef713ad28f
Bot ID: 0702f
Decryption Key: 828065b4fbbccc7d69743a0648c2f656
Directories:
  %APPDATA%\f936986d553273\
  %TEMP%\067640a009\
  %TEMP%\10000340261\protected\
Files:
  Yfgfwb.exe
  Clip64.dll
  X64_protect.exe
  protected.zip
Scheduled Task: C:\Windows\Tasks\Yfgfwb.job
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1 (malicious URLs and domains):
  domainname like "http://91.92.243.129/0gjSy4hf3/Login.php" or url like "http://91.92.243.129/0gjSy4hf3/Login.php" or siteurl like "http://91.92.243.129/0gjSy4hf3/Login.php" or domainname like "https://gitlab.bzctoons.net/suau/fds/-/raw/main/protected.zip" or url like "https://gitlab.bzctoons.net/suau/fds/-/raw/main/protected.zip" or siteurl like "https://gitlab.bzctoons.net/suau/fds/-/raw/main/protected.zip" or domainname like "http://158.94.208.130/8528aa6d5ece46dc.php" or url like "http://158.94.208.130/8528aa6d5ece46dc.php" or siteurl like "http://158.94.208.130/8528aa6d5ece46dc.php" or domainname like "gitlab.bzctoons.net" or url like "gitlab.bzctoons.net" or siteurl like "gitlab.bzctoons.net" or domainname like "http://91.92.243.129/0gjSy4hf3/index.php" or url like "http://91.92.243.129/0gjSy4hf3/index.php" or siteurl like "http://91.92.243.129/0gjSy4hf3/index.php" or domainname like "bzctoons.net" or url like "bzctoons.net" or siteurl like "bzctoons.net"
Detection Query 2 (C2 IP addresses):
  dstipaddress IN ("91.92.243.129","158.94.208.130") or srcipaddress IN ("91.92.243.129","158.94.208.130")
Detection Query 3 (file hashes):
  sha256hash IN ("d7a366fa4d31c901ce3bcb6760d7bb5aa7cab49bb54d8c6551b3df14c8cf64e7","b5d4cc84845cb101f8bda324729ebedd8acd36cc8ec32f80969c4fb6d3c2b8a7","bae0f38f58ad93728261f09840721ebedb9669a445f40083396fdd0da38a22a7")
Detection Query 4 (Windows Security file-access events):
  resourcename = "Windows Security" AND eventtype = "4663" AND objectname IN ("%APPDATA%\f936986d553273","%TEMP%\067640a009","%TEMP%\10000340261\protected","Yfgfwb.exe","clip64.dll","x64_protect.exe","protected.zip")
Detection Query 5 (EDR file and path telemetry):
  technologygroup = "EDR" AND objectname IN ("%APPDATA%\f936986d553273","%TEMP%\067640a009","%TEMP%\10000340261\protected","Yfgfwb.exe","clip64.dll","x64_protect.exe","protected.zip")
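The following Python script is an added illustration of how the indicators above can be applied to raw telemetry outside the TDIR platform; it is not code from the advisory, Gurucul or Trellix. It assumes event records carry a url, objectname or sha256 field, and it maps %APPDATA% and %TEMP% to their default per-user locations (AppData\Roaming and AppData\Local\Temp), because Windows file-access events record expanded paths rather than environment variables. The sample events are constructed for the demonstration.

```python
from urllib.parse import urlsplit

# Network, hash and file-system indicators taken from the advisory above.
IOC_HOSTS = {"91.92.243.129", "158.94.208.130", "gitlab.bzctoons.net", "bzctoons.net"}
IOC_SHA256 = {
    "d7a366fa4d31c901ce3bcb6760d7bb5aa7cab49bb54d8c6551b3df14c8cf64e7",
    "b5d4cc84845cb101f8bda324729ebedd8acd36cc8ec32f80969c4fb6d3c2b8a7",
    "bae0f38f58ad93728261f09840721ebedb9669a445f40083396fdd0da38a22a7",
}
# Directory and task indicators with %APPDATA% / %TEMP% expanded to their default
# profile locations (assumption), since event logs record expanded paths, not variables.
IOC_PATH_PARTS = (r"\appdata\roaming\f936986d553273", r"\appdata\local\temp\067640a009",
                  r"\appdata\local\temp\10000340261\protected", r"\windows\tasks\yfgfwb.job")
IOC_FILENAMES = {"yfgfwb.exe", "clip64.dll", "x64_protect.exe", "protected.zip"}

def url_matches(url):
    """True if the URL's host is an IOC host or a subdomain of an IOC domain."""
    host = (urlsplit(url if "://" in url else "//" + url).hostname or "").lower()
    domains = [d for d in IOC_HOSTS if not d.replace(".", "").isdigit()]  # skip bare IPs
    return host in IOC_HOSTS or any(host.endswith("." + d) for d in domains)

def path_matches(path):
    """True if the path contains an IOC directory on a component boundary or an IOC file name."""
    p = path.lower().replace("/", "\\").rstrip("\\")
    for part in IOC_PATH_PARTS:
        i = p.find(part)
        if i != -1 and (i + len(part) == len(p) or p[i + len(part)] == "\\"):
            return True
    return p.rsplit("\\", 1)[-1] in IOC_FILENAMES

def scan_events(events):
    hits = []  # (event index, which indicator class fired)
    for i, ev in enumerate(events):
        if "url" in ev and url_matches(ev["url"]):
            hits.append((i, "url"))
        elif "objectname" in ev and path_matches(ev["objectname"]):
            hits.append((i, "path"))
        elif ev.get("sha256", "").lower() in IOC_SHA256:
            hits.append((i, "hash"))
    return hits

# Constructed sample events (not from the advisory): proxy, file-access and hash records.
SAMPLE_EVENTS = [
    {"url": "https://gitlab.bzctoons.net/suau/fds/-/raw/main/protected.zip"},
    {"objectname": r"C:\Users\alice\AppData\Roaming\f936986d553273\Yfgfwb.exe"},
    {"objectname": r"C:\Users\alice\AppData\Local\Temp\067640a009xyz\setup.exe"},  # near miss
    {"sha256": "B5D4CC84845CB101F8BDA324729EBEDD8ACD36CC8EC32F80969C4FB6D3C2B8A7"},
    {"url": "https://gitlab.example.com/group/project/-/raw/main/archive.zip"},
]
```

Running `scan_events(SAMPLE_EVENTS)` flags the GitLab download, the expanded %APPDATA% drop path and the upper-case hash, while the look-alike Temp directory and the unrelated GitLab host are left alone.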
Reference:
https://www.trellix.com/blogs/research/amadey-exploiting-self-hosted-gitlab-to-distribute-stealc/