Amadey malware pushed via software cracks in SmokeLoader campaign


Level 64
Thread author
Honorary Member
Top poster
Content Creator
Apr 24, 2016
A new version of the Amadey Bot malware is distributed through the SmokeLoader malware, using software cracks and keygen sites as lures.

Amadey Bot is a malware strain discovered four years ago, capable of performing system reconnaissance, stealing information, and loading additional payloads.

While its distribution has faded after 2020, Korean researchers at AhnLab report that a new version has entered circulation and is supported by the equally old but still very active SmokeLoader malware.

This is a departure from Amadey's reliance on the Fallout, and the Rig exploit kits, which have generally fallen out of popularity as they target dated vulnerabilities.
SmokeLoader is downloaded and executed voluntarily by the victims, masked as a software crack or keygen. As it is common for cracks and key generators to trigger antivirus warnings, it is common for users to disable antivirus programs before running the programs, making them an ideal method of distributing malware.

Upon execution, it injects "Main Bot" into the currently running (explorer.exe) process, so the OS trusts it and downloads Amadey on the system.