Amadey Botnet Campaign "fbf543" Weaponizes 9 Legitimate RMM Tools Across 5 Vendors for EDR-Evasive Persistence
TL;DR: An active Amadey botnet campaign (tag: fbf543) is deploying stock Remote Management/Monitoring (RMM) tools from 5 different vendors -- ConnectWise, DattoRMM, Atera, GoToResolve, and N-able -- as persistent, EDR-invisible backdoors. None of the RMM binaries are trojanized; they are vendor installers (seven of the nine carry valid vendor signatures) pre-configured to connect to attacker-controlled relay infrastructure spanning self-hosted domains, ConnectWise cloud instances, and bulletproof hosting in the Seychelles. The same campaign has distributed 50+ payloads over 4 days including Vidar, LummaStealer, XWorm, QuasarRAT, AsyncRAT, and a CoinMiner signed with a stolen AnyDesk certificate. The multi-vendor RMM strategy ensures that if one agent is detected and removed, others remain active -- a hallmark of Initial Access Broker and ransomware affiliate operations.
Why This Matters
Every enterprise EDR product on the market has a problem: it trusts the software your IT department uses. ConnectWise ScreenConnect, DattoRMM, Atera, GoToResolve, N-able -- these are signed by legitimate vendors, shipped with valid code-signing certificates, and explicitly whitelisted in most security stacks. The attacker behind campaign fbf543 understands this perfectly.
On March 9, 2026, nine RMM tool installers appeared on MalwareBazaar within a 4-hour window. All were stock vendor binaries. Seven of the nine carried valid vendor signatures (the two self-hosted ConnectWise builds were unsigned). And all were pre-configured to phone home to infrastructure controlled by the same threat actor running one of the most prolific Amadey botnet campaigns active today.
This is not a supply chain compromise. This is something simpler and harder to detect: the attacker registered trial accounts with 5 different RMM vendors and generated custom installers pointing to their own relay servers.
The Attack Chain
The operation follows a multi-stage model consistent with Initial Access Broker (IAB) playbooks:
Stage 1 -- Amadey delivers the initial payload. The Amadey botnet drops information stealers (Vidar, LummaStealer, SalatStealer, RustyStealer, SantaStealer) to harvest credentials, browser sessions, and crypto wallets. Five different stealer families provide redundancy -- if one gets caught, four others are still exfiltrating.
Stage 2 -- RATs establish interactive access. XWorm, QuasarRAT, AsyncRAT, and DarkVisionRAT are deployed for real-time remote control. NirCmd, a legitimate sysadmin utility, is included to silently execute commands and install subsequent payloads without user interaction.
Stage 3 -- RMM tools lock in persistence. Legitimate RMM agents from 5 vendors are installed as "clean" backdoors. Because these are signed, trusted binaries performing exactly the function they were designed for (remote access), they pass EDR scans and can survive incident response triage if the responder does not check which relay server each agent connects to.
Stage 4 -- Monetization. A CoinMiner payload signed with a stolen AnyDesk Software GmbH certificate provides immediate revenue while the operator decides whether to sell access, deploy ransomware, or maintain long-term persistence for espionage.
The RMM Arsenal: 9 Samples, 5 Vendors, Zero Trojans
All nine samples uploaded to MalwareBazaar on March 9 are legitimate vendor binaries. The only thing malicious about them is who configured them and where they connect.
| # | SHA256 | Tool | Signed By | Relay / C2 | First Seen (Mar 9) |
|---|---|---|---|---|---|
| 1 | c2a0820c... | ConnectWise | Unsigned | relay.gatewayssupply.net:8041 | 17:45:15 |
| 2 | 7d3b5d7a... | DattoRMM | Datto, LLC | Compressed config | 17:37:52 |
| 3 | 824c9bd9... | ConnectWise | ConnectWise, LLC | instance-lssdvv-relay.screenconnect.com:443 | 17:37:49 |
| 4 | 96a41ae0... | ConnectWise | ConnectWise, LLC | instance-i3onzo-relay.screenconnect.com:443 | 17:37:46 |
| 5 | d3148c4c... | AteraAgent | Atera Networks Ltd | AccountID: NZ/gWey... (Base64) | 17:37:43 |
| 6 | c37f2420... | GoToResolve | GoTo Technologies USA, LLC | CompanyId: 5953799839592786195 | 17:37:40 |
| 7 | 7338a3eb... | N-able | N-ABLE TECHNOLOGIES LTD | Compressed config | 17:37:27 |
| 8 | bfa9a04c... | ConnectWise | Unsigned | itfreedom.help:8041 | 15:12:14 |
| 9 | 6811c0d8... | N-able | N-ABLE TECHNOLOGIES LTD | Compressed config | 13:47:39 |
The social engineering filenames tell the story of the delivery vectors:
- CateredFitCorp.exe (DattoRMM -- fake corporate software)
- Documentt.exe (GoToResolve -- typosquatted document)
- turnerlabels.EXE (N-able -- industry-specific lure)
- ZoomInstaller.EXE (N-able -- fake Zoom installer)
- hmliene.msi (Atera -- random/auto-generated)
- hw5yt.msi (ConnectWise -- random/auto-generated)
Sample 8 is the critical pivot point. Tagged dropped-by-Amadey with campaign tag fbf543 on MalwareBazaar, it links the entire RMM operation to the broader Amadey botnet infrastructure.
ConnectWise Relay Infrastructure: 6 Servers, 3 Architecture Types
The attacker operates ConnectWise ScreenConnect relay infrastructure across three distinct hosting strategies, rotating relays every 1-2 days.
Self-Hosted Relays (Attacker-Owned Domains)
gatewayssupply.net
Relay: relay.gatewayssupply.net:8041
IP: 38.240.39.169 (Cogent Communications, US)
Registered: 2025-10-21 via NameCheap
DNS: Cloudflare
TLS: Wildcard cert issued 2025-10-23
Instance ID: 3ed6c2cc5abaac13
SC Version: 25.2.4.9229
itfreedom.help (Amadey-linked)
Relay: itfreedom.help:8041
IP: 158.94.208.194 (RIPE/NL)
Registered: 2026-02-18 via NameSilo (3 weeks pre-campaign)
DNS: Cloudflare
TLS: Let's Encrypt + Google Trust Services
Instance ID: 470f2f003a553817
SC Version: 25.4.20.9295
ConnectWise Cloud Instances (Abuse of Legitimate Infrastructure)
| Instance | Backend Server | Backend IP | Instance ID |
|---|---|---|---|
| instance-lssdvv | server-ovh30010009-relay.screenconnect.com | 15.204.166.75 (OVH) | f3078a5d5ef69328 |
| instance-i3onzo | server-ovh30020022-relay.screenconnect.com | 15.204.48.34 (OVH) | 22d4c9598c39df39 |
| instance-y9neh7 | server-ovh60020016-relay.screenconnect.com | 15.235.97.45 (OVH) | f99822e4388c790b |
These are legitimate ConnectWise cloud relay servers shared by many tenants. The attacker registered trial or paid accounts and generated installers through the normal vendor workflow. Blocking the OVH backend IPs would impact legitimate ConnectWise customers; block instead on the per-tenant relay hostnames (instance-lssdvv-relay.screenconnect.com, instance-i3onzo-relay.screenconnect.com, instance-y9neh7-relay.screenconnect.com) at DNS or proxy, and on the instance IDs at the endpoint.
Bulletproof Hosting (Direct IP)
Relay: 91.92.243.111:8041
ASN: Omegatech LTD (SEYCHELLES)
Instance ID: c26bd864ce80bf33
First Seen: 2026-03-08
Omegatech LTD is a known bulletproof hosting provider. This relay has no domain name and communicates directly over IP -- a fallback designed to survive domain takedowns.
The fbf543 Campaign: 50+ Payloads in 4 Days
The fbf543 tag on MalwareBazaar identifies a single Amadey botnet campaign that escalated dramatically over March 6-9, 2026.
Payload Timeline
| Day | Date | Payloads Deployed |
|---|---|---|
| 1 | Mar 6 | XWorm, SantaStealer, NirCmd, ConnectWise MSI, AsyncRAT, HijackLoader, DarkVisionRAT |
| 2 | Mar 7 | QuasarRAT (with BAT dropper), SantaStealer, Vidar, ConnectWise EXE |
| 3 | Mar 8 | RustyStealer, CoinMiner (stolen AnyDesk cert), ConnectWise MSI |
| 4 | Mar 9 | LummaStealer, Vidar (3x), GCleaner, QuasarRAT, Smoke Loader, Amadey self-update, ConnectWise MSI, SalatStealer |
Day 4 represents a significant escalation: three Vidar variants, a Smoke Loader secondary delivery mechanism, and an Amadey self-update suggest the operator is scaling up for a broader push.
Credential Theft Pipeline
Five distinct information stealer families provide comprehensive coverage:
| Stealer | Target Data | First Seen in Campaign |
|---|---|---|
| Vidar | Browsers, crypto wallets, 2FA tokens, email clients | Mar 7 |
| LummaStealer | Browser credentials, crypto extensions, system info | Mar 9 |
| SalatStealer | Browser data, messaging apps | Mar 9 |
| SantaStealer | Passwords, cookies, autofill data | Mar 6 |
| RustyStealer | Credentials, SSH keys, FTP clients | Mar 8 |
This is not redundancy for its own sake. Each stealer family has different extraction capabilities and different detection signatures. Running five simultaneously maximizes the probability of successful data exfiltration while ensuring that no single AV signature update eliminates the entire credential harvesting operation.
The Stolen AnyDesk Certificate
The CoinMiner payload deployed on Day 3 is signed with a code-signing certificate issued to AnyDesk Software GmbH -- almost certainly stolen or fraudulently obtained. This mirrors a pattern seen across multiple ransomware operations in late 2025 and early 2026, where stolen certificates from remote access vendors are used to sign malicious payloads that blend into environments where the legitimate vendor's software is already installed.
Attribution Assessment
Assessed threat actor profile: Initial Access Broker (IAB) or ransomware affiliate.
Supporting indicators:
- Multi-stage operation combining credential theft with persistent, EDR-evasive access -- the classic IAB playbook of "harvest, persist, sell"
- Bulletproof hosting on Omegatech/Seychelles infrastructure
- Rapid infrastructure rotation (new relays every 1-2 days)
- Multiple RMM tools deployed for redundant persistence
- Domain registration pattern: itfreedom.help was registered less than three weeks before campaign activation (gatewayssupply.net, registered in October 2025, points to longer-running infrastructure)
- ConnectWise/ScreenConnect abuse matches documented TTPs of Black Basta affiliates (ref: CISA AA24-131A) and Royal/BlackSuit ransomware groups (ref: CISA AA23-061A)
- An fbf543 payload is signed by "IP Davydov Egor Denisovich" (GlobalSign cert) -- likely a purchased or fraudulent code-signing certificate, potentially linked to Russian-speaking threat actors
Indicators of Compromise
Domains
gatewayssupply.net (registered 2025-10-21, NameCheap)
itfreedom.help (registered 2026-02-18, NameSilo)
IP Addresses
38.240.39.169 (Cogent, US -- gatewayssupply.net relay)
158.94.208.194 (RIPE/NL -- itfreedom.help relay)
91.92.243.111 (Omegatech/Seychelles -- bulletproof relay)
15.204.166.75 (OVH -- ConnectWise cloud relay backend)
15.204.48.34 (OVH -- ConnectWise cloud relay backend)
15.235.97.45 (OVH -- ConnectWise cloud relay backend)
ConnectWise Instance IDs
3ed6c2cc5abaac13 (gatewayssupply.net self-hosted)
f3078a5d5ef69328 (ConnectWise cloud, instance-lssdvv)
22d4c9598c39df39 (ConnectWise cloud, instance-i3onzo)
470f2f003a553817 (itfreedom.help self-hosted, Amadey-linked)
c26bd864ce80bf33 (91.92.243.111 bulletproof, fbf543 campaign)
f99822e4388c790b (ConnectWise cloud, instance-y9neh7, fbf543 campaign)
GoToResolve
CompanyId: 5953799839592786195
Public Key: 50b526c451269c6e24ea1d50a51dca19a97a4b621bf60014af4936172ed3ff5c
Account: Created 2025-11-30 12:22:19 UTC
Template: syn-prd-ava-unattended
AteraAgent
AccountID: NZ/gWeyibo4aEmrKed8JY6HcNRyin1egHCqRdUK4BC8=
Environment: Production
Campaign Tag
fbf543 (Amadey botnet campaign identifier)
File Hashes (SHA256) -- RMM Samples
c2a0820c49e988c291f0d7b24105da595546674e3a164b424546df13919ed33a (ConnectWise)
7d3b5d7a66fc119fdbc90aa98fa7c7e8c4a0bd7aa73eab8714b8e6f42c29fb6e (DattoRMM)
824c9bd950fe5116b503f0f9fa9c17e7ba09464ed6e5b4450ab4354d67259607 (ConnectWise)
96a41ae0f5d9c14fb505c506862a6e7947f5a20dd705f48aaa133ba0513dd3aa (ConnectWise)
d3148c4cd9c2f347177df88bd356f700fd0ceec90f2e08ef151221c05b86fc68 (AteraAgent)
c37f242047aef3d35f06639206de1f2ce356e5e9d1c8cddb34e16551dae9da0b (GoToResolve)
7338a3eb6266fba2bd98636cac12ec91feef40ddfee4b3ad891aee32d915e069 (N-able)
bfa9a04c5d5bed462d38b90bf22d52455d058ec992eecd5e15a29d48502cc2ab (ConnectWise/Amadey)
6811c0d8596a0b2f13b780fb42a184b337f1b7e92ac6821d0cc87712afa3a133 (N-able)
File Hashes (SHA256) -- fbf543 Additional ConnectWise Payloads
03f6e5d70260c1dedcab1d5375eac458f0145a2859edb6cde63cacdd652539f9 (ConnectWise, Mar 8)
74d37470689e9ea87ba558d0adc254517b8e181642ae43daff9713ee63210077 (ConnectWise EXE, Mar 7)
4d24949840cbe6127c1a949786a10fd526693cb8ae286be0da8fcd776f635387 (ConnectWise, Mar 6)
MITRE ATT&CK Mapping
| Tactic | Technique | ID | Implementation |
|---|---|---|---|
| Resource Development | Obtain Capabilities: Tool | T1588.002 | Registered accounts with 5 RMM vendors to generate custom installers |
| Resource Development | Acquire Infrastructure: Domains | T1583.001 | gatewayssupply.net, itfreedom.help registered weeks before campaign |
| Resource Development | Acquire Infrastructure: Botnet | T1583.005 | Amadey botnet used for payload distribution |
| Initial Access | Phishing: Spearphishing Attachment | T1566.001 | Lure filenames (ZoomInstaller.EXE, Documentt.exe) indicate user-facing delivery alongside Amadey-staged drops |
| Execution | System Services: Service Execution | T1569.002 | RMM agents install as system services |
| Persistence | Create or Modify System Process: Windows Service | T1543.003 | 9 RMM agents across 5 vendors installed as auto-start services for redundant persistence |
| Defense Evasion | Masquerading: Match Legitimate Name or Location | T1036.005 | Installers named after legitimate software (ZoomInstaller.EXE, CateredFitCorp.exe) |
| Defense Evasion | Subvert Trust Controls: Code Signing | T1553.002 | Valid vendor certificates; stolen AnyDesk cert on CoinMiner |
| Credential Access | Credentials from Password Stores: Credentials from Web Browsers | T1555.003 | Vidar, Lumma, Salat, Santa, Rusty stealers |
| Command and Control | Remote Access Software | T1219 | ConnectWise, DattoRMM, Atera, GoToResolve, N-able relay connections |
| Command and Control | Proxy: Multi-hop Proxy | T1090.003 | ConnectWise cloud relays proxy through OVH backend servers |
| Exfiltration | Exfiltration Over C2 Channel | T1041 | Credentials exfiltrated via stealer C2 channels |
| Impact | Resource Hijacking | T1496 | CoinMiner for cryptocurrency monetization |
Detection Opportunities
Network-Level Detections
Block known attacker relay infrastructure:
# Self-hosted relays (block at firewall/proxy)
relay.gatewayssupply.net
itfreedom.help
91.92.243.111
# GoToResolve attacker account
CompanyId: 5953799839592786195
Monitor ConnectWise ScreenConnect by instance ID, not by IP. The attacker uses ConnectWise's own cloud infrastructure, so blocking the OVH backend IPs will cause collateral damage; the per-tenant instance-<id>-relay.screenconnect.com hostnames are safe to block. On the endpoint, the ScreenConnect client service is named "ScreenConnect Client (<instance ID>)" and its ImagePath carries the relay host and port, so extract the instance ID and relay host from each service and alert on the six IDs listed above.
Endpoint-Level Detections
Alert on multiple RMM agents installed on a single endpoint. The simultaneous presence of ConnectWise + Atera + GoToResolve + DattoRMM + N-able on one machine is a near-certain indicator of compromise. Even two unexpected RMM tools should trigger investigation.
# Windows -- enumerate RMM services (state= all includes stopped agents; adjust the
# vendor strings to the actual service names of the agents you deploy)
sc query state= all | findstr /i "ScreenConnect DattoRMM AteraAgent GoToResolve N-able"
# ScreenConnect client services are named "ScreenConnect Client (<instance ID>)"
reg query HKLM\SYSTEM\CurrentControlSet\Services /k /f "ScreenConnect Client"
# The ImagePath argument string holds the relay host (h=) and port (p=)
reg query "HKLM\SYSTEM\CurrentControlSet\Services\ScreenConnect Client (<instance ID>)" /v ImagePath
Hunt for NirCmd execution. NirCmd (nircmd.exe / nircmdc.exe) is a legitimate sysadmin tool but is rarely used in enterprise environments. Its presence alongside RMM tools is a strong signal the attacker is using it for silent installation.
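As an added example (not code from the original report), the Python triage script below implements the two endpoint checks above over a constructed service inventory: it pulls the instance ID from the ScreenConnect client service name and the relay host and port from the ImagePath argument string (the "?e=Access&y=Guest&h=...&p=..." form commonly seen in ScreenConnect client services; verify against your own installs), compares them with the six instance IDs and relay hosts in this report plus an allowlist of your own relays, and flags hosts running two or more RMM vendor families. The inventory, the hostnames and the allowed relay support-relay.corp.example are constructed; the vendor keyword table is illustrative and must be extended with your agents' real service and binary names.

```python
"""Triage ScreenConnect client services and count RMM agent families per host.

Feed it (service name, ImagePath) pairs exported from sc query / Get-Service or
from HKLM\\SYSTEM\\CurrentControlSet\\Services. The inventory below is constructed
for this example; the allowed-relay list is a hypothetical corporate relay.
"""
import re
from urllib.parse import parse_qs

# Instance IDs and relay hosts from the fbf543 IOC list in this report
KNOWN_BAD_INSTANCE_IDS = {
    "3ed6c2cc5abaac13", "f3078a5d5ef69328", "22d4c9598c39df39",
    "470f2f003a553817", "c26bd864ce80bf33", "f99822e4388c790b",
}
KNOWN_BAD_RELAY_HOSTS = {
    "relay.gatewayssupply.net", "itfreedom.help", "91.92.243.111",
    "instance-lssdvv-relay.screenconnect.com",
    "instance-i3onzo-relay.screenconnect.com",
    "instance-y9neh7-relay.screenconnect.com",
}

# Substrings that identify a vendor family in a service name or binary path.
# Illustrative only: add the service/binary names of your own deployed agents.
RMM_FAMILIES = {
    "ConnectWise": ("screenconnect", "connectwise"),
    "Atera": ("atera",),
    "Datto": ("datto",),
    "GoTo": ("gotoresolve", "goto resolve"),
    "N-able": ("n-able", "n-central"),
}

# The ScreenConnect client service name carries the instance ID; its ImagePath
# carries a URL-style argument string: "?e=Access&y=Guest&h=<relay>&p=<port>&..."
SC_SERVICE_RE = re.compile(r"ScreenConnect Client \(([0-9a-f]{16})\)", re.I)
SC_ARGS_RE = re.compile(r'"\?([^"]*)"')


def parse_screenconnect_service(service_name, image_path):
    """Return instance ID, relay host and port for a ScreenConnect client service, else None."""
    m = SC_SERVICE_RE.search(service_name)
    if not m:
        return None
    info = {"instance_id": m.group(1).lower(), "relay_host": None, "relay_port": None}
    args = SC_ARGS_RE.search(image_path)
    if args:
        q = parse_qs(args.group(1), keep_blank_values=True)
        info["relay_host"] = (q.get("h") or [None])[0]
        port = (q.get("p") or [None])[0]
        info["relay_port"] = int(port) if port and port.isdigit() else None
    return info


def classify_rmm(service_name, image_path):
    """Map a service to an RMM vendor family, or None if it is not an RMM agent."""
    text = f"{service_name} {image_path}".lower()
    for family, needles in RMM_FAMILIES.items():
        if any(n in text for n in needles):
            return family
    return None


def assess_host(services, allowed_relay_hosts):
    """Flag known-bad or unapproved ScreenConnect relays and multi-vendor RMM stacking."""
    families, findings = set(), []
    for name, path in services:
        family = classify_rmm(name, path)
        if family:
            families.add(family)
        sc = parse_screenconnect_service(name, path)
        if sc is None:
            continue
        if sc["instance_id"] in KNOWN_BAD_INSTANCE_IDS:
            findings.append(("known_bad_instance_id", sc["instance_id"]))
        host = (sc["relay_host"] or "").lower()
        if host in KNOWN_BAD_RELAY_HOSTS:
            findings.append(("known_bad_relay_host", host))
        elif host not in allowed_relay_hosts:
            findings.append(("unapproved_relay_host", host or "<missing>"))
    if len(families) >= 2:
        findings.append(("multiple_rmm_families", ",".join(sorted(families))))
    return {"families": sorted(families), "findings": findings}


# Constructed inventory: one host mirroring the fbf543 stack, one clean helpdesk host
ALLOWED_RELAYS = {"support-relay.corp.example"}  # hypothetical corporate relay
SAMPLE_INVENTORY = {
    "WS-FINANCE-07": [
        ("ScreenConnect Client (3ed6c2cc5abaac13)",
         r'"C:\Program Files (x86)\ScreenConnect Client (3ed6c2cc5abaac13)\ScreenConnect.ClientService.exe" '
         r'"?e=Access&y=Guest&h=relay.gatewayssupply.net&p=8041&s=00000000-0000-0000-0000-000000000000&k=REDACTED&t=&c=&c="'),
        ("AteraAgent", r'"C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe"'),
        ("GoToResolve Agent", r'"C:\Program Files (x86)\GoTo\GoToResolve\GoToResolve.exe"'),
    ],
    "WS-HELPDESK-02": [
        ("ScreenConnect Client (0123456789abcdef)",
         r'"C:\Program Files (x86)\ScreenConnect Client (0123456789abcdef)\ScreenConnect.ClientService.exe" '
         r'"?e=Access&y=Guest&h=support-relay.corp.example&p=8041&s=00000000-0000-0000-0000-000000000000&k=REDACTED&t=&c="'),
    ],
}


def triage(inventory, allowed_relay_hosts):
    """Assess every host in an inventory of {hostname: [(service, image_path), ...]}."""
    return {host: assess_host(svcs, allowed_relay_hosts) for host, svcs in inventory.items()}


if __name__ == "__main__":
    for host, result in triage(SAMPLE_INVENTORY, ALLOWED_RELAYS).items():
        print(host, result["families"], result["findings"] or "clean")
```

The allowlist check matters as much as the IOC match: a ScreenConnect service pointing at a relay that is neither on the blocklist nor your own server is the generic form of this technique, and it will catch the next rotated relay domain that no IOC list has yet.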
YARA Rules
rule Suspicious_Multi_RMM_MSI {
    meta:
        description = "Detects MSI installers carrying ScreenConnect client components that reference attacker-controlled relay hosts"
        author = "Breakglass Intelligence"
        date = "2026-03-09"
        tlp = "TLP:CLEAR"
        severity = "HIGH"
        reference = "https://intel.breakglass.tech"
    strings:
        $sc_relay1 = "relay.gatewayssupply.net" ascii wide nocase
        $sc_relay2 = "itfreedom.help" ascii wide nocase
        $sc_component = "ScreenConnect.Client" ascii wide
        $sc_msi = "ScreenConnect.ClientSetup" ascii wide
        $bp_ip = "91.92.243.111" ascii wide
    condition:
        // OLE compound document header (D0 CF 11 E0), i.e. an MSI package.
        // Every declared string must be referenced or YARA refuses to compile the rule.
        uint32(0) == 0xE011CFD0 and
        ($sc_component or $sc_msi) and
        any of ($sc_relay*, $bp_ip)
}
rule Amadey_fbf543_RMM_Campaign {
    meta:
        description = "Detects ConnectWise installers associated with Amadey fbf543 campaign"
        author = "Breakglass Intelligence"
        date = "2026-03-09"
        tlp = "TLP:CLEAR"
        severity = "CRITICAL"
    strings:
        $instance1 = "3ed6c2cc5abaac13" ascii wide
        $instance2 = "470f2f003a553817" ascii wide
        $instance3 = "c26bd864ce80bf33" ascii wide
        $instance4 = "f99822e4388c790b" ascii wide
        $instance5 = "f3078a5d5ef69328" ascii wide
        $instance6 = "22d4c9598c39df39" ascii wide
        $relay1 = "gatewayssupply.net" ascii wide
        $relay2 = "itfreedom.help" ascii wide
        $relay3 = "91.92.243.111" ascii wide
    condition:
        any of them
}
Snort/Suricata Rules
# Amadey fbf543 -- ScreenConnect relay to attacker self-hosted domain
# Note: the ScreenConnect relay transport on 8041 is not guaranteed to be standard TLS,
# so the SNI rules only fire where TLS is actually negotiated; the DNS and IP rules
# below are the reliable catch.
alert tls any any -> any 8041 \
    (msg:"AMADEY-FBF543 ScreenConnect Relay to gatewayssupply.net"; \
    flow:established,to_server; tls.sni; content:"gatewayssupply.net"; nocase; \
    sid:2026030901; rev:1;)
# Amadey fbf543 -- ScreenConnect relay to itfreedom.help
alert tls any any -> any 8041 \
    (msg:"AMADEY-FBF543 ScreenConnect Relay to itfreedom.help"; \
    flow:established,to_server; tls.sni; content:"itfreedom.help"; nocase; \
    sid:2026030902; rev:1;)
# Amadey fbf543 -- ScreenConnect relay to bulletproof IP
alert tcp any any -> 91.92.243.111 8041 \
    (msg:"AMADEY-FBF543 ScreenConnect Relay to Omegatech Bulletproof"; \
    flow:established,to_server; sid:2026030903; rev:1;)
# GoToResolve -- attacker CompanyId (if visible in unencrypted traffic)
alert http any any -> any any \
    (msg:"AMADEY-FBF543 GoToResolve Attacker CompanyId"; \
    flow:established,to_server; content:"5953799839592786195"; \
    sid:2026030904; rev:1;)
# Amadey fbf543 -- DNS resolution of attacker relay domains (fires regardless of relay transport)
alert dns any any -> any any \
    (msg:"AMADEY-FBF543 DNS query for gatewayssupply.net"; \
    dns.query; content:"gatewayssupply.net"; nocase; endswith; \
    sid:2026030905; rev:1;)
alert dns any any -> any any \
    (msg:"AMADEY-FBF543 DNS query for itfreedom.help"; \
    dns.query; content:"itfreedom.help"; nocase; endswith; \
    sid:2026030906; rev:1;)
Hunting Queries (KQL -- Microsoft Sentinel / Defender)
// Hunt for multiple RMM agents on single endpoints.
// The Datto, GoToResolve and N-able process names vary by product generation;
// verify them against a known-good install of your own agents before relying on this list.
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("ScreenConnect.ClientService.exe", "AteraAgent.exe",
    "GoToResolve.exe", "DattoRMMAgent.exe", "N-ableAgent.exe")
| summarize RMMTools = dcount(FileName), ToolList = make_set(FileName) by DeviceName
| where RMMTools >= 2
| sort by RMMTools desc
// Hunt for NirCmd execution (used here as a silent installer helper)
DeviceProcessEvents
| where Timestamp > ago(30d)
| where FileName in~ ("nircmd.exe", "nircmdc.exe")
| project Timestamp, DeviceName, FileName, ProcessCommandLine, InitiatingProcessFileName
// Hunt for ScreenConnect connections to known attacker relays.
// Also review any ScreenConnect.ClientService.exe connection whose RemoteUrl is not your own relay.
DeviceNetworkEvents
| where Timestamp > ago(30d)
| where RemoteUrl has_any ("gatewayssupply.net", "itfreedom.help",
    "instance-lssdvv-relay.screenconnect.com", "instance-i3onzo-relay.screenconnect.com",
    "instance-y9neh7-relay.screenconnect.com")
    or RemoteIP in ("91.92.243.111", "38.240.39.169", "158.94.208.194")
| project Timestamp, DeviceName, RemoteUrl, RemoteIP, RemotePort, InitiatingProcessFileName
// Hunt for RMM installers with suspicious filenames
DeviceFileEvents
| where Timestamp > ago(7d)
| where FileName in~ ("ZoomInstaller.EXE", "Documentt.exe",
    "CateredFitCorp.exe", "turnerlabels.EXE", "hmliene.msi", "hw5yt.msi")
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessFileName
Published by Breakglass Intelligence. Investigation conducted 2026-03-09. 9 RMM samples analyzed across 5 vendors. 6 ConnectWise relay servers mapped. 50+ Amadey fbf543 payloads correlated. Classification: TLP:CLEAR