
Amadey's Marketplace: Inside a 100-Sample Pay-Per-Install Operation Distributing Vidar, XWorm, and 22 Other Malware Families

Published March 12, 2026
Threat Actors: Multiple operators are purchasing installs from this Amadey operator.
Tags: botnet, vidar, stealc, asyncrat, xworm, smokeloader, lumma, quasarrat, agenttesla, amadey

TL;DR: An Amadey botnet instance tagged "fbf543" is running a large-scale pay-per-install (PPI) operation that has distributed 100 tracked samples across 24 distinct malware families. Vidar stealer dominates with 29 samples in two separate build lineages -- a Go-compiled variant cross-compiled with MinGW using space-themed obfuscation strings, and a Delphi variant dropped directly by Amadey. Delivery vectors include an HTA dropper abusing curl.exe as a LOLBin, a fake Roblox executor using VMware Tools DLL sideloading with Cyrillic homoglyphs in folder names, LimeWire file hosting abuse, and ConnectWise RMM MSI packages signed with legitimate certificates. Infrastructure is staged through Latvian and Romanian hosting providers.


Campaign Overview: Pay-Per-Install at Scale

The Amadey botnet is one of the commodity malware ecosystem's most durable fixtures -- a loader-as-a-service that sells execution slots to anyone willing to pay. Campaign "fbf543" is a textbook example of this model at industrial scale.

A single Amadey instance is distributing 100 unique samples spanning 24 malware families. The customer list reads like a who's-who of commodity threats:

Malware Family       | Samples | Type
Vidar                | 29      | Info Stealer
Unknown/Unidentified | 27      | Various
ConnectWise (RMM)    | 5       | Remote Access
SantaStealer         | 5       | Info Stealer
SalatStealer         | 4       | Info Stealer
XWorm                | 4       | RAT
QuasarRAT            | 3       | RAT
CoinMiner            | 3       | Cryptominer
Amadey               | 2       | Loader/Botnet
SmokeLoader          | 2       | Loader
RustyStealer         | 2       | Info Stealer
LummaStealer         | 1       | Info Stealer
DarkVisionRAT        | 1       | RAT
AsyncRAT             | 1       | RAT
AgentTesla           | 1       | Info Stealer
RemcosRAT            | 1       | RAT
Stealc               | 1       | Info Stealer
Mirai                | 1       | Botnet/DDoS
Others               | 7       | Various

The diversity here is the point. No single threat actor operates Vidar, XWorm, QuasarRAT, AsyncRAT, and a Mirai variant simultaneously. This is a marketplace -- the Amadey operator sells installs, and customers supply whatever payload they want dropped. The 27 unidentified samples likely represent smaller or newer operations that have not yet been fingerprinted by the threat intelligence community.

The Attack Chain

[1] INITIAL ACCESS
    HTA dropper (VBScript + curl.exe LOLBin)
    Fake Roblox executor ZIP (social engineering)
    LimeWire file hosting
    Amadey botnet push (secondary payload)

[2] EXECUTION
    HTA: curl.exe downloads http://188.137.224.92/cache.bin -> %TEMP%\svc300695.exe
    ZIP: Xeno.exe (trojanized vmtoolsd) sideloads intl.dll (Vidar)
    Amadey: Direct PE execution of Vidar payloads

[3] DEFENSE EVASION
    Cyrillic homoglyphs in file/folder names
    DLL sideloading via legitimate VMware Tools binary
    Go binary with obfuscated function names (random English word pairs)
    Anti-VM/sandbox detection
    Ping delay before execution
    Stolen/abused code signing certificates

[4] C2 COMMUNICATION
    XOR-encoded dead drop resolver URLs (config encrypted at rest)
    Payload staging: 188.137.224.92 (Podaon SIA, Latvia -> DE datacenter)
    Possible C2: 188.241.219.55 (ZetServers, Romania)

[5] EXFILTRATION
    Cryptocurrency wallets (WalletID/Wallet Go structs)
    Browser credentials, cookies, autofill data
    Standard Vidar stealer target set

Technical Analysis: Two Vidar Lineages

The 29 Vidar samples split cleanly into two distinct build lineages with different compilers, obfuscation strategies, and delivery mechanisms.

Go Vidar (Samples 1, 3, 6)

The Go-compiled Vidar variants are cross-compiled on a Windows build machine using MinGW GCC 10.3.0. The build path leaks the operator's environment:

C:/Users/Administrator/x86_64-w64-mingw32/include

These samples are compiled with Go 1.25.x (both 1.25.0 and 1.25.3 observed), and use a distinctive obfuscation pattern: function names are replaced with concatenated pairs of ordinary English words. A sampling:

main.Connecticutvoyeurweb
main.Merchantsdefinitions
main.Modificationretailers
main.Obligationwellington
main.Performancespublisher
main.Rehabilitationpersonnel
main.Subscriptionscomparisons
main.Statutoryexperienced

This is not garbled noise -- the words are real English, chosen to make automated string-based detection harder while appearing plausible in cursory static analysis. The technique is effective enough that generic "suspicious function name" YARA rules miss it entirely.

More unusual are the space/aviation themed marker strings embedded throughout the binary:

ALPHA-BRAVO-CHARLIE
LAUNCH_AUTHORIZED
PayloadDeployment
FlightTermination
StageSeparation
MissionComplete
AscentPhase
OrbitalOperations
ControlledReentry
SpecificImpulse
ChamberPressure

These markers appear to serve as internal state machine labels -- the developer chose an aerospace naming convention for execution phases. LAUNCH_AUTHORIZED likely gates payload execution, StageSeparation marks the transition between data collection phases, and MissionComplete signals exfiltration completion.

C2 resolution uses XOR-encoded dead drop resolver URLs. The configuration is encrypted at rest with a multi-byte key that is not statically extractable -- dynamic analysis is required to recover the actual C2 addresses.

The Go variants target cryptocurrency wallets, confirmed by the presence of Go struct definitions:

main.WalletID
main.Wallet
map[main.WalletID]main.Wallet

Sample 6 is additionally tagged as antivm by ANY.RUN, indicating it implements sandbox detection before executing its stealer payload.

Sample | SHA-256 (truncated) | Size   | Go Version     | Imphash
1      | bea12652...         | 3.0 MB | 1.25.3         | d42595b6...
3      | 1c83863b...         | 2.2 MB | 1.25.0         | d42595b6...
6      | 8ba2f8ed...         | 2.8 MB | 1.25.0 + MinGW | d8b31f8c...

Delphi Vidar (Samples 2, 4, 5)

The second lineage is a PE32+ x86-64 binary compiled with Delphi. These samples are substantially larger (11.8-11.9 MB) and embed the TeeChart charting library from steema.com -- an unusual inclusion for a stealer that suggests the developer is reusing a legitimate Delphi application framework.

Key characteristics:

  • WinHTTP (Winapi.WinHTTP) for C2 communication
  • FireDAC database connectivity framework (unusual for a stealer -- may facilitate local credential database access)
  • TeeChart (steema.com) charting library
  • Configuration encrypted, not statically extractable
  • Delivered directly by Amadey botnet

All three Delphi samples share imphash 068780fe56d60c9502ffe606f8c04be5, which has appeared in 9+ samples since March 7 -- indicating ongoing distribution.

Sample | SHA-256 (truncated) | Size    | Imphash
2      | 7d3f3b89...         | 11.8 MB | 068780fe...
4      | 57664d87...         | 11.9 MB | 068780fe...
5      | 8a887f3b...         | 11.8 MB | 068780fe...

Delivery Vector 1: The HTA Dropper

The simplest delivery mechanism is a 643-byte HTA file that chains two LOLBins -- mshta.exe (implicit, since it is an HTA) and curl.exe -- to download and execute Vidar without writing any attacker-supplied tooling to disk; only the payload itself lands in %TEMP%.

The HTA creates a WScript.Shell object, uses curl.exe to fetch the payload from the staging server, writes it to %TEMP%\svc300695.exe, and executes it:

curl.exe → http://188.137.224.92/cache.bin → %TEMP%\svc300695.exe

A ping -n command introduces a timing delay between download and execution -- a simple sandbox evasion technique that adds a few seconds of inactivity. The HTA then self-closes via Self.Close.

The staging URL http://188.137.224.92/cache.bin is hosted on infrastructure operated by Podaon SIA, a Latvian hosting provider routing through a German datacenter.

Delivery Vector 2: Fake Roblox Executor with DLL Sideloading

The more sophisticated delivery vector targets gamers -- specifically, children and young adults looking for Roblox exploit tools. The lure is "BootstrapperUI," presented as a Xeno executor for Roblox.

The ZIP archive (sample 7, SHA-256: b314fee7..., 5.9 MB) contains:

  • Xeno.exe -- a modified VMware Tools daemon (vmtoolsd) repurposed as a DLL sideloading host
  • intl.dll -- the actual Vidar stealer payload (identical to sample 6: 8ba2f8ed...)
  • vmtools.dll, glib-2.0.dll, gobject-2.0.dll -- additional trojanized DLLs
  • A README file with the password "ryos"

Cyrillic Homoglyph Evasion

The folder names in the archive use Cyrillic homoglyphs -- characters from the Cyrillic alphabet that are visually identical to their ASCII equivalents but have different Unicode code points. To a human reading the file explorer, the path looks like normal English text. To a file system filter, string-matching rule, or hash comparison, it is completely different.

This technique defeats:

  • Path-based allowlisting/blocklisting
  • String-based YARA rules expecting ASCII paths
  • Endpoint detection rules that match on folder names
  • Log analysis that searches for known malicious paths

The Sideload Chain

User opens ZIP → runs Xeno.exe (legitimate vmtoolsd binary)
  → Xeno.exe loads intl.dll (expected VMware internationalization DLL)
    → intl.dll = Vidar stealer (Go 1.25.0 + MinGW)
      → Vidar executes with VMware Tools process context

Because Xeno.exe is a legitimate, signed VMware Tools binary, the initial execution passes application whitelisting and may inherit VMware's reputation in endpoint detection systems. The intl.dll name is not random -- it is a real dependency of vmtoolsd, making the sideload invisible to dependency analysis.

Infrastructure

Confirmed Staging and C2

IP             | Role            | ASN      | Hosting                        | Country | Ports
188.137.224.92 | Payload staging | AS211381 | Podaon SIA (Latvia)            | DE      | 3389
188.241.219.55 | Possible C2     | --       | ZetServers / INTERKVM HOST SRL | RO      | 22, 8090, 8443, 9000

The staging server at 188.137.224.92 exposes RDP (port 3389), suggesting it may be a compromised or rented Windows server. The possible C2 at 188.241.219.55 runs multiple services across ports 8090, 8443, and 9000 -- a profile consistent with a multi-panel C2 framework.

Abused Legitimate Services

Service         | Abuse Type
LimeWire        | Payload hosting (limewire.com/d/9srAi#oMPwoXroIp)
ConnectWise RMM | 5 MSI packages with legitimate certs for unauthorized remote access
AnyDesk         | Stolen certificate used to sign a CoinMiner

Stolen and Abused Code Signing Certificates

The campaign makes heavy use of code signing certificates -- some stolen from legitimate companies, others likely purchased from underground certificate vendors:

Subject CN                   | Signed Payload
IP Davydov Egor Denisovich   | Unknown PE (18.8 MB)
AnyDesk Software GmbH        | CoinMiner
ConnectWise, LLC             | RMM MSI packages (x3)
TRUST & SIGN POLAND SP Z O O | Unknown PEs (x2)
Dickinson and Sons           | SmokeLoader
Vanguard Systems Inc         | AgentTesla
Subantiquely                 | RemcosRAT
hsNRk3Og                     | Unknown PE (fake/self-signed cert)

The ConnectWise certificate abuse is particularly notable -- the attacker is distributing RMM installers signed with ConnectWise's own certificate, meaning the MSI packages appear legitimate to both SmartScreen and enterprise application whitelisting. Five such packages were identified in this campaign.

Indicators of Compromise

Network IOCs

188.137.224.92              # Payload staging (HTA dropper, Podaon SIA Latvia)
188.241.219.55              # Possible Vidar C2 (ZetServers, Romania)
http://188.137.224.92/cache.bin      # Vidar payload download URL
http://188.137.224.92/verify.hta     # HTA dropper delivery URL
limewire.com/d/9srAi#oMPwoXroIp     # Payload hosting on LimeWire

File IOCs (SHA-256)

Vidar Samples:


Amadey Loader:

8be7f594f8773283f61d37ce24b74985e5569d9c1396c07848e1469a81cd3f5f

DLL Sideload Kit Components:

2803b74d5466845e4dc9063bd516f3679aa2a3f70a30d9e93976c212e87f6e87  # Xeno.exe (modified vmtoolsd)
dbee15d75e4bfc40a0091878009dedf0cca795f224554c91ad776710eb3a76a9  # vmtools.dll (trojanized)
29f281e0e9ebc9cc7b54af08535509feac1930a60d3d2e2fe9528f77711f04a8  # glib-2.0.dll (trojanized)

Imphash Clustering

068780fe56d60c9502ffe606f8c04be5  # Delphi Vidar lineage (9+ samples since Mar 7)
d42595b695fc008ef2c56aabd8efd68e  # Go Vidar lineage (generic Go PE imphash)
d8b31f8c...                        # Go Vidar DLL variant (Sample 6)
ac4ded70f85ef621e5f8917b250855be  # Amadey loader

Host IOCs

%TEMP%\svc300695.exe               # HTA dropper payload path
intl.dll                           # DLL sideload payload name
vmtoolsd / Xeno.exe                # Modified VMware Tools loader

Detection Opportunities

Process Chain Detection

The highest-fidelity detection for the HTA delivery vector is the parent-child process relationship:

mshta.exe → curl.exe → %TEMP%\svc300695.exe

Any environment where curl.exe is spawned as a child of mshta.exe should generate a high-confidence alert. This is not a normal process chain in any legitimate workflow.

DLL Sideloading Detection

Alert on vmtoolsd.exe execution outside of VMware environments. If your fleet does not run VMware Tools, any instance of vmtoolsd or Xeno.exe loading intl.dll is malicious:

Process Name: vmtoolsd.exe OR Xeno.exe
AND NOT Process Path: C:\Program Files\VMware\*
AND Module Loaded: intl.dll
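The two process-telemetry rules above (mshta.exe spawning curl.exe or a %TEMP% executable, and vmtoolsd.exe/Xeno.exe loading intl.dll from outside the VMware install directory), as an added Python example that is not part of the report: it runs both rules over constructed Sysmon-style events whose field names are an assumption of this example.

```python
import ntpath
from collections import namedtuple

Alert = namedtuple("Alert", "rule pid detail")

# Where a genuine VMware Tools install lives; any vmtoolsd.exe or Xeno.exe
# elsewhere that loads intl.dll is treated as a sideload, per the report's rule.
LEGIT_VMWARE_PREFIX = "c:\\program files\\vmware\\"
VMTOOLS_HOSTS = {"vmtoolsd.exe", "xeno.exe"}

# Constructed Sysmon-style telemetry (assumed field names, not the report's data):
# "process" ~ EventID 1 (process create), "load" ~ EventID 7 (image loaded).
EVENTS = [
    {"type": "process", "pid": 4100, "ppid": 880, "image": "C:\\Windows\\explorer.exe"},
    {"type": "process", "pid": 4212, "ppid": 4100, "image": "C:\\Windows\\System32\\mshta.exe"},
    {"type": "process", "pid": 4300, "ppid": 4212, "image": "C:\\Windows\\System32\\curl.exe"},
    {"type": "process", "pid": 4350, "ppid": 4212,
     "image": "C:\\Users\\u\\AppData\\Local\\Temp\\svc300695.exe"},
    {"type": "process", "pid": 5000, "ppid": 4100,
     "image": "C:\\Users\\u\\Downloads\\BootstrapperUI\\Xeno.exe"},
    {"type": "load", "pid": 5000, "module": "C:\\Users\\u\\Downloads\\BootstrapperUI\\intl.dll"},
    {"type": "process", "pid": 900, "ppid": 600,
     "image": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe"},
    {"type": "load", "pid": 900, "module": "C:\\Program Files\\VMware\\VMware Tools\\intl.dll"},
]

def _base(path):
    return ntpath.basename(path).lower()

def detect_mshta_chain(events):
    """Process-chain rule: curl.exe, or any executable under a Temp directory,
    whose parent process is mshta.exe."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    alerts = []
    for e in procs.values():
        parent = procs.get(e["ppid"])
        if parent is None or _base(parent["image"]) != "mshta.exe":
            continue
        child = _base(e["image"])
        if child == "curl.exe":
            alerts.append(Alert("mshta_spawns_curl", e["pid"], e["image"]))
        elif child.endswith(".exe") and "\\temp\\" in e["image"].lower():
            alerts.append(Alert("mshta_spawns_temp_exe", e["pid"], e["image"]))
    return alerts

def detect_vmtools_sideload(events):
    """Sideload rule: vmtoolsd.exe or Xeno.exe running outside the VMware
    install directory and loading intl.dll."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    alerts = []
    for e in events:
        if e["type"] != "load" or _base(e["module"]) != "intl.dll":
            continue
        proc = procs.get(e["pid"])
        if proc is None or _base(proc["image"]) not in VMTOOLS_HOSTS:
            continue
        if proc["image"].lower().startswith(LEGIT_VMWARE_PREFIX):
            continue  # genuine VMware Tools loading its own intl.dll
        alerts.append(Alert("vmtools_sideload", e["pid"],
                            f"{proc['image']} loaded {e['module']}"))
    return alerts

def run_all(events):
    """Evaluate both rules; on EVENTS this yields three alerts (pids 4300, 4350, 5000)."""
    return detect_mshta_chain(events) + detect_vmtools_sideload(events)
```

The genuine vmtoolsd.exe under C:\Program Files\VMware\ loading its own intl.dll is deliberately left silent, which is the exclusion the pseudo-rule above expresses with NOT Process Path.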

YARA Detection

Six YARA rules cover all observed variants. Key rules for immediate deployment:

rule Vidar_Go_Variant_Mar2026 {
    meta:
        description = "Vidar stealer Go variant with obfuscated function names (March 2026)"
        author = "Breakglass Intelligence"
        date = "2026-03-09"
        campaign = "fbf543"
        severity = "HIGH"
    strings:
        $wallet1 = "main.WalletID" ascii
        $wallet2 = "main.Wallet" ascii
        $wallet3 = "map[main.WalletID]main.Wallet" ascii
        $obf1 = "main.Connecticutvoyeurweb" ascii
        $obf2 = "main.Merchantsdefinitions" ascii
        $obf3 = "main.Modificationretailers" ascii
        $obf4 = "main.Obligationwellington" ascii
        $obf5 = "main.Performancespublisher" ascii
        $marker1 = "ALPHA-BRAVO-CHARLIE" ascii
        $marker2 = "LAUNCH_AUTHORIZED" ascii
        $marker3 = "PayloadDeployment" ascii
        $marker4 = "FlightTermination" ascii
        $space1 = "StageSeparation" ascii
        $space2 = "MissionComplete" ascii
        $goversion1 = "go1.25.3" ascii
        $goversion2 = "go1.25.0" ascii
        $mingw = "mingw_app_type" ascii
    condition:
        uint16(0) == 0x5A4D and
        filesize > 1MB and filesize < 20MB and
        (
            (any of ($wallet*)) or
            (3 of ($obf*)) or
            (3 of ($marker*)) or
            // $mingw must be referenced: YARA refuses to compile a rule with an unused string
            (2 of ($space*) and (any of ($goversion*) or $mingw))
        )
}

rule Vidar_HTA_Dropper_Mar2026 {
    meta:
        description = "HTA dropper delivering Vidar stealer via curl.exe LOLBin"
        author = "Breakglass Intelligence"
        date = "2026-03-09"
        campaign = "fbf543"
        severity = "HIGH"
    strings:
        $hta_tag = "HTA:APPLICATION" ascii nocase
        $vbs = "VBScript" ascii nocase
        $curl = "curl.exe" ascii nocase
        $shell = "WScript.Shell" ascii nocase
        $temp = "%TEMP%" ascii nocase
        $ping = "ping -n" ascii nocase
        $c2 = "188.137.224.92" ascii
    condition:
        filesize < 5KB and
        $hta_tag and $vbs and
        ($curl or $c2) and
        // $ping must be referenced: YARA refuses to compile a rule with an unused string
        $shell and ($temp or $ping)
}

rule Vidar_Delphi_Amadey_Dropped_Mar2026 {
    meta:
        description = "Vidar stealer Delphi variant dropped by Amadey botnet"
        author = "Breakglass Intelligence"
        date = "2026-03-09"
        campaign = "fbf543"
        severity = "HIGH"
    strings:
        $delphi1 = "TFormStyleHook" ascii wide
        $delphi2 = "System.Net.HttpClient.TCookie" ascii wide
        $delphi3 = "System.Net.URLClient.TURLClient" ascii wide
        $winhttp = "Winapi.WinHTTP" ascii wide
        $steema = "www.steema.com" ascii wide
        $firedac1 = "TFDPhysConnectionMetadata" ascii wide
        $firedac2 = "FDPhysConnectionDefParamsFactory" ascii wide
    condition:
        uint16(0) == 0x5A4D and
        filesize > 5MB and filesize < 15MB and
        3 of ($delphi*) and
        $winhttp and
        ($steema or any of ($firedac*))
}

Network Detection -- Snort/Suricata

# Vidar HTA dropper payload download
alert http any any -> 188.137.224.92 any (msg:"VIDAR Payload Download from Latvian Staging"; \
  content:"cache.bin"; http_uri; flow:established,to_server; \
  sid:2026030901; rev:1;)

# curl.exe spawned by mshta.exe (LOLBin chain)
# Implement via EDR process chain rule -- not natively expressible in Suricata

# Vidar HTA dropper delivery
alert http any any -> 188.137.224.92 any (msg:"VIDAR HTA Dropper Delivery"; \
  content:"verify.hta"; http_uri; flow:established,to_server; \
  sid:2026030902; rev:1;)

# LimeWire abuse for payload hosting
alert http any any -> any any (msg:"VIDAR Payload via LimeWire Abuse"; \
  content:"limewire.com"; http_host; content:"/d/9srAi"; http_uri; \
  sid:2026030903; rev:1;)

Hunting Queries

Cyrillic homoglyph detection -- Search for file and folder names containing mixed-script characters. Legitimate software does not embed Cyrillic characters in otherwise Latin-alphabet paths:

# PowerShell: Find files with Cyrillic characters in path
Get-ChildItem -Recurse | Where-Object { $_.FullName -match '[\u0400-\u04FF]' }
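A finer-grained version of the homoglyph hunt (covering the evasion technique described under "Cyrillic Homoglyph Evasion" as well as the one-liner above), as an added Python example that is not part of the report: unlike the PowerShell regex, it separates genuinely Cyrillic names from Latin text with Cyrillic lookalikes mixed in, and reports the ASCII skeleton the name was imitating. The confusable mapping and the sample paths are constructed for this example.

```python
import re
import unicodedata

# Cyrillic letters whose glyphs imitate Latin letters. Constructed subset of
# the Unicode confusables data, covering the lookalikes common in path names.
CONFUSABLE = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u0455": "s",
    "\u0410": "A", "\u0412": "B", "\u0415": "E", "\u041a": "K", "\u041c": "M",
    "\u041d": "H", "\u041e": "O", "\u0420": "P", "\u0421": "C", "\u0422": "T",
    "\u0425": "X", "\u0405": "S", "\u0406": "I", "\u0408": "J",
}

def script_of(ch):
    """Classify one character as 'latin', 'cyrillic', 'other', or None for
    characters (digits, dots, separators) that carry no script."""
    if not ch.isalpha():
        return None
    name = unicodedata.name(ch, "")
    if name.startswith("LATIN "):
        return "latin"
    if name.startswith("CYRILLIC "):
        return "cyrillic"
    return "other"

def skeleton(text):
    """Replace each confusable Cyrillic letter with the Latin letter it imitates,
    giving the string a human reader believes they are looking at."""
    return "".join(CONFUSABLE.get(c, c) for c in text)

def suspicious_segments(path):
    """Return [(segment, skeleton)] for path components that either mix Latin and
    Cyrillic letters or consist only of Latin-lookalike Cyrillic letters. A
    genuinely Cyrillic name (one containing letters with no Latin twin) is left
    alone, which keeps the hunt quiet on hosts with Cyrillic-locale user folders."""
    hits = []
    for seg in re.split(r"[\\/]+", path):
        scripts = {s for s in map(script_of, seg) if s}
        if "cyrillic" not in scripts:
            continue
        cyrillic = [c for c in seg if script_of(c) == "cyrillic"]
        if "latin" in scripts or all(c in CONFUSABLE for c in cyrillic):
            hits.append((seg, skeleton(seg)))
    return hits

# Constructed sample paths (not the report's samples). In the first one the 'a'
# in Bootstrapper is U+0430 and the 'X' in Xeno is U+0425, both Cyrillic; the
# second is an ordinary Cyrillic "Documents" folder that must not be flagged.
SAMPLE_PATHS = [
    "C:\\Users\\user\\Downloads\\Bootstr\u0430pperUI\\\u0425eno.exe",
    "C:\\Users\\ivan\\\u0414\u043e\u043a\u0443\u043c\u0435\u043d\u0442\u044b\\report.docx",
    "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe",
]

def scan(paths):
    """Map each path that contains a homoglyph segment to its findings."""
    return {p: hits for p in paths if (hits := suspicious_segments(p))}

if __name__ == "__main__":
    for path, hits in scan(SAMPLE_PATHS).items():
        for seg, plain in hits:
            print(f"{path!r}: segment {seg!r} renders as {plain!r}")
```

Feed it the FullName values collected by the PowerShell query above to triage its hits; only the first sample path is reported, with both of its disguised segments.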

Imphash hunting -- The Delphi Vidar lineage shares a stable imphash. Search your EDR/sandbox telemetry for:

imphash:068780fe56d60c9502ffe606f8c04be5

Any hit on this imphash since March 7, 2026 is highly likely to be a Vidar variant from this campaign.

MalwareBazaar monitoring -- The campaign tag fbf543 is actively tracked. New payloads appear regularly:

https://bazaar.abuse.ch/browse/tag/fbf543/

MITRE ATT&CK Mapping

Tactic              | Technique                                                       | ID        | Implementation
Initial Access      | Phishing: Spearphishing Link                                    | T1566.002 | LimeWire-hosted payload links
Initial Access      | Drive-by Compromise                                             | T1189     | HTA dropper delivery
Execution           | User Execution: Malicious File                                  | T1204.002 | Fake Roblox executor ZIP
Execution           | System Services: Service Execution                              | T1569     | Amadey direct PE execution
Execution           | Command and Scripting Interpreter: VBScript                     | T1059.005 | HTA dropper VBScript
Persistence         | Hijack Execution Flow: DLL Side-Loading                         | T1574.002 | VMware Tools vmtoolsd + intl.dll
Defense Evasion     | Masquerading: Match Legitimate Name or Location                 | T1036.005 | intl.dll mimics VMware DLL
Defense Evasion     | Masquerading: Invalid Code Signature                            | T1036.001 | Stolen/abused code signing certs
Defense Evasion     | Obfuscated Files or Information                                 | T1027     | XOR-encoded dead drop URLs, word-pair function names
Defense Evasion     | Virtualization/Sandbox Evasion                                  | T1497     | Anti-VM detection (Sample 6)
Defense Evasion     | Subvert Trust Controls: Code Signing                            | T1553.002 | AnyDesk, ConnectWise stolen certs
Defense Evasion     | Signed Binary Proxy Execution: Mshta                            | T1218.005 | HTA dropper via mshta.exe
Defense Evasion     | System Binary Proxy Execution                                   | T1218     | curl.exe as LOLBin for payload download
Credential Access   | Credentials from Password Stores: Credentials from Web Browsers | T1555.003 | Browser credential/cookie/autofill theft
Credential Access   | Unsecured Credentials: Credentials in Files                     | T1552.001 | Cryptocurrency wallet file theft
Collection          | Data from Local System                                          | T1005     | Wallet data, browser data collection
Command and Control | Application Layer Protocol: Web Protocols                       | T1071.001 | HTTP/HTTPS C2 communication
Command and Control | Web Service: Dead Drop Resolver                                 | T1102.001 | XOR-encoded dead drop C2 resolution
Command and Control | Ingress Tool Transfer                                           | T1105     | curl.exe payload download from staging server
Exfiltration        | Exfiltration Over C2 Channel                                    | T1041     | Data exfiltration via C2 infrastructure

Recommendations

  1. Block infrastructure -- Add 188.137.224.92 and 188.241.219.55 to firewall and proxy blocklists immediately
  2. Monitor LOLBin chains -- Alert on curl.exe spawned as a child process of mshta.exe
  3. Detect VMware Tools abuse -- Alert on vmtoolsd.exe execution outside VMware environments
  4. Hunt for Cyrillic homoglyphs -- Search file system telemetry for mixed-script paths
  5. Deploy imphash rules -- Monitor for 068780fe56d60c9502ffe606f8c04be5 (Delphi Vidar) and ac4ded70f85ef621e5f8917b250855be (Amadey loader)
  6. Deploy YARA rules -- All six rules from this investigation to endpoint and network sensors
  7. Report abuse -- Podaon SIA (abuse@podaon.com) and ZetServers (abuse@zetservers.com)
  8. Monitor campaign tag -- Track fbf543 on MalwareBazaar for new payloads as this campaign remains active

Published by Breakglass Intelligence. Investigation conducted 2026-03-09. Campaign status: ACTIVE. 100 samples tracked across 24 malware families. 29 Vidar variants in two build lineages. Classification: TLP:CLEAR
