Amadey v5.x "fbf543" Campaign: A Pay-Per-Install Supermarket Running 24 Malware Families on Bulletproof Rails
TL;DR: A single MalwareBazaar sample led to the unraveling of a full-scale pay-per-install operation running Amadey botnet v5.x across bulletproof hosting infrastructure. The campaign -- tagged "fbf543" -- pushed over 100 unique malware samples spanning 24 distinct families in just 10 days (March 1-10, 2026). The C2 panel at sys32[.]cc hides behind Cloudflare, but the real backend lives at 158.94.211.222 on a domain called labinstalls[.]info -- a name so on-the-nose it might as well be a business card. The operator controls infrastructure across three bulletproof hosting providers (Omegatech in the Seychelles, 1337 Services in Germany, Podaon SIA in Latvia), uses Inno Setup wrappers with DLL sideloading for initial execution, and serves everything from Vidar and LummaStealer to QuasarRAT, ConnectWise ScreenConnect, and even a Mirai sample -- because apparently even IoT botnets need a Windows distribution channel. The operator's OPSEC is a contradiction: Cloudflare proxying and multi-provider compartmentalization on one hand, a self-naming domain and predictable URL patterns on the other.
One Sample, One Hundred Problems
This investigation began the way most good investigations do: with a single indicator that refused to stay simple.
On March 9, 2026, Bitsight submitted an Amadey loader sample to MalwareBazaar -- a 2.7MB Delphi PE wrapped in an Inno Setup installer, delivered from qpgroup[.]top. Amadey is a well-documented loader botnet, active since at least 2018, and most threat intel teams would tag it and move on. Commodity malware. Known family. Next ticket.
But when you pull the campaign tag -- fbf543 -- the picture changes dramatically. That single sample connects to a network of 100+ uploads spanning 24 different malware families, all pushed through the same C2 infrastructure in a 10-day window. This is not a lone operator running a stealer campaign. This is a pay-per-install service -- a malware distribution marketplace where different criminal customers pay for installs and the Amadey operator handles delivery.
The prior public reporting consisted of exactly one tagged sample and a generic "Amadey, dropped-by-amadey" label. What follows is the full infrastructure, the customer list, and the business model laid bare.
What Was Found vs. What Was Known
| Aspect | Prior Reporting | Our Findings |
|---|---|---|
| Campaign scope | Single sample (Bitsight) | 100+ samples, 24 malware families |
| C2 infrastructure | sys32[.]cc domain | Full backend: labinstalls[.]info (158.94.211.222) |
| Hosting provider | Unknown | Omegatech BPH (Seychelles, 15x /24 blocks) |
| Payloads | "Amadey, dropped-by-amadey" | 24 distinct families catalogued with delivery URLs |
| QuasarRAT link | Tagged only | Full C2 config: 45.88.186.189:4782 (1337 Services) |
| PPI model | Not documented | Confirmed by labinstalls.info naming + payload diversity |
| Delivery URLs | 1 known | 7+ delivery URLs across 3 servers |
The gap between what was publicly known and what was actually happening is significant. A single-sample view of this campaign misses the entire business model. It is the difference between seeing one delivery truck and mapping the warehouse, the fleet, and the customer list.
The Amadey Loader: Delphi, Inno Setup, and a Forged Timestamp from 2010
The primary sample is a textbook Amadey delivery package, but the construction details matter for detection engineering.
| Attribute | Value |
|---|---|
| SHA-256 | 8be7f594f8773283f61d37ce24b74985e5569d9c1396c07848e1469a81cd3f5f |
| MD5 | 99a8d3cbe6f6c2c9ab6f420e6933defc |
| SHA-1 | 1bab43dd447d6097352985652758f560313433eb |
| Imphash | ac4ded70f85ef621e5f8917b250855be |
| File Size | 2,740,927 bytes |
| Compiler | Embarcadero Delphi for Win32 v36.0 |
| Packer | Inno Setup 6.6.0 |
| PE Timestamp | 2010-11-30 07:36:54 UTC (FORGED) |
| First Seen | 2026-03-09 15:43:14 UTC |
The compilation timestamp is a dead giveaway. A binary compiled in November 2010 using Embarcadero Delphi v36.0 -- a compiler version that did not exist until years later -- is not a historical artifact. It is an operator who knows that some sandbox systems use PE timestamps for triage prioritization and deliberately sets them to look stale. A minor evasion, but it tells you the operator is thinking about the analysis pipeline.
PE Internals
The section table is unremarkable by design -- nothing screams "malware" at first glance:
| Section | Virtual Size | Raw Size | Entropy | Notes |
|---|---|---|---|---|
| .text | 0xAD6F8 | 0xAD800 | 6.39 | Main code |
| .itext | 0x17F0 | 0x1800 | 6.22 | Initialization |
| .data | 0x3F3C | 0x4000 | 5.18 | Runtime data |
| .rsrc | 0x9BB0 | 0x9C00 | 5.63 | Resources, manifest, DLL refs |
| .reloc | 0x11440 | 0x11600 | 6.71 | Relocations |
Entropy values between 5.18 and 6.71 across all sections -- high enough to indicate compiled code, low enough to avoid tripping the "this is packed/encrypted" heuristics that most static analysis tools use as a first pass. The real payload is not in these sections at all. It sits in the Inno Setup overlay starting at offset 0xCFE00 -- a 1.89MB blob in zlb LZMA format that contains the actual Amadey bot. The Inno Setup installer extracts and executes it, using version.dll sideloading via an application manifest with a loadFrom directive.
DLL sideloading through version.dll is not new, but it remains effective because the DLL is loaded before most security hooks can intercept it. The application manifest references seven DLLs total: version.dll, winhttp.dll, netapi32.dll, netutils.dll, mpr.dll, comctl32.dll, and textshaping.dll. Whether all of these are actively sideloaded or are simply present as noise to complicate analysis is an open question, but version.dll is the confirmed execution vector.
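Two of the traits described above, a link timestamp that predates its own compiler and a payload hidden in an overlay past the last section, can be checked without a sandbox. The following is an added example, not code from the report or from the sample: it walks a PE header by hand, computes per-section entropy, derives the overlay offset as the end of the last section's raw data, and rejects a timestamp earlier than the compiler's first release. The PE bytes come from a constructed toy builder (build_sample), the "zlb" marker check and the Delphi v36.0 floor date (DELPHI_36_FLOOR) are assumptions, and neither the real sample nor its 0xCFE00 overlay offset is reproduced.

```python
"""Static triage of a PE file for two traits of the fbf543 Amadey loader:
a link timestamp that predates its compiler, and an Inno Setup overlay
appended after the last section. Constructed example, not the real sample."""
import hashlib
import math
import struct
from datetime import datetime, timezone

# Assumed floor for Delphi v36.0 builds; used only as the plausibility bound.
DELPHI_36_FLOOR = datetime(2023, 1, 1, tzinfo=timezone.utc)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, approaching 8.0 for random data."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(data: bytes) -> dict:
    """Walk DOS header -> COFF header -> section table; report what triage needs."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsec, ts, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    table = coff + 20 + opt_size
    sections, end_of_sections = [], 0
    for i in range(nsec):
        # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        name, vsize, _, rsize, rptr = struct.unpack_from("<8sIIII", data, table + i * 40)
        raw = data[rptr:rptr + rsize]
        sections.append({"name": name.rstrip(b"\0").decode(), "virtual_size": vsize,
                         "raw_size": rsize, "entropy": round(shannon_entropy(raw), 2)})
        end_of_sections = max(end_of_sections, rptr + rsize)
    overlay = data[end_of_sections:]  # anything past the last mapped section
    return {
        "timestamp": datetime.fromtimestamp(ts, tz=timezone.utc),
        "sections": sections,
        "overlay_offset": end_of_sections if overlay else None,
        "overlay_size": len(overlay),
        # Assumption: the report calls the overlay "zlb LZMA"; we only look for
        # the ASCII bytes "zlb" at the overlay start, not a full Inno Setup parse.
        "overlay_looks_inno": overlay.startswith(b"zlb"),
    }


def timestamp_is_plausible(ts: datetime, compiler_floor: datetime) -> bool:
    """A link time earlier than the compiler's first release cannot be genuine."""
    return ts >= compiler_floor


def _filler(n: int, seed: bytes) -> bytes:
    """Deterministic high-entropy bytes (chained SHA-256); stands in for code."""
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


def build_sample() -> bytes:
    """Constructed toy PE: code-like .text, zeroed .data, forged 2010 stamp, overlay."""
    forged = int(datetime(2010, 11, 30, 7, 36, 54, tzinfo=timezone.utc).timestamp())
    opt_size = 0xE0  # PE32 optional header size; its contents are irrelevant here
    layout = [(b".text", 0x400, 0x200), (b".data", 0x200, 0x600)]  # name, raw size, raw ptr
    hdr = bytearray(0x200)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)            # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x14C, len(layout), forged, 0, 0, opt_size, 0x0102)
    struct.pack_into("<H", hdr, 0x58, 0x10B)            # optional header magic (PE32)
    table = 0x58 + opt_size
    body = b""
    for i, (name, rsize, rptr) in enumerate(layout):
        struct.pack_into("<8sIIII", hdr, table + i * 40, name, rsize, 0x1000 * (i + 1), rsize, rptr)
        body += _filler(rsize, name) if name == b".text" else bytes(rsize)
    overlay = b"zlb\x1a" + _filler(0x100, b"overlay")  # constructed stand-in for the Inno blob
    return bytes(hdr) + body + overlay


if __name__ == "__main__":
    info = parse_pe(build_sample())
    print("timestamp:", info["timestamp"], "plausible:",
          timestamp_is_plausible(info["timestamp"], DELPHI_36_FLOOR))
    for s in info["sections"]:
        print(f"  {s['name']:<6} raw=0x{s['raw_size']:X} entropy={s['entropy']}")
    print("overlay at", hex(info["overlay_offset"]), "size", info["overlay_size"],
          "inno-like:", info["overlay_looks_inno"])
```

On a real file, `parse_pe(open(path, "rb").read())` returns the same dictionary; a multi-megabyte overlay sitting behind a modest section table with mid-range entropy is exactly the shape the report describes, and it is invisible to tooling that only scores the sections.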
Attack Chain
```text
INITIAL ACCESS
  qpgroup[.]top/uploads/Coral_Setup.exe            (Omegatech BPH)
          |
          v
EXECUTION
  Inno Setup 6.6.0 extracts the Delphi PE
  version.dll sideloading via the application manifest
          |
          v
C2
  sys32[.]cc/Mir8s4ZZZru/index.php                 (Cloudflare proxy)
          |
          v
  labinstalls[.]info = 158.94.211.222              (Omegatech BPH, real backend)
  /files/{id}/{random}.exe
          |
          v
PAYLOADS (samples)
  Vidar Stealer (29)      ConnectWise ScreenConnect (5)   SantaStealer (5)
  QuasarRAT (4)           XWorm (4)                       SalatStealer (4)
  CoinMiner (3)           SmokeLoader (2)                 RustyStealer (2)
  NirCmd (2)              LummaStealer (1)                AsyncRAT (1)
  DarkVisionRAT (1)       RemcosRAT (1)                   Stealc (1)
  HijackLoader (1)        AgentTesla (1)                  VenomStealer (1)
  Mirai (1)               GCleaner (1)                    Fuery (1)
  OffLoader (1)           + Amadey itself (2)
```
The delivery URL pattern from the backend is consistent and predictable:
```text
http://158.94.211.222/files/{campaign_id}/{random_name}.exe
```
Known campaign IDs observed:
- 7942715918
- 825476364
- 8538310255
- 7782139129
- 7093422244
Each numeric campaign ID likely corresponds to a different PPI customer or a different payload batch. The random filename component changes per delivery but the structure is invariant -- a detail that makes network-level detection straightforward.
The PPI Business Model: "labinstalls.info" Says It All
Pay-per-install is one of the oldest monetization models in cybercrime. The concept is simple: an operator runs a botnet that installs software on compromised machines, and customers pay per successful installation. Legitimate software companies used PPI networks in the mid-2000s for toolbar distribution before the model was entirely co-opted by criminals.
The evidence for PPI in this campaign is not circumstantial. It is structural.
Evidence 1: The domain name. The real C2 backend runs on labinstalls[.]info. "Lab installs" is not a randomly generated domain. It is a self-describing label for an installation service. This is the operator naming their own product.
Evidence 2: Payload diversity that defies single-operator logic. Twenty-four malware families from at least a dozen different development ecosystems:
- Delphi: Amadey itself
- .NET: QuasarRAT, XWorm, AsyncRAT, SantaStealer, SalatStealer, AgentTesla, VenomStealer
- C/C++: Vidar, Stealc, LummaStealer, SmokeLoader, DarkVisionRAT, RemcosRAT
- Rust: RustyStealer
- C (Linux-origin): Mirai
- Legitimate software: ConnectWise ScreenConnect, NirCmd
No single threat actor develops in Delphi, .NET, C++, and Rust simultaneously while also deploying legitimate RMM tools. These are different customers submitting different payloads to the same distribution network.
Evidence 3: Volume and velocity. One hundred samples in 10 days is approximately 10 new payloads per day. That throughput matches automated payload rotation -- a PPI panel accepting uploads from multiple customers and queuing them for distribution to the bot fleet.
Evidence 4: GCleaner. One of the 24 families is GCleaner, which is itself a known PPI loader. PPI operators frequently cross-install each other's loaders to maximize revenue per compromised host. The presence of GCleaner is a neon sign that this is an installation marketplace, not a targeted operation.
Evidence 5: Campaign IDs. Five distinct numeric campaign IDs in the delivery URL paths suggest customer segmentation -- different IDs for different buyers tracking their install counts.
Evidence 6: ConnectWise ScreenConnect. Five MSI installers for a legitimate remote monitoring and management tool. No malware developer ships ScreenConnect as a payload. This is a customer -- likely a different threat actor running an access brokerage -- who purchased installs to deploy persistent remote access on victim machines through a legitimate tool that will not trigger AV detections.
Infrastructure Analysis: Three Providers, One Architecture
The operator distributes infrastructure across three bulletproof hosting providers, creating compartmentalization that would survive the takedown of any single provider.
Network Infrastructure
| IP | ASN / Provider | Open Ports | Hostname / Domain | Purpose | Status |
|---|---|---|---|---|---|
| 178.16.54.88 | Omegatech (AS202412) | 80, 3389 | qpgroup[.]top | Sample delivery | LIVE |
| 158.94.211.222 | Omegatech (AS202412) | 22, 80, 443, 3389 | labinstalls[.]info | C2 panel + payload hosting | LIVE |
| 104.21.79.224 | Cloudflare | 80, 443 | sys32[.]cc | C2 proxy | LIVE |
| 172.67.149.40 | Cloudflare | 80, 443 | sys32[.]cc | C2 proxy | LIVE |
| 45.88.186.189 | 1337 Services GmbH | 3389, 5985 | -- | QuasarRAT C2 | LIVE |
| 80.89.238.200 | Podaon SIA | 22, 8443 | blockchainresearchnetwork[.]org + 24 others | Vidar delivery | LIVE |
| 45.131.182.242 | Podaon SIA | -- | -- | Vidar delivery | UNKNOWN |
Port 3389 (RDP) is open on both the delivery server and the C2 backend. This is the operator's management channel -- they RDP into their servers to administrate the panel. The presence of WinRM (port 5985) on the QuasarRAT C2 suggests a Windows server managed via PowerShell remoting, consistent with QuasarRAT's .NET architecture requiring a Windows host.
Domain Infrastructure
| Domain | Registrar | Created | NS Pair | Purpose |
|---|---|---|---|---|
| sys32[.]cc | NameSilo | 2026-02-06 | reza/isaac.ns.cloudflare.com | Amadey C2 panel |
| qpgroup[.]top | Nicenic (HK) | 2025-07-02 | jerry/jessica.ns.cloudflare.com | Sample delivery |
| labinstalls[.]info | Unknown | ~2025-10 (first cert) | romina/vern.ns.cloudflare.com | PPI backend panel |
A critical detail: all three domains use different Cloudflare nameserver pairs. Cloudflare assigns NS pairs per account, which means these three domains are registered under three separate Cloudflare accounts. This could represent operational compartmentalization -- if one domain's Cloudflare account is terminated for abuse, the others survive. Alternatively, it could indicate different operators (the PPI service owner vs. customers who registered their own delivery domains), but the shared Omegatech hosting makes a single operator more likely.
The domain timeline tells a story of gradual infrastructure buildout:
- July 2025: qpgroup[.]top registered via a Hong Kong registrar (Nicenic). This is the delivery domain, and at 8 months old it is the longest-running component of the front-facing infrastructure.
- October 2025: labinstalls[.]info first appears in certificate transparency logs. This is the backend -- the actual PPI panel. It predates the current campaign by 5 months, suggesting the service was running well before the fbf543 burst.
- February 2026: sys32[.]cc registered via NameSilo, just one month before the campaign spike. This is the C2 domain that Amadey bots check in to -- the most expendable component, likely rotated periodically.
Certificate Analysis
The certificate history reveals operational patterns:
labinstalls[.]info has the longest and most consistent certificate history -- regular rotations in October, November, December 2025, and February and March 2026. This is the persistent infrastructure, the backbone that outlives any individual campaign domain. The regular cert rotations suggest automated renewal, which in turn suggests the operator has standing infrastructure rather than spinning up servers per campaign.
sys32[.]cc has a wildcard cert from both Let's Encrypt and Google Trust Services, issued the same day as the WHOIS creation date (February 6, 2026). A one-month-old domain serving as a C2 panel -- disposable by design.
qpgroup[.]top shows certificates from three different issuers (Let's Encrypt, Sectigo, Google Trust Services) since November 2025, plus a discovered subdomain: numlookup.qpgroup[.]top. That subdomain hints at additional services running on the delivery infrastructure -- possibly a phone number lookup service, which would be consistent with the kind of ancillary fraud tools a cybercriminal operation might host alongside their malware delivery.
The Bulletproof Hosting Hierarchy
```text
OMEGATECH LTD (Seychelles)
  omegatechsc-mnt | AS202412
  ~3,840 IPs across 15x /24 prefixes
  Primary ranges:
    146.19.125.0/24
    45.132.180.0/24
    158.94.208.0/24 - 158.94.211.0/24   <-- C2 + payload hosting
    178.16.52.0/24 - 178.16.55.0/24     <-- delivery servers
    91.92.240.0/24 - 91.92.243.0/24

1337 SERVICES GmbH (Hamburg, DE)
  PREFIXBROKER-MNT
  45.88.186.0/24                        <-- QuasarRAT C2
  + consumer VPN blocks worldwide

PODAON SIA (Riga, LV)
  lir-lv-podaon-1-MNT
  80.89.238.125-255                     <-- Vidar delivery
  45.131.182.0/24                       <-- Vidar delivery
```
Omegatech LTD is registered in the Seychelles -- a jurisdiction that does not cooperate with most Western law enforcement requests. They control approximately 3,840 IP addresses across 15 /24 CIDR blocks under AS202412. Both the C2 backend and the primary delivery server sit on Omegatech ranges. For network defenders, the entire Omegatech address space is worth blocking: legitimate traffic to Seychelles-registered bulletproof hosts with no web presence approaches zero.
1337 Services GmbH operates out of Hamburg, Germany under the PREFIXBROKER-MNT maintainer. Despite the German registration, the "prefix broker" label in their RIPE maintainer object suggests they resell IP space -- a common model for hosting providers that cater to customers who have been kicked off legitimate providers. The QuasarRAT C2 at 45.88.186.189 sits on their network.
Podaon SIA operates from Riga, Latvia and hosts the Vidar stealer delivery infrastructure. The 80.89.238.200 IP that serves Vidar payloads also has 24 other domains pointed at it, including blockchainresearchnetwork[.]org -- a domain name designed to look legitimate for infrastructure that is anything but.
The Customer List: 24 Families, Ranked
The payload diversity is the most telling aspect of this campaign. Here is the complete manifest of what the fbf543 PPI service delivered in 10 days:
| Family | Samples | Type | Notable Details |
|---|---|---|---|
| Vidar | 29 | Information Stealer | Dominant payload. Delivered from Podaon SIA infrastructure |
| ConnectWise ScreenConnect | 5 | RMM Tool (Abused) | MSI installers for unauthorized remote access |
| SantaStealer | 5 | Information Stealer | .NET-based |
| QuasarRAT | 4 | Remote Access Trojan | C2: 45.88.186.189:4782 on 1337 Services BPH |
| XWorm | 4 | Remote Access Trojan | .NET-based RAT |
| SalatStealer | 4 | Information Stealer | -- |
| CoinMiner | 3 | Cryptominer | At least one sample code-signed |
| Amadey | 2 | Loader | The loader itself, likely self-propagation |
| NirCmd | 2 | Utility (Abused) | NirSoft utility repurposed for credential dumping |
| RustyStealer | 2 | Information Stealer | Rust-based |
| SmokeLoader | 2 | Loader/Backdoor | Secondary loader -- PPI inception |
| AsyncRAT | 1 | Remote Access Trojan | -- |
| DarkVisionRAT | 1 | Remote Access Trojan | -- |
| RemcosRAT | 1 | Remote Access Trojan | -- |
| Stealc | 1 | Information Stealer | -- |
| HijackLoader | 1 | Loader | -- |
| AgentTesla | 1 | Information Stealer | -- |
| Mirai | 1 | IoT Botnet | Windows delivery of a Linux IoT botnet -- unusual |
| LummaStealer | 1 | Information Stealer | -- |
| VenomStealer | 1 | Information Stealer | -- |
| GCleaner | 1 | PPI Loader | Known PPI service -- cross-installation |
| Fuery | 1 | Unknown | -- |
| OffLoader | 1 | Loader | -- |
The distribution pattern reveals the PPI customer base. Information stealers dominate (Vidar alone accounts for 29 of 100+ samples), which makes economic sense: stolen credentials have immediate monetization paths through underground markets, making stealer operators the most reliable PPI customers. The RAT cluster (QuasarRAT, XWorm, AsyncRAT, DarkVisionRAT, RemcosRAT) represents customers who want persistent access rather than smash-and-grab credential theft -- likely operators running access brokerages or targeted intrusion campaigns. And then there are the outliers.
The Outliers Worth Noting
ConnectWise ScreenConnect (5 samples): This is a legitimate enterprise RMM tool being deployed through a criminal PPI service. The customer purchasing these installs wants persistent, stealthy remote access that will not trigger antivirus alerts -- because the software itself is signed, legitimate, and widely used by IT departments. This is a tactic increasingly favored by ransomware affiliates and initial access brokers who sell RDP/RMM access on criminal forums.
Mirai (1 sample): A Linux IoT botnet delivered through a Windows PPI service is genuinely unusual. Mirai traditionally propagates through Telnet brute-forcing against embedded devices. The most likely explanation is that the Mirai operator is using Windows machines as a staging platform -- the Amadey-delivered binary either scans for IoT devices on the local network or uses the Windows host as a proxy for further Mirai propagation. Alternatively, this could be a Mirai variant that targets Windows, though those are rare.
GCleaner (1 sample): PPI operators installing other PPI loaders is a well-documented phenomenon in the underground economy. The fbf543 operator gets paid to install GCleaner, and GCleaner's operator gets paid to install whatever their customers want. It is affiliate marketing for malware -- turtles all the way down.
NirCmd (2 samples): NirSoft's NirCmd is a legitimate command-line utility for Windows automation. In the context of a PPI campaign, it is being deployed as a credential dumping tool -- NirSoft's suite includes utilities that can extract stored passwords from browsers and email clients without triggering the behavioral detections that tools like Mimikatz would.
C2 Communication: The Amadey Panel
Amadey's C2 protocol is well-documented but the specific configuration for this campaign is worth detailing for detection purposes.
The C2 URL is:
```text
http://sys32[.]cc/Mir8s4ZZZru/index.php
```
Communication uses HTTP POST with form-urlencoded parameters. The campaign directory (Mir8s4ZZZru) serves as an identifier -- different Amadey deployments use different directory names, and the panel can host multiple campaigns simultaneously.
The C2 domain resolves to Cloudflare IPs (104.21.79.224 and 172.67.149.40), which means standard IP-based blocking of the C2 is ineffective -- you would be blocking Cloudflare. Domain-based blocking (DNS sinkhole or proxy rules) is required. However, the payload delivery bypasses Cloudflare entirely, hitting the backend directly:
```text
http://158.94.211.222/files/{campaign_id}/{random_name}.exe
```
This is the operator's key architectural weakness. The C2 check-in is protected by Cloudflare's proxy, but the actual payload delivery uses a raw IP address. Any network monitor watching for HTTP requests to 158.94.211.222 will catch every payload download, regardless of what happens to the C2 domain.
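The two URL shapes described here and under the delivery-URL pattern earlier (the /files/{campaign_id}/{random_name}.exe download from the raw backend IP, and the POST to /Mir8s4ZZZru/index.php on the C2 host) translate directly into a log check. Below is an added example, not code from the report: it classifies constructed proxy-log lines, rates a delivery hit higher when the destination falls inside the Omegatech /22s used by the report's Suricata rule, flags check-ins by host or campaign directory, and surfaces campaign IDs that are absent from the report's known list. The log format (time, client, method, host, destination IP, URI, status), the confidence labels, and the non-BPH example hosts are assumptions.

```python
"""Proxy-log detection for the fbf543 network patterns: payload downloads
from the raw backend (/files/{id}/{name}.exe) and Amadey check-ins
(POST to /<campaign dir>/index.php on the C2 host). Constructed log lines."""
import ipaddress
import re
from typing import Optional

# Ranges, campaign IDs and names are taken from the report itself.
BPH_RANGES = [ipaddress.ip_network(n) for n in ("158.94.208.0/22", "178.16.52.0/22")]
KNOWN_CAMPAIGN_IDS = {"7942715918", "825476364", "8538310255", "7782139129", "7093422244"}
C2_HOST = "sys32.cc"
C2_DIR = "Mir8s4ZZZru"

DELIVERY_RE = re.compile(r"^/files/(?P<campaign>\d{7,12})/(?P<name>[A-Za-z0-9_]{1,40})\.exe$")
PANEL_RE = re.compile(r"^/(?P<dir>[A-Za-z0-9]{6,20})/index\.php$")

# Constructed log: time client method host dst_ip uri status (space separated).
# Non-BPH hosts and client addresses are placeholders.
SAMPLE_LOG = """\
2026-03-09T15:44:01Z 10.0.0.7 GET 158.94.211.222 158.94.211.222 /files/7942715918/kd9Ab3s.exe 200
2026-03-09T15:44:09Z 10.0.0.7 POST sys32.cc 104.21.79.224 /Mir8s4ZZZru/index.php 200
2026-03-09T15:45:30Z 10.0.0.8 GET docs.example.net 198.51.100.20 /files/2024/report.pdf 200
2026-03-09T15:46:02Z 10.0.0.9 GET 158.94.211.222 158.94.211.222 /files/1234567890/upd.exe 200
2026-03-09T15:47:11Z 10.0.0.9 GET dl.example.net 203.0.113.5 /files/7942715918/info.exe 404
2026-03-09T15:48:40Z 10.0.0.9 GET 178.16.54.88 178.16.54.88 /uploads/Coral_Setup.exe 200
"""


def classify(line: str) -> Optional[dict]:
    """Return an alert dict for a matching line, or None for benign traffic."""
    ts, client, method, host, dst_ip, uri, _status = line.split()
    dst = ipaddress.ip_address(dst_ip)
    in_bph = any(dst in net for net in BPH_RANGES)
    base = {"time": ts, "client": client, "dst": dst_ip, "uri": uri}

    m = DELIVERY_RE.match(uri)
    if m:
        cid = m.group("campaign")
        # Pattern plus a BPH destination is high confidence; the pattern alone is
        # still worth a look because the path structure is this operator's invariant.
        return {**base, "rule": "amadey_ppi_delivery",
                "confidence": "high" if in_bph else "medium",
                "campaign_id": cid, "known_campaign": cid in KNOWN_CAMPAIGN_IDS}

    p = PANEL_RE.match(uri)
    if p and method == "POST" and (host == C2_HOST or p.group("dir") == C2_DIR):
        # The C2 sits behind Cloudflare, so the host header and the campaign
        # directory carry the signal, not the destination IP.
        return {**base, "rule": "amadey_c2_checkin", "confidence": "high"}

    if in_bph and uri.lower().endswith(".exe"):
        return {**base, "rule": "bph_exe_download", "confidence": "medium"}
    return None


def scan(log: str) -> list:
    """Run classify() over every non-empty log line and keep the hits."""
    return [a for a in (classify(l) for l in log.splitlines() if l.strip()) if a]


def new_campaign_ids(alerts: list) -> set:
    """Campaign IDs seen in delivery URLs that the report did not list."""
    return {a["campaign_id"] for a in alerts
            if a["rule"] == "amadey_ppi_delivery" and not a["known_campaign"]}


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for a in hits:
        print(a["time"], a["client"], a["rule"], a["confidence"], a["uri"])
    print("unlisted campaign IDs:", new_campaign_ids(hits))
```

The benign line (/files/2024/report.pdf) shows why the digit count and the .exe suffix matter: "/files/" on its own appears in ordinary web traffic, and a rule keyed on that substring alone would be noisy.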
Operational Security: The Contradictions
This operator demonstrates a split OPSEC posture that is common in mid-tier cybercrime operations -- sophisticated enough to know what best practices look like, but not disciplined enough to follow them consistently.
What They Got Right
- Cloudflare proxying on the C2 domain hides the real backend IP from casual reconnaissance
- Three BPH providers for infrastructure compartmentalization -- no single takedown kills the operation
- Separate Cloudflare accounts for each domain prevent account-level takedowns from cascading
- Forged PE timestamp (2010) to confuse automated triage systems
- Inno Setup wrapper adds a layer of legitimacy to the initial execution
What They Got Catastrophically Wrong
- labinstalls[.]info: The operator named their own service. This domain appears in TLS certificates indexed by certificate transparency logs and in Shodan scan results. Anyone searching for PPI infrastructure now has a keyword.
- Predictable delivery URL pattern: Every payload follows the exact same format -- /files/{numeric_id}/{random_name}.exe. A single Suricata rule catches every delivery:

  ```suricata
  alert http $HOME_NET any -> $EXTERNAL_NET any (
      msg:"Amadey PPI payload delivery pattern";
      flow:to_server,established;
      content:"/files/"; http_uri;
      pcre:"/\/files\/\d{7,12}\/[a-zA-Z0-9]+\.exe/U";
      reference:url,bazaar.abuse.ch/sample/8be7f594f8773283f61d37ce24b74985e5569d9c1396c07848e1469a81cd3f5f;
      sid:2026031001; rev:1;
  )
  ```

- Same BPH for delivery and C2: Both qpgroup[.]top (delivery) and labinstalls[.]info (C2 backend) sit on Omegatech ranges. Compartmentalizing across providers only works if you actually use different providers for different functions.
- Raw IP addresses in payload URLs: The delivery mechanism uses 158.94.211.222 directly rather than a domain. This means no DNS-layer resilience -- the operator cannot rotate the backend by updating a DNS record. If the IP is blocked or seized, the payload delivery chain breaks.
- RDP open on C2 servers: Port 3389 on both the delivery server and the C2 backend. This is the operator's management access, and it is exposed to the entire internet. Any scanner -- Shodan, Censys, or an enterprising researcher -- can fingerprint these as Windows servers with RDP, correlate the Omegatech ASN, and start mapping the operator's login patterns.
Threat Actor Profile
Attribution confidence: LOW-MEDIUM
Model: Pay-Per-Install service operator
Motivation: Financial (service fees from PPI customers)
Likely region: Eastern European / CIS. This assessment is based on:
- Bulletproof hosting providers commonly associated with CIS-linked operations (Omegatech, Podaon SIA)
- Delphi as the development language for Amadey -- Delphi has a disproportionately strong tradition in Russian-speaking malware development
- The Amadey botnet ecosystem has historically been tied to Russian-language underground forums
- Infrastructure in jurisdictions with limited Western law enforcement cooperation (Seychelles, Latvia)
None of these are individually conclusive, but together they point to a CIS-region operator running a commercial PPI service. The scale (100+ samples, 24 families, 10 days) and the infrastructure investment (3 BPH providers, Cloudflare accounts, dedicated delivery servers) indicate this is not a hobbyist. This is a business.
MITRE ATT&CK Mapping
| Tactic | Technique | ID | Application in This Campaign |
|---|---|---|---|
| Initial Access | Drive-by Compromise | T1189 | Victim downloads Coral_Setup.exe from qpgroup[.]top |
| Execution | User Execution: Malicious File | T1204.002 | Victim runs fake installer |
| Execution | PowerShell | T1059.001 | Post-infection PowerShell execution |
| Persistence | DLL Side-Loading | T1574.002 | version.dll sideloading via application manifest |
| Persistence | Scheduled Task/Job | T1053.005 | QuasarRAT persistence mechanism |
| Defense Evasion | Masquerading: Invalid Code Signature | T1036.001 | Forged PE timestamp, Inno Setup wrapper |
| Defense Evasion | System Binary Proxy Execution | T1218 | Inno Setup as execution proxy |
| Defense Evasion | Deobfuscate/Decode Files | T1140 | Encrypted payload within Inno Setup overlay |
| Discovery | System Information Discovery | T1082 | OS, architecture, hostname collection |
| Discovery | System Language Discovery | T1614.001 | Language check (possible CIS exclusion) |
| Discovery | Software Discovery | T1518 | Installed software enumeration |
| Command and Control | Application Layer Protocol: Web | T1071.001 | HTTP POST to Amadey PHP panel |
| Command and Control | Remote Access Software | T1219 | ConnectWise ScreenConnect deployment |
| Credential Access | Credentials from Password Stores | T1555 | Vidar, LummaStealer, Stealc credential harvesting |
| Impact | Resource Hijacking | T1496 | CoinMiner deployment for cryptojacking |
Indicators of Compromise
File Indicators
```text
# Amadey Loader (Primary Sample)
SHA256:  8be7f594f8773283f61d37ce24b74985e5569d9c1396c07848e1469a81cd3f5f
MD5:     99a8d3cbe6f6c2c9ab6f420e6933defc
SHA1:    1bab43dd447d6097352985652758f560313433eb
Imphash: ac4ded70f85ef621e5f8917b250855be

# QuasarRAT
SHA256:  3b46e6a3843acbce890fa4fb3525ad232617f65e1d758a1a54c9c38ce78ddcfb
Imphash: f34d5f2d4577ed6d9ceec516c1f5a744

# LummaStealer
SHA256:  b94921bb31f3dafcd7b786b83da8916746d1e31c6ec7c7e66ff07291cb46d080
Imphash: 1aae8bf580c846f39c71c05898e57e88
```
Network Indicators (Defanged)
```text
# Amadey C2
sys32[.]cc
hxxp://sys32[.]cc/Mir8s4ZZZru/index.php
158[.]94[.]211[.]222 (labinstalls[.]info -- real C2 backend)
labinstalls[.]info

# Delivery Infrastructure
qpgroup[.]top
hxxps://qpgroup[.]top/uploads/Coral_Setup.exe
178[.]16[.]54[.]88

# QuasarRAT C2
45[.]88[.]186[.]189:4782

# Vidar Delivery
80[.]89[.]238[.]200
45[.]131[.]182[.]242
```
Network Blocks (Omegatech BPH -- Block Entire Ranges)
```text
146.19.125.0/24
45.132.180.0/24
158.94.208.0/24
158.94.209.0/24
158.94.210.0/24
158.94.211.0/24
178.16.52.0/24
178.16.53.0/24
178.16.54.0/24
178.16.55.0/24
91.92.240.0/24
91.92.241.0/24
91.92.242.0/24
91.92.243.0/24
```
Behavioral Indicators
```text
# Execution artifacts
Inno Setup installer wrapping Delphi PE with version.dll sideloading
HTTP POST to /[random_string]/index.php (Amadey panel pattern)
Payload downloads from /files/{numeric_id}/{random_name}.exe

# Network signatures
TCP connections to port 4782 (QuasarRAT default)
HTTP requests to Omegatech IP ranges with .exe in URI path

# Amadey C2 campaign identifiers
Campaign directory: Mir8s4ZZZru
Campaign IDs: 7942715918, 825476364, 8538310255, 7782139129, 7093422244
```
Detection Opportunities
Suricata / Snort
```suricata
# Amadey payload delivery (raw IP pattern)
alert http $HOME_NET any -> [158.94.208.0/22,178.16.52.0/22] any (
    msg:"BREAKGLASS Amadey PPI payload delivery - Omegatech BPH";
    flow:to_server,established;
    content:"/files/"; http_uri;
    content:".exe"; http_uri;
    sid:2026031002; rev:1;
)

# Amadey C2 check-in
alert http $HOME_NET any -> any any (
    msg:"BREAKGLASS Amadey C2 check-in - sys32.cc";
    flow:to_server,established;
    content:"sys32.cc"; http_host;
    content:"/Mir8s4ZZZru/"; http_uri;
    sid:2026031003; rev:1;
)

# QuasarRAT C2 communication
alert tcp $HOME_NET any -> 45.88.186.189 4782 (
    msg:"BREAKGLASS QuasarRAT C2 - 1337 Services BPH";
    flow:to_server,established;
    sid:2026031004; rev:1;
)
```
YARA
```yara
rule Amadey_fbf543_InnoSetup_Loader {
    meta:
        description = "Amadey v5.x loader from fbf543 PPI campaign"
        author = "Breakglass Intelligence"
        date = "2026-03-10"
        reference = "https://intel.breakglass.tech"
        tlp = "WHITE"
        hash = "8be7f594f8773283f61d37ce24b74985e5569d9c1396c07848e1469a81cd3f5f"
    strings:
        $inno = "Inno Setup" ascii
        $delphi = "Embarcadero" ascii wide
        $sideload = "version.dll" ascii wide
        $c2_path = "/Mir8s4ZZZru/" ascii wide
        $c2_domain = "sys32" ascii wide
        $ppi_domain = "labinstalls" ascii wide
    condition:
        uint16(0) == 0x5A4D and
        filesize > 2MB and filesize < 4MB and
        $inno and $delphi and
        ($sideload or $c2_path or $c2_domain or $ppi_domain)
}

rule Amadey_PPI_Delivery_URL_Pattern {
    meta:
        description = "Amadey PPI backend delivery URL pattern"
        author = "Breakglass Intelligence"
        date = "2026-03-10"
    strings:
        $url_pattern = /\/files\/\d{7,12}\/[a-zA-Z0-9_]{4,20}\.exe/ ascii wide
        $ip_backend = "158.94.211.222" ascii wide
        $domain_backend = "labinstalls" ascii wide
    condition:
        $url_pattern and ($ip_backend or $domain_backend)
}
```
Endpoint Detection (Sysmon / EDR Queries)
```text
# Hunt for version.dll sideloading from Inno Setup temp directories
process_name:* AND
loaded_dll:"version.dll" AND
dll_path:("*\\Temp\\is-*" OR "*\\AppData\\Local\\Temp\\*") AND
NOT dll_path:"C:\\Windows\\System32\\version.dll"

# Hunt for Amadey-style HTTP beaconing
dns_query:"sys32.cc" OR
http_url:"*/Mir8s4ZZZru/*" OR
dst_ip:(158.94.211.222 OR 178.16.54.88 OR 45.88.186.189)

# Unauthorized ConnectWise ScreenConnect (not deployed by IT)
process_name:"ScreenConnect.ClientService.exe" AND
NOT installer_source:("your_approved_connectwise_source")
```
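The pseudo-queries above map directly onto Sysmon telemetry. The following is an added example, not code from the report: it runs the sideloading hunt and the ScreenConnect hunt over constructed Sysmon-style Event ID 7 (ImageLoad) and Event ID 1 (ProcessCreate) records, flagging version.dll resolved from an Inno Setup is-*.tmp directory (high) or any other Temp path (medium) rather than System32, and a ScreenConnect client service whose install directory is not the sanctioned one. The approved-directory set (APPROVED_SCREENCONNECT_DIRS) is a placeholder standing in for the page's your_approved_connectwise_source, and the event records, user names and instance identifiers are constructed.

```python
"""Endpoint hunt over Sysmon-style events: version.dll sideloading from Inno
Setup temp directories, and ScreenConnect clients outside the approved deploy
path. Constructed events; field names follow Sysmon Event ID 7 and Event ID 1."""
import ntpath
import re

# Inno Setup unpacks to %TEMP%\is-<random>.tmp\ ; the loader pulls version.dll from there.
INNO_TEMP_RE = re.compile(r"\\temp\\is-[^\\]+\.tmp\\", re.IGNORECASE)
SYSTEM32_VERSION_DLL = r"c:\windows\system32\version.dll"
# Assumed placeholder for IT's sanctioned ScreenConnect instance directory.
APPROVED_SCREENCONNECT_DIRS = {r"c:\program files (x86)\screenconnect client (corp-approved)"}

# Constructed events: a subset of Sysmon fields. Paths and IDs are made up.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Users\victim\AppData\Local\Temp\is-ABC12.tmp\Coral_Setup.tmp",
     "ImageLoaded": r"C:\Users\victim\AppData\Local\Temp\is-ABC12.tmp\version.dll"},
    {"EventID": 7, "Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll"},
    {"EventID": 7, "Image": r"C:\Program Files (x86)\Vendor\app32.exe",
     "ImageLoaded": r"C:\Windows\SysWOW64\version.dll"},
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "Image": r"C:\Program Files (x86)\ScreenConnect Client (corp-approved)\ScreenConnect.ClientService.exe"},
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "Image": r"C:\Program Files (x86)\ScreenConnect Client (7f3a1c)\ScreenConnect.ClientService.exe"},
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe"},
]


def check_sideload(ev: dict):
    """Event ID 7: version.dll resolved from a Temp path instead of System32.
    Restricting to Temp paths keeps the legitimate SysWOW64 copy quiet."""
    if ev.get("EventID") != 7:
        return None
    loaded = ev["ImageLoaded"]
    if ntpath.basename(loaded).lower() != "version.dll" or loaded.lower() == SYSTEM32_VERSION_DLL:
        return None
    inno = bool(INNO_TEMP_RE.search(loaded))
    if not (inno or "\\temp\\" in loaded.lower()):
        return None
    return {"rule": "version_dll_sideload", "confidence": "high" if inno else "medium",
            "process": ev["Image"], "dll": loaded}


def check_screenconnect(ev: dict):
    """Event ID 1: a ScreenConnect client service from an unapproved directory."""
    if ev.get("EventID") != 1:
        return None
    image = ev["Image"]
    if ntpath.basename(image).lower() != "screenconnect.clientservice.exe":
        return None
    if ntpath.dirname(image).lower() in APPROVED_SCREENCONNECT_DIRS:
        return None
    return {"rule": "unapproved_screenconnect", "confidence": "high",
            "process": image, "parent": ev.get("ParentImage")}


def hunt(events: list) -> list:
    """Apply every check to every event; return the alerts in event order."""
    alerts = []
    for ev in events:
        for check in (check_sideload, check_screenconnect):
            hit = check(ev)
            if hit:
                alerts.append(hit)
    return alerts


if __name__ == "__main__":
    for a in hunt(SAMPLE_EVENTS):
        print(a["rule"], a["confidence"], a["process"])
```

The approved-directory check is deliberately strict: ScreenConnect embeds a per-instance identifier in its install path, so any instance id other than the one IT deployed is a new, unsanctioned tenant even when the binary itself is signed and unmodified.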
Recommended Actions
Immediate (24-48 hours)
- Block all Omegatech BPH network ranges at the firewall level (see Network Blocks above)
- Sinkhole sys32[.]cc, qpgroup[.]top, and labinstalls[.]info at DNS
- Block 45.88.186.189:4782 (QuasarRAT C2) and 80.89.238.200 / 45.131.182.242 (Vidar delivery)
- Hunt for imphash ac4ded70f85ef621e5f8917b250855be in endpoint telemetry
- Search for version.dll sideloading events from Inno Setup temp directories
- Deploy the Suricata and YARA rules above
Short-term (1-2 weeks)
- Audit all ConnectWise ScreenConnect installations -- any instance not deployed by IT is a compromise indicator
- Scan for QuasarRAT persistence artifacts (scheduled tasks, startup registry entries)
- Review credential stores for signs of Vidar/LummaStealer/Stealc exfiltration
- Monitor MalwareBazaar for new samples tagged fbf543 -- the campaign is active
- Check browser credential databases for unauthorized access timestamps
Medium-term (1-3 months)
- Implement application whitelisting policies that block execution from Inno Setup temp directories
- Deploy Windows Defender Application Control (WDAC) policies to prevent DLL sideloading
- Monitor RIPE for new Omegatech prefix announcements -- BPH providers regularly acquire new IP blocks
- Submit abuse reports to Cloudflare for sys32[.]cc and qpgroup[.]top
- Track Amadey panel infrastructure evolution via certificate transparency log monitoring on labinstalls[.]info
References
- MalwareBazaar: Primary Sample
- ThreatFox: IOC 1762325
- URLhaus: Delivery URL 3793129
- CAPE Sandbox: Analysis 56861
- Triage: Report 260309-s53jesf16v
- ANY.RUN: Task 12c4952c
- VMRay: Analysis Report
- UnpacMe: Unpacking Results
- CERT-PL MWDB: Sample Entry
- Malpedia: win.amadey
Published by Breakglass Intelligence. Investigation conducted 2026-03-10. 1 sample. 100+ payloads. 24 malware families. 3 bulletproof hosting providers. 1 operator who named their PPI service. Classification: TLP:CLEAR