high🔑Stealer

investigatedMarch 5, 2026publishedMarch 5, 2026

Fuery: A Go-Based Implant Hiding Behind Raft Consensus and a $117 Monero Operation

#stealer#stealc#smokeloader#lumma#amadey#phishing#cryptominer#c2#botnet#brute-force

TL;DR

Fuery is a garble-obfuscated Go 1.20.1 implant dropped by the Amadey botnet (campaign fbf543) that uses Raft consensus protocol data structures as a novel obfuscation layer to disguise its custom binary C2 protocol. Static analysis links it to the same developer behind a SmokeLoader variant attributed to operator "ingermany" (Krasnodar, Russia). The same Amadey campaign also deploys a VOLK CryptoMiner -- a three-layer Rust matryoshka delivering XMRig -- whose Monero wallets we traced across three mining pools, totaling 0.78 XMR (~$117) over 17 months of operation.

1. Sample Overview

Attribute	Value
SHA256	`18e9a8bfad425d3ff9c0ab3d71e6890320166127b8bdf7460a7edd30f45be0ab`
MD5	`9ff305f437f337e6b56ce4269995e04c`
Size	1,660,928 bytes
Type	PE32 executable (GUI) Intel 80386
Language	Go 1.20.1 (gc compiler)
Module	`metropolitan`
Source	`metropolitan/main.go`
PE Timestamp	`0x00000000` (zeroed -- timestomping)
Build Flags	`-trimpath=true`, `CGO_ENABLED=0`, `GOARCH=386`
Obfuscation	Garble (`github.com/burrowers/garble`)
Delivery	Amadey botnet, campaign tag `fbf543`
Masquerade	`volunteers.exe` (PE version info)

The binary is a single-package Go executable cross-compiled for 32-bit Windows with all source paths stripped. The compile timestamp is zeroed -- a deliberate anti-forensics measure. The PE version info populates every field with "volunteers", creating a thin disguise as a benign application.

2. Obfuscation: Garble with English Word Substitution

Fuery uses garble, the Go build obfuscator, to replace all user-defined identifiers with random English compound words. The pclntab reveals 182 main.* functions organized under 7 top-level obfuscated entry points:

Function	Sub-functions	Closures	Assessed Purpose
`main.Aggressive`	3	10	C2 communication / data exfil
`main.Congressional`	4	15	Config decryption / initialization
`main.Considers`	10	21	Core payload logic (largest)
`main.Guarantees`	6	22	Network operations
`main.Previously`	4	10	Persistence / setup
`main.Perfectly`	2	4	Utility / helper
`main.Correspondence`	2	4	Data encoding

Deep closure nesting (up to 3 levels) indicates goroutine-heavy control flow with callbacks. Functions containing .func*.4 and .func*.5 sub-closures suggest Go select{} blocks -- multiple channel operations with timeout/default cases, consistent with a concurrent C2 polling loop.

Two global variables initialized during main..inittask (before main.main) are strong candidates for holding decrypted runtime configuration:

main.Christiansthoroughly   -- likely config struct
main.Millenniumpractitioners -- likely state struct

Type names follow the same [Capitalized][lowercase] compound word pattern:

main.Sensitivedefendant
main.Returningcholesterol
main.Fundamentalsreductions

3. The Raft Protocol Cover Layer

This is the most interesting technique in the sample. Fuery defines a complete set of Raft consensus protocol data structures:

type AppendEntries struct {
    LeaderID     NodeID
    LeaderCommit LogIndex
    PrevLogIndex LogIndex
}

type VoteRequest struct {
    CandidateID  NodeID
    LastLogIndex LogIndex
    LastLogTerm  Term
}

type VoteResponse struct {
    VoteGranted bool
    // ... 12+ equality comparison functions suggest many hidden fields
}

Supporting types include LogEntry, LogIndex, NodeID, and Term, with map structures for peer tracking:

map[NodeID]bool       // peer membership
map[NodeID]LogIndex   // per-peer replication progress
map[LogIndex]Term     // log entry to term mapping

Additionally, VP8/VP9 video codec types are defined as a second cover layer:

type Bitstream struct { ... }
type MacroBlock struct { ... }
type MotionVector struct { ... }

This is structural obfuscation, not functional implementation. The Raft types serve as containers -- the actual C2 payloads are serialized within AppendEntries log entries using encoding/binary (little-endian). The effect is threefold:

Static analysis sees "distributed consensus" types and concludes the binary is a legitimate distributed systems application
Network traffic carries Raft-like framing, evading protocol-based detection
YARA rules targeting common malware protocol signatures will not trigger

The VoteResponse type has 12+ equality comparison functions generated by the compiler, indicating it is a large struct with many fields -- likely encoding the full C2 response format with multiple data channels.

We found no prior documentation of malware using Raft consensus structures for obfuscation. This appears to be a novel technique.

4. C2 Architecture: Raw Sockets, No HTTP, No stdlib Crypto

Fuery imports zero high-level networking packages. There is no net/http, no crypto/tls, no encoding/base64. All communication is hand-rolled through raw WinSock2 syscalls:

ws2_32.dll:  socket, connect, bind, listen, WSASend, WSARecv, WSASendTo, WSARecvFrom
mswsock.dll: AcceptEx (x2), TransmitFile, GetAcceptExSockaddrs
dnsapi.dll:  DnsQuery_W, DnsNameCompare_W, DnsRecordListFree

Key observations:

Bidirectional capability: The presence of both connect (8 references) and AcceptEx (2 references) means the implant can operate as both client and server -- supporting reverse shell, bind shell, or peer-to-peer mesh topologies
DNS-based C2 resolution: DnsQuery_W combined with gethostbyname (legacy fallback) and GetAddrInfoW (modern resolution) suggests domain-based C2 with redundant resolution methods, possibly including a DGA
Binary protocol: encoding/binary with littleEndian.Uint16/Uint32 for serialization -- no text-based protocols
Large data exfil: TransmitFile API enables efficient file transfer directly from disk to socket

C2 Configuration: Not Recoverable Statically

Extensive static extraction attempts yielded nothing:

Full string extraction (8,689 unique strings) -- no URLs, IPs, or domains
Single-byte XOR brute force (0x01-0xFF) across .rdata and .data -- no valid URLs
Base64 decoding of candidate strings -- no config data
Stack-string construction analysis -- only DLL names found
Known SmokeLoader C2 cross-reference (baxe.pics, coox.live, ropea.top) -- zero matches

The C2 configuration is protected by garble's literal obfuscation (runtime string decryption), multi-layer encryption requiring runtime key derivation, or a DGA seeded at execution time. Dynamic analysis with network capture is required.

5. Capabilities: Full-Spectrum Implant

Despite minimal stdlib imports, Fuery has the API surface of a complete implant:

Process Injection via Thread Hijacking

CreateToolhelp32Snapshot -> Process32FirstW/NextW -> OpenProcess
    -> SuspendThread -> GetThreadContext -> SetThreadContext -> ResumeThread

This is the classic thread context hijacking chain (T1055.003). The implant enumerates running processes, selects a target, suspends a thread, modifies its instruction pointer via SetThreadContext, and resumes execution of the injected code.

System Reconnaissance

API	Intelligence Gathered
`GetUserNameExW`	Current username
`GetUserProfileDirectoryW`	User profile path
`GetComputerNameW`	Machine hostname
`GetSystemInfo`	CPU architecture, page size
`RtlGetNtVersionNumbers`	OS version
`GetAdaptersInfo` / `GetIfEntry`	Network interfaces, MAC addresses
`NetGetJoinInformation`	Domain/workgroup membership
`GetTimeZoneInformation`	Timezone (geolocation hint)
`GetTokenInformation`	Process privileges
`ConvertSidToStringSidW`	User SID

Anti-Analysis

Technique	Implementation
Wine detection	`wine_get_version` import
Timer manipulation	`winmm.dll` (timeBeginPeriod/timeEndPeriod)
Sleep acceleration detection	`powrprof.dll`
Custom exception handler	`SetUnhandledExceptionFilter`
Error suppression	`SetErrorMode`
Anti-termination	`SetConsoleCtrlHandler`
Timestomping	Zeroed PE compile timestamp
Path stripping	`-trimpath=true`

File System Operations

Full CRUD plus stealth: CreateFileW/A, DeleteFileW, MoveFileW, SetFileAttributesW (can set HIDDEN), CreateHardLinkW, CreateSymbolicLinkW, CreateFileMappingW, MapViewOfFile, DeviceIoControl.

Certificate Store Access

CertOpenSystemStoreW -> CertEnumCertificatesInStore -> CertVerifyCertificateChainPolicy

The ability to enumerate and verify certificates suggests either TLS pinning for C2 or certificate theft capability.

6. Developer Attribution: The SmokeLoader Connection

A SmokeLoader sample (bac70244...3958, module name wallpapers) shares an identical obfuscation framework with Fuery. The structural similarities confirm a common developer:

Attribute	Fuery (`metropolitan`)	SmokeLoader (`wallpapers`)
Go version	`go1.20.1`	`go1.20.1`
CGO_ENABLED	0	0
Trimpath	true	true
PE timestamp	Zeroed	Zeroed
PE imports	kernel32.dll only	kernel32.dll only
Architecture	x86	x64
Source structure	Single `main.go`	Single `main.go`
Raft cover types	Present (identical set)	Present (identical set)
Video codec types	Present (identical set)	Present (identical set)
Function naming	English words (7 top-level)	English words (7 top-level)

The obfuscation framework generates unique function names per build but uses the same Raft + VP8/VP9 cover type template every time. This is a fingerprint.

The SmokeLoader variant is attributed via WHOIS to:

Field	Value
Name	German Ingrmen
Handle	`ingermany`
Location	Krasnodar, Krasnodarskiy kray, Russia
Email	`ingermany1@inbox.eu`
Phone	`+7.9114890282` (MegaFon, NW Russia)
C2 Panel	`coox.live` (Flask app branded "InsureFlow Pro")

While Fuery does not share SmokeLoader's C2 infrastructure, the identical obfuscation framework establishes the developer link. Fuery was likely built by the same operator for a different customer or operation, delivered through Amadey's loader-as-a-service.

7. The Monero Sidecar: VOLK CryptoMiner

The same Amadey campaign (fbf543) that drops Fuery also delivers VOLK CryptoMiner -- a three-layer Rust matryoshka that ultimately deploys XMRig 6.25.0. We extracted three Monero wallet addresses from the VOLK binary and traced them across mining pool APIs.

Wallet Activity Summary

Wallet	Address Prefix	Worker	Pools	Total Earned	Status
W1 (`82Wq...`)	8 (subaddress)	EliOsno	HashVault	0.007484 XMR	ACTIVE (2 victims)
W2 (`87Sn...`)	8 (subaddress)	JeOsno	HashVault, Nanopool, MoneroOcean	0.775703 XMR	Offline
W3 (`4AHD...`)	4 (standard)	--	None confirmed	0.000000 XMR	Inactive

Grand total: 0.783187 XMR (~$117 USD)

Wallets 1 and 2 are subaddresses (prefix 8), meaning they derive from the same master wallet. The operator uses subaddresses for pool separation.

Active Victims (Wallet 1, HashVault)

Worker	Hashrate	Total Hashes	Assessment
`Jefri`	1,972 H/s	3.68B	High-end CPU (Ryzen 7/9 or i7/i9 class). Primary victim.
`suber`	817 H/s	121M	Mid-range CPU. Recently infected -- only 3% of Jefri's total shares.

Both workers were online as of 2026-03-07 06:06 UTC.

Pool Migration Timeline

2024-10-16  MoneroOcean test (38 shares, abandoned same day)
2024-10-18  Nanopool goes live (3 payments in 3 days -- burst)
2025-01-02  Steady-state Nanopool operations
2025-06-11  Still active after 8 months
2026-01-10  Final Nanopool payment
2026-02-07  Migrates to HashVault (Wallet 2)
2026-03-03  New subaddress (Wallet 1) on HashVault
2026-03-07  Still mining with 2 active victims

The three payments in three consecutive days at launch (Oct 18-20, 2024) suggest either significant hashpower from a burst of new infections or initial testing on the operator's own hardware.

Operator Fingerprints

Worker name pattern: [Name]Osno -- the "Osno" suffix is consistent across both wallets
Victim machine names leak through pool worker APIs: Jefri, suber
VOLK persistence: Windows service named "System Security Purview", mutex SLIM_ACTIVE
Distribution: Amadey payload server at 158.94.211.222 / labinstalls.info

8. Delivery Chain

Amadey Botnet (campaign fbf543)
    |
    +-- drops --> Fuery (volunteers.exe) --> custom Raft-based C2 (unknown infrastructure)
    |
    +-- drops --> VOLK CryptoMiner (3-layer Rust) --> XMRig 6.25.0 --> Monero mining pools

Amadey is a modular Windows botnet sold as MaaS by author "InCrease" on XSS/Exploit forums, active since 2018. It commonly drops Lumma, StealC, RedLine, CoinMiners, and RATs. The fbf543 campaign tag identifies this specific customer/operation.

9. MITRE ATT&CK Mapping

Tactic	Technique	ID	Evidence
Initial Access	Phishing / Loader delivery	T1566	Dropped by Amadey botnet
Execution	Native API	T1106	LoadLibrary / GetProcAddress for all DLL resolution
Persistence	Registry Run Keys	T1547	RegOpenKeyExW / RegQueryValueExW capability
Privilege Escalation	Access Token Manipulation	T1134	GetTokenInformation
Defense Evasion	Obfuscated Files or Information	T1027	Garble obfuscation, Raft cover types
Defense Evasion	Software Packing	T1027.002	Custom identifier obfuscation framework
Defense Evasion	Timestomp	T1070.006	Zeroed PE compile timestamp
Defense Evasion	Match Legitimate Name	T1036.005	`volunteers.exe` masquerade
Defense Evasion	Deobfuscate/Decode Files	T1140	Runtime config construction
Discovery	Process Discovery	T1057	CreateToolhelp32Snapshot / Process32FirstW
Discovery	System Information Discovery	T1082	GetSystemInfo, RtlGetNtVersionNumbers
Discovery	System Owner/User Discovery	T1033	GetUserNameExW
Discovery	System Network Configuration	T1016	GetAdaptersInfo, GetIfEntry
Discovery	File and Directory Discovery	T1083	FindFirstFileW / FindNextFileW
Discovery	Query Registry	T1012	RegOpenKeyExW, RegEnumKeyExW
Collection	Data from Local System	T1005	ReadFile, CreateFileMappingW
Command and Control	Application Layer Protocol	T1071	Custom binary protocol over raw TCP
Command and Control	Encrypted Channel	T1573	Custom encryption (no stdlib crypto)
Command and Control	Data Obfuscation	T1001	Raft protocol framing
Exfiltration	Exfiltration Over C2 Channel	T1041	TransmitFile, WSASend
Impact	Resource Hijacking	T1496	VOLK XMRig cryptominer (co-deployed)
Impact	Service Stop	T1489	TerminateProcess

10. Detection Opportunities

YARA Signature Anchors

The co-occurrence of Raft consensus types and video codec types in a Go binary is highly anomalous. A YARA rule matching the simultaneous presence of these strings in the pclntab would catch both Fuery and the related SmokeLoader variant:

rule Go_Raft_VideoCodec_Obfuscation {
    meta:
        description = "Detects Go binaries using Raft+VP8 cover type obfuscation (Fuery/SmokeLoader family)"
        author = "breakglass.intelligence"
        date = "2026-03-08"
        reference = "intel.breakglass.tech"

    strings:
        $raft1 = "main.AppendEntries" ascii
        $raft2 = "main.VoteRequest" ascii
        $raft3 = "main.VoteResponse" ascii
        $codec1 = "main.Bitstream" ascii
        $codec2 = "main.MacroBlock" ascii
        $codec3 = "main.MotionVector" ascii
        $go_build = "go1.20.1" ascii

    condition:
        uint16(0) == 0x5A4D and
        all of ($raft*) and
        2 of ($codec*) and
        $go_build
}

Network Detection

Alert on non-HTTP TCP connections from Windows hosts to unusual ports that use little-endian binary serialization with Raft-like field structures
Monitor for DnsQuery_W calls resolving domains with high entropy or DGA-like patterns
Look for processes loading powrprof.dll + winmm.dll + ws2_32.dll in combination (anti-analysis + raw networking)

Host-Based Indicators

Thread context manipulation chain: SuspendThread followed by GetThreadContext + SetThreadContext + ResumeThread on a foreign process
Service creation named "System Security Purview" (VOLK persistence)
Mutex SLIM_ACTIVE (VOLK)
Process named volunteers.exe with Go binary characteristics

11. Indicators of Compromise

File Hashes

Type	Value
SHA256 (Fuery)	`18e9a8bfad425d3ff9c0ab3d71e6890320166127b8bdf7460a7edd30f45be0ab`
MD5 (Fuery)	`9ff305f437f337e6b56ce4269995e04c`
SHA256 (SmokeLoader, related)	`bac70244b93a4a92b9d633415435cd81e8643ecd20b52b962b369ceaaddc3958`
Go Build ID (Fuery)	`gVYpfhUk3DWtxASOCFCn/DWtMZsapqiHtyfeJGvQQ/GSzuZ3lkY60QelBpSCGH/EZlxkPTQCT099rRT6Tc0`
Go Build ID (SmokeLoader)	`qPBUDLj4YLz64NmmMMAP/TJKS1F6Lhlg92D4hD5KP/mezFiV2R8r3d-8bNl_te/LkR6QbVC79SYAXlLAgM7`

Network Indicators

Type	Value	Context
Domain	`coox.live`	SmokeLoader C2 panel (same developer)
Domain	`baxe.pics`	SmokeLoader C2 (same developer)
Domain	`ropea.top`	SmokeLoader C2 (suspended)
IP	`65.21.104.235`	`baxe.pics` resolution (Hetzner, Finland)
IP	`168.231.114.49`	`coox.live` resolution (Hostinger, GB)
IP	`158.94.211.222`	Amadey payload server (VOLK distribution)
Domain	`labinstalls.info`	Amadey payload server

Monero Wallets

82Wq8pZX8heGxSXn9YnvzcWSicCkboxZkdARQZWSkBUfAgRWGwRh6NzSZp6tq4aFDqMHciMm3SmMuge5P9Hu7VGCCcZk2VM
87SnpXbDpmA9EoEJLZ9R4hfz9KhWkbcnrETtZBJb5K5R4fsG3LdSxgwMBZYKwBVVHjEjrdgLyVpsfQhW8djpnXaG8CyH1nf
4AHDdT4p6y6K9c9dUNdfKXKWxvwvTar8jTt4ohjtdpdcEE8oM8RSRQSeor8H69KFcvLRV5hriCsxQCYnm91m5wKW4h3dvf1

Mining Pool Transaction Hashes

01432e6dca8c75e27e2ac933e5cfa80da5791ca7cf8d5694d00e029507af877f  (HashVault, 2026-03-03)
ececac97499926fbc6a078e578bbe0f62fc249b997c52a9c35554f86f84d3c4a  (HashVault, 2026-02-07)
fbea2d2797f08e7d21ed70599f658e992ef23da26af1ab3c0c178ed461b67381  (Nanopool, 2024-10-18)
9882b9e70a43e3a0bb0d03c7a371b4d89ed6c189d00ad239696f7cfc7865475d  (Nanopool, 2024-10-19)
d1e5174f7fa2a0a553604f66839570b08f626d00743787b3f4a1b646058c62fc  (Nanopool, 2024-10-20)
cf99351055510a5d575d689ce550ef0c6e702382df11c3fe5b1dce82d63739b3  (Nanopool, 2025-01-02)
c0561083716e4d8e4dfd2fe54e8573ee884f7358a27bf2b2a266235ff8bdbfb3  (Nanopool, 2025-06-11)
a4e97b46ce5f4c8134473e82eacd975f9d1a9140c237dc0eaa02ad1d708a8515  (Nanopool, 2026-01-10)

Attribution

Field	Value
Developer handle	`ingermany`
Name	German Ingrmen
Location	Krasnodar, Krasnodarskiy kray, Russia
Email	`ingermany1@inbox.eu`
Phone	`+7.9114890282` (MegaFon, NW Russia)
Amadey campaign	`fbf543`
VOLK worker names	`EliOsno`, `JeOsno`

Analysis conducted by breakglass.intelligence. Dynamic sandbox analysis of the Fuery binary is pending -- C2 infrastructure extraction will be published in a follow-up.