
LummaStealer's Go Loader and the fbf543 Amadey Supermarket: 50 Payloads, 13 Malware Families, and the Bulletproof Host That Ties It All Together

Published: March 12, 2026
Tags: stealer, vidar, asyncrat, xworm, lumma, quasarrat, amadey, phishing, social-engineering, credential-theft

TL;DR: A Go-based loader (SHA256: b94921bb...d080) compiled with bleeding-edge Go 1.25.0 uses AES, RC4, and QuickLZ to decrypt and decompress an embedded LummaC2 infostealer before process-hollowing it into AppLaunch.exe. That would be interesting enough on its own, but the loader is just one item on the shelf. It was dropped by an Amadey botnet node tracked as the fbf543 campaign -- a distribution operation that pushed 50+ unique payloads across 13+ malware families in under five days, including Vidar, QuasarRAT, XWorm, SalatStealer, ConnectWise ScreenConnect (yes, the legitimate RMM tool), and eight more. Every piece of campaign infrastructure traces back to Omegatech LTD (AS202412), a Seychelles-registered shell company backed by a Turkish LIR parent, controlling 3,300+ IP addresses across 13+ /24 blocks, transiting through PFCLOUD -- a known bulletproof hosting provider. The operator left Go symbols unstripped, a build ID in the binary, a Russian code signing certificate on one of the payloads, and their entire hosting concentrated on a single ASN. One indicator led to total infrastructure.


One Loader, Fifty Friends

Most malware investigations follow a straightforward narrative: sample arrives, sample gets analyzed, IOCs get extracted, report gets filed. This one started that way. A Go-based PE32 executable flagged as LummaStealer appeared on MalwareBazaar on March 9, 2026, reported by Bitsight. At 1.5MB, compiled for 32-bit Windows, it looked like another commodity stealer in a crowded field.

It was not.

Pulling the download URL -- hxxp://158.94.211[.]222/files/8261736065/6QBuVkN.exe -- revealed the file was served from an Amadey botnet command-and-control server. Amadey is a loader-as-a-service platform: operators pay for access, upload their payloads, and the botnet distributes them to infected hosts based on targeting rules. The /files/ path structure is a signature of Amadey's payload delivery mechanism.

The real story started when we enumerated what else that Amadey node was distributing. The answer was everything. Over the span of March 6-10, 2026, the server identified by the campaign tag fbf543 pushed more than 50 distinct payloads spanning 13+ malware families. Stealers, RATs, miners, legitimate remote access tools being weaponized -- a full-service cybercrime supermarket, all flowing through the same infrastructure.

The question shifted from "what does this sample do" to "what is this campaign, who runs it, and how much of the internet do they control."

What Was Found vs. What Was Known

When this sample first appeared on MalwareBazaar, the community had it tagged simply as "LummaStealer exe." No campaign context, no infrastructure analysis, no understanding of the delivery chain. Here is the delta between the public record and what this investigation uncovered:

Aspect                  | Prior Public Reporting             | Our Findings
------------------------+------------------------------------+-------------------------------------------------------------------------
Sample type             | "LummaStealer exe"                 | Go-based loader wrapping an encrypted LummaC2 payload
Campaign scope          | Single sample, no campaign linkage | 50+ payloads, 13+ malware families under the fbf543 tag
Infrastructure          | Unknown                            | Omegatech BPH (3,300+ IPs, AS202412, Seychelles/Turkey)
Delivery chain          | Unknown                            | qpgroup[.]top --> Amadey --> 158.94.211[.]222 --> payload
Attribution artifacts   | None                               | Russian code signing cert, Go build ID, word-salad obfuscation patterns
Adjacent infrastructure | Unknown                            | Crypto scams, backdoored hosts, and abusive domains sharing the same /24

The single-sample view gave defenders one hash to block. The campaign view gives them entire CIDR ranges to burn.

The Attack Chain

Before diving into technical details, here is the full path from initial access to credential theft:

INITIAL ACCESS              EXECUTION                 PERSISTENCE         ACTIONS ON OBJECTIVE
+-------------------+      +-------------------+     +---------------+   +---------------------+
| Fake Installer    |----->| Amadey Bot        |---->| Amadey C2     |-->| Multi-Payload Drop  |
| Coral_Setup.exe   |      | labinstalls.info  |     | 158.94.211.222|   | LummaStealer        |
| qpgroup[.]top     |      | /files/NNNNN/     |     | nginx/Ubuntu  |   | Vidar, QuasarRAT    |
| 178.16.54.88      |      | payload.exe       |     |               |   | XWorm, SalatStealer |
+-------------------+      +--------+----------+     +---------------+   | ConnectWise (RMM)   |
                                     |                                    | + 8 more families    |
                                     v                                    +---------------------+
                            +-------------------+
                            | Go Loader         |
                            | AES/RC4 decrypt   |
                            | QuickLZ decompress|
                            +--------+----------+
                                     |
                                     v
                            +-------------------+
                            | Process Hollowing |
                            | AppLaunch.exe     |
                            | (suspended)       |
                            | Unmap->Write->    |
                            |         Resume    |
                            +--------+----------+
                                     |
                                     v
                            +-------------------+
                            | LummaC2 Stealer   |
                            | Browser creds     |
                            | Crypto wallets    |
                            | 2FA tokens        |
                            | C2: *.shop/*.cyou |
                            +-------------------+

The initial lure is a fake software installer called Coral_Setup.exe, served from qpgroup[.]top (178.16.54[.]88). The name suggests a social engineering play -- likely a cracked software or free tool offer. Once executed, the Amadey bot phones home to labinstalls[.]info (158.94.211[.]222) and begins pulling down whatever payloads the operator has queued for that targeting profile.

Our Go loader is one of those payloads. But it is far from alone.

The Go Loader: Bleeding Edge and Sloppy at the Same Time

Sample Overview

Attribute  | Value
-----------+-----------------------------------------------------------------------------------
SHA-256    | b94921bb31f3dafcd7b786b83da8916746d1e31c6ec7c7e66ff07291cb46d080
SHA-1      | 7090c36a9d18371afbf43021463143af5f64ade6
MD5        | da2775f1345e0b2b4429d704f9e16eb7
Imphash    | 1aae8bf580c846f39c71c05898e57e88
SSDeep     | 24576:ivGfGaFCrUEg/LqSnw1SD//cbavdJ1fPGCwv4TBfPwe0p4bPmV:iuOa64/ohoBf4e0p4bPm
File Type  | PE32 executable (GUI) Intel 80386
File Size  | 1,532,416 bytes (1.46 MB)
Compiler   | Go 1.25.0 (GOARCH=386, GOOS=windows)
First Seen | 2026-03-09 00:32:19 UTC
Reporter   | Bitsight

The first thing that jumps out is the compiler version. Go 1.25.0 is bleeding-edge -- this is not a developer working from a stable release. It suggests either someone compiling from Go's development branch or someone operating in an environment where the latest toolchain is a priority. Either way, it is an unusual choice for malware authors, who typically favor stable, well-tested compilers to avoid introducing unexpected behavior into their payloads.

The second thing that jumps out is the compilation timestamp: 0. January 1, 1970. The operator deliberately zeroed it -- a basic but effective timestomping technique that prevents analysts from correlating the binary's build time with other campaign activity. They cared enough to strip the timestamp. They did not care enough to strip the symbols.

PE Section Anatomy

Section | Virtual Size | Raw Size | Entropy | Notes
--------+--------------+----------+---------+----------------------------------------------------
.text   | 598,896      | 599,040  | 6.19    | Code section -- standard for Go binaries
.rdata  | 770,648      | 771,072  | 6.10    | Read-only data -- contains encrypted payload chunks
.data   | 166,044      | 17,408   | 3.24    | Writable data -- low entropy, mostly uninitialized
.idata  | 1,100        | 1,536    | 3.87    | Import table
.reloc  | 34,060       | 34,304   | 6.61    | Relocation data
.symtab | 85,428       | 85,504   | 5.02    | Go debug symbols -- NOT stripped
.rsrc   | 22,071       | 22,528   | 7.77    | Resources -- high entropy suggests embedded data

That .symtab section is an operational security gift to defenders. Go binaries include a symbol table by default, and stripping it requires an explicit -s -w flag at link time. The operator either forgot or did not know. The result is that the binary ships with full function and type metadata, making reverse engineering significantly easier than it needs to be.

The .rsrc section at entropy 7.77 is essentially random data -- almost certainly part of the encrypted payload. Combined with scattered high-entropy chunks in .rdata (totaling approximately 70KB at entropy 7.8+), the encrypted LummaC2 payload is distributed across the binary's read-only data sections.
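As an added illustration (not code from the report or from the loader itself), the stdlib-only Python script below checks a PE image for the three static traits just discussed: a zeroed COFF timestamp, an unstripped Go .symtab section, and sections whose entropy sits near 8 bits/byte. It assembles a small constructed PE to run against, since the real sample is not reproduced here.

```python
"""Static triage for the loader traits described above (zeroed COFF
timestamp, unstripped Go .symtab, high-entropy sections), using only the
standard library. The PE image at the bottom is constructed for the demo."""
import math
import random
import struct
from collections import Counter

COFF_HDR = 20          # sizeof(IMAGE_FILE_HEADER)
SECTION_HDR = 40       # sizeof(IMAGE_SECTION_HEADER)
HIGH_ENTROPY = 7.5     # bits/byte; encrypted or random data sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe: bytes) -> tuple[int, list[dict]]:
    """Return (COFF TimeDateStamp, [section info]) for a PE image."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (_machine, nsections, timestamp, _symptr, _nsyms,
     opt_size, _chars) = struct.unpack_from("<HHIIIHH", pe, coff)
    first = coff + COFF_HDR + opt_size   # section table follows the optional header
    sections = []
    for i in range(nsections):
        name, vsize, _va, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", pe, first + i * SECTION_HDR)
        raw = pe[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "raw_size": raw_size,
                         "entropy": round(shannon_entropy(raw), 2)})
    return timestamp, sections


def triage(pe: bytes) -> list[str]:
    """Flag the three traits the report calls out; returns readable findings."""
    timestamp, sections = parse_sections(pe)
    findings = []
    if timestamp == 0:
        findings.append("timestomp: COFF TimeDateStamp is 0 (1970-01-01)")
    if any(s["name"] == ".symtab" for s in sections):
        findings.append("go-symbols: .symtab present, not linked with -s -w")
    for s in sections:
        if s["raw_size"] and s["entropy"] >= HIGH_ENTROPY:
            findings.append(f"high-entropy: {s['name']} at {s['entropy']} bits/byte")
    return findings


def build_sample_pe(timestamp: int, sections: list[tuple[bytes, bytes]]) -> bytes:
    """Assemble a minimal PE32 image (constructed sample, not the real loader)."""
    opt_size, e_lfanew = 224, 0x40           # PE32 optional header size, PE offset
    hdr_end = e_lfanew + 4 + COFF_HDR + opt_size + SECTION_HDR * len(sections)
    raw_ptr = (hdr_end + 0x1FF) & ~0x1FF     # first raw section on a 512-byte boundary
    headers, body = bytearray(), bytearray()
    for name, data in sections:
        padded = data + b"\0" * (-len(data) % 0x200)
        headers += struct.pack("<8sIIII", name.ljust(8, b"\0"), len(data),
                               0x1000 * (len(headers) // SECTION_HDR + 1),
                               len(padded), raw_ptr + len(body))
        headers += b"\0" * (SECTION_HDR - 24)  # relocs, line numbers, characteristics
        body += padded
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), timestamp, 0, 0, opt_size, 0x102)
    image = dos + b"PE\0\0" + coff + b"\0" * opt_size + headers
    return bytes(image + b"\0" * (raw_ptr - len(image)) + body)


# Constructed sample mirroring the report's observations: zeroed timestamp,
# a .symtab section carrying Go symbol names, and a pseudo-random .rsrc.
_rng = random.Random(1)
SAMPLE = build_sample_pe(0, [
    (b".text", b"\x55\x8b\xec\x90" * 128),   # four byte values -> 2.0 bits/byte
    (b".symtab", b"main.Screensaverthousands\0" * 16),
    (b".rsrc", bytes(_rng.getrandbits(8) for _ in range(4096))),
])
# Arbitrary non-zero timestamp, no symbols, flat .text: should produce no findings.
CLEAN = build_sample_pe(0x65000000, [(b".text", b"\x90" * 512)])

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```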

Multi-Layer Encryption

CAPA analysis confirmed the following cryptographic capabilities in the binary:

Encryption / Compression Stack
+------------------------------------------+
| AES (via x86 extensions)                 |  <-- Primary payload encryption
| RC4 (PRGA implementation)                |  <-- Config / string encryption
| Salsa20 / ChaCha                         |  <-- Go runtime CSPRNG
| QuickLZ                                  |  <-- Post-decryption decompression
| MD5                                      |  <-- Integrity / identification hashing
| MurmurHash                               |  <-- Hash table operations
+------------------------------------------+

This is a layered approach: AES encrypts the primary payload, RC4 handles configuration strings and secondary data, and after decryption the blob gets decompressed with QuickLZ. The encryption key is derived at runtime and could not be extracted via static analysis alone -- dynamic analysis (sandbox execution or debugging) would be required to recover the decrypted LummaC2 payload and its embedded C2 configuration.

The use of QuickLZ is a tactical choice. It is a fast, lightweight compression library that adds minimal overhead -- important when you are decompressing a payload in memory before injecting it into another process. The operator prioritized speed over compression ratio, which makes sense for a loader that needs to execute quickly and disappear.

Process Hollowing: AppLaunch.exe as a Wolf in Microsoft's Clothing

The injection technique follows the textbook process hollowing pattern, but the target selection is deliberate:

  1. Go loader decrypts the embedded payload using AES/RC4
  2. Decompresses the result with QuickLZ
  3. Creates a suspended instance of C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  4. Calls NtUnmapViewOfSection to hollow out the process image
  5. Writes the decrypted LummaC2 PE into the hollowed address space via WriteProcessMemory
  6. Updates execution context with SetThreadContext
  7. Resumes the thread -- LummaC2 now executes wearing AppLaunch.exe's skin

AppLaunch.exe is a legitimate Microsoft .NET Framework binary responsible for launching ClickOnce applications. It lives in the Framework directory, it is signed by Microsoft, and it runs routinely on systems with .NET applications. To a SOC analyst triaging process trees, or to an EDR product checking parent-child relationships, a .NET Framework binary doing network activity is not inherently suspicious. That is exactly the point.

The DLL import list further reveals the loader's capabilities:

kernel32.dll   -- Process creation, memory manipulation
crypt32.dll    -- Cryptographic operations (payload decryption)
secur32.dll    -- Security/authentication functions
shell32.dll    -- Shell operations
userenv.dll    -- User environment (profile paths)
advapi32.dll   -- Advanced API (registry, security)

Obfuscation: Word Salad with a Side of Kubernetes

The Go loader's obfuscation strategy is creative but ultimately self-defeating. Function and type names use concatenated English words designed to evade string-based detection rules:

Word-Salad Names -- random word combinations that look like nothing:

main.Screensaverthousands
main.Bandwidthaggressive
main.Conversationsstructured
main.Saskatchewanselections
main.Exercisescelebrate
main.Procurementsubscribe

Kubernetes/Container Theme -- names designed to blend with enterprise software telemetry:

main.Deployment
main.Pod
main.PodID
main.NodeID
main.ResourceQuota
main.RestartPolicy
main.ScheduleResult

Financial Types -- and here is where the mask slips:

main.Wallet
main.WalletID
main.Transaction
main.TxStatus

The Kubernetes-themed names are a clever idea in theory: if the binary's strings end up in a log aggregator or SIEM alongside legitimate container orchestration telemetry, the names would not immediately look out of place. But the financial types betray the payload's actual purpose. A "Kubernetes deployment tool" that also has Wallet, WalletID, and Transaction types should raise flags for anyone doing even cursory string analysis.

More importantly, the word-salad pattern itself is a fingerprint. The concatenation style -- two unrelated English words smashed together with no separator, using title case -- is distinctive enough to write detection rules against. An obfuscation technique is only useful if it looks like something normal. These look like nothing at all, which makes them look like something.

Anti-Analysis Features

Technique           | Implementation
--------------------+-------------------------------------------------------
Anti-Debug          | Software breakpoint detection (0xCC scanning)
Anti-VM             | VM environment string checks, system fingerprinting
Timestamp Stomping  | Compilation timestamp zeroed to epoch
Symbol Obfuscation  | Word-salad and Kubernetes-themed function/type names
Payload Encryption  | Multi-layer AES + RC4, then QuickLZ compression

Standard for a loader of this sophistication level. The anti-VM checks are worth noting -- the operator expects this payload to be detonated in sandboxes and has taken steps to detect and evade automated analysis environments.

The fbf543 Campaign: An Amadey Supermarket

The Go loader is one product in a very full catalog. The fbf543 campaign tag links to an Amadey distribution operation that was pushing payloads at an aggressive pace during March 6-10, 2026. Here is what was on the shelves:

Malware Family            | Samples | Notable Details
--------------------------+---------+------------------------------------------------------------------
LummaStealer              | 1       | Go loader variant -- the sample under analysis
Vidar                     | 5       | Consistent imphash across variants (068780fe...) -- same builder
QuasarRAT                 | 4       | .NET RAT, includes a BAT dropper variant
SalatStealer              | 3       | Including a UPX-packed variant
SantaStealer              | 3       | Emerging stealer family, limited public reporting
XWorm                     | 3       | .NET RAT with broad capabilities
ConnectWise ScreenConnect | 4       | Legitimate RMM tool abuse (MSI and EXE installers)
Smoke Loader              | 1       | Veteran loader/dropper framework
RustyStealer              | 2       | Rust-based stealer -- newer family
HijackLoader              | 1       | DLL side-loading loader
AsyncRAT                  | 1       | BAT dropper delivery
DarkVisionRAT             | 1       | Commercial RAT sold on underground forums
GCleaner                  | 1       | Pay-per-install loader
CoinMiner                 | 1       | Signed with a stolen or purchased code signing cert
NirCmd                    | 2       | Legitimate Nirsoft utility abuse
Unknown/Unsigned          | 15+     | Various sizes, BAT scripts, unidentified payloads
TOTAL                     | 50+     | 13+ distinct families

The diversity tells a story. This is not a single threat actor running a single campaign -- it is an Amadey operator selling distribution-as-a-service to multiple customers, or a single sophisticated operator hedging bets with redundant tooling. The inclusion of ConnectWise ScreenConnect is particularly telling: legitimate RMM tools are increasingly favored by threat actors for persistent access because they do not trigger AV detections, they look like normal IT operations, and they give the operator a fully functional remote desktop without deploying anything overtly malicious.

The five Vidar samples sharing the same imphash suggest they came from the same builder configuration -- likely the same customer re-uploading slightly modified variants. The three SalatStealer and three SantaStealer samples suggest emerging stealer families being test-driven through the distribution network.

The Code Signing Certificate

One campaign payload was signed with what appears to be a legitimate code signing certificate:

Attribute   | Value
------------+------------------------------------------------------------------
Subject     | IP Davydov Egor Denisovich
Issuer      | GlobalSign GCC R45 CodeSigning CA 2020
Serial      | 374d2b07f28d196ca40f43b1
Valid From  | 2025-09-19
Valid To    | 2026-09-20
Thumbprint  | e5baf58a7752a374f8209bce07711507f2f1d9298030046efceac2a7251c37e2

"IP" in Russian business registration stands for "Individual Proprietor" (Individualnyy Predprinimatel). This is a format used by Russian nationals who register as sole proprietors for business purposes. Whether Davydov Egor Denisovich knowingly signed malware or had their certificate compromised is an open question, but the certificate is now being used to sign payloads distributed through a botnet. GlobalSign should be notified for revocation.

Infrastructure Analysis: One ASN to Rule Them All

The Omegatech Problem

Every piece of the fbf543 campaign's operational infrastructure -- the Amadey C2, the dropper site, the payload hosting -- lives on a single autonomous system: AS202412, Omegatech LTD.

IP                  | ASN      | Provider               | Open Ports  | Services                    | Role           | Status
--------------------+----------+------------------------+-------------+-----------------------------+----------------+-------
158.94.211.222      | AS202412 | Omegatech (Seychelles) | 22, 80, 443 | OpenSSH 8.9p1, nginx 1.18.0 | Amadey C2      | LIVE
178.16.54.88        | AS202412 | Omegatech (Seychelles) | 80, 3389    | nginx 1.22.1                | Amadey Dropper | LIVE
37[.]77[.]150[.]150 | Proton66 | Proton66 OOO (Russia)  | 25, 587     | Exim 4.94.2                 | LummaC2 C2     | LIVE

The LummaC2 C2 endpoint (dinglev[.]cyou) sits on Proton66 OOO -- a Russian hosting provider based in St. Petersburg with a well-documented history of hosting malicious infrastructure. The split between Omegatech (for the Amadey distribution layer) and Proton66 (for the stealer C2) suggests either compartmentalization between the Amadey operator and the LummaC2 customer, or a deliberate decision to separate the delivery infrastructure from the exfiltration infrastructure.

The Bulletproof Hosting Hierarchy

Omegatech does not exist in isolation. Tracing the BGP routing reveals a layered hosting hierarchy designed to insulate the operational infrastructure from takedown:

TIER 0 -- Upstream Transit Providers
+-------------------------------------------------------+
| AS51396  PFCLOUD (Germany)     -- KNOWN BPH TRANSIT   |
| AS203446 SMARTNET LIMITED (Manchester, UK)             |
| AS30823  AUROLOGIC (Langen, Germany)                   |
+-------------------------------------------------------+
                        |
                        v
TIER 1 -- Bulletproof Hosting Operator
+-------------------------------------------------------+
| AS202412 OMEGATECH-AS                                  |
| Omegatech LTD (Seychelles -- shell company)            |
| LIR: lir-tr-mgn-1-MNT (Istanbul, Turkey)              |
| RIPE Sponsor: ORG-DM262-RIPE                           |
+-------------------------------------------------------+
                        |
                        v
TIER 2 -- Operational Infrastructure
+-------------------------------------------------------+
| 158.94.211.222  -- Amadey C2 (labinstalls.info)        |
| 178.16.54.88    -- Dropper site (qpgroup.top)          |
| + Adjacent: crypto scams, botnets, abusive domains     |
+-------------------------------------------------------+

The corporate structure is textbook bulletproof hosting. Omegatech LTD is registered in the Seychelles -- a jurisdiction chosen specifically for its minimal corporate transparency requirements and limited cooperation with international law enforcement requests. The actual network operations are managed through a Turkish Local Internet Registry (LIR), meaning the technical staff and infrastructure are likely based in Turkey while the corporate liability sits in a South Pacific shell company.

PFCLOUD (AS51396) as a transit provider is a red flag on its own. It is a known provider of upstream connectivity to bulletproof hosting operations, which means any abuse complaints that make it past Omegatech's likely-nonexistent abuse desk will stall again at PFCLOUD.

Omegatech's IP Empire

The scale of Omegatech's allocations tells you this is not a small operation:

IP Range                                | Size       | Known Usage
----------------------------------------+------------+--------------------------
158.94.208.0/24 through 158.94.211.0/24 | 1,024 IPs  | Amadey C2 infrastructure
178.16.52.0/24 through 178.16.55.0/24   | 1,024 IPs  | Dropper infrastructure
45.132.180.0/24                         | 256 IPs    | Unknown purpose
91.92.240.0/24 through 91.92.243.0/24   | 1,024+ IPs | Unknown purpose
Total                                   | 3,300+ IPs |

Over 3,300 IP addresses under a single ASN operated by a Seychelles shell company with a Turkish backend. For context, that is more IP space than many legitimate small ISPs control. The "unknown purpose" ranges are likely allocated to other customers of the same bulletproof hosting service -- other campaigns, other operators, other malware families sharing the same protective infrastructure.

Domain Infrastructure

Domain             | IP                  | Registrar           | Created    | Nameservers                     | Purpose
-------------------+---------------------+---------------------+------------+---------------------------------+----------------
labinstalls[.]info | 158.94.211.222      | Unknown (.info)     | Unknown    | vern/romina.ns.cloudflare.com   | Amadey C2
qpgroup[.]top      | 178.16.54.88        | NICENIC (Hong Kong) | 2025-07-02 | jerry/jessica.ns.cloudflare.com | Initial dropper
dinglev[.]cyou     | 37[.]77[.]150[.]150 | Unknown             | Unknown    | Unknown                         | LummaC2 C2

NICENIC International Group (Hong Kong) as the registrar for the dropper domain is a consistent signal. This registrar appears repeatedly in Russian-speaking cybercrime infrastructure -- it offers cheap domains, accepts a range of payment methods, and is not known for aggressive domain takedowns.

Both Omegatech-hosted domains use Cloudflare nameservers, which provides DNS resilience and obscures the authoritative DNS infrastructure from direct abuse. The Let's Encrypt certificate on labinstalls[.]info was issued on March 6, 2026, just days before the campaign payloads started appearing -- the infrastructure was fresh.

Neighbors Tell a Story

The /24 block surrounding the Amadey C2 (158.94.211.0/24) is a neighborhood you would not want to live in:

IP             | Hostname              | Threat Indicator
---------------+-----------------------+----------------------------------
158.94.211.211 | aimdirection[.]info   | Suspicious -- Cloudflare fronted
158.94.211.215 | unlswap-v3[.]cv       | Crypto scam (fake Uniswap DEX)
158.94.211.216 | (none)                | Port 1337 open -- likely backdoor
158.94.211.221 | goyslopjewbag[.]icu   | Abusive/hate content domain
158.94.211.228 | client-tdportal[.]com | Potential C2 panel

A fake Uniswap clone, a backdoored host with a meme port number, an abusive domain, and a probable C2 panel -- all within a few IPs of the Amadey server. This is what bulletproof hosting looks like at the operational level: the provider does not discriminate between malware C2, crypto scams, and abuse domains because accepting all of them is the business model.

The Operator: Russian-Speaking, Financially Motivated, Not as Careful as They Think

Attribution Assessment

  • Confidence: MEDIUM
  • Region: Russia / CIS
  • Motivation: Financial (credential theft, crypto mining, persistent access for resale)
  • Sophistication: Advanced at the technical layer, sloppy at the operational layer

The Evidence Chain

The attribution to a Russian-speaking operation rests on five converging indicators:

  1. Code signing certificate registered to a Russian individual proprietor (IP Davydov Egor Denisovich) using the Russian "IP" business registration format
  2. LummaC2 C2 hosting on Proton66 OOO, a St. Petersburg-based provider with extensive ties to Russian cybercrime
  3. Amadey botnet -- historically a Russian-speaking cybercrime tool, sold and operated primarily in Russian-language underground forums
  4. Turkish LIR managing the Omegatech BPH -- a common jurisdictional arrangement for Russian-speaking operators who want geographic distance between themselves and their infrastructure
  5. NICENIC registrar usage -- a Hong Kong registrar that is a recurring feature of Russian cybercriminal domain registration patterns

No single indicator is conclusive. Together, they paint a consistent picture.

OPSEC Failures: The Gift That Keeps Giving

For all the sophistication of the Go loader -- the multi-layer encryption, the process hollowing, the anti-VM checks -- the operator's operational security has holes you could drive a truck through:

  1. Go symbols not stripped. The .symtab section is still in the binary, with full function and type metadata. One -s -w flag at compile time would have eliminated this. They did not use it.

  2. Go build ID exposed. The build ID 1AQXdqBNH-OY12Bhp0CS/p37VOHv6UZ3tkodv0YAX/bn17HkAZwxpxziNGbrLA/ssdJqZcSXMa6I59qHOC7 is a unique fingerprint that can be used to correlate this binary with other builds from the same environment.

  3. Type names reveal intent. The Kubernetes-themed obfuscation is creative, but including main.Wallet, main.WalletID, and main.Transaction alongside main.Pod and main.Deployment tells every analyst exactly what the payload is designed to steal.

  4. The obfuscation pattern is a fingerprint. Word-salad names like Screensaverthousands and Saskatchewanselections are distinctive enough to write YARA rules against. The concatenation pattern -- two title-cased English words with no separator -- is not something that appears in legitimate software.

  5. All infrastructure on one ASN. The dropper site and the Amadey C2 are both on Omegatech (AS202412). This means a defender who blocks one automatically has the network intelligence to block the other. Distributing infrastructure across multiple providers costs more but makes takedown harder. This operator chose convenience.

  6. Code signing certificate is traceable. Whether the certificate belongs to the operator or was stolen, it contains a name -- and names can be investigated.

MITRE ATT&CK Mapping

Tactic              | Technique                             | ID        | Campaign Application
--------------------+---------------------------------------+-----------+-----------------------------------------------------------
Initial Access      | Phishing: Spearphishing Link          | T1566.002 | Fake software installer (Coral_Setup.exe) via qpgroup[.]top
Execution           | User Execution: Malicious File        | T1204.002 | Victim executes fake Coral Setup installer
Execution           | Shared Modules                        | T1129     | Go loader dynamically loads DLLs (crypt32, secur32, etc.)
Defense Evasion     | Process Injection: Process Hollowing  | T1055.012 | Hollows AppLaunch.exe to inject LummaC2
Defense Evasion     | Obfuscated Files or Information       | T1027     | AES/RC4 encrypted payload, word-salad symbol names
Defense Evasion     | Virtualization/Sandbox Evasion        | T1497.001 | Anti-VM string checks, anti-debug breakpoint scanning
Defense Evasion     | Masquerading: Match Legitimate Name   | T1036.005 | Kubernetes/container themed type names to blend in
Defense Evasion     | Indicator Removal: Timestomp          | T1070.006 | Compilation timestamp zeroed to epoch
Command and Control | Application Layer Protocol: Web       | T1071.001 | HTTP/HTTPS C2 to *.shop, *.cyou, *.top domains
Command and Control | Ingress Tool Transfer                 | T1105     | Amadey downloads 50+ payloads to infected hosts
Credential Access   | Credentials from Password Stores      | T1555     | LummaC2 extracts browser credentials, wallets, 2FA tokens
Collection          | Data from Local System                | T1005     | Wallet files, browser databases, cookie stores

Indicators of Compromise

File Indicators

# Primary Sample -- LummaStealer Go Loader
SHA256: b94921bb31f3dafcd7b786b83da8916746d1e31c6ec7c7e66ff07291cb46d080
SHA1:   7090c36a9d18371afbf43021463143af5f64ade6
MD5:    da2775f1345e0b2b4429d704f9e16eb7
Imphash: 1aae8bf580c846f39c71c05898e57e88
SSDeep: 24576:ivGfGaFCrUEg/LqSnw1SD//cbavdJ1fPGCwv4TBfPwe0p4bPmV:iuOa64/ohoBf4e0p4bPm

# Code Signing Certificate (Campaign-Wide)
Thumbprint: e5baf58a7752a374f8209bce07711507f2f1d9298030046efceac2a7251c37e2
Serial:     374d2b07f28d196ca40f43b1
Subject:    IP Davydov Egor Denisovich
Issuer:     GlobalSign GCC R45 CodeSigning CA 2020

Network Indicators

# Amadey Infrastructure (Omegatech BPH -- AS202412)
158.94.211[.]222          -- Amadey C2 server
178.16.54[.]88            -- Amadey dropper server
labinstalls[.]info        -- Amadey C2 domain
qpgroup[.]top             -- Initial dropper domain (Coral_Setup.exe)

# Payload Download URLs (defanged)
hxxp://158.94.211[.]222/files/8261736065/6QBuVkN.exe
hxxps://qpgroup[.]top/uploads/Coral_Setup.exe

# LummaC2 C2 Domains
dinglev[.]cyou            -- 37.77.150[.]150 (Proton66 OOO, Russia)
tailfcw[.]shop
sorbiru[.]shop
sirjosd[.]shop
implczf[.]shop
quapfi[.]asia

# Omegatech BPH Ranges -- BLOCK AT FIREWALL
158.94.208.0/22           -- (158.94.208.0 - 158.94.211.255)
178.16.52.0/22            -- (178.16.52.0 - 178.16.55.255)
45.132.180.0/24
91.92.240.0/22            -- (91.92.240.0 - 91.92.243.255)

Behavioral Indicators

# Process Hollowing Target
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

# Go Build ID (unique binary fingerprint)
1AQXdqBNH-OY12Bhp0CS/p37VOHv6UZ3tkodv0YAX/bn17HkAZwxpxziNGbrLA/ssdJqZcSXMa6I59qHOC7

# Compilation Metadata
Compiler: Go 1.25.0
Architecture: GOARCH=386, GOOS=windows

# DLLs Loaded at Runtime
kernel32.dll, crypt32.dll, secur32.dll, shell32.dll, userenv.dll, advapi32.dll

# Amadey C2 TLS Certificate
Subject:   labinstalls.info
Issuer:    Let's Encrypt R13
Issued:    2026-03-06
Expires:   2026-06-04

Detection Opportunities

Immediate (24-48 hours)

  • Block all Omegatech IP ranges at the perimeter firewall. The four CIDR blocks listed above cover the entire known Omegatech allocation. Legitimate traffic from a Seychelles shell company's bulletproof hosting network is not something your users need access to.
  • Search EDR/SIEM for connections to 158.94.211[.]222, 178.16.54[.]88, labinstalls[.]info, and qpgroup[.]top. Any hits indicate an active or historical Amadey infection.
  • Hunt for AppLaunch.exe anomalies. Specifically: AppLaunch.exe processes spawned by non-standard parents (anything other than ClickOnce deployment), AppLaunch.exe making outbound network connections to .shop, .cyou, or .top TLDs, and AppLaunch.exe processes with unusually high memory consumption (the injected LummaC2 payload will inflate the working set).
  • Deploy YARA rules targeting the Go build ID, the word-salad function name pattern, and the imphash.
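One way to turn the "Immediate" items above into hunting logic, as an added example rather than anything from the report's authors: the script below walks constructed EDR-style process and network events and flags the campaign IOCs, the Omegatech CIDRs, and AppLaunch.exe instances with an unexpected parent, an oversized working set, or connections to the listed TLDs. The expected-parent list and the 200 MB working-set threshold are assumptions to tune for your environment.

```python
"""Hunting logic for the 'Immediate' items above, run over constructed
EDR-style events (not real telemetry). The IOCs and CIDRs are the report's;
the expected-parent list and memory threshold are assumptions to tune locally."""
import ipaddress

OMEGATECH_CIDRS = [ipaddress.ip_network(c) for c in (
    "158.94.208.0/22", "178.16.52.0/22", "45.132.180.0/24", "91.92.240.0/22")]
IOC_IPS = {"158.94.211.222", "178.16.54.88", "37.77.150.150"}
IOC_DOMAINS = {"labinstalls.info", "qpgroup.top", "dinglev.cyou"}
SUSPECT_TLDS = {"shop", "cyou", "top", "asia"}
APPLAUNCH = r"c:\windows\microsoft.net\framework\v4.0.30319\applaunch.exe"
# Assumptions: ClickOnce starts AppLaunch.exe via dfsvc.exe or explorer.exe,
# and a genuine AppLaunch.exe working set stays well under 200 MB.
EXPECTED_PARENTS = {"dfsvc.exe", "explorer.exe"}
WORKING_SET_LIMIT_MB = 200


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.lower().rsplit("\\", 1)[-1]


def in_omegatech(ip: str) -> bool:
    """True if the address falls inside any Omegatech block from the report."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in OMEGATECH_CIDRS)


def tld(domain: str) -> str:
    """Last DNS label, ignoring a trailing dot."""
    return domain.rstrip(".").rsplit(".", 1)[-1].lower()


def classify(ev: dict) -> list[str]:
    """Reasons one event is suspicious; an empty list means no finding."""
    reasons = []
    is_applaunch = ev.get("image", "").lower() == APPLAUNCH
    if ev["type"] == "process" and is_applaunch:
        parent = basename(ev.get("parent_image", ""))
        if parent not in EXPECTED_PARENTS:
            reasons.append(f"applaunch-parent:{parent or 'unknown'}")
        if ev.get("working_set_mb", 0) > WORKING_SET_LIMIT_MB:
            reasons.append("applaunch-memory")
    elif ev["type"] == "network":
        dst, dom = ev.get("dst_ip", ""), ev.get("dst_domain", "").lower()
        if dst in IOC_IPS or dom in IOC_DOMAINS:
            reasons.append("campaign-ioc")
        elif dst and in_omegatech(dst):
            reasons.append("omegatech-range")
        if is_applaunch and dom and tld(dom) in SUSPECT_TLDS:
            reasons.append(f"applaunch-tld:{tld(dom)}")
    return reasons


def hunt(events: list[dict]) -> list[tuple[int, str]]:
    """(event id, reason) pairs for every suspicious event in the batch."""
    return [(ev["id"], r) for ev in events for r in classify(ev)]


# Constructed events. 203.0.113.0/24 and 198.51.100.0/24 are documentation
# ranges; the Temp path for the loader and all IDs are made up for the demo.
EVENTS = [
    {"id": 1, "type": "process", "image": APPLAUNCH, "working_set_mb": 40,
     "parent_image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\dfsvc.exe"},
    {"id": 2, "type": "process", "image": APPLAUNCH, "working_set_mb": 310,
     "parent_image": r"C:\Users\u\AppData\Local\Temp\6QBuVkN.exe"},
    {"id": 3, "type": "network", "image": APPLAUNCH,
     "dst_ip": "37.77.150.150", "dst_domain": "dinglev.cyou"},
    {"id": 4, "type": "network", "image": r"C:\Windows\System32\svchost.exe",
     "dst_ip": "158.94.209.17", "dst_domain": ""},
    {"id": 5, "type": "network", "image": r"C:\Program Files\Browser\browser.exe",
     "dst_ip": "203.0.113.5", "dst_domain": "example.com"},
    {"id": 6, "type": "network", "image": APPLAUNCH,
     "dst_ip": "198.51.100.7", "dst_domain": "tailfcw.shop"},
]

if __name__ == "__main__":
    for event_id, reason in hunt(EVENTS):
        print(f"event {event_id}: {reason}")
```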

Short-Term (1-2 weeks)

  • Block AS202412 at the BGP level if your network architecture supports it. This eliminates the entire Omegatech address space in one rule.
  • Monitor for LummaC2 C2 domain patterns. The stealer uses algorithmically generated domains across .shop, .cyou, .top, and .asia TLDs. Short, nonsensical domain names on these TLDs resolving to Proton66 IP space should be treated as suspect.
  • Audit ConnectWise ScreenConnect installations. The campaign pushes legitimate ScreenConnect MSI/EXE installers. Any ScreenConnect agent that was not provisioned by IT is a potential indicator of compromise.
  • Cross-reference the Vidar imphash (068780fe...) across your threat intelligence feeds. Five samples sharing the same imphash means the builder configuration is stable and the hash is a reliable detection pivot.

Medium-Term (1-3 months)

  • Report the code signing certificate to GlobalSign for revocation (serial: 374d2b07f28d196ca40f43b1). Every day this certificate remains valid, signed malware has an easier path to execution.
  • Submit abuse reports to Omegatech (abuse@omegatech[.]sc), PFCLOUD, SMARTNET, and AUROLOGIC. These will almost certainly be ignored by the bulletproof hosting provider, but the upstream transits (especially the EU-based ones) may be more responsive.
  • Monitor the fbf543 campaign tag on MalwareBazaar for new payloads. This campaign was actively pushing samples as of March 10, 2026, and the infrastructure is still live. New families and variants should be expected.
  • Track Omegatech IP range reassignments via RIPE database monitoring. Bulletproof hosting providers periodically rotate IP allocations to evade reputation-based blocking. The same operator may reappear on new ranges under the same ASN.

Published by Breakglass Intelligence. Investigation conducted 2026-03-10. 1 Go loader dissected. 50+ payloads cataloged. 3,300+ bulletproof IPs mapped. 13 malware families, one ASN, zero stripped symbols. Classification: TLP:CLEAR