Amadey, an established malware loader active since at least 2018, was observed downloading second-stage payloads from a hijacked self-hosted GitLab instance hosted on gitlab[.]bzctoons[.]net. The infrastructure appears to belong to a legitimate organization, with evidence suggesting compromise of either a user account or the broader GitLab environment. The loader uses custom Base64 encoding combined with RC4 encryption to obfuscate strings and command-and-control (C2) communications, while critical values such as the mutex, decryption key, and botnet ID are stored in plaintext within the binary.
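To illustrate the string-obfuscation scheme described above (a custom-alphabet Base64 layer around RC4, with the key recoverable from the binary), here is an added analysis helper that is not from the original report. The alphabet, the key, the order of operations (RC4 first, then custom Base64) and the sample strings are all constructed assumptions for demonstration, not Amadey's real values.

```python
import base64

# Standard Base64 alphabet, used as the reference for the translation tables.
STD_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
# Constructed custom alphabet (standard alphabet rotated by 13). This is an
# assumption for the example; a real sample's alphabet must be pulled from the binary.
CUSTOM_ALPHABET = STD_ALPHABET[13:] + STD_ALPHABET[:13]


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Symmetric, so the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def custom_b64_decode(text: str, alphabet: str = CUSTOM_ALPHABET) -> bytes:
    """Map the custom alphabet back onto the standard one, then decode normally.
    '=' padding is not in either alphabet, so translate() leaves it untouched."""
    return base64.b64decode(text.translate(str.maketrans(alphabet, STD_ALPHABET)))


def custom_b64_encode(data: bytes, alphabet: str = CUSTOM_ALPHABET) -> str:
    """Inverse of custom_b64_decode; used here only to build constructed samples."""
    return base64.b64encode(data).decode("ascii").translate(str.maketrans(STD_ALPHABET, alphabet))


def decrypt_string(blob: str, key: bytes) -> str:
    """Recover a plaintext string: custom Base64 decode, then RC4 with the plaintext key."""
    return rc4(key, custom_b64_decode(blob)).decode("utf-8", errors="replace")


def encrypt_string(plaintext: str, key: bytes) -> str:
    """Produce an obfuscated blob in the assumed format (RC4, then custom Base64)."""
    return custom_b64_encode(rc4(key, plaintext.encode("utf-8")))


if __name__ == "__main__":
    KEY = b"constructed-key"  # placeholder; a real key is read from the sample's binary
    sample_blob = encrypt_string("hxxp://gitlab[.]example[.]invalid/payload", KEY)
    print(sample_blob, "->", decrypt_string(sample_blob, KEY))
```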
Upon execution, the Amadey loader (Yfgfwb.exe) enforces mutex-based execution control, relocates itself to a temporary directory, and establishes persistence via scheduled tasks. It spawns multiple child processes in parallel, including rundll32.exe to load a clipper plugin, powershell.exe to extract an archive, and x64_protect.exe, the StealC infostealer. StealC targets browser credentials from Chromium-based browsers and communicates with a separate C2 server. Additionally, the clipper plugin swaps copied cryptocurrency wallet addresses, enabling direct financial theft.