S1025: Amadey
Analyst context for executives and security teams
Amadey is a Windows Trojan bot documented by ATT&CK as used since at least October 2018. Its mapped behaviors make it relevant beyond “malware detection”: it can support host discovery, security-tool discovery, persistence through Registry Run Keys or Startup Folder, web-based command-and-control, tool transfer, and exfiltration over the C2 channel. For leaders, the practical issue is whether endpoint, DNS/web, and Windows registry telemetry can show the full intrusion path quickly enough for containment decisions.
Executive priority
Prioritize Amadey as a readiness test for Windows endpoint resilience and SOC visibility. The ATT&CK relationships tie it to financially motivated and espionage-related group contexts, but local risk should be assessed from exposure, telemetry, and response capability rather than assuming current targeting. Executives should ask whether teams can prove coverage for Windows persistence, suspicious discovery activity, web-protocol C2, fast-flux DNS patterns, and data movement over existing C2 channels.
Technical view
SOC and IR teams should validate detection and investigation coverage across the mapped Windows-relevant behaviors: Registry modification and Run Key or Startup Folder persistence, system/user/network/security-software discovery, file and directory enumeration, obfuscated or decoded payloads, native API execution indicators, ingress tool transfer, web-protocol C2, fast-flux DNS, and exfiltration over the C2 channel. ATT&CK provides no official detection text for Amadey, so detection engineering should be behavior-led and mapped to the related techniques rather than dependent on a single malware signature.
Likely telemetry
- Windows endpoint process creation and command-line telemetry
- Windows Registry auditing for modification and Run Key or Startup Folder changes
- Endpoint file creation, file modification, and directory enumeration events
- Security tool inventory or process/service discovery telemetry
- DNS query logs including TTL and rapidly changing resolution patterns
Detection direction
- Build detections around behavior clusters rather than Amadey name alone: discovery followed by persistence, tool transfer, C2, or outbound data movement is higher value than isolated events.
- Tune Windows Registry monitoring for suspicious Run Key and Startup Folder additions while accounting for legitimate software installers and enterprise management tools.
- Correlate DNS and web telemetry for domains with rapidly changing IP addresses, short TTL behavior, and unusual outbound web-protocol sessions from endpoints.
- Look for discovery of users, system information, network configuration, files, directories, location, and security software, especially when performed by unusual processes or shortly before network beaconing.
- Account for false positives from administration scripts, inventory tools, patching systems, and software deployment platforms; detections should include process lineage, signer/reputation context, user context, and destination reputation where available.
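As an added example (not Glexia's or ATT&CK's code), the following Python sketches the behaviour-cluster logic described above over constructed endpoint events: a registry write that adds a Run key value or redirects the user's Startup folder, followed within a short window by DNS answers for one domain that change rapidly with short TTLs, all from the same process image. The event schema, the thresholds, and the assumption that the Startup folder location is held in the `User Shell Folders\Startup` value (a key the page does not name) are mine.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry for one host (simplified Sysmon-like fields, no real indicators).
IMG_SUS = r"C:\Users\u\AppData\Local\Temp\upd.exe"
IMG_OK = r"C:\Program Files\Vendor\setup.exe"
def reg(ts, image, key, value):
    return {"ts": ts, "type": "registry", "image": image, "key": key, "value": value}
def dns(ts, image, query, answer, ttl):
    return {"ts": ts, "type": "dns", "image": image, "query": query, "answer": answer, "ttl": ttl}
EVENTS = [
    reg("2024-05-01T09:00:00", IMG_SUS, r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders", "Startup"),
    dns("2024-05-01T09:00:20", IMG_SUS, "c2.example", "198.51.100.10", 60),
    dns("2024-05-01T09:01:30", IMG_SUS, "c2.example", "203.0.113.7", 60),
    dns("2024-05-01T09:02:40", IMG_SUS, "c2.example", "192.0.2.55", 30),
    # Benign installer: adds a Run key, but its update host resolves stably with a long TTL.
    reg("2024-05-01T10:00:00", IMG_OK, r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "VendorUpdater"),
    dns("2024-05-01T10:00:05", IMG_OK, "updates.vendor.example", "198.51.100.200", 3600),
]

WINDOW = timedelta(minutes=10)       # persistence write -> DNS activity window
MIN_DISTINCT_IPS, MAX_TTL = 3, 300   # crude fast-flux thresholds; tune per environment

def is_persistence_write(ev):
    """Run/RunOnce key writes, or redirection of the user's Startup folder (assumed to be
    the User Shell Folders\\Startup value; the ATT&CK text does not name the key)."""
    if ev["type"] != "registry":
        return False
    key = ev["key"].lower()
    return (key.endswith(("\\currentversion\\run", "\\currentversion\\runonce")) or
            (key.endswith("\\user shell folders") and ev["value"].lower() == "startup"))

def fast_flux_domains(dns_events):
    """Domains with >= MIN_DISTINCT_IPS distinct answers where every answer's TTL <= MAX_TTL."""
    seen = defaultdict(lambda: {"ips": set(), "ttls": []})
    for ev in dns_events:
        seen[ev["query"]]["ips"].add(ev["answer"])
        seen[ev["query"]]["ttls"].append(ev["ttl"])
    return {d for d, s in seen.items()
            if len(s["ips"]) >= MIN_DISTINCT_IPS and max(s["ttls"]) <= MAX_TTL}

def find_clusters(events):
    """(image, key\\value, domain) tuples: a persistence write followed within WINDOW by
    fast-flux-looking DNS from the same process image. Isolated events never alert."""
    ts = lambda e: datetime.fromisoformat(e["ts"])
    hits = []
    for ev in filter(is_persistence_write, events):
        later = [d for d in events if d["type"] == "dns" and d["image"] == ev["image"]
                 and ts(ev) <= ts(d) <= ts(ev) + WINDOW]
        hits += [(ev["image"], ev["key"] + "\\" + ev["value"], dom) for dom in sorted(fast_flux_domains(later))]
    return hits
```

The benign installer's Run key write is still a persistence event, but without the fast-flux DNS that follows it produces no alert, which is the point of clustering rather than alerting on isolated registry changes.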
Mitigation priorities
- Start with endpoint hardening and monitoring for Windows persistence locations, especially Registry Run Keys and Startup Folders.
- Ensure EDR and Windows logging capture process, registry, file, and network events needed to reconstruct discovery, persistence, and C2 activity.
- Restrict and monitor outbound web traffic, DNS behavior, and file transfer paths from endpoints to reduce blind spots around web-protocol C2 and ingress tool transfer.
- Improve incident response playbooks for suspected bot infections: isolate affected Windows hosts, preserve endpoint and network evidence, review persistence locations, and scope for related discovery and exfiltration behaviors.
- Use the mapped techniques as control-validation requirements for managed detection, compliance evidence, and tabletop exercises rather than relying only on malware-family indicators.
Analyst notes and limits
ATT&CK identifies Amadey as a Trojan bot and maps it to multiple techniques across discovery, persistence, defense evasion, command-and-control, collection, and exfiltration. Relationship context states TA505 and Kimsuky use this object; this should inform threat intelligence enrichment but not be treated as attribution for any local event without supporting evidence.
The supplied ATT&CK object has no official detection text, no aliases, no labels, and no specified tactics on the malware object itself. Some related techniques list broader platforms, but the Amadey object platform is Windows; local detection planning should therefore focus on Windows unless other evidence exists. This take does not assert current exploitation, customer exposure, or guaranteed detection coverage.
Amadey
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1083 | File and Directory Discovery | Amadey has searched for folders associated with antivirus software.[1] |
| Enterprise | T1027 | Obfuscated Files or Information | Amadey has obfuscated strings such as antivirus vendor names, domains, files, and others.[2] |
| Enterprise | T1568.001 | Fast Flux DNS (sub-technique) | Amadey has used fast flux DNS for its C2.[1] |
| Enterprise | T1518.001 | Security Software Discovery (sub-technique) | Amadey has checked for a variety of antivirus products.[1][2] |
| Enterprise | T1106 | Native API | Amadey has used a variety of Windows API calls, including `GetComputerNameA`, `GetUserNameA`, and `CreateProcessA`.[2] |
| Enterprise | T1005 | Data from Local System | Amadey can collect information from a compromised host.[2] |
| Enterprise | T1041 | Exfiltration Over C2 Channel | Amadey has sent victim data to its C2 servers.[2] |
| Enterprise | T1553.005 | Mark-of-the-Web Bypass (sub-technique) | Amadey has modified the `:Zone.Identifier` in the ADS area to zero.[1] |
| Enterprise | T1105 | Ingress Tool Transfer | Amadey can download and execute files to further infect a host machine with additional malware.[2] |
| Enterprise | T1082 | System Information Discovery | Amadey has collected the computer name and OS version from a compromised machine.[1][2] |
| Enterprise | T1112 | Modify Registry | Amadey has overwritten registry keys for persistence.[2] |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder (sub-technique) | Amadey has changed the Startup folder to the one containing its executable by overwriting the registry keys.[1][2] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Amadey has decoded antivirus name strings.[1] |
| Enterprise | T1033 | System Owner/User Discovery | Amadey has collected the user name from a compromised host using `GetUserNameA`.[2] |
| Enterprise | T1614 | System Location Discovery | Amadey does not run any tasks or install additional malware if the victim machine is based in Russia.[2] |
| Enterprise | T1071.001 | Web Protocols (sub-technique) | Amadey has used HTTP for C2 communications.[2] |
| Enterprise | T1016 | System Network Configuration Discovery | Amadey can identify the IP address of a victim machine.[2] |
Groups, software, and campaigns
G0094: Kimsuky
Kimsuky is a Democratic People's Republic of Korea (DPRK)-based cyber espionage group that has been active since at least 2012. The group initially targeted South Korean government agencies, think tanks, and subject-matter experts in various fields. Its operations expanded to include the United Nations and organizations in the government, education, business services, and manufacturing sectors across the United States, Japan, Russia, and Europe. Kimsuky has focused collection on foreign policy and national security issues tied to the Korean Peninsula, nuclear policy, and sanctions. Kimsuky operations have overlapped with those of other North Korean state-sponsored cyber espionage actors as a result of ad hoc collaborations or other limited resource sharing.[1][2][3][4][5][6]
Kimsuky was assessed to be responsible for the 2014 Korea Hydro & Nuclear Power Co. compromise; other notable campaigns include Operation STOLEN PENCIL (2018), Operation Kabar Cobra (2019), and Operation Smoke Screen (2019).[7][8][9] In 2023, Kimsuky was observed using commercial large language models (LLMs) to assist with vulnerability research, scripting, social engineering and reconnaissance.[10]
DPRK threat actor cluster boundaries overlap in open source reporting, with some security researchers consolidating all attributed North Korean state-sponsored cyber activity under Lazarus Group, rather than tracking operationally distinct subgroups.
G0092: TA505
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources page (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 62173724e1ba… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Korean FSI TA505 2020: Financial Security Institute. (2020, February 28). Profiling of TA505 Threat Group That Continues to Attack the Financial Sector. Retrieved July 14, 2022.
- [2] BlackBerry Amadey 2020: Kasuya, M. (2020, January 8). Threat Spotlight: Amadey Bot Targets Non-Russian Users. Retrieved July 14, 2022.
- [3] mitre-attack S1025
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.