This article documents a malware campaign in which the Amadey loader is used to deploy the StealC infostealer, leveraging a compromised self-hosted GitLab instance (gitlab[.]bzctoons[.]net) as a payload distribution platform.
The campaign demonstrates how threat actors abuse trusted developer infrastructure to host second-stage malware, increasing delivery success by blending malicious traffic with legitimate DevOps workflows.
Malware Components
Amadey Loader
Amadey is a modular loader malware primarily used to deliver secondary payloads. In this campaign, it acts as the initial execution vector and orchestrates the deployment of StealC and auxiliary plugins.
Key characteristics observed:
- Uses a mutex to prevent multiple executions
- Copies itself to temporary or user directories
- Launches multiple child processes
- Downloads encrypted or archived payloads
- Supports plugin-based execution (e.g., clipper)
Notable behaviors:
- Executes `rundll32.exe` to load a malicious DLL
- Uses `powershell.exe` to extract ZIP archives
- Establishes persistence via scheduled tasks
- Communicates with a remote command-and-control server
StealC Infostealer
StealC is the second-stage payload delivered by Amadey in this campaign. The sample observed is a 64-bit executable (x64_protect.exe) extracted from a ZIP archive.
Capabilities observed:
- Credential and browser data theft
- Encrypted network communications
- JSON-based command-and-control protocol
- Support for multiple payload formats
- Runs alongside the separate clipper plugin (described below), which Amadey loads on its own; clipboard hijacking is not a StealC feature
StealC is executed immediately after extraction and establishes outbound communication with its own C2 infrastructure.
Clipper Plugin (clip64.dll)
The clipper plugin is loaded by rundll32.exe and monitors clipboard activity. Its purpose is to detect cryptocurrency wallet addresses and replace them with attacker-controlled addresses during copy/paste operations.
Abuse of GitLab Infrastructure
A key aspect of this campaign is the use of a compromised self-hosted GitLab server:
gitlab[.]bzctoons[.]net
The attackers host a malicious ZIP archive inside a repository and retrieve it using GitLab’s raw file functionality.
Malicious payload location:
https://gitlab[.]bzctoons[.]net/suau/fds/-/raw/main/protected.zip
This technique allows the malware to:
- Use HTTPS with valid certificates
- Blend into normal developer traffic
- Evade simple URL reputation filtering
Infection Chain
1. Initial Execution: `Yfgfwb.exe` is executed on the victim system.
2. Loader Initialization: the mutex `f936986d553273aef6eeaeef713ad28f` is created, and files are copied into `%TEMP%` and `%APPDATA%`.
3. Plugin Execution: `rundll32.exe` loads `clip64.dll`.
4. Payload Retrieval: the ZIP archive `protected.zip` is downloaded from the compromised GitLab server.
5. Extraction: `powershell.exe` extracts the archive into a temporary directory.
6. StealC Execution: `x64_protect.exe` is launched.
7. Command-and-Control: Amadey and StealC communicate with separate C2 endpoints.
8. Persistence: a scheduled task (`Yfgfwb.job`) is created.
Persistence Mechanism
| Mechanism | Details |
|---|---|
| Scheduled Task | C:\Windows\Tasks\Yfgfwb.job |
| File Locations | %TEMP%\067640a009\, %TEMP%\10000340261\protected\, %APPDATA%\f936986d553273\ |
Detection Opportunities
Endpoint Indicators
- `rundll32.exe` loading DLLs from `%TEMP%` (or `%APPDATA%`, the other drop location listed above)
- PowerShell usage for ZIP extraction
- Execution of unknown binaries from temporary directories
- Unusual scheduled task creation
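The endpoint indicators above, and the infection chain they come from, can be expressed as rules over process-creation and file-creation telemetry. The following is an added example, not tooling from the report or from either malware family. The events are constructed Sysmon-style records that reuse the report's file names and directories; the timestamps, user name, host names and the rundll32 export name (`Main`) are placeholders. The rules generalise slightly beyond the report: executables and DLLs under `%APPDATA%` are treated like `%TEMP%` because the report lists both as drop locations, and the last rule correlates an archive extraction with a later execution from the extraction directory on the same host.

```python
import re
from datetime import datetime, timedelta

# Constructed Sysmon-style events (not real telemetry). Paths and file names follow
# the report; timestamps, host/user names and the rundll32 export are placeholders.
EVENTS = [
    {"host": "WS01", "ts": "2024-05-01T10:00:01", "type": "process_create",
     "image": r"C:\Users\alice\AppData\Local\Temp\067640a009\Yfgfwb.exe",
     "cmdline": r"C:\Users\alice\AppData\Local\Temp\067640a009\Yfgfwb.exe"},
    {"host": "WS01", "ts": "2024-05-01T10:00:03", "type": "process_create",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\alice\AppData\Roaming\f936986d553273\clip64.dll,Main"},
    {"host": "WS01", "ts": "2024-05-01T10:00:09", "type": "process_create",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe -NoProfile -Command "Expand-Archive -Path C:\Users\alice\AppData\Local\Temp\protected.zip -DestinationPath C:\Users\alice\AppData\Local\Temp\10000340261\protected"'},
    {"host": "WS01", "ts": "2024-05-01T10:00:12", "type": "process_create",
     "image": r"C:\Users\alice\AppData\Local\Temp\10000340261\protected\x64_protect.exe",
     "cmdline": r"C:\Users\alice\AppData\Local\Temp\10000340261\protected\x64_protect.exe"},
    {"host": "WS01", "ts": "2024-05-01T10:00:14", "type": "file_create",
     "image": r"C:\Users\alice\AppData\Local\Temp\067640a009\Yfgfwb.exe",
     "target": r"C:\Windows\Tasks\Yfgfwb.job"},
    # Benign build host: an extraction to a non-user directory with nothing run from it.
    {"host": "WS02", "ts": "2024-05-01T10:05:00", "type": "process_create",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe -Command "Expand-Archive -Path C:\Build\artifact.zip -DestinationPath C:\Build\out"'},
]

USER_WRITABLE = re.compile(r"\\appdata\\(local\\temp|roaming)\\", re.I)
ZIP_EXTRACT = re.compile(r"expand-archive|system\.io\.compression|zipfile\]::extract", re.I)
DEST_PATH = re.compile(r"-DestinationPath\s+\"?([^\"\s]+)", re.I)
DLL_ARG = re.compile(r"([A-Za-z]:\\[^\s,\"]+\.dll)", re.I)
EXTRACT_WINDOW = timedelta(minutes=10)   # how long after an extraction a launch still counts


def detect(events):
    """Return {host: [(rule, detail), ...]} for the report's endpoint indicators,
    plus a per-host correlation of 'archive extracted, then something run from it'."""
    findings = {}
    last_extract = {}   # host -> (time, destination dir) of the most recent extraction
    for ev in sorted(events, key=lambda e: (e["host"], e["ts"])):
        host, ts = ev["host"], datetime.fromisoformat(ev["ts"])
        image, cmd = ev.get("image", ""), ev.get("cmdline", "")
        low = image.lower()
        hits = []
        if ev["type"] == "process_create":
            if USER_WRITABLE.search(image):
                hits.append(("exec_from_user_writable_dir", image))
            if low.endswith("\\rundll32.exe"):
                m = DLL_ARG.search(cmd)
                if m and USER_WRITABLE.search(m.group(1)):
                    hits.append(("rundll32_dll_from_user_dir", m.group(1)))
            if low.endswith("\\powershell.exe") and ZIP_EXTRACT.search(cmd):
                hits.append(("powershell_zip_extract", cmd))
                d = DEST_PATH.search(cmd)
                if d:
                    last_extract[host] = (ts, d.group(1).rstrip("\\").lower())
            if host in last_extract:
                t0, dest = last_extract[host]
                if ts - t0 <= EXTRACT_WINDOW and low.startswith(dest + "\\"):
                    hits.append(("extract_then_execute", image))
            if low.endswith("\\schtasks.exe") and "/create" in cmd.lower():
                hits.append(("schtasks_create", cmd))
        elif ev["type"] == "file_create":
            if re.search(r"\\windows\\tasks\\[^\\]+\.job$", ev.get("target", ""), re.I):
                hits.append(("job_file_in_windows_tasks", ev["target"]))
        if hits:
            findings.setdefault(host, []).extend(hits)
    return findings


def rules_fired(findings, host):
    return {rule for rule, _ in findings.get(host, [])}


def chain_hosts(findings):
    """Hosts where extraction was followed by execution from the extracted directory:
    the single strongest signal for this loader chain."""
    return {h for h in findings if "extract_then_execute" in rules_fired(findings, h)}


if __name__ == "__main__":
    for host, hits in detect(EVENTS).items():
        for rule, detail in hits:
            print(host, rule, detail)
```

On the constructed data, WS01 trips every rule except `schtasks_create` (the report shows the task appearing as a `.job` file rather than via `schtasks.exe`), while WS02 trips only the extraction rule, which on its own is common in build and deployment tooling. Treat the correlation rule and the `.job` file rule as high-confidence and the others as context; execution from `%APPDATA%` needs an allowlist for the legitimate applications that install there.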
Network Indicators
- Outbound HTTP traffic to bare IP addresses rather than hostnames, as with both C2 servers listed in the IOC table
- Raw file downloads from GitLab repositories
- Encrypted POST requests with JSON-like payloads
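The GitLab raw-file abuse described earlier and the network indicators above come together in proxy-log triage. The following is an added example, not tooling from the report. The log format and the client addresses, timestamps, sizes and the two benign entries are constructed; only the GitLab URL and the two C2 addresses come from the report's IOC table. The raw-endpoint check is generic (it matches any GitLab host, not just the compromised one), so the example also shows how it fires on an organisation's own instance.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlparse

# Indicators from the report's IOC table.
IOC_DOMAINS = {"gitlab.bzctoons.net"}
IOC_C2_IPS = {"91.92.243.129", "158.94.208.130"}

# GitLab's raw-file endpoint: /<namespace>/<project>/-/raw/<ref>/<path-in-repo>
GITLAB_RAW = re.compile(r"^/(?P<project>.+?)/-/raw/(?P<ref>[^/]+)/(?P<file>.+)$")
# File types a loader would pull from a repository; tune to the environment.
DELIVERABLE = re.compile(r"\.(zip|7z|rar|exe|dll|ps1)$", re.I)

# Constructed proxy log lines: timestamp client method url status bytes.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.0.0.5 GET https://gitlab.bzctoons.net/suau/fds/-/raw/main/protected.zip 200 48211
2024-05-01T10:00:09Z 10.0.0.5 POST http://91.92.243.129/ 200 312
2024-05-01T10:00:15Z 10.0.0.5 POST http://158.94.208.130/ 200 1024
2024-05-01T10:01:00Z 10.0.0.7 GET https://gitlab.com/example-group/example-project/-/raw/main/README.md 200 2000
2024-05-01T10:01:30Z 10.0.0.7 GET https://gitlab.corp.example/dev/build/-/raw/v1.2/release.zip 200 900000
""".splitlines()


def is_bare_ip(host):
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def classify(line):
    """Reasons a single log line is interesting (empty list if none)."""
    _ts, _client, method, url, _status, _size = line.split()
    u = urlparse(url)
    host = (u.hostname or "").lower()
    reasons = []
    if host in IOC_DOMAINS:
        reasons.append("ioc_domain")
    if host in IOC_C2_IPS:
        reasons.append("ioc_c2_ip")
    m = GITLAB_RAW.match(u.path)
    if m and DELIVERABLE.search(m.group("file")):
        reasons.append("gitlab_raw_deliverable")
    # Plain HTTP POSTs straight to an IP with no hostname: the C2 pattern in this report.
    if u.scheme == "http" and method == "POST" and is_bare_ip(host):
        reasons.append("http_post_to_bare_ip")
    return reasons


def triage(lines):
    """(client, url, reasons) for every line that trips at least one check."""
    out = []
    for line in lines:
        reasons = classify(line)
        if reasons:
            fields = line.split()
            out.append((fields[1], fields[3], reasons))
    return out


def hosts_to_isolate(findings):
    """Clients that touched a known indicator: the containment candidates."""
    return {client for client, _url, reasons in findings
            if any(r.startswith("ioc_") for r in reasons)}


if __name__ == "__main__":
    for client, url, reasons in triage(SAMPLE_LOG):
        print(client, ",".join(reasons), url)
    print("isolate:", sorted(hosts_to_isolate(SAMPLE_LOG and triage(SAMPLE_LOG))))
```

Only 10.0.0.5 ends up in the isolation set; 10.0.0.7 is flagged once, for the `release.zip` pulled from the internal `gitlab.corp.example`, which is exactly the legitimate CI traffic the report says this technique hides behind. Use the raw-download rule as enrichment (first-seen host, unusual client, download followed by execution on the endpoint) rather than as a block, and reserve blocking for the IOC matches.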
Incident Response (IR) Guidance
1. Identification
- Search for known file hashes and filenames
- Identify endpoints accessing gitlab[.]bzctoons[.]net
- Inspect scheduled tasks for suspicious entries
2. Containment
- Isolate affected hosts
- Block known C2 IP addresses
- Block access to the malicious GitLab domain
3. Eradication
- Remove scheduled tasks
- Delete malicious binaries and directories
- Preserve samples for forensic analysis
4. Recovery
- Rebuild affected systems where possible
- Reset credentials for impacted users
- Monitor for reinfection attempts
5. Hardening
- Restrict outbound access to developer platforms to an allowlist of approved instances, rather than permitting any host that looks like GitLab
- Enable EDR behavioral detection rules
- Monitor archive extraction followed by execution
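The identification step above (search for known hashes and file names, inspect scheduled task files) as an added Python example; it is not tooling from the report. The hashes, file names, directory names and task file name are the report's IOCs. The function walks a directory tree, hashes every file with SHA-256, and reports hits in order of strength. To run it offline, `build_constructed_tree` creates a stand-in profile whose files are empty placeholders, so on that tree only the name and directory rules fire; a real sweep would be pointed at the user profiles and `C:\Windows\Tasks` of a suspect host.

```python
import hashlib
import os
import tempfile

# IOCs from the report's table.
IOC_SHA256 = {
    "d7a366fa4d31c901ce3bcb6760d7bb5aa7cab49bb54d8c6551b3df14c8cf64e7",  # Yfgfwb.exe (Amadey)
    "b5d4cc84845cb101f8bda324729ebedd8acd36cc8ec32f80969c4fb6d3c2b8a7",  # x64_protect.exe (StealC)
    "bae0f38f58ad93728261f09840721ebedb9669a445f40083396fdd0da38a22a7",  # clip64.dll (clipper)
}
IOC_FILENAMES = {"yfgfwb.exe", "x64_protect.exe", "clip64.dll", "yfgfwb.job"}
IOC_DIRNAMES = {"067640a009", "10000340261", "f936986d553273"}


def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root, hashes=IOC_SHA256, names=IOC_FILENAMES, dirnames=IOC_DIRNAMES):
    """Walk `root` and return (evidence, path) pairs, strongest evidence first.
    A hash hit identifies the exact sample; name and directory hits are weaker
    leads that still deserve triage because the loader reuses them as drop paths."""
    hits = []
    for dirpath, dirs, files in os.walk(root):
        for d in dirs:
            if d.lower() in dirnames:
                hits.append(("ioc_dirname", os.path.join(dirpath, d)))
        for fn in files:
            p = os.path.join(dirpath, fn)
            if fn.lower() in names:
                hits.append(("ioc_filename", p))
            try:
                if sha256_file(p) in hashes:
                    hits.append(("ioc_sha256", p))
            except OSError:
                pass   # locked or unreadable file: note it, do not abort the sweep
    order = {"ioc_sha256": 0, "ioc_filename": 1, "ioc_dirname": 2}
    return sorted(hits, key=lambda h: (order[h[0]], h[1]))


def build_constructed_tree():
    """Constructed stand-in for an infected profile (placeholder contents, not samples)."""
    root = tempfile.mkdtemp()
    layout = {
        "Windows/Tasks/Yfgfwb.job": b"constructed placeholder",
        "Users/alice/AppData/Local/Temp/067640a009/Yfgfwb.exe": b"constructed placeholder",
        "Users/alice/AppData/Local/Temp/10000340261/protected/x64_protect.exe": b"constructed placeholder",
        "Users/alice/AppData/Roaming/f936986d553273/clip64.dll": b"constructed placeholder",
        "Users/alice/Documents/notes.txt": b"benign",
    }
    for rel, data in layout.items():
        p = os.path.join(root, rel)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    root = build_constructed_tree()
    for evidence, path in sweep(root):
        print(evidence, os.path.relpath(path, root))
```

Hashing every file under a user profile is slow but deliberate: a renamed copy of the loader escapes the name rules and only the hash catches it. Keep the hit list and the hashed copies of anything matched before eradication, as the Eradication step asks, so the samples survive the cleanup.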
Indicators of Compromise (IOC) Table
| Category | Indicator | Description |
|---|---|---|
| Domain | gitlab[.]bzctoons[.]net | Compromised GitLab instance |
| URL | /suau/fds/-/raw/main/protected.zip | Malicious ZIP payload |
| SHA256 | d7a366fa4d31c901ce3bcb6760d7bb5aa7cab49bb54d8c6551b3df14c8cf64e7 | Amadey loader (Yfgfwb.exe) |
| SHA256 | b5d4cc84845cb101f8bda324729ebedd8acd36cc8ec32f80969c4fb6d3c2b8a7 | StealC payload |
| SHA256 | bae0f38f58ad93728261f09840721ebedb9669a445f40083396fdd0da38a22a7 | Clipper DLL |
| IP Address | 91[.]92[.]243[.]129 | Amadey C2 |
| IP Address | 158[.]94[.]208[.]130 | StealC C2 |
| Mutex | f936986d553273aef6eeaeef713ad28f | Amadey mutex |
| Scheduled Task | Yfgfwb.job | Persistence mechanism |
| Filenames | Yfgfwb.exe, x64_protect.exe, clip64.dll | Malware components |
| Directories | %TEMP%\067640a009\, %TEMP%\10000340261\protected\ | Drop locations |
Conclusion
This campaign highlights the continued effectiveness of loader-based malware ecosystems and the increasing abuse of trusted development platforms for malware hosting. The combination of Amadey’s modular delivery and StealC’s credential theft capabilities poses a significant risk, particularly in environments lacking outbound traffic controls and behavioral endpoint detection.
