Top Tweets for #AMADEY
#ThreatProtection The #StealC #malware-as-a-service and #Amadey loader networks, often exploited to acquire enterprise access for ransomware campaigns, have faced global disruption. Read more about Symantec's protection: https://t.co/CBNeYKle08
International law enforcement just landed another major blow in #OperationEndgame.
Coordinated actions disrupted the infrastructure behind #SocGholish, #Amadey, and #StealC. Servers and domains taken down. Compromised sites cleaned up. Over €41 million in criminal crypto seized.
#StealC operators already responded with a new version.
Some still call this an endless cat and mouse game.
It is not.
Criminals are rational. They weigh risk and reward. Raise the costs and make the work harder, and less of it happens. That is the simple economic reality.
These takedowns are necessary. They protect people and organizations. They reduce the overall volume of cybercrime.
Keep going.
https://t.co/aXxWHUFoXL
I'm lucky at @proofpoint to be able to support in meaningful ops like this. Congrats to everyone involved. 🔥 #StealC #Amadey
https://t.co/1Pt1LbMFLq
We’ve identified an interesting malware family 🔍, which we’ve named #GrokPy due to its use of a Grok LLM model 🤖 to solve and subsequently bypass CAPTCHAs 🔥
The malware gets dropped by #Amadey and:
🪝 collects information about the infected device, such as screen resolution, public IP & location, ram usage and CPU name
💻 attempts to escalate privileges by running as admin or as a scheduled task
⚙️ uses the CDP (Chrome developer protocol) of either Edge or Chrome installed on the victim machine for further malicious actions
📡 calls back to the botnet C2 on the various stages of the infection and the results of its malicious actions
👱 creates new accounts on Discord to obtain authentication tokens, which are then reported back to the botnet C2
📧 uses dilly + [a-zA-Z0-9]{8,11}@gmail.com + password [a-zA-Z0-9]{8} as the email and password for the Discord registration process
🔍 has OCR capabilities for screenshots obtained via CDP, which are used to extract text from captcha
🤖 uses a Grok LLM model that resides in the botnet C2 server to solve the captcha
Botnet C2 servers are all hosted at @Hetzner_Online 🇩🇪on port 8008 TCP:
46[.]62.225.51 [active]
46[.]62.224.205
46[.]62.205.38
GrokPy malware samples on MalwareBazaar:
📄https://t.co/xlqOWu0hLd
Botnet C2s on ThreatFox:
🦊https://t.co/O1LpU8kYBl
![abuse_ch's tweet photo. We’ve identified an interesting malware family 🔍, which we’ve named #GrokPy due to its use of a Grok LLM model 🤖 to solve and subsequently bypass CAPTCHAs 🔥
The malware gets dropped by #Amadey and:
🪝 collects information about the infected device, such as screen resolution, public IP & location, ram usage and CPU name
💻 attempts to escalate privileges by running as admin or as a scheduled task
⚙️ uses the CDP (Chrome developer protocol) of either Edge or Chrome installed on the victim machine for further malicious actions
📡 calls back to the botnet C2 on the various stages of the infection and the results of its malicious actions
👱 creates new accounts on Discord to obtain authentication tokens, which are then reported back to the botnet C2
📧 uses dilly + [a-zA-Z0-9]{8,11}@gmail.com + password [a-zA-Z0-9]{8} as the email and password for the Discord registration process
🔍 has OCR capabilities for screenshots obtained via CDP, which are used to extract text from captcha
🤖 uses a Grok LLM model that resides in the botnet C2 server to solve the captcha
Botnet C2 servers are all hosted at @Hetzner_Online 🇩🇪on port 8008 TCP:
46[.]62.225.51 [active]
46[.]62.224.205
46[.]62.205.38
GrokPy malware samples on MalwareBazaar:
📄https://t.co/xlqOWu0hLd
Botnet C2s on ThreatFox:
🦊https://t.co/O1LpU8kYBl](https://pbs.twimg.com/media/G6xb0yvXcAAdgRJ.jpg)
Potential new stealer dropped by #Amadey, caught by @Bitsight 🤖🔍Who can name it? ⤵️
👉 https://t.co/egzv6plcZu
Botnet C2 domains:
📡defender-temeerty .sbs
📡telemetry-defender .lol
Botnet C2 server:
🛑185.100.157.69:443 (Partner Hosting 🇬🇧)
Malware sample:
📄 https://t.co/STBkUqabMO
Dropped by Amadey via:
🌐 https://t.co/STTRL3yMMF

Payload statistics for September 2025 📊
We observed 554 tasks distributed by threat actors across the tracked botnets. This resulted in 1897 unique payloads.
Top families:
1. #GCleaner
2. #Amadey
3. #LummaStealer
4. #StealC
5. #CredentialFlusher
Unpacking & detection: @unpacme

Top 10 last week's threats by uploads 🌐
⬆️ #Agenttesla 686 (380)
⬆️ #Vidar 588 (389)
⬇️ #Lumma 566 (686)
⬆️ #Remcos 449 (331)
⬆️ #Stealc 426 (272)
⬇️ #Quasar 383 (402)
⬆️ #Rhadamanthys 296 (286)
⬆️ #Dcrat 293 (278)
⬇️ #Amadey 269 (294)
⬆️ #Hijackloader 269 (197)
Track them all: https://t.co/lCE7FX4HWC
#Top10Malware

Top 10 last week's threats by uploads 🌐
⬇️ #Lumma 696 (951)
⬆️ #Quasar 409 (390)
⬆️ #Vidar 406 (355)
⬆️ #Agenttesla 387 (285)
⬆️ #Remcos 340 (263)
⬇️ #Amadey 302 (372)
⬆️ #Dcrat 285 (238)
⬆️ #Stealc 285 (226)
⬆️ #Njrat 277 (205)
⬇️ #Xworm 240 (254)
Track them all: https://t.co/mfBPKsBYaG
#Top10Malware

C2: 185[.]156[.]72[.]96
AS215540 Global Connectivity Solutions Llp 🇫🇷
#Amadey
![skocherhan's tweet photo. C2: 185[.]156[.]72[.]96
AS215540 Global Connectivity Solutions Llp 🇫🇷
#Amadey https://t.co/BqJncFrpRU](https://pbs.twimg.com/media/G1PjA7-XUAAvVJb.jpg)
Top 10 last week's threats by uploads 🌐
⬇️ #Lumma 746 (796)
⬆️ #Xworm 521 (407)
⬇️ #Quasar 388 (470)
⬇️ #Agenttesla 342 (344)
⬆️ #Vidar 282 (260)
⬆️ #Remcos 272 (169)
⬆️ #Hijackloader 267 (90)
⬇️ #Stealc 228 (229)
⬇️ #Dcrat 219 (245)
⬇️ #Amadey 200 (227)
Track them all: https://t.co/9n6CZywVY8


#malware #lumma via #tinyloader
178.16.53[.]7/icoxn/login[.]php
#cracked software
see: https://t.co/7hMBqEItkv
![ViriBack's tweet photo. #malware #lumma via #tinyloader
178.16.53[.]7/icoxn/login[.]php
#cracked software
see: https://t.co/7hMBqEItkv https://t.co/Vs8E4SYSrI](https://pbs.twimg.com/media/Gzm9OdBWEAAhlUR.png)
We encountered a new loader advertised as "Morpheus" in underground forums 🕵️, recently dropped by #Amadey ⬇️🪲. Morpheus' C2 protocol is based on HTTP and works with tasks, where each task consists of an ID and a command 📣
Botnet C2: sophos-upd-srv .info 🇳🇱
The #malware accepts two command line parameters:
➡️ log: Path where debug logs are stored
➡️ update-url: URL used by the self-update process
#Morpheus has the following capabilities 💡:
1⃣ Persistence through the Windows registry. It copies itself to the AppData Roaming directory under "SysSvc64.exe" and creates a new registry Run key that points to its location.
2⃣ A host-based ID generated by collecting the current time, hostname and the MAC address of the compromised host.
3⃣ Collects system information of the compromised host and sends them to a botnet C2, both, in the form of "HeartBeat" but also as Task command
4⃣ A self update mechanism, where it will download a new version of itself, write it to disk with a ".tmp" suffix and immediately execute it. The current running instance will then exit.
5⃣ Execution of various actions based on the commands received from the #botnet C2
The commands received from the botnet C2 come as a JSON object with two properties: "id" and "command". The following command-values are supported:
ℹ️ sysinfo: Collects the following information from the compromised host:
- Installed AV
- CPU (number of cores, architecture)
- Available Hard Disk (name, free space, total space)
- Domain (is domain joined, domain name)
- Available Memory (free, total)
- Network ( addresses, MAC, name)
- Processes (name, PID)
- Installed Apps
💥 selfdestruct: Deletes the Registry Run key and the executable from the disk running the command "/C ping 127.0.0.1 -n 3 > nul & del /f /q {sample_path}"
🌐 Anything starting with http/https: Downloads the files from the aforementioned URL and writes it to Windows Temp directory, using the current time as a name (nanoseconds since epoch). The file is then executed using the 'open' command of Windows.
💻 If there is no match from the above, but the command length is not zero, it will execute the value using "cmd".
A Morpheus sample is available on MalwareBazaar:
📄 https://t.co/XkXMjnoxqj
IOCs are available on ThreatFox:
🦊 https://t.co/XocVM8Znii


Dropping a new malware config parser for #Amadey!
Update your CAPEv2 parsers:
> sudo -u cape bash -c 'cd /opt/CAPEv2 && poetry add CAPE-parsers@latest && systemctl restart cape cape-web cape-processor'
Check it out here:
https://t.co/tITnKwycLH

Dropping a new malware config parser for #Amadey!
Update your CAPEv2 parsers:
> sudo -u cape bash -c 'cd /opt/CAPEv2 && poetry add CAPE-parsers@latest && systemctl restart cape cape-web cape-processor'
Check it out here:
https://t.co/tITnKwycLH

Last Seen Hashtags on Sotwe
Trends for you
Most Popular Users

Elon Musk 
@elonmusk
240.8M followers

Barack Obama 
@barackobama
119.2M followers

Donald J. Trump 
@realdonaldtrump
111.7M followers

Cristiano Ronaldo 
@cristiano
111M followers

Narendra Modi 
@narendramodi
107M followers

Rihanna 
@rihanna
97.8M followers

NASA 
@nasa
92.2M followers

Justin Bieber 
@justinbieber
91M followers

KATY PERRY 
@katyperry
87.9M followers

Taylor Swift 
@taylorswift13
81.7M followers

Lady Gaga 
@ladygaga
73.3M followers

Virat Kohli 
@imvkohli
70.2M followers

Kim Kardashian 
@kimkardashian
69.9M followers

YouTube 
@youtube
68.7M followers

Bill Gates 
@billgates
64M followers

Neymar Jr 
@neymarjr
63M followers

The Ellen Show
@theellenshow
62.4M followers

CNN 
@cnn
61.9M followers

Selena Gomez 
@selenagomez
61M followers

X 
@x
60.8M followers






![skocherhan's tweet photo. labinstalls[.]info
130[.]12[.]180[.]43
178[.]16[.]55[.]189
AS214943 Railnet LLC 🇺🇸
#Amadey @500mk500 https://t.co/DSGHVRh1k7](https://pbs.twimg.com/media/HAJsLoEXAAACmU7.jpg)
![skocherhan's tweet photo. labinstalls[.]info
130[.]12[.]180[.]43
178[.]16[.]55[.]189
AS214943 Railnet LLC 🇺🇸
#Amadey @500mk500 https://t.co/DSGHVRh1k7](https://pbs.twimg.com/media/HAJrqHTXEAADwjy.jpg)

![abuse_ch's tweet photo. We’ve identified an interesting malware family 🔍, which we’ve named #GrokPy due to its use of a Grok LLM model 🤖 to solve and subsequently bypass CAPTCHAs 🔥
The malware gets dropped by #Amadey and:
🪝 collects information about the infected device, such as screen resolution, public IP & location, ram usage and CPU name
💻 attempts to escalate privileges by running as admin or as a scheduled task
⚙️ uses the CDP (Chrome developer protocol) of either Edge or Chrome installed on the victim machine for further malicious actions
📡 calls back to the botnet C2 on the various stages of the infection and the results of its malicious actions
👱 creates new accounts on Discord to obtain authentication tokens, which are then reported back to the botnet C2
📧 uses dilly + [a-zA-Z0-9]{8,11}@gmail.com + password [a-zA-Z0-9]{8} as the email and password for the Discord registration process
🔍 has OCR capabilities for screenshots obtained via CDP, which are used to extract text from captcha
🤖 uses a Grok LLM model that resides in the botnet C2 server to solve the captcha
Botnet C2 servers are all hosted at @Hetzner_Online 🇩🇪on port 8008 TCP:
46[.]62.225.51 [active]
46[.]62.224.205
46[.]62.205.38
GrokPy malware samples on MalwareBazaar:
📄https://t.co/xlqOWu0hLd
Botnet C2s on ThreatFox:
🦊https://t.co/O1LpU8kYBl](https://pbs.twimg.com/media/G6xbt90WcAAI8Pc.jpg)
![abuse_ch's tweet photo. We’ve identified an interesting malware family 🔍, which we’ve named #GrokPy due to its use of a Grok LLM model 🤖 to solve and subsequently bypass CAPTCHAs 🔥
The malware gets dropped by #Amadey and:
🪝 collects information about the infected device, such as screen resolution, public IP & location, ram usage and CPU name
💻 attempts to escalate privileges by running as admin or as a scheduled task
⚙️ uses the CDP (Chrome developer protocol) of either Edge or Chrome installed on the victim machine for further malicious actions
📡 calls back to the botnet C2 on the various stages of the infection and the results of its malicious actions
👱 creates new accounts on Discord to obtain authentication tokens, which are then reported back to the botnet C2
📧 uses dilly + [a-zA-Z0-9]{8,11}@gmail.com + password [a-zA-Z0-9]{8} as the email and password for the Discord registration process
🔍 has OCR capabilities for screenshots obtained via CDP, which are used to extract text from captcha
🤖 uses a Grok LLM model that resides in the botnet C2 server to solve the captcha
Botnet C2 servers are all hosted at @Hetzner_Online 🇩🇪on port 8008 TCP:
46[.]62.225.51 [active]
46[.]62.224.205
46[.]62.205.38
GrokPy malware samples on MalwareBazaar:
📄https://t.co/xlqOWu0hLd
Botnet C2s on ThreatFox:
🦊https://t.co/O1LpU8kYBl](https://pbs.twimg.com/media/G6xbgMbXMAA6Q_U.jpg)
![abuse_ch's tweet photo. We’ve identified an interesting malware family 🔍, which we’ve named #GrokPy due to its use of a Grok LLM model 🤖 to solve and subsequently bypass CAPTCHAs 🔥
The malware gets dropped by #Amadey and:
🪝 collects information about the infected device, such as screen resolution, public IP & location, ram usage and CPU name
💻 attempts to escalate privileges by running as admin or as a scheduled task
⚙️ uses the CDP (Chrome developer protocol) of either Edge or Chrome installed on the victim machine for further malicious actions
📡 calls back to the botnet C2 on the various stages of the infection and the results of its malicious actions
👱 creates new accounts on Discord to obtain authentication tokens, which are then reported back to the botnet C2
📧 uses dilly + [a-zA-Z0-9]{8,11}@gmail.com + password [a-zA-Z0-9]{8} as the email and password for the Discord registration process
🔍 has OCR capabilities for screenshots obtained via CDP, which are used to extract text from captcha
🤖 uses a Grok LLM model that resides in the botnet C2 server to solve the captcha
Botnet C2 servers are all hosted at @Hetzner_Online 🇩🇪on port 8008 TCP:
46[.]62.225.51 [active]
46[.]62.224.205
46[.]62.205.38
GrokPy malware samples on MalwareBazaar:
📄https://t.co/xlqOWu0hLd
Botnet C2s on ThreatFox:
🦊https://t.co/O1LpU8kYBl](https://pbs.twimg.com/media/G6xbbUrXEAAfACn.jpg)







