• A phishing campaign that delivers Amadey botnet malware is targeting US taxpayers.
  • The Amadey botnet is relatively new in the threat landscape, with its first appearance in early 2019.


The campaign involves sending an email that appears to be from the Internal Revenue Service (IRS).

  • It reads that the receiver is eligible for a tax refund and gives them a one-time username and password.
  • When the victim clicks on the ‘Login Right Here’ button, they’re redirected to an IRS login page hosted on ‘hxxp://yosemitemanagement[.]com/fonts/page5/’.
  • The victim is taken to a fake IRS portal after entering the credentials provided in the email. This portal asks the user to download a file, sign it, and then mail it back or upload it in the portal to avail of the tax refund.

The file contains a Visual Basic Script dropper and downloading it leads to the Amadey botnet malware installing itself.

What happens after the initial infection?

According to Milo Salvia from Cofense, the VBScript is highly obfuscated and encrypted.

  • The script decrypts itself after execution at runtime and drops a file named ‘ZjOexiPr.exe’ in C:\Users\Byte\AppData\Local\Temp\.
  • This, in turn, installs another executable file called ‘kntd.exe’ in C:\ProgramData\0fa42aa593.
  • This malware achieves persistence by lodging itself in the Windows Registry. It then contacts its command-and-control server.

“Amadey instantly beacons out to its command and control (C2) channels sending system diagnostic information back to the C2 server and awaits further instructions. Amadey connects out via HTTP on port 80 to multiple C2 servers,” says Milo in the Cofense blog.

The details Amadey sends to its C2 server include Operating system (OS), Antivirus (AN), and System name (SN).

What should you do?

Cofense has published the Indicators of Compromise (IOCs) observed in their analysis. Apart from monitoring for these indicators in your system, you should also exercise caution in opening emails and downloading attachments.

Cyware Publisher