ResolverRAT, LummaStealer, and Amadey Linked in Multi-Tool Cybercrime Campaign
Researchers tied ResolverRAT, LummaStealer, and an Amadey botnet cluster to an active financially motivated campaign that has operated since at least late 2025 and uses fake browser update lures, staged loaders, and legitimate remote management tools for persistence. One analyzed chain used a Donut-decrypted, triple-protected .NET loader to deliver both ResolverRAT and LummaStealer at once, combining persistent remote access with credential and cryptocurrency wallet theft. The malware used layered obfuscation including .NET Reactor, custom transformations, AES-256-CBC, GZip, process hollowing, fragmented WinAPI reconstruction, forged compile timestamps, encrypted resource blobs, and certificate pinning, while operators rotated infrastructure across dozens of IPs, multiple domains, and hosting providers in Russia, the Netherlands, Germany, Poland, and elsewhere. Investigators also identified a fake Microsoft-themed domain, pat[.]microsoft-telemetry[.]at, and newly activated infrastructure such as kampf[.]huehnchenfarm[.]ru tied to the same ecosystem.
A parallel March 2026 investigation linked the fbf543 Amadey campaign to more than 50 payloads spanning at least 13 malware families, including Vidar, QuasarRAT, XWorm, AsyncRAT, Smoke Loader, and LummaStealer, with delivery through fake installers and hosting on infrastructure centered on Omegatech LTD (AS202412) and related abusive networks. Analysts found that the operators also abused nine legitimate, signed RMM tools from ConnectWise, DattoRMM, Atera, GoToResolve, and N-able, configuring them to beacon to attacker-controlled relays rather than compromising the vendors themselves. A separate Go-based loader unpacked LummaStealer with AES, RC4, and QuickLZ before hollowing AppLaunch.exe, reinforcing a playbook built around stealthy loaders, infostealer deployment, redundant access channels, and monetization consistent with an initial access broker or ransomware affiliate operation.
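The RMM abuse described above hinges on one observable: a legitimate, signed agent that beacons somewhere its vendor would never send it. The following is an added example, not code from the Breakglass reports or from any RMM vendor. It runs a simple allowlist check over constructed outbound-connection records; the agent process names, the vendor relay suffixes and the log lines are all placeholders chosen for illustration, not verified vendor binaries or hostnames. It also applies a second heuristic the campaign suggests: more than one vendor's RMM agent active on a single host.

```python
"""Flag RMM agents beaconing outside their vendor's expected relay domains.

Added example (not from the Breakglass reports or any vendor). The process
name -> vendor map, the relay suffixes and the log records are constructed
placeholders. Input lines have the form: timestamp host process dest port.
"""
import ipaddress
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple, Set, Tuple

# Constructed: agent process name (lower-case) -> vendor label. Placeholder names.
AGENT_VENDOR: Dict[str, str] = {
    "screenconnect.clientservice.exe": "connectwise",
    "ateraagent.exe": "atera",
}

# Constructed: hostname suffixes each vendor's agent is expected to talk to.
VENDOR_RELAY_SUFFIXES: Dict[str, Tuple[str, ...]] = {
    "connectwise": ("relay.vendor-a.example",),
    "atera": ("vendor-b.example",),
}


class Finding(NamedTuple):
    host: str
    process: str
    dest: str
    reason: str


def is_ip_literal(dest: str) -> bool:
    """True when the destination is a raw IPv4/IPv6 literal rather than a hostname."""
    try:
        ipaddress.ip_address(dest)
        return True
    except ValueError:
        return False


def dest_allowed(dest: str, suffixes: Iterable[str]) -> bool:
    """Match the destination against the vendor's relay suffixes on label boundaries."""
    return any(dest == s or dest.endswith("." + s) for s in suffixes)


def parse_line(line: str) -> Tuple[str, str, str, str, int]:
    ts, host, proc, dest, port = line.split()
    return ts, host, proc.lower(), dest.lower(), int(port)


def check_rmm_beacons(lines: Iterable[str]) -> List[Finding]:
    """Return findings for RMM agents beaconing off-vendor and for multi-vendor hosts."""
    findings: List[Finding] = []
    vendors_per_host: Dict[str, Set[str]] = defaultdict(set)
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        _ts, host, proc, dest, _port = parse_line(line)
        vendor = AGENT_VENDOR.get(proc)
        if vendor is None:
            continue  # not an RMM agent we track
        vendors_per_host[host].add(vendor)
        if is_ip_literal(dest):
            findings.append(Finding(host, proc, dest, "rmm agent beaconing to raw ip literal"))
            continue
        if not dest_allowed(dest, VENDOR_RELAY_SUFFIXES[vendor]):
            findings.append(Finding(host, proc, dest,
                                    f"{vendor} agent beaconing outside vendor relay domains"))
    # Several vendors' agents on one host is itself worth a look: redundant access channels.
    for host, vendors in vendors_per_host.items():
        if len(vendors) > 1:
            findings.append(Finding(host, "*", "*",
                                    f"{len(vendors)} distinct rmm vendors on one host: "
                                    + ", ".join(sorted(vendors))))
    return findings


# Constructed outbound-connection records (timestamp host process dest port).
SAMPLE_LOG = """\
# constructed sample data, not captured traffic
2026-03-09T10:01:12Z WS-0142 ScreenConnect.ClientService.exe eu1.relay.vendor-a.example 443
2026-03-09T10:02:30Z WS-0142 AteraAgent.exe agent.vendor-b.example 443
2026-03-09T10:05:44Z WS-0277 ScreenConnect.ClientService.exe 203.0.113.7 8041
2026-03-09T10:06:10Z WS-0311 AteraAgent.exe update.vendor-b.example.attacker-relay.test 443
2026-03-09T10:07:02Z WS-0311 chrome.exe www.example.org 443
""".splitlines()

if __name__ == "__main__":
    for f in check_rmm_beacons(SAMPLE_LOG):
        print(f"{f.host:8} {f.process:35} {f.dest:45} {f.reason}")
```

The suffix match is deliberately anchored on a label boundary, so `update.vendor-b.example.attacker-relay.test` is not accepted just because it contains the vendor's name. In a real deployment the allowlist would be populated from the vendor's published endpoint documentation, and the process-to-vendor map from the signed binaries actually approved in the environment.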

How this story unfolded
10 events from the most recent confirmed update back to the earliest known activity.
Breakglass published analyses of ResolverRAT and Amadey fbf543 activity
On March 12, 2026, Breakglass Intelligence published multiple reports detailing the ResolverRAT/Lumma dual-payload loader, the broader ResolverRAT infrastructure, and the Amadey fbf543 malware distribution and RMM abuse campaign. The reports connected active infrastructure, malware samples, and hosting patterns across the operations.
Google WE1 certificate was issued for huehnchenfarm[.]ru
A new Google WE1 certificate for huehnchenfarm[.]ru was issued on March 10, 2026. This supported the assessment that the ResolverRAT-associated infrastructure was being actively maintained and refreshed.
Fresh ResolverRAT infrastructure appeared during investigation
Breakglass observed new infrastructure for the ResolverRAT-linked operation on March 9, 2026, including kampf[.]huehnchenfarm[.]ru and IP address 45[.]141[.]119[.]34. The finding showed the campaign was still actively evolving during the investigation.
Nine RMM samples from Amadey fbf543 were uploaded to MalwareBazaar
Researchers linked nine legitimate but attacker-configured RMM installers uploaded to MalwareBazaar on March 9, 2026 to the fbf543 campaign. The tools came from ConnectWise, DattoRMM, Atera, GoToResolve, and N-able and were used for stealthy persistence.
Amadey fbf543 campaign began distributing malware payloads
The Amadey botnet campaign tagged fbf543 distributed more than 50 payloads across at least 13 malware families between March 6 and March 10, 2026. Payloads included LummaStealer, Vidar, QuasarRAT, XWorm, AsyncRAT, Smoke Loader, and multiple abused remote management tools.
MalwareBazaar received a ResolverRAT-linked .NET sample
A Donut-decrypted .NET executable later tied to the broader ResolverRAT cybercrime campaign was submitted to MalwareBazaar on March 5, 2026. Breakglass used this sample to analyze the malware's obfuscation, certificate pinning, and shared infrastructure.
Linked ResolverRAT/Lumma samples were observed from January 2026
Researchers identified five linked malware samples observed from January through March 2026 that shared the same imphash, indicating a common build pipeline and active maintenance. These samples delivered ResolverRAT and LummaStealer together through a heavily protected .NET loader.
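The pivot in the event above rests on how imphash is built: an MD5 over the binary's import table, so two samples with the same table (same libraries, same functions, same order) hash identically regardless of what else changed. The block below is an added example, not code from the Breakglass reports; it reimplements the pefile/Mandiant construction over hand-built import tables and clusters a few constructed placeholder samples by it. The sample names and their import lists are invented for illustration, not data from the campaign.

```python
"""Cluster samples by import hash (imphash).

Added example, not code from the Breakglass reports. Reimplements the imphash
construction used by pefile/Mandiant over hand-built import tables so the
"same imphash implies a shared build pipeline" reasoning can be checked.
Real samples would have their tables read with a PE parser; the tables below
are constructed stand-ins.
"""
import hashlib
from collections import defaultdict
from typing import Dict, List, Tuple, Union

ImportEntry = Tuple[str, Union[str, int]]  # (library name, function name or ordinal)


def normalize_library(dll_name: str) -> str:
    """Lower-case the library name and strip .dll/.ocx/.sys, as imphash does."""
    name = dll_name.lower()
    for ext in (".dll", ".ocx", ".sys"):
        if name.endswith(ext):
            return name[: -len(ext)]
    return name


def imphash(imports: List[ImportEntry]) -> str:
    """MD5 over 'library.function' pairs joined by commas, in import-table order.

    Imports by ordinal are rendered as 'ordN'. (pefile additionally maps
    well-known ordinals of a few libraries to names; that table is omitted here.)
    """
    parts = []
    for dll, func in imports:
        func_name = f"ord{func}" if isinstance(func, int) else func.lower()
        parts.append(f"{normalize_library(dll)}.{func_name}")
    return hashlib.md5(",".join(parts).encode("ascii")).hexdigest()


def cluster_by_imphash(samples: Dict[str, List[ImportEntry]]) -> Dict[str, List[str]]:
    """Group sample names by imphash; groups larger than one are build-pipeline candidates."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for name, imports in samples.items():
        groups[imphash(imports)].append(name)
    return dict(groups)


# Constructed import table for a placeholder native loader (not a campaign binary).
NATIVE_LOADER_IMPORTS: List[ImportEntry] = [
    ("KERNEL32.dll", "CreateProcessW"),
    ("KERNEL32.dll", "VirtualAllocEx"),
    ("KERNEL32.dll", "WriteProcessMemory"),
    ("KERNEL32.dll", "ResumeThread"),
    ("ntdll.dll", "NtUnmapViewOfSection"),
    ("WS2_32.dll", 115),  # imported by ordinal
]

# Constructed sample set: two builds with identical tables, one reordered, one managed stub.
SAMPLES: Dict[str, List[ImportEntry]] = {
    "sample_jan": NATIVE_LOADER_IMPORTS,
    "sample_feb": [(d.upper(), f) for d, f in NATIVE_LOADER_IMPORTS],  # same table, different casing
    "sample_mar_reordered": list(reversed(NATIVE_LOADER_IMPORTS)),      # same APIs, different order
    "managed_stub": [("mscoree.dll", "_CorExeMain")],                   # typical pure .NET import table
}

if __name__ == "__main__":
    for digest, names in cluster_by_imphash(SAMPLES).items():
        print(digest, names)
```

Two things the clustering makes visible: import order is part of the hash, so a rebuilt loader with the same APIs in a different order lands in a separate group; and a pure managed assembly usually imports only `mscoree._CorExeMain`, so every such binary shares one imphash and the pivot carries little weight there. It is the native or mixed-mode loader stage, with a richer import table, where a shared imphash across months of samples is strong evidence of one build pipeline.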
Dormant ResolverRAT infrastructure was activated together
The five Registrar.eu domains associated with the ResolverRAT ecosystem were activated in December 2025 after months of dormancy. This marked a coordinated expansion or operationalization of the campaign's infrastructure.
ResolverRAT-linked campaign became active by at least November 2025
Breakglass assessed the broader cybercrime operation supporting ResolverRAT, PureRAT, PureHVNC, PureLogs Stealer, and likely Lumma/ZgRAT had been active since at least November 2025. The campaign used ClearFake/ClickFix fake browser update lures and a Donut-based in-memory loader to deliver obfuscated .NET malware.
Registrar.eu domains tied to ResolverRAT ecosystem were batch-registered
Investigators found five domains later used in the ResolverRAT-linked command-and-control ecosystem were registered together through Registrar.eu in March 2025. These domains then remained dormant for roughly nine months before activation.
Sources
4 references tracked.
ResolverRAT Bundles LummaStealer in a Triple-Encrypted .NET Loader: Five Linked Samples, Four C2 Servers, and a Fake Microsoft Domain. Breakglass Intelligence, intel.breakglass.tech (open source).
ResolverRAT Unleashed: A Multi-Tool Cybercrime Arsenal Spanning 22 C2 Nodes and 12 Bulletproof Hosts. Breakglass Intelligence, intel.breakglass.tech (open source).
LummaStealer's Go Loader and the fbf543 Amadey Supermarket: 50 Payloads, 13 Malware Families, and the Bulletproof Host That Ties It All Together. Breakglass Intelligence, intel.breakglass.tech (open source).
Amadey Botnet Campaign "fbf543" Weaponizes 9 Legitimate RMM Tools Across 5 Vendors for EDR-Evasive Persistence. Breakglass Intelligence, intel.breakglass.tech (open source).