A threat actor has gained initial access to the manufacturing network and is utilizing the Lumma Stealer and Amadey Bot malware to steal sensitive data and maintain persistence.
Tag: Amadey Bot
Threat Actor Targets the Manufacturing Industry with Lumma Stealer and Amadey Bot
The attack begins with a spear-phishing email containing an LNK file disguised as a PDF document. This LNK file is hosted on a remote WebDAV share and impersonates LogicalDOC, a cloud-based document management system. When executed, the LNK file launches ssh.exe to run a PowerShell command that fetches and executes a malicious payload from a remote server. This server is accessed via a URL that abuses Google’s Accelerated Mobile Pages (AMP) framework, combined with a shortened URL. The PowerShell code then triggers another malicious script hosted on Pastebin, which downloads a ZIP archive to the Temp directory, extracts its contents, and executes a legitimate executable that sideloads a malicious DLL file. This DLL injects malicious code into various processes, ultimately leading to the deployment of Lumma Stealer and Amadey Bot.