Amadey Loader Abuses Compromised Self-Hosted GitLab to Deliver StealC Infostealer (Campaign)
ID: 575cce45-3976-57fc-8747-8761d4ecc919
STIX ID: report--575cce45-3976-57fc-8747-8761d4ecc919
Feed Name: Wiz Cloud Threat Landscape
Date Published: 2025-12-18
Date Updated: 2026-05-01
Author: [email protected] (Wiz Threat Research)
Amadey, an established malware loader, was observed abusing a compromised self-hosted GitLab instance (gitlab.bzctoons.net) to deliver the StealC infostealer. The loader obfuscates its strings with custom Base64 combined with RC4, enforces single-instance execution through a mutex, establishes persistence via a scheduled task, and spawns child processes, including a clipper launched through rundll32.exe and a StealC payload named x64_protect.exe. The resulting infection exfiltrates Chromium browser credentials and swaps cryptocurrency addresses copied to the clipboard in order to steal funds.
