{"id":10177,"date":"2025-07-18T09:35:19","date_gmt":"2025-07-18T02:35:19","guid":{"rendered":"https:\/\/infosec.new88088.net\/?p=10177"},"modified":"2026-02-03T09:44:20","modified_gmt":"2026-02-03T02:44:20","slug":"github-bi-loi-dung-phat-tan-amadey-va-ma-doc-danh-cap-thong-tin","status":"publish","type":"post","link":"https:\/\/infosec.new88088.net\/2025\/07\/18\/github-bi-loi-dung-phat-tan-amadey-va-ma-doc-danh-cap-thong-tin\/","title":{"rendered":"GitHub abused to distribute Amadey and information-stealing malware"},"content":{"rendered":"<p data-start=\"162\" data-end=\"764\">A sophisticated cyberattack campaign is quietly underway, directly targeting Windows users through a multi-layered infection chain. In this campaign, the Amadey malware is used as an intermediate link to deploy a range of dangerous data-stealing malware. Notably, the attackers abused public GitHub repositories as the payload distribution point, easily bypassing web filtering mechanisms and traditional defenses. 
The incident once again shows that legitimate platforms, if exploited, can become effective tools for distributing malware.<\/p>\n<p data-start=\"766\" data-end=\"1557\">The attack chain begins with the installation of a malware loader named Emmenhtal, also known as PEAKLIGHT. This malware is developed in AutoIt, a language common in legitimate automation tools, which makes it easy to disguise as harmless software. Emmenhtal is packaged with custom DLL libraries that implement several evasion techniques, including monitoring system processes, hiding network traffic and slowing analysis by security researchers. Once executed, Emmenhtal establishes a connection to a remote control server, downloads the Amadey malware and launches it through the mshta.exe utility built into Windows. 
Using legitimate operating-system components significantly reduces the attackers' risk of being detected by security software.<\/p>\n<p data-start=\"766\" data-end=\"1557\"><img fetchpriority=\"high\" decoding=\"async\" class=\" wp-image-10178 aligncenter\" src=\"https:\/\/infosec.new88088.net\/wp-content\/uploads\/sites\/20\/2026\/02\/amadey-300x167.png\" alt=\"\" width=\"650\" height=\"362\" srcset=\"https:\/\/infosec.new88088.net\/wp-content\/uploads\/sites\/20\/2026\/02\/amadey-300x167.png 300w, https:\/\/infosec.new88088.net\/wp-content\/uploads\/sites\/20\/2026\/02\/amadey.png 700w\" sizes=\"(max-width: 650px) 100vw, 650px\" \/><\/p>\n<p data-start=\"1559\" data-end=\"2266\">Once deployed, Amadey does not directly carry out complex attacks but acts as an intermediate platform, similar to a \u201cminiature operating system\u201d dedicated to malware. Amadey can download, manage and activate malicious plugins on demand. Each plugin handles a separate function, from stealing browser credentials, extracting email data and collecting FTP and VPN information to capturing the user's screen in real time. 
In this campaign, Amadey was configured to connect directly to public GitHub repositories to download additional malicious components, instead of using traditional C2 server infrastructure, which is easier to detect and block.<\/p>\n<p data-start=\"2268\" data-end=\"2888\">The attackers used at least three public GitHub accounts, Legendary99999, DFfe9ewf and Milidmdds, to host the malware. These repositories contain numerous executables (.exe), libraries (.dll) and PowerShell scripts, used as extension plugins for Amadey or as standalone payloads. Particularly dangerous is the presence of well-known stealers such as Lumma Stealer, RedLine Stealer and Rhadamanthys, tools that specialize in stealing login cookies, browser data, cryptocurrency wallet information and other sensitive data. 
Integrating these stealers lets the attackers maximize the value extracted from each compromised system.<\/p>\n<p data-start=\"2890\" data-end=\"3389\">Another notable technique in the campaign is the use of .txt text files on GitHub as a simple remote control panel. These files contain lists of URLs pointing to the actual payloads, allowing the attackers to change the download chain flexibly without updating the Amadey code already installed on the victim's machine. This approach both maintains the ability to coordinate the campaign and disguises the malicious activity as ordinary text data, making detection more difficult.<\/p>\n<p data-start=\"3391\" data-end=\"3896\" data-is-last-node=\"\" data-is-only-node=\"\">Overall, the campaign shows the growing risk when legitimate platforms such as GitHub are abused to distribute malware. Absolute trust in a download source, based solely on the platform's outward reputation, can create a serious gap in defenses. 
It is a clear warning that both individual users and organizations need to raise their vigilance, strengthen monitoring of network behaviour and carefully evaluate every file, even when it comes from seemingly safe sources.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A sophisticated cyberattack campaign is quietly underway, directly targeting Windows users through a multi-layered infection chain. In this campaign, the Amadey malware is used as an intermediate link to deploy a range of malware 
[&hellip;]<\/p>\n","protected":false},"author":46,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[33],"tags":[],"class_list":["post-10177","post","type-post","status-publish","format-standard","hentry","category-tin-tuc-cua-vien"],"_links":{"self":[{"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/posts\/10177","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/users\/46"}],"replies":[{"embeddable":true,"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/comments?post=10177"}],"version-history":[{"count":0,"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/posts\/10177\/revisions"}],"wp:attachment":[{"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/media?parent=10177"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/categories?post=10177"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/tags?post=10177"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}