Trojan:Win32/Amadey.B is a sophisticated information-stealing trojan that functions primarily as a modular malware loader. First detected in 2018 and still actively distributed in 2024, Amadey specializes in establishing persistent backdoor access to infected Windows systems, then downloading and executing additional malicious payloads based on instructions from command-and-control servers. This trojan is frequently sold as a service on underground forums and has been observed delivering ransomware, credential stealers, cryptocurrency miners, and other destructive malware families to compromised machines.


Unlike ransomware that announces itself immediately, Amadey operates silently in the background, giving attackers the flexibility to customize their attack based on the victim's system profile. The trojan collects system information, screenshots, and stored credentials before reporting back to its operators, who then decide which additional threats to deploy. This makes Amadey infections particularly dangerous—what starts as a simple trojan infection can quickly escalate into data theft, financial fraud, or complete system compromise.

Think you're infected right now? Disconnect your computer from the internet immediately (unplug Ethernet or disable Wi-Fi), then call us at (770) 674-6998. Do not enter any passwords or access financial accounts until the infection is confirmed removed. Amadey variants are designed to steal credentials and download additional threats—every minute connected increases your risk.

Threat Profile

Threat Name: Trojan:Win32/Amadey.B (also detected as Trojan.Amadey, Amadey Bot)
Threat Type: Trojan downloader, information stealer, backdoor, modular malware loader
Family: Amadey trojan family (multiple variants including .A, .B, .C, .YG)
Aliases: Win32/Amadey, MSIL/Bladabindi (earlier variants), Trojan-Downloader.Win32.Amadey
Platform: Windows (all versions from XP through Windows 11; primarily targets x86/x64 systems)
First Discovered: October 2018 (continues to evolve with active development through 2024)
Distribution Methods: Malicious email attachments, exploit kits, software cracks, bundled installers, malvertising
Persistence Mechanisms: Registry Run keys, scheduled tasks, startup folders, COM hijacking (varies by variant)
Primary Capabilities: Download/execute additional malware, screenshot capture, credential harvesting, system reconnaissance, clipboard monitoring, process injection
Network Behavior: Connects to C2 servers via HTTP/HTTPS; exfiltrates system data; downloads plugins and payloads; typical domains rotate frequently to evade detection
Common Payloads Delivered: RedLine Stealer, XMRig miners, Raccoon Stealer, various ransomware families, banking trojans
Detection Rate: Moderate (50-70% by AV products); frequently repackaged with new obfuscation to evade signatures
Removal Difficulty: Moderate to high; establishes multiple persistence points; may reinstall itself if components remain

How It Spreads

Amadey relies primarily on social engineering and exploit delivery systems to gain initial access to victim computers. The most common infection vector involves spam email campaigns that impersonate legitimate businesses—shipping notifications, invoice reminders, tax documents, or employment applications. These emails contain malicious attachments (typically Office documents with macros, compressed executables, or JavaScript files) that download and execute the Amadey dropper when opened. The email content is often convincing enough to trick even cautious users, especially during tax season or holiday shopping periods when people expect shipping notifications.

Another significant distribution channel involves software piracy and "cracked" applications. Users searching for free versions of paid software, license key generators, or game cracks frequently download Amadey-infected bundles from file-sharing sites, torrent trackers, and YouTube-linked download pages. The trojan is packaged alongside or inside the desired software, executing silently during installation. Because users explicitly bypass security warnings to install cracked software, these infections often proceed without any meaningful resistance from the operating system's built-in protections.

Additional distribution methods include:

  • Exploit kits: Compromised or malicious websites running RIG or Fallout exploit kits that target unpatched browser vulnerabilities to deliver Amadey without user interaction
  • Malvertising campaigns: Poisoned advertisements on legitimate websites that redirect to exploit landing pages or trick users into downloading fake software updates
  • Software bundling: Free utility programs and browser extensions from questionable sources that include Amadey as a "partner offer" during installation
  • SEO poisoning: Fake tech support sites, download portals, and driver update pages that rank highly in search results but serve malware instead of legitimate software
  • USB and removable media: Less common but documented; autorun configurations or hidden executables that trigger when infected drives are connected

What It Does On Your Machine

Once Amadey executes on your system, its first priority is establishing persistence and evading detection. The trojan copies itself to a randomly-named folder in your user profile directory (typically within AppData\Local or AppData\Roaming), then creates multiple persistence mechanisms to ensure it survives system reboots. Most variants modify Windows Registry Run keys to launch automatically on startup, while more sophisticated versions create scheduled tasks that execute at regular intervals or system events. Some Amadey samples employ process hollowing or injection techniques, hiding their malicious code inside legitimate Windows processes like svchost.exe or explorer.exe to avoid suspicion.

After securing its foothold, Amadey begins reconnaissance. The trojan collects detailed system information including your Windows version, installed software, antivirus products, system architecture, username, computer name, and geolocation data based on IP address. This intelligence is packaged and transmitted to the command-and-control server, where Amadey's operators evaluate whether your system is valuable enough to exploit further. Systems in certain countries, virtual machines, or those belonging to security researchers are sometimes abandoned at this stage, while typical home and business computers proceed to the next phase.

The real danger emerges when Amadey receives instructions to download additional malware modules. The trojan functions as a highly flexible infection platform—operators can deploy credential stealers to harvest browser passwords and cryptocurrency wallets, cryptominers that consume your system resources to generate currency for the attackers, or ransomware that encrypts your files for extortion. Many Amadey infections result in the deployment of RedLine Stealer or Raccoon Stealer, information-theft trojans that extract saved passwords from browsers, email clients, FTP programs, and messaging applications. These credentials are then sold on underground markets or used for identity theft and financial fraud.

Throughout the infection, Amadey maintains communication with its control servers, awaiting new commands and uploading collected data. Some variants include clipboard monitoring capabilities that watch for cryptocurrency wallet addresses being copied, replacing them with attacker-controlled addresses to redirect transactions. Others capture screenshots at regular intervals or during specific activities, providing operators with visual insight into your computer usage. The modular architecture means that Amadey's capabilities can expand at any time—what starts as simple information theft can evolve into a full-scale system compromise with minimal additional effort from the attackers.

Typical Amadey Filesystem and Registry Artifacts
  # Dropped files (folder and file names vary by sample)
  C:\Users\\AppData\Local\{random-GUID}\cred64.dll
  C:\Users\\AppData\Roaming\{8-char-hex}\explorer.exe
  C:\Users\\AppData\Local\Temp\install.bat

  # Registry persistence (Run key example)
  HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
    "{random-name}" = "%APPDATA%\{folder}\{executable}.exe"

  # Scheduled task persistence (varies by variant)
  C:\Windows\System32\Tasks\{random-name}
    Triggers: At logon, every 10 minutes, or at system startup

  # Network indicators
  Outbound HTTP/HTTPS connections to rotating C2 domains
  User-Agent strings often mimic legitimate browsers but may show inconsistencies

Manual Removal — Step by Step

01. Disconnect from All Networks Immediately

Before taking any other action, physically disconnect your computer from the internet by unplugging the Ethernet cable or disabling Wi-Fi through the hardware switch (if available). This prevents Amadey from downloading additional malware, exfiltrating more data, or receiving self-destruct commands that could complicate removal. Do not rely solely on software disconnect options, as malware can re-enable network connections.

02. Boot Into Safe Mode with Networking

Restart your computer and enter Safe Mode with Networking to prevent Amadey from loading its full complement of persistence mechanisms. On Windows 10/11, hold Shift while clicking Restart, then navigate to Troubleshoot → Advanced Options → Startup Settings → Restart, and select option 5 (Safe Mode with Networking). Safe Mode loads only essential Windows components, making it harder for the trojan to interfere with removal efforts while still allowing you to download security tools if needed.

03. Identify and Terminate Malicious Processes

Open Task Manager (Ctrl+Shift+Esc) and carefully examine running processes, looking for unfamiliar executables running from AppData folders or processes with suspicious random names. Amadey often runs under generic names like "explorer.exe" (but from the wrong location) or completely random character strings. Right-click suspicious processes, select "Open file location" to verify the path, then end the process if it's running from a user directory rather than System32. Be cautious—ending critical Windows processes can cause system instability.

04. Remove Persistence Mechanisms

Open Registry Editor (type regedit in the Start menu) and navigate to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run and HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. Look for entries pointing to executables in AppData folders or with suspicious random names, and delete those entries. Next, open Task Scheduler (taskschd.msc), examine the Task Scheduler Library for tasks created recently or with random names, and delete any that reference executables in user directories. Check your Startup folder at C:\Users\[YourName]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup for unauthorized shortcuts.
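The following PowerShell audit is added here as an example and is not code from the original page. It lists, without deleting anything, the Run-key entries, scheduled tasks, Startup-folder items and running processes whose target lives under AppData or Temp, which are the locations the artifact list and steps 03 and 04 above tell you to inspect. It assumes Windows 8 or later (for Get-ScheduledTask) and Windows PowerShell 5.1 or newer; run it elevated to also see other users' processes.

```powershell
# Added example, not code from the original page. Read-only audit of the
# autostart locations and process paths described in the removal steps:
# it lists entries whose target lives under AppData or Temp so each one
# can be verified by hand before anything is deleted. Nothing is modified.
# Assumes Windows 8+ (Get-ScheduledTask) and Windows PowerShell 5.1+.

# Directories from which a legitimate autostart executable is unusual.
$suspectRoots = @($env:LOCALAPPDATA, $env:APPDATA, $env:TEMP) | Where-Object { $_ }

function Test-SuspectPath {
    param([string]$Command)
    if ([string]::IsNullOrWhiteSpace($Command)) { return $false }
    # Expand %APPDATA%-style variables so Run-key values compare correctly.
    $expanded = [Environment]::ExpandEnvironmentVariables($Command)
    foreach ($root in $suspectRoots) {
        if ($expanded.IndexOf($root, [StringComparison]::OrdinalIgnoreCase) -ge 0) { return $true }
    }
    return $false
}

# Collected leads; a List is mutated in place, so no scope juggling is needed.
$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding {
    param([string]$Source, [string]$Name, [string]$Target)
    $findings.Add([pscustomobject]@{ Source = $Source; Name = $Name; Target = $Target })
}

# 1. Registry Run keys (HKCU and HKLM), the persistence point most variants use.
$runKeys = @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
             'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run')
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # provider metadata, not a Run value
        $value = "$($p.Value)"
        if (Test-SuspectPath $value) { Add-Finding $key $p.Name $value }
    }
}

# 2. Scheduled tasks whose action executes from a user-writable directory.
foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
    foreach ($action in $task.Actions) {   # COM-handler actions have no Execute; skipped
        if (Test-SuspectPath $action.Execute) {
            Add-Finding 'ScheduledTask' "$($task.TaskPath)$($task.TaskName)" $action.Execute
        }
    }
}

# 3. Startup folder contents (shortcuts or executables dropped there).
$startup = Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu\Programs\Startup'
foreach ($f in Get-ChildItem -Path $startup -File -ErrorAction SilentlyContinue) {
    Add-Finding 'StartupFolder' $f.Name $f.FullName
}

# 4. Running processes whose image lives under AppData or Temp (step 03).
foreach ($proc in Get-Process -ErrorAction SilentlyContinue) {
    if (Test-SuspectPath $proc.Path) {
        Add-Finding 'Process' "$($proc.ProcessName) (PID $($proc.Id))" $proc.Path
    }
}

$findings | Sort-Object Source | Format-Table -AutoSize
```

Legitimate software such as OneDrive, Teams or Discord also starts from AppData, so every line in the output is a lead to check against "Open file location" and the file's publisher signature, not proof of infection.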

05. Delete Malware Folders and Files

Navigate to C:\Users\[YourName]\AppData\Local and C:\Users\[YourName]\AppData\Roaming (you may need to enable "Show hidden files" in File Explorer's View options). Look for folders with random GUID-style names or 8-character hexadecimal names that were created around the time you suspect infection occurred. Delete these entire folders, along with any suspicious executables in the Temp folder. Empty the Recycle Bin immediately afterward to prevent accidental restoration.

06. Run Reputable Anti-Malware Scanners

Download and install Malwarebytes (malwarebytes.com) or HitmanPro, then perform a full system scan. These tools specialize in detecting trojan families like Amadey and can identify components that manual removal might miss. Run the scan at least twice—once immediately after installation, then again after rebooting normally. Some Amadey variants drop multiple components that can reinstall each other, so multiple scans help ensure complete removal. Consider also running a Windows Defender Offline scan, which runs before Windows loads and can catch rootkit-level components.

07. Reset Browser Settings and Remove Extensions

Open each installed browser (Chrome, Firefox, Edge) and reset settings to defaults, as Amadey may have installed malicious extensions or modified search providers. In Chrome, go to Settings → Reset and clean up → Restore settings to their original defaults. In Firefox, use Refresh Firefox under Help → Troubleshooting Information. Manually review installed extensions and remove any you don't recognize or didn't intentionally install. Clear all browsing data including cookies, cached files, and saved passwords.

08. Change All Passwords from a Clean Device

Because Amadey specializes in credential theft, assume that any passwords entered while infected have been compromised. Using a different computer, tablet, or smartphone that you know is clean, change passwords for all critical accounts—email, banking, social media, work accounts, and especially any cryptocurrency or financial services. Enable two-factor authentication wherever possible to add a second layer of protection even if passwords are stolen in the future.

09. Monitor Financial Accounts and Credit Reports

Contact your bank and credit card companies to alert them of potential credential compromise. Monitor account statements closely for unauthorized transactions over the next several weeks. Consider placing a fraud alert on your credit reports through one of the major credit bureaus (Equifax, Experian, TransUnion), which alerts creditors to verify your identity before opening new accounts. If Amadey was present for an extended period, identity theft protection services may be warranted.

10. Reboot and Verify Complete Removal

Restart your computer normally (not in Safe Mode) and reconnect to the internet. Immediately run another full system scan with your anti-malware tool to confirm no components survived the reboot. Monitor Task Manager and network activity for several days—watch for unexpected CPU usage spikes, unfamiliar processes, or suspicious network connections. If any malware behavior recurs, the infection may not be fully removed and professional assistance is recommended.

Prevention

  1. Never open email attachments from unknown senders. Even if an email appears to come from a legitimate company, verify shipping notifications and invoice claims by logging into the company's website directly rather than clicking links or opening attachments. Most legitimate businesses don't send unexpected executable files or macro-enabled documents.
  2. Avoid pirated software and key generators completely. Cracked applications are one of the most reliable infection vectors for trojans like Amadey. The money saved by avoiding legitimate software purchases is far outweighed by the cost of data theft, identity fraud, and professional malware removal. Free open-source alternatives exist for most commercial software.
  3. Keep Windows and all software fully updated. Enable automatic updates for Windows, browsers, Adobe products, Java, and other commonly exploited applications. Many Amadey infections arrive through exploit kits that target known vulnerabilities—patches eliminate these entry points. Don't ignore update prompts or postpone security patches indefinitely.
  4. Use reputable antivirus software and keep it current. Windows Defender provides decent baseline protection if kept updated, but dedicated solutions like Malwarebytes Premium, Bitdefender, or Kaspersky offer additional behavioral detection layers that can catch new malware variants before signature databases are updated. Configure real-time protection and don't disable it "temporarily" for installations.
  5. Implement browser security extensions and safe browsing habits. Install ad-blockers (uBlock Origin) and script-blockers (uMatrix or NoScript) to prevent malvertising and drive-by download attacks. Be extremely cautious with download sites—go directly to software publishers' official websites rather than using third-party download portals that bundle malware with legitimate installers.
  6. Create and use a Standard user account for daily activities. Reserve Administrator accounts for software installation and system maintenance only. Running as Standard user prevents malware from making system-wide changes without your explicit approval through UAC prompts. This single change blocks many automated infection attempts that rely on administrative privileges.
  7. Maintain regular backups on disconnected storage. Keep current backups of important files on external drives that you disconnect after each backup session, or use cloud backup services with versioning. If malware does infect your system, clean backups allow you to restore data without paying ransoms or losing irreplaceable files. Test backup restoration periodically to ensure your backup system actually works.
  8. Enable and properly configure Windows Firewall. The built-in firewall should remain active at all times, and outbound filtering can be configured to alert you when programs attempt unauthorized network connections. Third-party firewalls like GlassWire provide more detailed visibility into which applications are communicating with external servers, helping identify malware by its network behavior.

Our 90-Day Warranty on Malware Removal: When Computer Repair Roswell removes Trojan:Win32/Amadey.B or any other malware from your system, that removal is guaranteed for 90 days. If the same infection returns within that period, we'll re-clean your computer at no additional charge. We don't just delete files—we analyze infection vectors, close security gaps, and ensure your system is genuinely clean before returning it to you.

Bring It In

Manual removal of Amadey and its downloaded payloads requires technical expertise, patience, and specialized tools that most computer users don't have readily available. Even following detailed instructions, there's significant risk of missing hidden components, deleting critical system files by mistake, or failing to identify all the additional malware that Amadey may have installed. The trojan's modular nature means that what looks like successful removal on the surface may leave backdoors and stealers operating in the background, continuing to harvest your credentials and personal data long after you think the problem is solved.

Computer Repair Roswell has been cleaning infected systems for Roswell-area residents and businesses since 2007. We use forensic-grade malware analysis tools to identify every component of infections like Amadey, trace how the malware arrived on your system, remove all related threats, and implement security improvements to prevent reinfection. Our technicians stay current on evolving threats and removal techniques, and we don't consider a job finished until your system passes multiple independent security scans. Call us at (770) 674-6998 or stop by our shop at 1750 Hembree Road, Suite 100, Roswell, GA 30076. We offer same-day service for most malware removal jobs, and we'll explain exactly what we found, what we removed, and how to avoid similar infections in the future. Don't gamble with credential theft and identity fraud—bring your infected computer to professionals who do this work every day.