Amadey stealer plugin adds Mikrotik and Outlook harvesting

Jason Reaves
Walmart Global Tech Blog
2 min read · Jul 8, 2021

By: Jason Reaves and Harold Ogden


Last year Zscaler[3] wrote an article detailing a new version of Amadey “a2020 Amadey” that came with two new plugins ‘cred.dll’ and ‘scr.dll’. Recently, Amadey has been updated again to a new version “a2021 Amadey.” This article aims to go over some interesting additions to their stealer plugin component.

2021 Amadey Panel

With this new version come some interesting additions to the ‘cred’ stealer plugin, as the authors have added functionality for harvesting Mikrotik router data and Outlook data:

Older versions of Mikrotik’s Winbox[1] gave the option to export your data to a ‘WBX’ file, which stored the usernames and passwords for your managed devices unencrypted, alongside an Addresses.cdb file that is also stored unencrypted. Freely available tools also exist to help parse these files[2] for recovering lost credentials.
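Because these exports are plaintext, stale copies left on workstations are exactly what a stealer plugin like this one goes after. The following audit script is an added example (not code from the original post, from Amadey, or from MikroTik): it walks a directory tree for the two artifact names the post describes (`.wbx` exports and `Addresses.cdb`) so an administrator can delete them and rotate the router credentials they held. The `~/` default root and the output format are assumptions for illustration.

```python
"""Audit a directory tree for unencrypted MikroTik Winbox export artifacts.

Added example: locates the plaintext files a credential stealer would collect
(.wbx exports and Addresses.cdb) so they can be removed and the router
credentials inside them rotated.
"""
import os
import sys
import time
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Artifact names from the post; matching is case-insensitive.
WBX_EXTENSION = ".wbx"
ADDRESS_BOOK_NAME = "addresses.cdb"


@dataclass
class Finding:
    path: str
    kind: str       # "wbx-export" or "address-book"
    size: int       # bytes
    modified: str   # ISO-8601 UTC timestamp derived from the file's mtime


def classify_path(path: str) -> Optional[str]:
    """Return the artifact kind for a path, or None if it is not of interest."""
    name = os.path.basename(path).lower()
    if name == ADDRESS_BOOK_NAME:
        return "address-book"
    if name.endswith(WBX_EXTENSION):
        return "wbx-export"
    return None


def classify_paths(paths: Iterable[str]) -> List[Tuple[str, str]]:
    """Filesystem-free helper: (path, kind) for every path that matches."""
    return [(p, k) for p in paths if (k := classify_path(p)) is not None]


def find_winbox_artifacts(root: str) -> List[Finding]:
    """Walk `root` and return every Winbox export / address-book artifact found."""
    findings: List[Finding] = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            kind = classify_path(full)
            if kind is None:
                continue
            st = os.stat(full)
            stamp = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(st.st_mtime))
            findings.append(Finding(full, kind, st.st_size, stamp))
    return findings


if __name__ == "__main__":
    # Assumed default: scan the current user's profile when no root is given.
    root = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~")
    for f in find_winbox_artifacts(root):
        print(f"{f.kind:12} {f.size:>9} {f.modified} {f.path}")
```

Any hit should be treated as exposed credentials: remove the file and change the passwords of every router it referenced.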

Another addition is the parsing of Outlook profiles from registry in order to harvest account data:

Loaders such as Amadey continue to update the toolsets they sell on underground markets, and the addition of Outlook account and Mikrotik account harvesting shouldn’t surprise anyone, as both can be valuable data sets for criminal activities.

Malware Researcher, Crimeware Threat Intel, Reverse Engineer @Walmart