Intrusion chain

In 2025, installations from the potentially unwanted program PC App Store continued and we saw a small resurgence of installations through another PUP, Bit Guardian’s Win Riser. We also observed a revolving door of installer themes, mostly masquerading as PDF utilities. These installers, while signed, used a variety of different signers. The ever-changing signers and names of these utilities all performing the same reconnaissance and leading to the same Pyarmor-protected binary leads us to consider them more akin to masquerading malware than PUPs. Beyond the variable delivery mechanisms, Amber Albatross also updated some later stage TTPs—notably adding obfuscation through Base64-encoded PowerShell commands to download and execute later stage payloads, and migrating some of their second and third stage payloads from C++ to Go.

The installation activity also showed more variation this year. The installation path for the PC App Store variant, the most common initial access vector, remained the same. The PDFast lure was the second most common installation method, following a similar pattern to the “Let’s Compress” lure that began in late 2024. This variant dropped a binary named upd.exe leading to downloads and execution via Base64-encoded PowerShell commands.  The charts below walk through the installation paths used to deliver Amber Albatross’s PyInstaller executable for each program.

PC App Store

PDFast

The final payload

Regardless of the initial infection chain, the final Amber Albatross payload–the PyInstaller file—will immediately perform reconnaissance, similar to what we typically observe from stealers. During the reconnaissance phase, the malware will use WMIC to detect if there is a hypervisor present on the endpoint as well as enumerate the manufacturer, model, and list of Windows software updates. The PyInstaller file also checks for antivirus and firewall products, and based on analyzing memory dumps looks for a wide range of browsers and their development versions, including:

• Edge
• FireFox
• Chrome
• Chromium
• Avast Browser
• Brave

Once it identifies the browsers utilized on the endpoint, the PyInstaller EXE will attempt to access browser profiles or user data folders. For Chrome, we have seen Amber Albatross check the value of the following registry key:

HKLM:\SOFTWARE\Policies\Google\Chrome\CloudManagementEnrollmentToken

This key is set during enrollment for managed browsers, allowing Amber Albatross to determine if the browser might be controlled by corporate policy. We have yet to discern how Amber Albatross uses this information or continues the intrusion chain. However, these reconnaissance activities are typical for stealers.

In 2025, some variations added an additional reconnaissance step of querying the registry for software uninstall keys and compiling a list of software and versions installed on the machine.

Anti-analysis tactics

The downloaded Amber Albatross installation and PyInstaller files require specific command-line parameters in order to fully execute. We have consistently observed the arguments --safetorun and --channel=<hex numbers>. The numbers included in the --channel= flag vary by infection.

The requirement for command-line arguments has prevented behavioral analysis from showing the last-stage PyInstaller binary. For example, the PyInstaller files are rarely found on VirusTotal. This is because when the earlier-stage files are uploaded to VirusTotal, they do not have arguments passed with them to the sandbox engines.

Additionally, we do not observe the same behavior from the PC App Store installer in sandboxes as we do in live telemetry. This indicates there is some anti-sandbox analysis happening with the initial installer, making it difficult to observe the entire infection chain in a controlled environment.

The final-stage PyInstaller file that performs the reconnaissance activities is protected by Pyarmor, which encrypts and obfuscates the Python bytecode. This makes static analysis a challenging and time consuming endeavor.

One of the best ways to prevent threats like Amber Albatross from executing in your environment is to restrict third-party app stores like PC App Store. Red Canary classifies PC App Store as a PUP and detects it as such. While PUPs are a lower priority for many teams, restricting their use can prevent possible credential theft and the leaking of sensitive company data.