Amber Albatross arrived on the scene in 2024. While it is delivered via PUP, it behaves like a wolf.
Amber Albatross is a Red Canary-named activity cluster that we have been tracking since January 2024. The activity encompasses download and installation activities that consistently lead to a Pyarmor-obfuscated PyInstaller executable with stealer-like capabilities. We have consistently observed Amber Albatross installers as a payload delivered by potentially unwanted programs (PUP), including Bit Guardian’s Bit Driver Updater, PC App Store, and Let’s Compress.
The Amber Albatross intrusion chain contains multiple stages with anti-analysis techniques that make sandbox analysis difficult, and the final payload is heavily obfuscated. We assess that this activity is nefarious due to suspicious reconnaissance activity and its heavy obfuscation.
We first reported on Amber Albatross in our July 2024 Intelligence Insights.
In 2024, the two most prevalent PUPs we observed installing Amber Albatross were PC App Store (beginning in June and continuing through the end of the year), and Let’s Compress (beginning in November and continuing into 2025). The charts below walk through the installation path used to deliver Amber Albatross’ PyInstaller executable for each program.
Regardless of the initial infection chain, the final Amber Albatross payload, the PyInstaller file, immediately performs reconnaissance similar to what we typically observe from stealers. During the reconnaissance phase, the malware uses WMIC to detect whether a hypervisor is present on the endpoint and to enumerate the manufacturer, model, and list of installed Windows software updates. The PyInstaller file also checks for antivirus and firewall products and, based on our analysis of memory dumps, looks for a wide range of browsers and their development versions, including:
Once it identifies the browsers utilized on the endpoint, the PyInstaller will attempt to access browser profiles or user data folders. For Chrome, we have seen Amber Albatross check the value of the following registry key:
HKLM:\SOFTWARE\Policies\Google\Chrome\CloudManagementEnrollmentToken
This key is set during enrollment for managed browsers, allowing Amber Albatross to determine if the browser might be controlled by corporate policy. We have yet to discern how Amber Albatross uses this information or continues the intrusion chain. However, these reconnaissance activities are typical for stealers.
The downloaded Amber Albatross installation and PyInstaller files require specific command-line parameters in order to fully execute. We have consistently observed the arguments --safetorun and --channel=<hex numbers>. The numbers included in the --channel= flag vary by infection.
The requirement for command-line arguments has prevented behavioral analysis from revealing the last-stage PyInstaller binary. For example, the PyInstaller files are rarely found on VirusTotal, because when the C++ file is uploaded to VirusTotal the sandbox engines run it without the arguments it needs.
Additionally, we do not observe the same behavior from the PC App Store installer in sandboxes as we do in live telemetry. This indicates there is some anti-sandbox analysis happening with the initial installer, making it difficult to observe the entire infection chain in a controlled environment.
The final-stage PyInstaller file that performs the reconnaissance activities is protected by Pyarmor, which encrypts and obfuscates the Python bytecode. This makes static analysis a challenging and time consuming endeavor.
One of the best ways to prevent threats like Amber Albatross from executing in your environment is to restrict third-party app stores like PC App Store. Red Canary classifies PC App Store as a PUP and detects it as such. While PUPs are a lower priority for many teams, restricting their use can prevent possible credential theft and the leaking of sensitive company data.
Amber Albatross uses a small number of certificates to sign the C++ binary dropped by the PUP installer files, and these certificates can be used for detection. Although earlier PyInstaller EXEs were signed, we have increasingly observed newer installers that are unsigned.
| Name | Issuer | Valid From | Valid To | Thumbprint |
| --- | --- | --- | --- | --- |
| UTILITY ACCESS (SMC-PRIVATE) LIMITED | GlobalSign GCC R45 EV | 4/18/2024 | 4/19/2025 | e6454be52b74dec4a3c5048a2398bc73d3e38176 |
| KHOKHER ENTERPRISES LLC | GlobalSign GCC R45 | 7/19/2023 | 7/19/2024 | cb54eaa367136a1a1eb40d06b111e9c6f76328e5 |
| HUDDA FOODS (SMC-PRIVATE) LIMITED | GlobalSign GCC R45 EV | 7/17/2023 | 7/17/2024 | 26bb932bb440440f9a6cd3829da7f422d438eab4 |
| Arsalan Khan | SSL.com Code Signing | 7/3/2023 | 7/2/2024 | d650d0d4a415c37b2ea6018495ea9e28d11555e4 |
| Naresh Singh | Sectigo Public Code | 1/23/2023 | 1/23/2024 | a2d092a13ed5e04e06552bb60eb28228a34f8bf1 |
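As an added detection example (not Red Canary's own logic, and not code from the page), the following Python flags endpoint process events that show the --safetorun plus --channel=<hex> argument pair described above, or a signer thumbprint from the table. The event schema (cmdline, signer_thumbprint) and the sample telemetry are constructed for illustration.

```python
import re

# Signer thumbprints from the certificate table above.
KNOWN_THUMBPRINTS = {
    "e6454be52b74dec4a3c5048a2398bc73d3e38176",
    "cb54eaa367136a1a1eb40d06b111e9c6f76328e5",
    "26bb932bb440440f9a6cd3829da7f422d438eab4",
    "d650d0d4a415c37b2ea6018495ea9e28d11555e4",
    "a2d092a13ed5e04e06552bb60eb28228a34f8bf1",
}

# The argument pair reported for the installers: --safetorun and --channel=<hex>.
SAFETORUN_RE = re.compile(r"(?<!\S)--safetorun(?!\S)")
CHANNEL_RE = re.compile(r"(?<!\S)--channel=([0-9a-fA-F]+)(?!\S)")


def classify_event(event):
    """Return the reasons a process event matches Amber Albatross traits.

    `event` is a dict with 'cmdline' and 'signer_thumbprint' keys (assumed schema).
    Both indicators are independent, so an event can match on one or both.
    """
    reasons = []
    cmd = event.get("cmdline", "")
    if SAFETORUN_RE.search(cmd) and CHANNEL_RE.search(cmd):
        reasons.append("safetorun+channel args")
    thumb = (event.get("signer_thumbprint") or "").lower()
    if thumb in KNOWN_THUMBPRINTS:
        reasons.append("known signer thumbprint")
    return reasons


def scan(events):
    """Return (index, reasons) for every event that matched at least one trait."""
    hits = []
    for i, event in enumerate(events):
        reasons = classify_event(event)
        if reasons:
            hits.append((i, reasons))
    return hits


# Constructed sample telemetry; paths and channel value are made up.
SAMPLE_EVENTS = [
    {"cmdline": r"C:\Users\u\AppData\Local\Temp\setup.exe --safetorun --channel=3fa9c2e1",
     "signer_thumbprint": "E6454BE52B74DEC4A3C5048A2398BC73D3E38176"},
    {"cmdline": r"C:\Program Files\Tool\tool.exe --channel=abc", "signer_thumbprint": None},
    {"cmdline": r"C:\Windows\System32\notepad.exe",
     "signer_thumbprint": "0000000000000000000000000000000000000000"},
]

if __name__ == "__main__":
    for index, reasons in scan(SAMPLE_EVENTS):
        print(index, SAMPLE_EVENTS[index]["cmdline"], reasons)
```

Thumbprint matching is case-insensitive because EDR platforms differ in how they render SHA-1 fingerprints; the argument check requires both flags, since --channel alone is too generic to alert on.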
Amber Albatross also uses a small set of domains, most using Let’s Encrypt certificates. The domains are registered with Name.com and occasionally GoDaddy.
Amber Albatross exhibits behaviors represented by the following Atomic Red Team tests: