Amber Albatross

Amber Albatross arrived on the scene in 2024. While it is delivered via PUP, it behaves like a wolf.

#5

Overall Rank

2.9%

Customers Affected

Analysis

Amber Albatross is a Red Canary-named activity cluster that we have been tracking since January 2024. The activity encompasses download and installation activities that consistently lead to a Pyarmor-obfuscated PyInstaller executable with stealer-like capabilities. We have consistently observed Amber Albatross installers as a payload delivered by potentially unwanted programs (PUP), including Bit Guardian’s Bit Driver Updater, PC App Store, and Let’s Compress.

The Amber Albatross intrusion chain contains multiple stages with anti-analysis techniques that make sandbox analysis difficult, and the final payload is heavily obfuscated. We assess that this activity is nefarious due to suspicious reconnaissance activity and its heavy obfuscation.

We first reported on Amber Albatross in our July 2024 Intelligence Insights.

Intrusion chain

In 2024, the two most prevalent PUPs we observed installing Amber Albatross were PC App Store (beginning in June and continuing through the end of the year), and Let’s Compress (beginning in November and continuing into 2025). The charts below walk through the installation path used to deliver Amber Albatross’ PyInstaller executable for each program.

PC App Store

[Flow chart: installation path from PC App Store to the Amber Albatross PyInstaller executable]

Let’s Compress

[Flow chart: installation path from Let’s Compress to the Amber Albatross PyInstaller executable]

The final payload

Regardless of the initial infection chain, the final Amber Albatross payload (the PyInstaller file) immediately performs reconnaissance, similar to what we typically observe from stealers. During the reconnaissance phase, the malware uses WMIC to detect whether a hypervisor is present on the endpoint and to enumerate the manufacturer, model, and list of installed Windows updates. The PyInstaller file also checks for antivirus and firewall products and, based on analysis of memory dumps, looks for a wide range of browsers and their development versions, including:

  • Edge
  • Firefox
  • Chrome
  • Chromium
  • Avast Browser
  • Brave

Once it identifies the browsers utilized on the endpoint, the PyInstaller will attempt to access browser profiles or user data folders. For Chrome, we have seen Amber Albatross check the value of the following registry key:

HKLM:\SOFTWARE\Policies\Google\Chrome\CloudManagementEnrollmentToken

This key is set during enrollment for managed browsers, allowing Amber Albatross to determine if the browser might be controlled by corporate policy. We have yet to discern how Amber Albatross uses this information or continues the intrusion chain. However, these reconnaissance activities are typical for stealers.
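The reconnaissance sequence above is observable in endpoint telemetry even though the payload itself is obfuscated. The following is an added detection example (not Red Canary's code and not part of this report): it correlates process-creation and registry-read events per process and flags one that behaves like the Amber Albatross payload, namely WMIC queries for hypervisor presence, manufacturer/model, installed updates and security products, plus a read of Chrome's CloudManagementEnrollmentToken policy value by something that is not a browser. The event schema, field names and the exact WMIC syntax are assumptions, and the sample events are constructed.

```python
"""Behavioral detection for the stealer-like reconnaissance phase described above.

Added example, not Red Canary's code. Event schema and WMIC syntax are assumptions.
"""
import re
from collections import defaultdict

# WMIC command lines grouped by what they enumerate (syntax assumed, not taken from the report).
WMIC_RECON = {
    "hypervisor": re.compile(r"\bwmic\b.*\bcomputersystem\b.*\bhypervisorpresent\b", re.I),
    "hardware": re.compile(r"\bwmic\b.*\bcomputersystem\b.*\b(manufacturer|model)\b", re.I),
    "updates": re.compile(r"\bwmic\b.*\bqfe\b", re.I),
    "security_products": re.compile(r"\bwmic\b.*\b(antivirusproduct|firewallproduct)\b", re.I),
}

# Registry value the report says the payload checks; only browsers have a reason to read it.
ENROLLMENT_TOKEN_VALUE = r"HKLM\SOFTWARE\Policies\Google\Chrome\CloudManagementEnrollmentToken"
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "chromium.exe", "avastbrowser.exe"}


def image_name(path):
    """Lower-cased file name of an image path, accepting either path separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify_wmic(cmdline):
    """Return the reconnaissance categories a WMIC command line falls into."""
    return [name for name, rx in WMIC_RECON.items() if rx.search(cmdline)]


def detect_recon(events, threshold=2):
    """Attribute signals to the process that performed them and return those at or over the threshold.

    WMIC signals go to the parent of the WMIC child process; the registry signal goes
    to the reading process. A single admin WMIC command alone stays below the threshold.
    """
    signals = defaultdict(set)
    image_by_pid = {}
    for ev in events:
        if ev["type"] == "process":
            image_by_pid[ev["pid"]] = ev["image"]
            if image_name(ev["image"]) == "wmic.exe":
                for category in classify_wmic(ev["cmdline"]):
                    signals[ev["ppid"]].add("wmic:" + category)
        elif ev["type"] == "registry_read":
            if ev["value"].lower() == ENROLLMENT_TOKEN_VALUE.lower() and image_name(ev["image"]) not in BROWSERS:
                signals[ev["pid"]].add("registry:chrome_enrollment_token")
    return {
        pid: {"image": image_by_pid.get(pid, "<unknown>"), "signals": sorted(sigs)}
        for pid, sigs in signals.items()
        if len(sigs) >= threshold
    }


# Constructed sample telemetry: a payload doing the full reconnaissance (pid 4100), Chrome
# legitimately reading its own policy value (pid 5000), and an admin listing hotfixes (pid 6000).
SAMPLE_EVENTS = [
    {"type": "process", "pid": 4100, "ppid": 3000, "image": r"C:\Users\u\AppData\Local\Temp\payload.exe",
     "cmdline": "payload.exe --safetorun --channel=3fa9c1"},
    {"type": "process", "pid": 4101, "ppid": 4100, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic computersystem get hypervisorpresent"},
    {"type": "process", "pid": 4102, "ppid": 4100, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic computersystem get manufacturer,model"},
    {"type": "process", "pid": 4103, "ppid": 4100, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic qfe list brief"},
    {"type": "process", "pid": 4104, "ppid": 4100, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": r"wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName"},
    {"type": "registry_read", "pid": 4100, "image": r"C:\Users\u\AppData\Local\Temp\payload.exe",
     "value": ENROLLMENT_TOKEN_VALUE},
    {"type": "process", "pid": 5000, "ppid": 1, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": "chrome.exe"},
    {"type": "registry_read", "pid": 5000, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "value": ENROLLMENT_TOKEN_VALUE},
    {"type": "process", "pid": 6000, "ppid": 2, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
    {"type": "process", "pid": 6001, "ppid": 6000, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic qfe list brief"},
]

if __name__ == "__main__":
    for pid, finding in detect_recon(SAMPLE_EVENTS).items():
        print(pid, finding["image"], finding["signals"])
```

Running the block flags only pid 4100, with all four WMIC categories plus the registry read; the browser's own read and the lone `wmic qfe` from cmd.exe produce no finding. The threshold is deliberately on distinct signal types rather than event counts so that repeated benign queries of one kind do not accumulate into a false positive.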

Anti-analysis tactics

The downloaded Amber Albatross installation and PyInstaller files require specific command-line parameters in order to fully execute. We have consistently observed the arguments --safetorun and --channel=<hex numbers>; the hex value passed in the --channel= flag varies by infection.

The requirement for command-line arguments has prevented behavioral analysis from reaching the last-stage PyInstaller binary. For example, the PyInstaller files are rarely found on VirusTotal: when the C++ file is uploaded there, the sandbox engines execute it without the arguments it requires, so it never proceeds to the PyInstaller stage.

Additionally, we do not observe the same behavior from the PC App Store installer in sandboxes as we do in live telemetry. This indicates there is some anti-sandbox analysis happening with the initial installer, making it difficult to observe the entire infection chain in a controlled environment.

The final-stage PyInstaller file that performs the reconnaissance activities is protected by Pyarmor, which encrypts and obfuscates the Python bytecode. This makes static analysis a challenging and time-consuming endeavor.

Take action

One of the best ways to prevent threats like Amber Albatross from executing in your environment is to restrict third-party app stores like PC App Store. Red Canary classifies PC App Store as a PUP and detects it as such. While PUPs are a lower priority for many teams, restricting their use can prevent possible credential theft and the leaking of sensitive company data.

Detection opportunities

Amber Albatross uses a small number of certificates to sign the C++ binary dropped by the PUP installer files, which can be used for detection. Although earlier PyInstaller EXEs were signed, we have increasingly observed newer installers that are unsigned.

Certificates used by Amber Albatross

| Name | Issuer | Valid From | Valid To | Thumbprint |
| --- | --- | --- | --- | --- |
| UTILITY ACCESS (SMC-PRIVATE) LIMITED | GlobalSign GCC R45 EV | 4/18/2024 | 4/19/2025 | e6454be52b74dec4a3c5048a2398bc73d3e38176 |
| KHOKHER ENTERPRISES LLC | GlobalSign GCC R45 | 7/19/2023 | 7/19/2024 | cb54eaa367136a1a1eb40d06b111e9c6f76328e5 |
| HUDDA FOODS (SMC-PRIVATE) LIMITED | GlobalSign GCC R45 EV | 7/17/2023 | 7/17/2024 | 26bb932bb440440f9a6cd3829da7f422d438eab4 |
| Arsalan Khan | SSL.com Code Signing | 7/3/2023 | 7/2/2024 | d650d0d4a415c37b2ea6018495ea9e28d11555e4 |
| Naresh Singh | Sectigo Public Code | 1/23/2023 | 1/23/2024 | a2d092a13ed5e04e06552bb60eb28228a34f8bf1 |

Amber Albatross also uses a small set of domains, most using Let’s Encrypt certificates. The domains are registered with Name.com and occasionally GoDaddy.

Domains contacted by Amber Albatross

  • sail-on-item[.]com
  • field-for-ever[.]com
  • opt-ics[.]com
  • perffer[.]com
  • river-of-data[.]com
  • servers-servers-servers[.]com
  • creaper[.]world
  • mobilityeve[.]com
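The indicators in this section (signer thumbprints and contacted domains) and the command-line pattern from the anti-analysis section (--safetorun together with --channel=<hex>) can be turned into a single matching routine. The following is an added example, not Red Canary's code: it refangs the bracketed domains above, normalizes thumbprints so that spaced, colon-separated or upper-case renderings still match, extracts the --channel hex value only when --safetorun is also present, and runs those checks over constructed sample events. Event field names are assumptions.

```python
"""Indicator matching for the certificate thumbprints, domains and command-line flags in this report.

Added example, not Red Canary's code. Event field names are assumptions; sample events are constructed.
"""
import re

# Domains from the report, kept in their defanged form so the list can be pasted as published.
DEFANGED_DOMAINS = [
    "sail-on-item[.]com", "field-for-ever[.]com", "opt-ics[.]com", "perffer[.]com",
    "river-of-data[.]com", "servers-servers-servers[.]com", "creaper[.]world", "mobilityeve[.]com",
]

# SHA-1 thumbprints from the report's certificate table, mapped to the subject name.
# Expiry does not matter for matching: a signature from one of these remains an indicator after Valid To.
CERT_THUMBPRINTS = {
    "e6454be52b74dec4a3c5048a2398bc73d3e38176": "UTILITY ACCESS (SMC-PRIVATE) LIMITED",
    "cb54eaa367136a1a1eb40d06b111e9c6f76328e5": "KHOKHER ENTERPRISES LLC",
    "26bb932bb440440f9a6cd3829da7f422d438eab4": "HUDDA FOODS (SMC-PRIVATE) LIMITED",
    "d650d0d4a415c37b2ea6018495ea9e28d11555e4": "Arsalan Khan",
    "a2d092a13ed5e04e06552bb60eb28228a34f8bf1": "Naresh Singh",
}

SAFETORUN_RX = re.compile(r"--safetorun\b", re.I)
CHANNEL_RX = re.compile(r"--channel=([0-9a-f]+)\b", re.I)


def refang(domain):
    """Turn a defanged domain such as 'perffer[.]com' back into 'perffer.com'."""
    return domain.replace("[.]", ".").replace("(.)", ".").lower().strip(".")


KNOWN_DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}


def domain_matches(host):
    """True for a listed domain or any subdomain of it; a lookalike such as 'notperffer.com' must not match."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in KNOWN_DOMAINS)


def normalize_thumbprint(tp):
    """Strip the separators tools add (spaces, colons) and lower-case the hex."""
    return re.sub(r"[^0-9a-f]", "", tp.lower())


def signer_matches(tp):
    """Subject name of the matching listed certificate, or None."""
    return CERT_THUMBPRINTS.get(normalize_thumbprint(tp))


def channel_arg(cmdline):
    """Return the --channel hex value only when --safetorun is also present, else None."""
    if not SAFETORUN_RX.search(cmdline):
        return None
    m = CHANNEL_RX.search(cmdline)
    return m.group(1).lower() if m else None


def check_event(ev):
    """List the indicator types an event matches, in a fixed order."""
    hits = []
    if ev.get("signer_thumbprint") and signer_matches(ev["signer_thumbprint"]):
        hits.append("cert_thumbprint")
    if ev.get("dest_host") and domain_matches(ev["dest_host"]):
        hits.append("domain")
    channel = channel_arg(ev.get("cmdline", ""))
    if channel:
        hits.append("cmdline_channel=" + channel)
    return hits


def scan(events):
    """Map event id to its matched indicators, keeping only events with at least one hit."""
    results = {}
    for ev in events:
        hits = check_event(ev)
        if hits:
            results[ev["id"]] = hits
    return results


# Constructed sample events: e1 is a signed dropper with the full pattern; e2 lacks --safetorun and
# carries a placeholder signer; e3 beacons to a subdomain of a listed domain; e4 is a lookalike domain.
SAMPLE_EVENTS = [
    {"id": "e1", "image": r"C:\Users\u\Downloads\setup.exe",
     "signer_thumbprint": "E6 45 4B E5 2B 74 DE C4 A3 C5 04 8A 23 98 BC 73 D3 E3 81 76",
     "cmdline": "setup.exe --safetorun --channel=1A2B3C", "dest_host": "sail-on-item.com"},
    {"id": "e2", "image": r"C:\Users\u\Downloads\installer.exe",
     "signer_thumbprint": "0000000000000000000000000000000000000000",  # placeholder, not a real signer
     "cmdline": "installer.exe --channel=abc"},
    {"id": "e3", "image": r"C:\Users\u\AppData\Local\Temp\payload.exe", "dest_host": "cdn.perffer.com"},
    {"id": "e4", "image": r"C:\Users\u\AppData\Local\Temp\payload.exe", "dest_host": "notperffer.com"},
]

if __name__ == "__main__":
    for event_id, hits in scan(SAMPLE_EVENTS).items():
        print(event_id, hits)
```

The thumbprint match is the highest-confidence signal of the three, since a signing certificate is harder for an operator to rotate than a domain or a flag value; the channel value is reported with the hit so that it can be pivoted on across hosts, as the report notes it varies by infection.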
