
Cyber Incident Victim: Ammyy

Date:

Oct 2015

Location:

Russia

Summary

A remote administration software provider experienced a compromise in which the free version of its product was bundled with malicious code, so that legitimate-looking installers distributed the Buhtrap malware. The malicious component was loaded through DLL sideloading and performed system espionage, keystroke logging, and communication with command-and-control servers. Attackers exploited the software's broad adoption to deliver multiple malicious payloads through shared droppers; security researchers identified specific file hashes and a digital certificate, later revoked, associated with the campaign.

CIA Posture: Available to members

Motives: 1 motive

Tactics, Techniques & Procedures: 1 technique

Threat Actor: 1 actor

Type: Available to members

Location: Available to members

Description

In late October to early November 2015, ESET Research identified that threat actors distributed Buhtrap malware by bundling it with legitimate installers of Ammyy Admin software. Attackers compromised the free version of Ammyy’s remote administration tool available on its official website, ammyy.com. Users who downloaded the software during this period received NSIS-based installers containing both the legitimate application and malicious components. The Buhtrap malware performed surveillance activities including keystroke logging and exfiltrating data to command-and-control servers. Attackers employed DLL sideloading techniques to execute malicious code while evading detection. ESET documented specific malware samples through SHA1 hashes such as 44769DD6A5291D1EAC79E78FEE3ED1F147990120. Comodo revoked a digital certificate associated with the malicious bundles. The operation leveraged Ammyy Admin’s broad user base to maximize infection rates.


The campaign, designated Operation Buhtrap, involved droppers capable of deploying multiple malware families beyond Buhtrap itself. Threat actors exploited the trust in Ammyy’s widely used remote administration software to distribute payloads. ESET’s analysis confirmed the malware’s persistence mechanisms and communication patterns with attacker-controlled infrastructure. The incident impacted systems where users installed the compromised Ammyy Admin versions during the specified timeframe. No vendor or law enforcement containment actions were described in the source material. ESET advised affected users to conduct system scans to identify potential infections. The discovery highlighted risks associated with software supply chain compromises even when downloading from official sources.
