Skip to content
July 18, 2026
  • Linkedin
  • Twitter
  • Facebook
  • Youtube

Daily CyberSecurity

Zero-hour alerts. Unmatched analysis.

Primary Menu
  • Home
  • CVE Data
    • CVE Watchtower
    • Top Exploited CVEs
    • CVE Stats by Vendor
    • Q2 2026 Report
  • Cyber Criminals
  • Data Leak
  • Linux
  • Malware
  • Vulnerability
  • Submit Press Release
  • Weekly Recap
Light/Dark Button
  • Home
  • News
  • Malware
  • Proofpoint discovers new Ammyy admin turned into FlawedAmmyy RAT
  • Malware

Proofpoint discovers new Ammyy admin turned into FlawedAmmyy RAT

Do Son March 11, 2018 2 minutes read
Flawed Ammyy
Add Daily CyberSecurity as a preferred source on Google

Recently, cybersecurity company Proofpoint discovered a previously unreported remote-access Trojan (RAT) and named it “Flawed Ammyy,” which allows an attacker to gain full access to an infected computer.

Since January 2016, Flawed Ammyy has been spreading emails distributed through phishing campaigns. These phishing campaigns often use large-scale batch delivery to distribute e-mail to target a large number of different targets at the same time, but it does not rule out high-targeted attacks. For example, on January 16 this year, there was a highly targeted phishing campaign targeting the automotive industry.

FlawedAmmyy recently appeared in large-scale phishing campaigns on March 5th and 6th this year. The emails distributed during the event use a zip file as an attachment. It is named after the English word “Bill” or “Invoice” combined with a set of random numbers. Obviously, the sender wants to use fake bills and invoices as bait to trick the recipient to download and open the attachment.

Based on the content of the e-mail and the mode of dissemination, the operating team behind the Flawed Ammyy is considered to be the TA505, a hacking organization that has been active since 2014. In the past few years, the organization has successfully launched many large-scale cyber attacks by using bank Trojan Dridex and ransomware Locky and Jaff as attack tools.

The zip file contains an url file. Through parsing, we can see that the file content contains a link for downloading malicious JavaScript scripts. The url file is interpreted as an “Internet Shortcuts” file on Windows systems. For an example, you can find it in the “Favorites” folder of the Windows operating system. Normally, after double-clicking on this file, the web browser will launch and automatically respond to the web page.

However, when the recipient double-clicks on the url file, an alert window will be displayed. If “Open” is selected, the system will download and execute the JavaScript script file by calling the SMB protocol instead of launching the web browser.

This JavaScript script, in turn, downloads a loader, which is then downloaded by the loader and installs Flawed Ammyy on the infected computer.

According to Proofpoint, Flawed Ammyy builds on the source code of the third version of the leaked remote desktop software Ammyy Admin (a legitimate application). This makes it include some features of Ammyy Admin, such as remote desktop control, file system management, proxy support, and audio chat.

Source, Image: Proofpoint

Related coverage

  • Kaspersky Reveals Lazarus’ Sophisticated Techniques in Targeting Software Vendors
  • OctoV2 Android Banking Trojan Masquerades as Deepseek AI in Phishing Attack
  • Higaisa Hacker Targets Chinese Users with Deceptive OpenVPN Clone
  • 5-Year Threat: Malicious NuGet Package Used Homoglyphs and Typosquatting to Steal Crypto Wallets
  • ShadowRoot Ransomware Targets Turkish Businesses
Track all actively exploited CVEs →

Support Our Threat Intelligence

If you find our CVE report and cybersecurity news helpful, consider supporting our work.

Buy Me a Coffee Logo Buy Me a Coffee PayPal
Crypto QR Code
USDT (TRC20):
TN8BdV8cp4T1Cd28gK9qTAnZknzzuwyUtm
USDT (ERC20):
0x3725e1a7d3bc5765499fa6aaafe307fabcd75bce

Share this article:

Facebook Post LinkedIn Telegram
Written by
@DdoS · Security Researcher

Do Son

Do Son is the Founder and Editor of SecurityOnline.info. Working in cybersecurity since 2013, he reports on vulnerabilities, malware, and emerging threats, providing timely analysis to help organizations and individuals stay ahead of evolving risks.

Search

Translation

CVE WATCHTOWER
🚨

Receive alerts for vulnerabilities being exploited in the wild.

⚡

Get notified instantly when a Proof of Concept (PoC) exploit is published.

🔍

Access critical info on vulnerabilities even when marked as "RESERVED".

🧠

Insights powered by decades of expertise and global intelligence sources.

🎯

Customize alerts with up to 10 keywords for your specific tech stack.

📊

Export the raw CVE database for SIEM integration and reporting.

Upgrade Package

🚨 Active Exploits in the Wild

  • CVE-2026-6875CVSS 9.5
    ServiceNow has addressed a remote code execution vulnerability that was identified in the ServiceNow AI platform. This vulnerability...
    Admin intel📅 Updated: Jul 18, 2026
  • CVE-2026-39808CVSS 9.8
    A improper neutralization of special elements used in an os command ('os command injection') vulnerability in Fortinet FortiSandbox...
    CISA KEV📅 Added to KEV: Jul 16, 2026
  • CVE-2026-25089CVSS 9.8
    A improper neutralization of special elements used in an os command ('os command injection') vulnerability in Fortinet FortiSandbox...
    CISA KEV📅 Added to KEV: Jul 16, 2026
  • CVE-2026-58644CVSS 9.8
    Deserialization of untrusted data in Microsoft Office SharePoint allows an unauthorized attacker to execute code over a network.
    CISA KEV📅 Added to KEV: Jul 16, 2026
  • CVE-2023-4346CVSS 7.5
    KNX devices that use KNX Connection Authorization and support Option 1 are, depending on the implementation, vulnerable to...
    CISA KEV📅 Added to KEV: Jul 15, 2026
  • CVE-2026-53362
    In the Linux kernel, the following vulnerability has been resolved: ipv6: account for fraggap on the paged allocation...
    Admin intel📅 Updated: Jul 14, 2026
  • CVE-2026-46242CVSS 7.8
    In the Linux kernel, the following vulnerability has been resolved: eventpoll: fix ep_remove struct eventpoll / struct file...
    Admin intel📅 Updated: Jul 14, 2026
  • CVE-2026-56155CVSS 7.8
    Insufficient granularity of access control in Active Directory Federation Services (AD FS) allows an authorized attacker to elevate...
    CISA KEV📅 Added to KEV: Jul 14, 2026
Powered by CVE Watchtower

🔴 Live Critical Threats

  • CVE-2026-16117CVSS 10.0
    Impact: @fastify/http-proxy versions up to and including 11.5.0 fail to rewrite the...
  • CVE-2026-47865CVSS 9.8
    VMware Avi Load Balancer contains an authentication bypass vulnerability. A malicious user...
  • CVE-2026-55518CVSS 9.6
    Avo is a framework to create admin panels for Ruby on Rails...
  • CVE-2026-54159CVSS 10.0
    PrestaShop ps_facetedsearch is a module that adds layered navigation filters. From 3.0.0...
  • CVE-2026-48062CVSS 9.8
    CodeIgniter is a PHP full-stack web framework. Prior to 4.7.3, the ext_in...
  • CVE-2026-13446CVSS 9.8
    IBM Langflow OSS 1.0.0 through 1.10.1 contains hard-coded credentials, such as a password...
  • CVE-2026-8859CVSS 9.9
    IBM Langflow OSS 1.0.0 through 1.10.0 Langflow could allow an attacker to...
  • CVE-2026-8635CVSS 9.9
    IBM Langflow OSS 1.0.0 through 1.10.0 allows authenticated users to escalate privileges...
  • CVE-2026-8505CVSS 9.8
    IBM Langflow OSS 1.0.0 through 1.10.0 has a vulnerability in Langflow's webhook...
  • CVE-2026-8476CVSS 9.9
    IBM Langflow OSS 1.0.0 through 1.10.0 contain a critical remote code execution...
Powered by CVE WATCHTOWER

Our Websites
  • Penetration Testing Tools
  • The Daily Information Technology
  • Top Exploited CVEs
  • Daily CyberSecurity

    • About SecurityOnline.info
    • Advertise with us
    • Announcement
    • Contact
    • Contributor Register
    • Login
    • Disclaimer
    • DCMA
    • Privacy Policy
    • About SecurityOnline.info
    • Advertise on SecurityOnline.info
    • Contact Us

    When you purchase through links on our site, we may earn an affiliate commission. Here’s how it works

    • CVE Watchtower
    • CVE Statistics by Vendor 2026
    • Q2 2026 Report
    • Top Exploited CVEs
    • Linkedin
    • Twitter
    • Facebook
    • Youtube
    © 2017 - 2026 Daily CyberSecurity. All Rights Reserved.