Amadey exploiting self-hosted GitLab to distribute StealC

Intel Name: Amadey exploiting self-hosted GitLab to distribute StealC

Date of Scan: December 23, 2025

Impact: High

Summary:
Amadey is a malware loader active since 2018, commonly used to deploy second-stage payloads and infostealers. Historically, it has distributed payloads via GitHub repositories. Recent activity reveals a new campaign abusing a compromised, self-hosted GitLab instance to deliver the StealC infostealer. Threat actors repurpose abandoned GitLab servers to build a legitimate-looking payload delivery infrastructure. Leveraging long-standing domains with valid TLS certificates helps evade traditional security defenses.
