Amadey Bot Being Distributed Disguised as a Well-Known Korean Messenger Program

2022-10-17 AhnLab Amadey Bot is being distributed disguised as a famous domestic messenger program.

https://asec.ahnlab.com/ko/40107/


AhnLab analyzes Amadey Bot malware distributed as a fake KakaoTalk update during public concern over the Kakao service disruptions. The initial executable used the messenger program's name and icon; when run, it relaunched itself recursively, injected into its own process, and downloaded a ZIP payload into the Public folder. The dropper launched a DLL through rundll32.exe, which created and executed an Amadey Bot component; that component reported the host ID, bot version, privilege level, architecture, Windows version, PC name, and username to its C2 server. The report provides detection names, file hashes, and URLs for the downloader, dropper, and Amadey payload.

Indicators of Compromise

Type    Value                               First Seen  Last Seen
HASH    0184b0f6403420f7134a3e4a37498754    2022-10-17  2022-10-17
HASH    ccd5a8f11035b888a7a3de6035ac272e    2022-10-17  2022-10-17
HASH    00a7588c41c5a1183f098901d30df09a    2022-10-17  2022-10-17
URL     https://office-download3791.com…    2022-10-17  2022-10-17
URL     https://rs-shop7301.com/index.p…    2022-10-17  2022-10-17
DOMAIN  rs-shop7301.com                     2022-10-17  2022-10-17
DOMAIN  office-download3791.com             2022-10-17  2022-10-17
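The following Python script is an added example, not code from the AhnLab report. It turns the behaviours summarised above (an executable running from the Public folder, a process relaunching itself, rundll32.exe loading a DLL from the Public folder, outbound traffic to the C2 domains) and the hashes and domains from the table into a small triage check, and runs it over a few constructed telemetry lines. The file names in those lines (KakaoTalk_Setup.exe, update.dll) are assumptions; the report does not name the files. The two URLs are truncated on the page, so only the domains are matched.

```python
"""Triage check for the fake-KakaoTalk Amadey chain described above.

Added example, not code from the AhnLab report. The log lines below are
constructed to resemble process/network telemetry; the file names in them
(KakaoTalk_Setup.exe, update.dll) are assumptions, not names from the report.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# IoCs copied from the table above. The URLs are truncated on the page, so
# only the domains are matched here.
IOC_HASHES = {
    "0184b0f6403420f7134a3e4a37498754",
    "ccd5a8f11035b888a7a3de6035ac272e",
    "00a7588c41c5a1183f098901d30df09a",
}
IOC_DOMAINS = {"rs-shop7301.com", "office-download3791.com"}

PUBLIC_DIR = re.compile(r"^[a-z]:\\users\\public\\", re.I)
# First .dll argument handed to rundll32 (report: dropper ran a DLL via rundll32.exe).
RUNDLL_DLL = re.compile(r"rundll32(?:\.exe)?\s+\"?([^\",]+\.dll)", re.I)
KV = re.compile(r'(\w+)="([^"]*)"')


@dataclass
class Event:
    kind: str = ""     # "process" or "network"
    image: str = ""    # path of the process
    parent: str = ""   # path of the parent process
    cmdline: str = ""
    md5: str = ""
    dest: str = ""     # destination host for network events


def parse_line(line: str) -> Event:
    """Parse a key="value" telemetry line into an Event (unknown keys ignored)."""
    fields = dict(KV.findall(line))
    return Event(**{k: v for k, v in fields.items() if k in Event.__dataclass_fields__})


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def check_event(ev: Event) -> list[str]:
    """Return the indicators from the report that this event matches."""
    hits: list[str] = []
    if ev.md5.lower() in IOC_HASHES:
        hits.append(f"known-hash:{ev.md5.lower()}")
    if ev.kind == "process":
        # Downloader relaunched itself: parent and child share an image name.
        if ev.parent and _basename(ev.parent) == _basename(ev.image):
            hits.append("self-relaunch")
        m = RUNDLL_DLL.search(ev.cmdline)
        if m and PUBLIC_DIR.match(m.group(1)):
            hits.append("rundll32-dll-from-public")
        if PUBLIC_DIR.match(ev.image) and ev.image.lower().endswith(".exe"):
            hits.append("exe-from-public")
    elif ev.kind == "network":
        host = ev.dest.lower()
        if host in IOC_DOMAINS or any(host.endswith("." + d) for d in IOC_DOMAINS):
            hits.append(f"ioc-domain:{host}")
    return hits


def triage(lines: list[str]) -> dict[int, list[str]]:
    """Map line index -> matched indicators, for lines that matched anything."""
    result: dict[int, list[str]] = {}
    for i, line in enumerate(lines):
        hits = check_event(parse_line(line))
        if hits:
            result[i] = hits
    return result


# Constructed sample telemetry (not from the report).
SAMPLE_LINES = [
    'kind="process" image="C:\\Users\\Public\\KakaoTalk_Setup.exe" '
    'parent="C:\\Users\\Public\\KakaoTalk_Setup.exe" cmdline="KakaoTalk_Setup.exe" '
    'md5="0184b0f6403420f7134a3e4a37498754"',
    'kind="process" image="C:\\Windows\\System32\\rundll32.exe" '
    'cmdline="rundll32.exe C:\\Users\\Public\\update.dll,Start" md5=""',
    'kind="network" image="C:\\Windows\\System32\\rundll32.exe" dest="rs-shop7301.com"',
    # Legitimate install path and an unrelated hash: no hit expected.
    'kind="process" image="C:\\Program Files\\Kakao\\KakaoTalk\\KakaoTalk.exe" '
    'cmdline="KakaoTalk.exe" md5="d41d8cd98f00b204e9800998ecf8427e"',
]

if __name__ == "__main__":
    for idx, hits in triage(SAMPLE_LINES).items():
        print(idx, hits)
```

The hash and domain matches are exact IoC lookups and will go stale as the campaign rotates infrastructure; the three behavioural checks (self-relaunch, rundll32 loading a DLL from the Public folder, an executable running from the Public folder) are the part worth keeping in a detection rule, with an allow-list for legitimate installers that use the Public folder.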
