Amber IT Compromised : Malware Found; Threat Actor Claim

In a recent investigation, Bangladesh Cyber Security Intelligence (BCSI) identified a potential security breach involving Amber IT’s ticketing system. Following our initial post, Amber IT’s IT team commented on social media, claiming their ticketing system has been local and not online for the past years. We have since conducted a thorough re-investigation and present our updated findings and technical analysis.

Initial Incident:

Our cybersecurity researchers at BCSI discovered credentials and access details for Amber IT’s ticketing system panel being traded on a dark web forum. This prompted us to alert the public and Amber IT about the potential security risks, emphasizing the need for immediate action to safeguard sensitive data and maintain service integrity.

Amber IT’s IT team responded to our post via social media, stating:

“Amber IT’s ticketing system has been local and not online for the past years. The claims made are incorrect and seem to aim at creating unnecessary panic among our users.”

Re-Investigation and Findings

Taking Amber IT’s feedback into account, we removed the post and conducted a detailed re-investigation. Here are our findings

User Malware Infection:

Email: [email protected] 

Compromised PC Information:

IP Address:

File Location: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Username: NTP_ETB_321

Location: Dhaka, Bangladesh

HWID: 87A7F3C4888527D32E4C3BCCB14FE51C

Operating System: Windows 10 Enterprise x64

Antivirus: Windows Defender

Exposed Credentials:

During our re-investigation, we discovered the following exposed credentials linked to the compromised user at Amber IT:


Username: [email protected]

Password: sr*****95


Username: sydurrahman12345@

Password: sy*****45


Username: support

Password: s******rt


Username: [email protected]

Password: rah*****anuR


Username: 21029001

Password: 7*****6


Username: homeinternet

Password: Sm*****ter@22


Username: noor

Password: Helpdesk*****3


Username: [email protected]

Password: Sho*****23


Username: homesupport

Password: H0*****p0rtZbX


Username: [email protected]

Password: Sh*****r123

Our investigation revealed that the credentials shared by the threat actor were linked to a user whose PC was compromised by malware. The malware could potentially allow a hacker to gain access to local networks, including internal systems such as the ticketing system.

Technical Analysis: Malware and Local Network Compromise

Understanding Malware Impact:

When a user’s PC is compromised by malware, it can serve as a gateway for attackers to infiltrate local networks. 

Here’s how:

Tunneling: Attackers can use the compromised PC to create a tunnel, allowing them to bypass network security measures and access local network applications from outside the network. This technique enables attackers to exploit internal systems that are otherwise protected from direct external access.

Credential Theft: Malware can capture and transmit user credentials, granting attackers access to various systems and applications.

Network Spread: Malware can exploit network vulnerabilities, spreading to other devices and systems within the local network.

Data Exfiltration: Sensitive data, including internal communications and client details, can be extracted and misused by attackers.

Further Investigation: Telegram Threat Actor

During our continued investigation, another threat actor on Telegram claimed to have access to Amber IT’s network. The actor provided screenshots and SMS data of all users sent by AmberIT as evidence of their access. The threat actor claimed to possess SMS data of around 1,500,000 messages, containing numerous credentials. He also mentioned his intent to sell this data. Below are examples of the data provided by the threat actor.

Screenshots of SMS Data:

Further Investigation: Threat Actor Claims

Additionally, the threat actor claimed to have significant access to various systems within Amber IT and is willing to sell the acquired data. These claims include access to internal networks, sensitive applications, and user data. We are currently awaiting further evidence to substantiate these claims. We will continue to monitor the situation closely and post updates as more information becomes available.


Our investigation demonstrates that while the ticketing system may not have been directly accessible online, the malware infection on a user’s PC poses a severe risk to local network security. Additionally, evidence from a threat actor on Telegram suggests further network compromise.

In the future, we request everyone that email us with any queries rather than commenting on our page. And we have no intention of harming any business or creating panic. Our goal is to provide accurate and actionable threat intelligence to ensure the safety and security of all organizations.

“Collaboration eliminates coincidence.” – BCSI

Share this post
Scroll to Top