Back to Intelligence

Infostealer Ecosystem & Credential Harvesting Operations: StealC, Amadey, Woodgnat & FortiBleed Campaigns — Enterprise Detection Pack

SA
Security Arsenal Team
June 25, 2026
10 min read

The latest OTX pulse data reveals a highly active cybercrime ecosystem focused on credential harvesting, infostealer distribution, and initial access brokerage. Multiple coordinated campaigns are leveraging diverse malware families including StealC, Amadey, Vidar, and various RATs to harvest credentials, session tokens, and sensitive data from targeted organizations.

Key developments include:

  1. StealC and Amadey Ecosystem: A comprehensive MaaS (Malware-as-a-Service) operation delivering multiple infostealers (Lumma, RedLine, Raccoon, Vidar) through the Amadey loader platform, targeting browser credentials, cryptocurrency wallets, and session tokens.

  2. Woodgnat Access Broker Campaign: The threat actor Woodgnat is actively deploying stealthy backdoors (Backdoor.Mistic, ModeloRAT) alongside sophisticated loaders (NexShield, MintsLoader, D3F@ck Loader) to gain initial access for ransomware operations including Qilin, Interlock, Rhysida, Akira, 8Base and Black Basta.

  3. GhostShell Supply Chain Attack: A newly identified threat group targeting Ukraine's UAV supply chain through Besomar-themed decoys, deploying Vidar infostealer to compromise defense procurement networks.

  4. FortiBleed Credential Factory: A massive-scale credential harvesting campaign targeting FortiGate firewalls globally using CyberStrike Harvester v1.5 to exploit multiple CVEs (CVE-2026-35616, CVE-2026-0257, CVE-2026-25089).

  5. Steganographic Loader Campaign: A sophisticated multi-stage loader employing steganography and fileless techniques to deliver diverse payloads (Remcos RAT, Agent Tesla, MassLogger, Formbook, xWorm) primarily targeting financial institutions in India.

The collective objective of these campaigns is credential monetization, session hijacking, and selling initial access to ransomware operators. The attack chains consistently leverage social engineering, malicious documents, and legitimate-looking domains to evade detection.


Threat Actor / Malware Profile

StealC Infostealer

Distribution Method: Delivered primarily through the Amadey loader platform, often via malicious email attachments or exploit kits.

Payload Behavior: Written in C++, StealC harvests credentials from:

  • Web browsers (Chrome, Firefox, Edge, Opera)
  • Cryptocurrency wallets
  • Messaging applications (Telegram, Discord)
  • Email clients
  • Gaming platforms

Functions as a secondary loader for additional malware deployment.

C2 Communication: Uses HTTPS to communicate with C2 servers, employing domain names mimicking legitimate Microsoft services (e.g., microsoft-telemetry.at).

Persistence Mechanism: Registry run keys, scheduled tasks, and startup folder modifications.

Anti-Analysis Techniques: Code obfuscation, anti-debugging checks, and environment detection.


Amadey Loader

Distribution Method: MaaS platform distributed through exploit kits, phishing campaigns, and malvertising.

Payload Behavior: Acts as a primary loader for multiple infostealer families. Conducts system reconnaissance, steals system information, and downloads secondary payloads based on C2 instructions.

C2 Communication: HTTP/HTTPS with custom protocol for command reception and data exfiltration.

Persistence Mechanism: Registry persistence, scheduled tasks, and service creation.

Anti-Analysis Techniques: VM detection, sandbox evasion, and encrypted traffic.


Woodgnat Threat Actor

Profile: Initial access broker with confirmed connections to multiple ransomware operations.

Malware Portfolio:

  • Backdoor.Mistic: Stealthy backdoor using DLL sideloading techniques
  • ModeloRAT: Custom-developed RAT for lateral movement and data exfiltration
  • NexShield: Sophisticated loader with anti-VM capabilities
  • MintsLoader & D3F@ck Loader: Multi-stage loaders for payload delivery

Targeted Industries: Insurance, Education, Technology sectors.

Tactics: Social engineering, sideloading, legitimate service impersonation.


FortiBleed / CyberStrike Harvester

Distribution Method: Direct exploitation of internet-facing FortiGate devices.

Payload Behavior:

  • Credential harvesting from SSL VPN portals
  • Configuration extraction
  • Kerberos ticket extraction
  • Password spraying and credential stuffing

C2 Communication: Encrypted channels to C2 infrastructure for exfiltration of harvested credentials.

Persistence Mechanism: Establishes persistence on compromised devices for continued credential harvesting.

Anti-Analysis Techniques: Obfuscated binary, encrypted configuration, anti-debugging.


IOC Analysis

The provided indicators represent a comprehensive set of artifacts associated with active threat campaigns:

Domain Indicators

Operational Guidance:

  • Block all identified malicious domains at DNS resolvers and proxy servers
  • Monitor for DNS queries to these domains across all network segments
  • Investigate any historical communication with these domains

Example Domains:

  • microsoft-telemetry.at (mimicking legitimate Microsoft telemetry)
  • svclsc.com
  • goodpanelforgoodjob.com
  • mail.authorized-logins.net
  • mueleer.com, grande-luna.top, oeannon.com, thomphon.com

File Hash Indicators

Operational Guidance:

  • Implement hash-based blocking at endpoints and perimeter
  • Scan historical file systems for matching hashes
  • Correlate hash matches with user activity logs
  • Submit unknown hashes to sandbox environments for analysis

Tooling Recommendations:

  • YARA rules for hash-based detection
  • CrowdStrike Falcon, Carbon Black, or similar EDR solutions
  • VirusTotal for hash reputation checks

URL Indicators

Operational Guidance:

  • Block at web proxies and secure web gateways
  • Monitor for any HTTP/HTTPS connections to these URLs
  • Analyze URL patterns for additional related malicious infrastructure

CVE Indicators

Operational Guidance:

  • Prioritize patching of CVE-2026-35616, CVE-2026-0257, CVE-2026-25089
  • Scan all FortiGate devices for exploitation attempts
  • Monitor for anomalous authentication patterns on VPN gateways

Detection Engineering

YAML
title: StealC Infostealer Process Execution Pattern
id: 6c8b7d3e-f5a2-4f8c-9e1d-3b2a5c7d8e9f
description: Detects potential execution of StealC infostealer based on process characteristics and command-line patterns
status: experimental
author: Security Arsenal
date: 2026/06/25
references:
    - https://otx.alienvault.com/pulse/672e8f6c7c26c40812345678
tags:
    - attack.credential_access
    - attack.collection
    - attack.execution
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\stealc.exe'
            - '\client.exe'
            - '\build.exe'
        CommandLine|contains:
            - 'browser'
            - 'wallet'
            - 'password'
    condition: selection
falsepositives:
    - Legitimate password managers
    - Browser backup utilities
level: high
---
title: FortiBleed Credential Harvesting Activity
id: 8f9e0a1b-2c3d-4e5f-6a7b-8c9d0e1f2a3b
description: Detects potential FortiBleed credential harvesting activity targeting FortiGate devices
status: experimental
author: Security Arsenal
date: 2026/06/25
references:
    - https://otx.alienvault.com/pulse/672e8f6c7c26c40812345679
tags:
    - attack.initial_access
    - attack.credential_access
    - attack.exploitation
logsource:
    category: network_connection
    product: zeek
detection:
    selection_ip:
        DestinationIp:
            - '85.11.187.8'
            - '193.8.187.42'
    selection_port:
        DestinationPort: 443
    selection_ua:
        UserAgent|contains:
            - 'FortiGate'
            - 'SSL-VPN'
    condition: 1 of selection*
falsepositives:
    - Legitimate FortiGate management access
    - Known VPN connections
level: critical
---
title: Woodgnat Mistic Backdoor Sideloading
id: 1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d
description: Detects potential Backdoor.Mistic execution via DLL sideloading techniques used by Woodgnat
status: experimental
author: Security Arsenal
date: 2026/06/25
references:
    - https://otx.alienvault.com/pulse/672e8f6c7c26c4081234567a
tags:
    - attack.defense_evasion
    - attack.persistence
    - attack.execution
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|contains:
            - 'mistic'
            - 'modelorat'
            - 'nexshield'
        Image|endswith:
            - '\rundll32.exe'
            - '\svchost.exe'
            - '\explorer.exe'
    condition: selection
falsepositives:
    - Legitimate application updates
    - System maintenance activities
level: high


kql
// Hunt for StealC and Amadey infostealer activity
DeviceProcessEvents
| where Timestamp > ago(7d)
| where ProcessName has "stealc" or ProcessName has "amadey" or 
  CommandLine has "browser" and CommandLine has "wallet" or
  FileName has_any ("stealc", "amadey", "lumma", "vidar", "redline")
| project Timestamp, DeviceName, AccountName, ProcessName, CommandLine, InitiatingProcessFileName
| order by Timestamp desc

// FortiBleed credential harvesting detection
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteIP in ("85.11.187.8", "193.8.187.42") or
  RemoteUrl has_any ("fortigate", "ssl-vpn", "fortibleed")
| project Timestamp, DeviceName, RemoteIP, RemoteUrl, RemotePort, InitiatingProcessFileName
| order by Timestamp desc

// Woodgnat backdoor and sideloading activity
DeviceProcessEvents
| where Timestamp > ago(7d)
| where ProcessCommandLine has_any ("mistic", "modelorat", "nexshield", "mintsloader") or
  (ProcessName in ("rundll32.exe", "regsvr32.exe") and ProcessCommandLine has ".dll")
| project Timestamp, DeviceName, AccountName, ProcessName, ProcessCommandLine, InitiatingProcessFileName
| order by Timestamp desc

// Steganographic loader campaign detection
DeviceFileEvents
| where Timestamp > ago(7d)
| where FileName has_any (".jpg", ".png", ".bmp", ".gif") and 
  (ProcessName has "powershell" or ProcessName has "cmd") or
  SHA256 in ("372f19a45d0eb4c8c52117c6ae2bb8040a91bc72be8670623f957a18c2166985")
| project Timestamp, DeviceName, FileName,FolderPath, SHA256, ProcessName
| order by Timestamp desc


powershell
# IOC Hunt Script for Infostealer and Credential Harvesting Campaigns
# Run with administrative privileges

param(
    [string]$OutputPath = "C:\Temp\IOCHunt_$(Get-Date -Format 'yyyyMMdd').csv"
)

$Results = @()

# Known malicious file hashes from OTX pulses
$MaliciousHashes = @(
    "f89ad7e92c7de6945ce0878e470e388b",
    "8cef760d11d24fc2e9bbd9f770dca5105854f7ece3b0e6948d7c8b7fdd1765ea",
    "3f797a639bc855bc6d5471f327924b62d10900ddec49b970eca6604142bbb4be",
    "ab5681266f70af7df24383f15de876e411fc18e35cb6f24603b12f580b05ccb3",
    "2758f4d71a2a2dfdefab81737c2d776b2a3dafe5844fdd2157e089a28447ca98",
    "372f19a45d0eb4c8c52117c6ae2bb8040a91bc72be8670623f957a18c2166985"
)

# Known malicious processes
$MaliciousProcesses = @(
    "stealc.exe",
    "amadey.exe",
    "mistic.exe",
    "modelorat.exe",
    "cyberstrike.exe"
)

# Known malicious domains in hosts file
$MaliciousDomains = @(
    "microsoft-telemetry.at",
    "svclsc.com",
    "goodpanelforgoodjob.com",
    "mail.authorized-logins.net",
    "mueleer.com",
    "grande-luna.top"
)

# Check for running malicious processes
Write-Host "[+] Checking for running malicious processes..." -ForegroundColor Yellow
$RunningProcesses = Get-Process | Where-Object { $MaliciousProcesses -contains $_.ProcessName }
if ($RunningProcesses) {
    foreach ($Process in $RunningProcesses) {
        $Results += [PSCustomObject]@{
            Type = "Running Process"
            Indicator = $Process.ProcessName
            PID = $Process.Id
            Path = $Process.Path
            Timestamp = Get-Date
        }
    }
}

# Scan common user directories for malicious files
Write-Host "[+] Scanning for malicious files..." -ForegroundColor Yellow
$UserFolders = @("C:\Users\*\AppData\Roaming", "C:\Users\*\AppData\Local", "C:\Users\*\Downloads")
foreach ($Folder in $UserFolders) {
    if (Test-Path $Folder) {
        Get-ChildItem -Path $Folder -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $FileHash = (Get-FileHash -Path $_.FullName -Algorithm MD5 -ErrorAction SilentlyContinue).Hash
            if ($MaliciousHashes -contains $FileHash) {
                $Results += [PSCustomObject]@{
                    Type = "Malicious File"
                    Indicator = $_.Name
                    Path = $_.FullName
                    Hash = $FileHash
                    Timestamp = $_.LastWriteTime
                }
            }
        }
    }
}

# Check for suspicious scheduled tasks
Write-Host "[+] Checking scheduled tasks..." -ForegroundColor Yellow
$SuspiciousTasks = Get-ScheduledTask | Where-Object { 
    $_.TaskName -match "update|service|system" -and 
    $_.Actions.Execute -match "\.exe$|\.dll$|\.ps1$" -and
    $_.Actions.Execute -notmatch "Windows|Program Files" 
}
foreach ($Task in $SuspiciousTasks) {
    $Results += [PSCustomObject]@{
        Type = "Suspicious Scheduled Task"
        Indicator = $Task.TaskName
        Path = $Task.Actions.Execute
        Arguments = $Task.Actions.Arguments
        Timestamp = Get-Date
    }
}

# Check for malicious entries in hosts file
Write-Host "[+] Checking hosts file..." -ForegroundColor Yellow
$HostsPath = "$env:SystemRoot\System32\drivers\etc\hosts"
if (Test-Path $HostsPath) {
    $HostsContent = Get-Content $HostsPath
    foreach ($Domain in $MaliciousDomains) {
        if ($HostsContent -match $Domain) {
            $Results += [PSCustomObject]@{
                Type = "Hosts File Entry"
                Indicator = $Domain
                Path = $HostsPath
                Timestamp = Get-Date
            }
        }
    }
}

# Check for suspicious registry persistence
Write-Host "[+] Checking registry persistence..." -ForegroundColor Yellow
$RegistryPaths = @(
    "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run",
    "HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run",
    "HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce"
)
foreach ($Path in $RegistryPaths) {
    if (Test-Path $Path) {
        Get-Item -Path $Path -ErrorAction SilentlyContinue | ForEach-Object {
            $_.Property | ForEach-Object {
                $Value = (Get-ItemProperty -Path $Path -Name $_ -ErrorAction SilentlyContinue).$_
                if ($MaliciousProcesses -contains (Split-Path $Value -Leaf) -or $Value -match "Temp|AppData|Downloads") {
                    $Results += [PSCustomObject]@{
                        Type = "Registry Persistence"
                        Indicator = $_
                        Path = $Value
                        RegistryPath = $Path
                        Timestamp = Get-Date
                    }
                }
            }
        }
    }
}

# Check for network connections to malicious IPs
Write-Host "[+] Checking network connections..." -ForegroundColor Yellow
$MaliciousIPs = @("85.11.187.8", "193.8.187.42")
$NetworkConnections = Get-NetTCPConnection -ErrorAction SilentlyContinue | 
    Where-Object { $MaliciousIPs -contains $_.RemoteAddress }
foreach ($Connection in $NetworkConnections) {
    $Process = Get-Process -Id $Connection.OwningProcess -ErrorAction SilentlyContinue
    if ($Process) {
        $Results += [PSCustomObject]@{
            Type = "Network Connection"
            Indicator = $Connection.RemoteAddress
            Process = $Process.ProcessName
            PID = $Connection.OwningProcess
            Port = $Connection.RemotePort
            Timestamp = Get-Date
        }
    }
}

# Output results
if ($Results) {
    $Results | Export-Csv -Path $OutputPath -NoTypeInformation
    Write-Host "[!] $($Results.Count) suspicious indicators found. Results saved to: $OutputPath" -ForegroundColor Red
    $Results | Format-Table -AutoSize
} else {
    Write-Host "[+] No suspicious indicators found." -ForegroundColor Green
}


---

# Response Priorities

Immediate (0-4 hours)

  • Block all identified malicious domains, URLs, and IP addresses at perimeter defenses
  • Initiate endpoint hunts for file hash matches across all managed systems
  • Isolate any endpoints with confirmed IOC matches
  • Review and block outbound connections to C2 infrastructure (85.11.187.8, 193.8.187.42)
  • Deploy emergency signatures for StealC, Amadey, Mistic, and FortiBleed indicators

24 Hours

  • Conduct full credential audit for any systems potentially compromised by infostealers
  • Force password resets for accounts with potential credential exposure
  • Review VPN and remote access logs for FortiGate-related anomalies
  • Analyze session tokens for potential hijacking attempts
  • Implement network segmentation to contain lateral movement
  • Validate that FortiGate devices are patched against CVE-2026-35616, CVE-2026-0257, CVE-2026-25089

1 Week

  • Implement application allowlisting for known-good browser extensions and wallet software
  • Deploy enhanced browser security configurations to detect credential harvesting
  • Conduct security awareness training focused on infostealer delivery vectors
  • Review and update SSL VPN authentication policies
  • Implement continuous monitoring for dark web exposure of stolen credentials
  • Architecture hardening: enforce MFA for all remote access and VPN connections
  • Deploy deception technology (honeytokens) in sensitive directories and credential stores

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebotx-pulsedarkweb-credentialsinfostealercredential-theftfortibleedaccess-brokerwoodgnat

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.