The latest OTX pulse data reveals a highly active cybercrime ecosystem focused on credential harvesting, infostealer distribution, and initial access brokerage. Multiple coordinated campaigns are leveraging diverse malware families including StealC, Amadey, Vidar, and various RATs to harvest credentials, session tokens, and sensitive data from targeted organizations.
Key developments include:
-
StealC and Amadey Ecosystem: A comprehensive MaaS (Malware-as-a-Service) operation delivering multiple infostealers (Lumma, RedLine, Raccoon, Vidar) through the Amadey loader platform, targeting browser credentials, cryptocurrency wallets, and session tokens.
-
Woodgnat Access Broker Campaign: The threat actor Woodgnat is actively deploying stealthy backdoors (Backdoor.Mistic, ModeloRAT) alongside sophisticated loaders (NexShield, MintsLoader, D3F@ck Loader) to gain initial access for ransomware operations including Qilin, Interlock, Rhysida, Akira, 8Base and Black Basta.
-
GhostShell Supply Chain Attack: A newly identified threat group targeting Ukraine's UAV supply chain through Besomar-themed decoys, deploying Vidar infostealer to compromise defense procurement networks.
-
FortiBleed Credential Factory: A massive-scale credential harvesting campaign targeting FortiGate firewalls globally using CyberStrike Harvester v1.5 to exploit multiple CVEs (CVE-2026-35616, CVE-2026-0257, CVE-2026-25089).
-
Steganographic Loader Campaign: A sophisticated multi-stage loader employing steganography and fileless techniques to deliver diverse payloads (Remcos RAT, Agent Tesla, MassLogger, Formbook, xWorm) primarily targeting financial institutions in India.
The collective objective of these campaigns is credential monetization, session hijacking, and selling initial access to ransomware operators. The attack chains consistently leverage social engineering, malicious documents, and legitimate-looking domains to evade detection.
Threat Actor / Malware Profile
StealC Infostealer
Distribution Method: Delivered primarily through the Amadey loader platform, often via malicious email attachments or exploit kits.
Payload Behavior: Written in C++, StealC harvests credentials from:
- Web browsers (Chrome, Firefox, Edge, Opera)
- Cryptocurrency wallets
- Messaging applications (Telegram, Discord)
- Email clients
- Gaming platforms
Functions as a secondary loader for additional malware deployment.
C2 Communication: Uses HTTPS to communicate with C2 servers, employing domain names mimicking legitimate Microsoft services (e.g., microsoft-telemetry.at).
Persistence Mechanism: Registry run keys, scheduled tasks, and startup folder modifications.
Anti-Analysis Techniques: Code obfuscation, anti-debugging checks, and environment detection.
Amadey Loader
Distribution Method: MaaS platform distributed through exploit kits, phishing campaigns, and malvertising.
Payload Behavior: Acts as a primary loader for multiple infostealer families. Conducts system reconnaissance, steals system information, and downloads secondary payloads based on C2 instructions.
C2 Communication: HTTP/HTTPS with custom protocol for command reception and data exfiltration.
Persistence Mechanism: Registry persistence, scheduled tasks, and service creation.
Anti-Analysis Techniques: VM detection, sandbox evasion, and encrypted traffic.
Woodgnat Threat Actor
Profile: Initial access broker with confirmed connections to multiple ransomware operations.
Malware Portfolio:
- Backdoor.Mistic: Stealthy backdoor using DLL sideloading techniques
- ModeloRAT: Custom-developed RAT for lateral movement and data exfiltration
- NexShield: Sophisticated loader with anti-VM capabilities
- MintsLoader & D3F@ck Loader: Multi-stage loaders for payload delivery
Targeted Industries: Insurance, Education, Technology sectors.
Tactics: Social engineering, sideloading, legitimate service impersonation.
FortiBleed / CyberStrike Harvester
Distribution Method: Direct exploitation of internet-facing FortiGate devices.
Payload Behavior:
- Credential harvesting from SSL VPN portals
- Configuration extraction
- Kerberos ticket extraction
- Password spraying and credential stuffing
C2 Communication: Encrypted channels to C2 infrastructure for exfiltration of harvested credentials.
Persistence Mechanism: Establishes persistence on compromised devices for continued credential harvesting.
Anti-Analysis Techniques: Obfuscated binary, encrypted configuration, anti-debugging.
IOC Analysis
The provided indicators represent a comprehensive set of artifacts associated with active threat campaigns:
Domain Indicators
Operational Guidance:
- Block all identified malicious domains at DNS resolvers and proxy servers
- Monitor for DNS queries to these domains across all network segments
- Investigate any historical communication with these domains
Example Domains:
microsoft-telemetry.at(mimicking legitimate Microsoft telemetry)svclsc.comgoodpanelforgoodjob.commail.authorized-logins.netmueleer.com,grande-luna.top,oeannon.com,thomphon.com
File Hash Indicators
Operational Guidance:
- Implement hash-based blocking at endpoints and perimeter
- Scan historical file systems for matching hashes
- Correlate hash matches with user activity logs
- Submit unknown hashes to sandbox environments for analysis
Tooling Recommendations:
- YARA rules for hash-based detection
- CrowdStrike Falcon, Carbon Black, or similar EDR solutions
- VirusTotal for hash reputation checks
URL Indicators
Operational Guidance:
- Block at web proxies and secure web gateways
- Monitor for any HTTP/HTTPS connections to these URLs
- Analyze URL patterns for additional related malicious infrastructure
CVE Indicators
Operational Guidance:
- Prioritize patching of CVE-2026-35616, CVE-2026-0257, CVE-2026-25089
- Scan all FortiGate devices for exploitation attempts
- Monitor for anomalous authentication patterns on VPN gateways
Detection Engineering
title: StealC Infostealer Process Execution Pattern
id: 6c8b7d3e-f5a2-4f8c-9e1d-3b2a5c7d8e9f
description: Detects potential execution of StealC infostealer based on process characteristics and command-line patterns
status: experimental
author: Security Arsenal
date: 2026/06/25
references:
- https://otx.alienvault.com/pulse/672e8f6c7c26c40812345678
tags:
- attack.credential_access
- attack.collection
- attack.execution
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '\stealc.exe'
- '\client.exe'
- '\build.exe'
CommandLine|contains:
- 'browser'
- 'wallet'
- 'password'
condition: selection
falsepositives:
- Legitimate password managers
- Browser backup utilities
level: high
---
title: FortiBleed Credential Harvesting Activity
id: 8f9e0a1b-2c3d-4e5f-6a7b-8c9d0e1f2a3b
description: Detects potential FortiBleed credential harvesting activity targeting FortiGate devices
status: experimental
author: Security Arsenal
date: 2026/06/25
references:
- https://otx.alienvault.com/pulse/672e8f6c7c26c40812345679
tags:
- attack.initial_access
- attack.credential_access
- attack.exploitation
logsource:
category: network_connection
product: zeek
detection:
selection_ip:
DestinationIp:
- '85.11.187.8'
- '193.8.187.42'
selection_port:
DestinationPort: 443
selection_ua:
UserAgent|contains:
- 'FortiGate'
- 'SSL-VPN'
condition: 1 of selection*
falsepositives:
- Legitimate FortiGate management access
- Known VPN connections
level: critical
---
title: Woodgnat Mistic Backdoor Sideloading
id: 1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d
description: Detects potential Backdoor.Mistic execution via DLL sideloading techniques used by Woodgnat
status: experimental
author: Security Arsenal
date: 2026/06/25
references:
- https://otx.alienvault.com/pulse/672e8f6c7c26c4081234567a
tags:
- attack.defense_evasion
- attack.persistence
- attack.execution
logsource:
category: image_load
product: windows
detection:
selection:
ImageLoaded|contains:
- 'mistic'
- 'modelorat'
- 'nexshield'
Image|endswith:
- '\rundll32.exe'
- '\svchost.exe'
- '\explorer.exe'
condition: selection
falsepositives:
- Legitimate application updates
- System maintenance activities
level: high
kql
// Hunt for StealC and Amadey infostealer activity
DeviceProcessEvents
| where Timestamp > ago(7d)
| where ProcessName has "stealc" or ProcessName has "amadey" or
CommandLine has "browser" and CommandLine has "wallet" or
FileName has_any ("stealc", "amadey", "lumma", "vidar", "redline")
| project Timestamp, DeviceName, AccountName, ProcessName, CommandLine, InitiatingProcessFileName
| order by Timestamp desc
// FortiBleed credential harvesting detection
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteIP in ("85.11.187.8", "193.8.187.42") or
RemoteUrl has_any ("fortigate", "ssl-vpn", "fortibleed")
| project Timestamp, DeviceName, RemoteIP, RemoteUrl, RemotePort, InitiatingProcessFileName
| order by Timestamp desc
// Woodgnat backdoor and sideloading activity
DeviceProcessEvents
| where Timestamp > ago(7d)
| where ProcessCommandLine has_any ("mistic", "modelorat", "nexshield", "mintsloader") or
(ProcessName in ("rundll32.exe", "regsvr32.exe") and ProcessCommandLine has ".dll")
| project Timestamp, DeviceName, AccountName, ProcessName, ProcessCommandLine, InitiatingProcessFileName
| order by Timestamp desc
// Steganographic loader campaign detection
DeviceFileEvents
| where Timestamp > ago(7d)
| where FileName has_any (".jpg", ".png", ".bmp", ".gif") and
(ProcessName has "powershell" or ProcessName has "cmd") or
SHA256 in ("372f19a45d0eb4c8c52117c6ae2bb8040a91bc72be8670623f957a18c2166985")
| project Timestamp, DeviceName, FileName,FolderPath, SHA256, ProcessName
| order by Timestamp desc
powershell
# IOC Hunt Script for Infostealer and Credential Harvesting Campaigns
# Run with administrative privileges
param(
[string]$OutputPath = "C:\Temp\IOCHunt_$(Get-Date -Format 'yyyyMMdd').csv"
)
$Results = @()
# Known malicious file hashes from OTX pulses
$MaliciousHashes = @(
"f89ad7e92c7de6945ce0878e470e388b",
"8cef760d11d24fc2e9bbd9f770dca5105854f7ece3b0e6948d7c8b7fdd1765ea",
"3f797a639bc855bc6d5471f327924b62d10900ddec49b970eca6604142bbb4be",
"ab5681266f70af7df24383f15de876e411fc18e35cb6f24603b12f580b05ccb3",
"2758f4d71a2a2dfdefab81737c2d776b2a3dafe5844fdd2157e089a28447ca98",
"372f19a45d0eb4c8c52117c6ae2bb8040a91bc72be8670623f957a18c2166985"
)
# Known malicious processes
$MaliciousProcesses = @(
"stealc.exe",
"amadey.exe",
"mistic.exe",
"modelorat.exe",
"cyberstrike.exe"
)
# Known malicious domains in hosts file
$MaliciousDomains = @(
"microsoft-telemetry.at",
"svclsc.com",
"goodpanelforgoodjob.com",
"mail.authorized-logins.net",
"mueleer.com",
"grande-luna.top"
)
# Check for running malicious processes
Write-Host "[+] Checking for running malicious processes..." -ForegroundColor Yellow
$RunningProcesses = Get-Process | Where-Object { $MaliciousProcesses -contains $_.ProcessName }
if ($RunningProcesses) {
foreach ($Process in $RunningProcesses) {
$Results += [PSCustomObject]@{
Type = "Running Process"
Indicator = $Process.ProcessName
PID = $Process.Id
Path = $Process.Path
Timestamp = Get-Date
}
}
}
# Scan common user directories for malicious files
Write-Host "[+] Scanning for malicious files..." -ForegroundColor Yellow
$UserFolders = @("C:\Users\*\AppData\Roaming", "C:\Users\*\AppData\Local", "C:\Users\*\Downloads")
foreach ($Folder in $UserFolders) {
if (Test-Path $Folder) {
Get-ChildItem -Path $Folder -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
$FileHash = (Get-FileHash -Path $_.FullName -Algorithm MD5 -ErrorAction SilentlyContinue).Hash
if ($MaliciousHashes -contains $FileHash) {
$Results += [PSCustomObject]@{
Type = "Malicious File"
Indicator = $_.Name
Path = $_.FullName
Hash = $FileHash
Timestamp = $_.LastWriteTime
}
}
}
}
}
# Check for suspicious scheduled tasks
Write-Host "[+] Checking scheduled tasks..." -ForegroundColor Yellow
$SuspiciousTasks = Get-ScheduledTask | Where-Object {
$_.TaskName -match "update|service|system" -and
$_.Actions.Execute -match "\.exe$|\.dll$|\.ps1$" -and
$_.Actions.Execute -notmatch "Windows|Program Files"
}
foreach ($Task in $SuspiciousTasks) {
$Results += [PSCustomObject]@{
Type = "Suspicious Scheduled Task"
Indicator = $Task.TaskName
Path = $Task.Actions.Execute
Arguments = $Task.Actions.Arguments
Timestamp = Get-Date
}
}
# Check for malicious entries in hosts file
Write-Host "[+] Checking hosts file..." -ForegroundColor Yellow
$HostsPath = "$env:SystemRoot\System32\drivers\etc\hosts"
if (Test-Path $HostsPath) {
$HostsContent = Get-Content $HostsPath
foreach ($Domain in $MaliciousDomains) {
if ($HostsContent -match $Domain) {
$Results += [PSCustomObject]@{
Type = "Hosts File Entry"
Indicator = $Domain
Path = $HostsPath
Timestamp = Get-Date
}
}
}
}
# Check for suspicious registry persistence
Write-Host "[+] Checking registry persistence..." -ForegroundColor Yellow
$RegistryPaths = @(
"HKLM:\Software\Microsoft\Windows\CurrentVersion\Run",
"HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce",
"HKCU:\Software\Microsoft\Windows\CurrentVersion\Run",
"HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce"
)
foreach ($Path in $RegistryPaths) {
if (Test-Path $Path) {
Get-Item -Path $Path -ErrorAction SilentlyContinue | ForEach-Object {
$_.Property | ForEach-Object {
$Value = (Get-ItemProperty -Path $Path -Name $_ -ErrorAction SilentlyContinue).$_
if ($MaliciousProcesses -contains (Split-Path $Value -Leaf) -or $Value -match "Temp|AppData|Downloads") {
$Results += [PSCustomObject]@{
Type = "Registry Persistence"
Indicator = $_
Path = $Value
RegistryPath = $Path
Timestamp = Get-Date
}
}
}
}
}
}
# Check for network connections to malicious IPs
Write-Host "[+] Checking network connections..." -ForegroundColor Yellow
$MaliciousIPs = @("85.11.187.8", "193.8.187.42")
$NetworkConnections = Get-NetTCPConnection -ErrorAction SilentlyContinue |
Where-Object { $MaliciousIPs -contains $_.RemoteAddress }
foreach ($Connection in $NetworkConnections) {
$Process = Get-Process -Id $Connection.OwningProcess -ErrorAction SilentlyContinue
if ($Process) {
$Results += [PSCustomObject]@{
Type = "Network Connection"
Indicator = $Connection.RemoteAddress
Process = $Process.ProcessName
PID = $Connection.OwningProcess
Port = $Connection.RemotePort
Timestamp = Get-Date
}
}
}
# Output results
if ($Results) {
$Results | Export-Csv -Path $OutputPath -NoTypeInformation
Write-Host "[!] $($Results.Count) suspicious indicators found. Results saved to: $OutputPath" -ForegroundColor Red
$Results | Format-Table -AutoSize
} else {
Write-Host "[+] No suspicious indicators found." -ForegroundColor Green
}
---
# Response Priorities
Immediate (0-4 hours)
- Block all identified malicious domains, URLs, and IP addresses at perimeter defenses
- Initiate endpoint hunts for file hash matches across all managed systems
- Isolate any endpoints with confirmed IOC matches
- Review and block outbound connections to C2 infrastructure (85.11.187.8, 193.8.187.42)
- Deploy emergency signatures for StealC, Amadey, Mistic, and FortiBleed indicators
24 Hours
- Conduct full credential audit for any systems potentially compromised by infostealers
- Force password resets for accounts with potential credential exposure
- Review VPN and remote access logs for FortiGate-related anomalies
- Analyze session tokens for potential hijacking attempts
- Implement network segmentation to contain lateral movement
- Validate that FortiGate devices are patched against CVE-2026-35616, CVE-2026-0257, CVE-2026-25089
1 Week
- Implement application allowlisting for known-good browser extensions and wallet software
- Deploy enhanced browser security configurations to detect credential harvesting
- Conduct security awareness training focused on infostealer delivery vectors
- Review and update SSL VPN authentication policies
- Implement continuous monitoring for dark web exposure of stolen credentials
- Architecture hardening: enforce MFA for all remote access and VPN connections
- Deploy deception technology (honeytokens) in sensitive directories and credential stores
Related Resources
Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.