Infostealer Surge & Access Broker Operations: StealC, Amadey, and Mistic Backdoor Analysis

Security Arsenal Team
June 28, 2026

Excerpt

OTX pulses reveal active StealC, Amadey, and Mistic campaigns targeting credentials. Urgent detection engineering for infostealers and access brokers.

Threat Summary

Recent OTX pulses paint a concerning picture of a converged threat landscape where commoditized infostealers operate alongside sophisticated access brokers. The data highlights a dual-track campaign: widespread distribution of StealC and Amadey—malware-as-a-service (MaaS) platforms designed for bulk credential harvesting—and targeted intrusions by Woodgnat, an initial access broker deploying the stealthy Mistic backdoor and ModeloRAT to pave the way for ransomware affiliates (Qilin, Black Basta).

While Operation Endgame has disrupted portions of the Amadey and StealC infrastructure, the continued activity shows how resilient these MaaS operations are. Concurrently, threat actor JINX-0164 is actively targeting cryptocurrency developers via LinkedIn phishing and compromised NPM packages (AUDIOFIX, MINIRAT), while the North Korean group Kimsuky continues to evolve KimJongRAT through GitHub lures targeting Japan. The common objective across these disparate actors is the theft of session tokens and credentials to facilitate lateral movement and financial theft.

Threat Actor / Malware Profile

StealC & Amadey

  • Actor: Unknown Cybercrime Syndicates (MaaS).
  • Distribution: Phishing attachments, fake software updates, and malvertising.
  • Behavior: StealC (C++) targets browsers, wallets, and 2FA extensions. Amadey (S1025) acts as a botnet/loader, downloading additional payloads.
  • C2: HTTP/HTTPS communication to hardcoded domains (e.g., microsoft-telemetry.at, svclsc.com).
  • Persistence: Scheduled tasks, Registry Run keys.
  • Technique: Steals cookies and session tokens to bypass MFA.

Woodgnat (Mistic & ModeloRAT)

  • Actor: Woodgnat (Access Broker).
  • Affiliation: Linked to Qilin, Interlock, Rhysida, Akira, 8Base, and Black Basta.
  • Distribution: Social engineering and sideloading.
  • Behavior: Mistic is a stealthy backdoor; ModeloRAT provides remote access. Used specifically to sell access to networks for ransomware operators.
  • Targeting: Insurance, Education, Technology sectors.

JINX-0164

  • Actor: Financially motivated group.
  • Targeting: Cryptocurrency industry (DevOps/Developers).
  • Payloads: AUDIOFIX (Python RAT), MINIRAT (Go backdoor).
  • Vector: Supply chain compromise (NPM), LinkedIn recruitment scams.

Kimsuky

  • Actor: North Korean APT.
  • Tool: KimJongRAT (evolving via LOTS, living off trusted sites).
  • Vector: GitHub phishing repositories and shortened URLs.

IOC Analysis

The pulses provide a rich set of indicators spanning the full attack chain:

  • Domains & URLs: Typosquatting domains like microsoft-telemetry.at and svclsc.com are used for C2 and payload delivery. JINX-0164 uses login.teamicrosoft.com and teams.live.us.org for credential phishing.
  • IP Addresses: Specific C2 infrastructure (e.g., 176.124.199.207, 94.154.35.25) associated with the disrupted Amadey/StealC botnets. Block these immediately: residual infrastructure can remain active after a takedown.
  • File Hashes: SHA256 hashes for StealC (8cef760d...), Mistic (3f797a6...), and KimJongRAT (9758e76...).
  • Operationalization: SOC teams should load these hashes into EDR quarantine lists and block the domains on secure web gateways. The URLs suggest specific infection paths (e.g., /ms/index.php) which can be used in IDS signatures.

Detection Engineering

Sigma Rules

YAML
---
title: Potential StealC or Amadey Infostealer Activity
id: 867e2d0b-8d5f-4b6a-9e0b-1a2b3c4d5e6f
status: experimental
description: Detects behavior consistent with StealC or Amadey infostealers, specifically suspicious access to browser credential stores or SQLite databases by non-browser processes.
references:
    - https://otx.alienvault.com/pulse/667b1a9b9e4b0a8f8a0b1c2d
author: Security Arsenal Research
date: 2026/06/28
modified: 2026/06/28
tags:
    - attack.credential_access
    - attack.t1555.003
logsource:
    category: file_access
    product: windows
detection:
    selection:
        TargetFilename|contains:
            - '\Google\Chrome\User Data\Default\Cookies'
            - '\Google\Chrome\User Data\Default\Login Data'
            - '\Mozilla\Firefox\Profiles\'
            - '\AppData\Roaming\Opera Software\Opera Stable\Login Data'
    filter_main_browsers:
        Image|endswith:
            - '\chrome.exe'
            - '\firefox.exe'
            - '\opera.exe'
            - '\msedge.exe'
            - '\brave.exe'
    condition: selection and not filter_main_browsers
falsepositives:
    - Legitimate backup software accessing browser data
level: high
---
title: Suspicious Sideloading Behavior Linked to Woodgnat/Mistic
id: 92f3e1c4-7a6b-4d8e-9f1c-2b3c4d5e6f70
status: experimental
description: Detects a DLL loaded from a user-writable directory by a process that is not running from a standard install directory, a pattern consistent with the DLL sideloading used by the Mistic backdoor and similar tools. Note that in Sysmon image_load events the Signed field describes the loaded DLL, not the loading process.
references:
    - https://otx.alienvault.com/pulse/667c2d9b9e4b0a8f8a0b1c2e
author: Security Arsenal Research
date: 2026/06/28
tags:
    - attack.defense_evasion
    - attack.t1574.002
logsource:
    category: image_load
    product: windows
detection:
    selection_signed:
        Signed: 'true'
        ImageLoaded|contains:
            - '\AppData\Local\Temp\'
            - '\AppData\Roaming\'
            - '\Downloads\'
            - '\Public\'
    selection_extensions:
        ImageLoaded|endswith: '.dll'
    filter_legit:
        Image|contains:
            - '\Windows\System32\'
            - '\Windows\SysWOW64\'
            - '\Program Files\'
    condition: selection_signed and selection_extensions and not filter_legit
falsepositives:
    - Legitimate software installers
level: high
---
title: JINX-0164 Cryptocurrency Dev Targeting via NPM or Script
id: 13a4b2d5-8c7e-5f9a-0g2h-3c4d5e6f7g80
status: experimental
description: Detects execution patterns associated with JINX-0164 targeting crypto devs, including npm installs from non-standard sources or script download anomalies.
references:
    - https://otx.alienvault.com/pulse/667e4f9b9e4b0a8f8a0b1c30
author: Security Arsenal Research
date: 2026/06/28
tags:
    - attack.initial_access
    - attack.t1195.002
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_npm:
        Image|endswith: '\npm.cmd'
        CommandLine|contains: 'install'
    selection_suspicious_url:
        CommandLine|contains:
            - 'driver-updater.net'
            - 'live.ong'
            - 'teamicrosoft.com'
    selection_script:
        Image|endswith:
            - '\powershell.exe'
            - '\python.exe'
        CommandLine|contains:
            - 'install.sh'
            - 'troubleshoot/mac/'
    # npm installs alone are routine; require a listed domain on the command line, as the description states
    condition: (selection_npm and selection_suspicious_url) or selection_script
falsepositives:
    - Legitimate developer npm install workflows (verify domain)
level: medium
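
To see how the first rule's condition behaves, here is an added Python re-implementation (not the post's own code) run over constructed file_access events; the `harden` flag is a hypothetical extension that also requires a browser image to run from an install directory before the browser filter applies.

```python
"""Added example: evaluate 'selection and not filter_main_browsers' from the StealC/Amadey rule."""

CRED_STORE_PATTERNS = (
    "\\Google\\Chrome\\User Data\\Default\\Cookies",
    "\\Google\\Chrome\\User Data\\Default\\Login Data",
    "\\Mozilla\\Firefox\\Profiles\\",
    "\\AppData\\Roaming\\Opera Software\\Opera Stable\\Login Data",
)
BROWSER_IMAGES = ("\\chrome.exe", "\\firefox.exe", "\\opera.exe", "\\msedge.exe", "\\brave.exe")
# Hypothetical hardening (not in the rule): a browser image is only trusted when it runs
# from an install directory, so a copy under Temp no longer satisfies the filter.
TRUSTED_BROWSER_DIRS = ("\\Program Files\\", "\\Program Files (x86)\\",
                        "\\AppData\\Local\\Google\\Chrome\\Application\\")

def rule_fires(event: dict, harden: bool = False) -> bool:
    """Sigma string matching is case-insensitive, so compare lowercased values."""
    target = event.get("TargetFilename", "").lower()
    image = event.get("Image", "").lower()
    selection = any(p.lower() in target for p in CRED_STORE_PATTERNS)
    if not selection:
        return False
    filter_main_browsers = any(image.endswith(b) for b in BROWSER_IMAGES)
    if harden and filter_main_browsers:
        filter_main_browsers = any(d.lower() in image for d in TRUSTED_BROWSER_DIRS)
    return not filter_main_browsers

# Constructed events in the shape of a Sysmon/EDR file_access record.
EVENTS = [
    {"Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"},
    {"Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\build.exe",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies"},
    {"Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\chrome.exe",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\x1.default\\logins.json"},
    {"Image": "C:\\Windows\\System32\\notepad.exe",
     "TargetFilename": "C:\\Users\\alice\\Documents\\notes.txt"},
]

def firing_images(events, harden=False):
    """Return the Image of every event the rule fires on."""
    return [e["Image"] for e in events if rule_fires(e, harden)]

if __name__ == "__main__":
    print("rule as written:", firing_images(EVENTS))
    print("hardened:", firing_images(EVENTS, harden=True))
```

The third event shows why the hardening matters: the rule as written trusts any image whose name ends in chrome.exe, wherever it runs from.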

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for StealC, Amadey, and Woodgnat C2 Infrastructure
// Note: RemoteUrl is compared exactly below; if your tenant records full URLs or
// subdomains, use RemoteUrl has_any (...) with the same list instead.
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl in (
    'microsoft-telemetry.at',
    'svclsc.com',
    'goodpanelforgoodjob.com',
    'authorized-logins.net',
    'mueleer.com',
    'grande-luna.top',
    'oeannon.com',
    'thomphon.com',
    'human-check.top',
    'update-fall.com',
    'driver-updater.net',
    'teamicrosoft.com',
    'live.ong',
    'live.us.org'
) or RemoteIP in (
    '176.124.199.207',
    '176.111.174.140',
    '62.60.226.159',
    '94.154.35.25',
    '64.188.91.237',
    '196.251.107.130',
    '89.36.224.5',
    '104.200.67.46'
)
| summarize Count=count(), FirstSeen=min(Timestamp), LastSeen=max(Timestamp) by DeviceName, RemoteUrl, RemoteIP, InitiatingProcessAccountName
| project-reorder Count, DeviceName, RemoteUrl, RemoteIP
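
As an added example (not the post's or the KQL's own code), the following Python checks constructed proxy-log lines against the domains listed above and the /ms/index.php path from the IOC section; unlike the exact match in the KQL, it treats a subdomain of a listed domain as a hit while rejecting look-alikes that merely end in the same characters.

```python
"""Added example (not the post's code): flag proxy-log URLs that hit the post's C2 domains or infection path."""
from urllib.parse import urlsplit

# Domains taken from the post's IOC section and KQL block.
C2_DOMAINS = {
    "microsoft-telemetry.at", "svclsc.com", "authorized-logins.net",
    "update-fall.com", "driver-updater.net", "teamicrosoft.com", "live.us.org",
}
SUSPICIOUS_PATHS = {"/ms/index.php"}  # infection path quoted in the IOC section

# Constructed sample log lines: "<timestamp> <device> <user> <url>"
SAMPLE_LOG = """\
2026-06-28T09:01:12Z WS-0142 alice https://cdn.svclsc.com/ms/index.php
2026-06-28T09:02:40Z WS-0142 alice https://www.example.com/index.php
2026-06-28T09:03:05Z WS-0207 bob http://microsoft-telemetry.at:8080/update
2026-06-28T09:04:19Z WS-0311 carol https://login.teamicrosoft.com/auth
2026-06-28T09:05:55Z WS-0311 carol https://notteamicrosoft.com/
2026-06-28T09:06:02Z WS-0099 dave https://legit.example.org/ms/index.php
"""

def host_matches(hostname: str) -> str:
    """Return the listed domain that hostname equals or is a subdomain of, else ""."""
    hostname = hostname.lower().rstrip(".")
    for dom in C2_DOMAINS:
        # Require a label boundary so look-alikes such as notteamicrosoft.com do not match.
        if hostname == dom or hostname.endswith("." + dom):
            return dom
    return ""

def classify(url: str) -> list:
    """Return the reasons a URL is flagged (empty list when clean)."""
    parts = urlsplit(url)
    reasons = []
    dom = host_matches(parts.hostname or "")
    if dom:
        reasons.append("domain:" + dom)
    if parts.path in SUSPICIOUS_PATHS:  # path alone is a weaker, standalone signal
        reasons.append("path:" + parts.path)
    return reasons

def scan_log(text: str) -> list:
    """Return (device, url, reasons) for every flagged line of a log."""
    hits = []
    for line in text.splitlines():
        _ts, device, _user, url = line.split(maxsplit=3)
        reasons = classify(url)
        if reasons:
            hits.append((device, url, reasons))
    return hits
```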

PowerShell Hunt Script

PowerShell
# Hunt for Mistic/StealC Persistence and C2 Connections
Write-Host "Checking for C2 Connections associated with OTX Pulses..." -ForegroundColor Cyan

$BadIPs = @(
    "176.124.199.207", "176.111.174.140", "62.60.226.159", 
    "94.154.35.25", "64.188.91.237", "196.251.107.130", 
    "89.36.224.5", "104.200.67.46"
)

$BadDomains = @(
    "microsoft-telemetry.at", "svclsc.com", "authorized-logins.net",
    "update-fall.com", "googleoba.servequake.com"
)

# Check Active TCP Connections
$Connections = Get-NetTCPConnection -State Established | 
    Where-Object { $BadIPs -contains $_.RemoteAddress } | 
    Select-Object LocalAddress, RemoteAddress, RemotePort, OwningProcess

if ($Connections) {
    Write-Host "[!] ALERT: Found connections to malicious IPs:" -ForegroundColor Red
    $Connections | Format-Table
} else {
    Write-Host "No connections to known malicious IPs found." -ForegroundColor Green
}

# Check the local DNS client cache for lookups of the listed C2 domains (or their subdomains)
Write-Host "`nChecking DNS client cache for known C2 domains..." -ForegroundColor Cyan
$DnsHits = Get-DnsClientCache -ErrorAction SilentlyContinue |
    Where-Object {
        $entry = $_.Entry
        @($BadDomains | Where-Object { $entry -eq $_ -or $entry -like "*.$_" }).Count -gt 0
    } |
    Select-Object Entry, Data

if ($DnsHits) {
    Write-Host "[!] ALERT: Found cached DNS lookups for known C2 domains:" -ForegroundColor Red
    $DnsHits | Format-Table
} else {
    Write-Host "No cached lookups for known C2 domains found." -ForegroundColor Green
}

# Check for Suspicious Scheduled Tasks (Common in StealC/Amadey)
Write-Host "`nChecking for Suspicious Scheduled Tasks..." -ForegroundColor Cyan
$SuspiciousTasks = Get-ScheduledTask | 
    Where-Object { $_.Actions.Execute -like "*powershell*" -or $_.Actions.Execute -like "*cmd*" } |
    Where-Object { $_.Actions.Arguments -match "http(s)?://(microsoft-telemetry|svclsc|authorized-logins)" }

if ($SuspiciousTasks) {
    Write-Host "[!] ALERT: Found suspicious scheduled tasks:" -ForegroundColor Red
    $SuspiciousTasks | Select-Object TaskName, Actions | Format-List
} else {
    Write-Host "No suspicious scheduled tasks found." -ForegroundColor Green
}

# File Hash Check for Known Malware Samples
Write-Host "`nScanning for known malware file hashes in user directories..." -ForegroundColor Cyan
$KnownHashes = @(
    "8cef760d11d24fc2e9bbd9f770dca5105854f7ece3b0e6948d7c8b7fdd1765ea", # StealC
    "3f797a639bc855bc6d5471f327924b62d10900ddec49b970eca6604142bbb4be", # Mistic
    "b6cab0b3aa8e56e2427f486c74588d598ae58bb0cbc0eda6939fe171cb0aed17", # AUDIOFIX
    "9758e76b601798a30d903bf05052a53df80451e5c156548ce9da828f608b6470"  # KimJongRAT
)

$UserDirs = @("C:\Users\*\Downloads", "C:\Users\*\AppData\Local\Temp", "C:\Users\*\AppData\Roaming")
$FoundFiles = @()

foreach ($dir in $UserDirs) {
    if (Test-Path $dir) {
        # -File skips directories so only regular files are hashed
        Get-ChildItem -Path $dir -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            if ($_.Length -gt 0 -and $_.Length -lt 10MB) {
                $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
                if ($KnownHashes -contains $hash) {
                    $FoundFiles += $_
                }
            }
        }
    }
}

if ($FoundFiles) {
    Write-Host "[!] CRITICAL: Found known malware samples!" -ForegroundColor Red
    $FoundFiles | Select-Object FullName, Length | Format-Table
} else {
    Write-Host "No known malware files found in common directories." -ForegroundColor Green
}

Response Priorities

  • Immediate:
    • Block all listed domains and IP addresses at the perimeter and proxy level.
    • Quarantine endpoints matching the provided file hashes.
    • Hunt for active network connections to the identified C2 IPs (176.124.199.207, 104.200.67.46).
  • 24 Hours:
    • Conduct a credential audit for users who may have interacted with the phishing lures (LinkedIn, GitHub, Email).
    • Force reset of passwords and revoke session tokens for accounts potentially accessed via infostealers (specifically targeting admin/privileged accounts).
    • Review software development environments for unauthorized NPM packages or script modifications (JINX-0164).
  • 1 Week:
    • Implement application signing enforcement to prevent sideloading (Mistic/ModeloRAT vector).
    • Review and restrict access to GitHub Releases and unverified NPM repositories for developer workstations.
    • Enhance EDR telemetry to detect browser database access by non-browser processes.
