Operation Endgame Aftermath, Woodgnat & JINX-0164: Multi-Vector Infostealer & AI Infrastructure Exploitation

Security Arsenal Team
June 29, 2026

Current OTX pulse data reveals a highly volatile threat landscape characterized by the convergence of ransomware initial access brokers, state-sponsored espionage, and financially motivated supply chain attacks. The intelligence highlights three distinct but overlapping campaigns:

  1. The Operation Endgame Aftermath: Following the disruption of the Amadey botnet and Stealc infostealer infrastructure, residual command and control (C2) servers remain active, posing continued risks of credential exfiltration.
  2. Woodgnat & IAB Escalation: The threat actor "Woodgnat" is actively deploying the new "Mistic" backdoor alongside ModeloRAT, specifically targeting the Insurance, Education, and Technology sectors to facilitate ransomware deployment (Qilin, Black Basta).
  3. Emerging Infrastructure Threats: The financially motivated actor JINX-0164 is exploiting the cryptocurrency software supply chain via LinkedIn, while a new active exploitation campaign targets Langflow AI pipelines (CVE-2026-55255) to deploy botnets and steal credentials from multi-tenant environments.

Collectively, these actors prioritize credential harvesting and the maintenance of initial-access footholds that can be sold on or handed to ransomware affiliates.

Threat Actor / Malware Profile

  • Woodgnat (Threat Actor):

    • Objective: Initial Access Broker (IAB) for ransomware gangs (Qilin, Akira).
    • Malware: Backdoor.Mistic, ModeloRAT, MintsLoader.
    • Behavior: Uses sideloading and social engineering. Mistic provides stealthy remote access, while ModeloRAT acts as a secondary payload.
    • C2: Uses domains mimicking legitimate services (e.g., authorized-logins.net).
  • Kimsuky (APT Actor):

    • Objective: Espionage and credential theft (targeting Japan).
    • Malware: KimJongRAT, MeshAgent.
    • Behavior: Leverages GitHub and LOTS (Living Off The Trusted Sites) for distribution. Delivers via phishing emails with shortened URLs to malicious GitHub Releases.
    • C2: Communicates via custom C2 domains (e.g., servequake.com).
  • JINX-0164 (Threat Actor):

    • Objective: Financial theft via Crypto-industry compromise.
    • Malware: AUDIOFIX (Python Infostealer), MINIRAT (Go Backdoor).
    • Behavior: LinkedIn social engineering posing as recruiters, delivering malicious packages/software updates.
    • C2: Uses typosquatting domains (e.g., teamicrosoft.com).
  • Stealc / Amadey (Malware-as-a-Service):

    • Objective: Bulk credential harvesting.
    • Behavior: Despite Operation Endgame disruption, active IP infrastructure persists.
    • C2: Hardcoded IP lists and hostnames.

IOC Analysis

The referenced pulses provide 171 indicators of compromise (IOCs), grouped here by type:

  • Network Infrastructure (IPv4/Hostname):

    • Operationalization: Block these IPs at the perimeter firewall and proxy. Sinkhole the associated hostnames on internal DNS resolvers, so that lookups are logged and attributed to a host rather than silently dropped.
    • Specifics: Watch for traffic involving 45.207.216.55 (Langflow exploitation; it appears as the requesting client IP in the rule below) and outbound connections to 104.200.67.46 (Kimsuky).
    • Decoding: Several domains sit on uncommon TLDs (e.g., live.ong) that many reputation feeds do not cover, so they should be matched explicitly rather than left to category filtering. Passive DNS and reverse lookups on the listed IPs are recommended to identify co-hosted infrastructure that is not yet in the pulse.
  • File Hashes (SHA1/SHA256):

    • Operationalization: Load into EDR solutions (CrowdStrike, SentinelOne, MDE) for immediate quarantine.
    • Specifics: The SHA256 hash 3f797a639bc855bc6d5471f327924b62d10900ddec49b970eca6604142bbb4be is associated with the Mistic backdoor dropper.
  • CVEs:

    • Operationalization: Patch CVE-2026-55255 (Langflow IDOR) and CVE-2026-33017 (Langflow RCE) immediately on all AI development environments.
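Operationalizing an IOC list like the one above is mostly normalisation: feeds mix defanged and plain spellings, hostnames with trailing dots, and SHA1 with SHA256 digests. The following Python is an added example, not part of the pulse data or of the Security Arsenal tooling. It classifies each indicator, refangs it, and renders the two artefacts the bullets describe: a firewall address list and a BIND RPZ sinkhole zone. The sinkhole address 192.0.2.1 (RFC 5737 test range), the defanged spellings in the sample list and the junk entry are assumptions added for the example; the indicator values themselves are the ones quoted on this page.

```python
"""Added example (not from the OTX pulses or the Security Arsenal tooling):
classify raw IOC strings by type and emit the blocking artefacts the text
describes, a firewall IPv4 list and a DNS RPZ sinkhole zone."""
import ipaddress
import re
from collections import defaultdict
from typing import Dict, Iterable, Set, Tuple

RE_SHA1 = re.compile(r"^[0-9a-f]{40}$", re.IGNORECASE)
RE_SHA256 = re.compile(r"^[0-9a-f]{64}$", re.IGNORECASE)
RE_CVE = re.compile(r"^CVE-\d{4}-\d{4,}$", re.IGNORECASE)
# RFC 1123 hostname: hyphen/alnum labels of at most 63 chars, at least one dot.
RE_HOST = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))+$"
)

# Indicators quoted on this page; the defanged spellings and the last entry
# are constructed to exercise the normaliser.
SAMPLE_IOCS = [
    "45.207.216.55", "104[.]200[.]67[.]46",
    "authorized-logins.net", "hxxps://teamicrosoft.com", "servequake.com.", "live.ong",
    "3f797a639bc855bc6d5471f327924b62d10900ddec49b970eca6604142bbb4be",
    "ff8d2afd9d7f0a828592fee34ca55d1a3542f7ed",
    "CVE-2026-55255", "cve-2026-33017",
    "not an indicator!!",
]


def normalize(ioc: str) -> Tuple[str, str]:
    """Refang and classify one indicator; returns (type, canonical value)."""
    value = ioc.strip()
    value = value.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
    value = re.sub(r"^hxxps?://", "", value, flags=re.IGNORECASE)
    value = value.split("/")[0].rstrip(".")  # drop any URL path and trailing dot
    try:
        return f"ipv{ipaddress.ip_address(value).version}", value
    except ValueError:
        pass
    if RE_SHA256.match(value):
        return "sha256", value.lower()
    if RE_SHA1.match(value):
        return "sha1", value.lower()
    if RE_CVE.match(value):
        return "cve", value.upper()
    if RE_HOST.match(value) and not value.replace(".", "").isdigit():
        return "hostname", value.lower()
    return "unknown", ioc.strip()


def classify(ioc: str) -> str:
    return normalize(ioc)[0]


def bucket(iocs: Iterable[str]) -> Dict[str, Set[str]]:
    """Group normalised indicators by type, dropping anything unrecognised."""
    out: Dict[str, Set[str]] = defaultdict(set)
    for raw in iocs:
        kind, value = normalize(raw)
        if kind != "unknown":
            out[kind].add(value)
    return out


def rpz_zone(hostnames: Iterable[str], sinkhole: str = "192.0.2.1") -> str:
    """Render a BIND Response Policy Zone whose local-data rules answer each
    listed name and all of its subdomains with the sinkhole address, so every
    lookup is logged centrally instead of reaching the real C2.
    192.0.2.1 is an RFC 5737 placeholder; use your own sinkhole listener."""
    lines = [
        "$TTL 300",
        "@ IN SOA localhost. hostmaster.localhost. 1 3600 900 604800 300",
        "@ IN NS localhost.",
    ]
    for name in sorted(hostnames):
        lines.append(f"{name} IN A {sinkhole}")
        lines.append(f"*.{name} IN A {sinkhole}")
    return "\n".join(lines) + "\n"


def firewall_blocklist(ips: Iterable[str]) -> str:
    """One IPv4 address per line, sorted numerically, for an address-list import."""
    return "\n".join(sorted(ips, key=ipaddress.ip_address)) + "\n"


if __name__ == "__main__":
    buckets = bucket(SAMPLE_IOCS)
    print(firewall_blocklist(buckets["ipv4"]))
    print(rpz_zone(buckets["hostname"]))
    print("hashes for EDR:", sorted(buckets["sha256"] | buckets["sha1"]))
    print("patch:", sorted(buckets["cve"]))
```

Keeping SHA1 and SHA256 in separate buckets matters downstream: an EDR lookup that only computes one algorithm will silently never match digests of the other.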

Detection Engineering

yaml
---
title: KimJongRAT C2 Domains (Kimsuky Infrastructure)
id: 69d8e41c-2c9f-45a0-8b8d-9e9a1b2c3d4f
description: Detects network connections to domains associated with KimJongRAT distribution and C2 observed in Kimsuky activity.
status: experimental
date: 2026/06/30
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/6751a8b09d24b623981e52ca
tags:
    - attack.command_and_control
logsource:
    category: network_connection
detection:
    selection:
        DestinationHostname|contains:
            - 'servequake.com'
            - 'corpsecs.com'
    condition: selection
falsepositives:
    - Unknown
level: high
---
# Process-creation half of the original combined rule. A Sigma rule is bound to a
# single logsource, so Image/ParentImage cannot share a rule with network_connection
# fields; the split rule carries a new id.
title: MeshAgent Launched by Command Interpreter (Kimsuky Tradecraft)
id: 7c1e5b2a-3d4f-4a6b-9e8c-2f1d0a9b8c7e
description: Detects MeshAgent being started by PowerShell or cmd, matching the KimJongRAT/MeshAgent delivery chain observed by Kimsuky.
status: experimental
date: 2026/06/30
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/6751a8b09d24b623981e52ca
tags:
    - attack.execution
    - attack.command_and_control
    - attack.t1219
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\meshagent.exe'
            - '\meshsvc.exe'
        ParentImage|endswith:
            - '\powershell.exe'
            - '\cmd.exe'
    condition: selection
falsepositives:
    - Legitimate use of MeshAgent in managed IT environments
level: high
---
title: Woodgnat Mistic Backdoor C2 Communication
id: 5f7b3d2a-1e4c-4b9f-8c7e-6d5f4a3b2c1d
description: Detects network connections to domains associated with the Woodgnat group and Mistic backdoor.
status: experimental
date: 2026/06/30
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/675059980d9b623981e529d3
tags:
    - attack.command_and_control
logsource:
    category: network_connection
detection:
    selection:
        DestinationHostname|contains:
            - 'authorized-logins.net'
            - 'grande-luna.top'
            - 'human-check.top'
    condition: selection
falsepositives:
    - Unknown
level: critical
---
title: Langflow AI Pipeline Exploitation Attempt
id: 8a9b2c3d-4e5f-6789-0abc-1def23456789
description: Detects requests against Langflow vulnerabilities (CVE-2026-55255) that combine the observed URI path with the source IP seen in the campaign. The source-IP clause keeps false positives low but will not fire when the same requests arrive from new infrastructure; hunt on the URI alone as well.
status: experimental
date: 2026/06/30
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/6755d66509d24b623981e52c5
tags:
    - attack.initial_access
    - attack.t1190
logsource:
    category: webserver
detection:
    selection_uri:
        c-uri|contains: '/slt'
    selection_src:
        c-ip:
            - '45.207.216.55'
    condition: all of selection_*
falsepositives:
    - Legitimate administrative access
level: high
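To see what the Langflow rule's `all of selection_*` condition does in practice, the following Python is an added example (not one of the page's rules): it parses combined-format access log lines and applies the rule's two selections both together and URI-only. The log lines are constructed; 203.0.113.7 is an RFC 5737 documentation address standing in for an unlisted attacker, 10.0.0.12 is an internal user, and the `/api/v1/slt` paths are made up around the rule's `/slt` fragment. Request paths are percent-decoded before matching, because a `contains` test on the raw request line is trivially bypassed with `%73lt`.

```python
"""Added example (not part of the page's Sigma rules): evaluate the Langflow
rule's selections over constructed access-log lines, strict (URI AND source IP)
versus URI-only, with percent-decoding of the request path."""
import re
from typing import Dict, List, Optional
from urllib.parse import unquote

# Constructed combined-log lines. 45.207.216.55 is the source IP from the rule;
# 203.0.113.7 (RFC 5737 range) is a second, unlisted attacker probing the same
# path with a percent-encoded 's'; 10.0.0.12 is an internal user.
SAMPLE_LOGS = """\
45.207.216.55 - - [30/Jun/2026:08:15:02 +0000] "GET /api/v1/slt HTTP/1.1" 200 512 "-" "python-requests/2.32"
203.0.113.7 - - [30/Jun/2026:08:15:09 +0000] "POST /api/v1/%73lt HTTP/1.1" 401 0 "-" "curl/8.5.0"
10.0.0.12 - - [30/Jun/2026:08:16:44 +0000] "GET /flows/ HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
45.207.216.55 - - [30/Jun/2026:08:17:01 +0000] "GET /health HTTP/1.1" 200 15 "-" "python-requests/2.32"
"""

# The two selections of the page's Sigma rule, expressed as data.
RULE = {
    "uri_contains": ["/slt"],
    "src_ips": {"45.207.216.55"},
}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) (?P<proto>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one combined-log line into the fields the rule uses (c-ip, c-uri, ...).
    The URI is percent-decoded so encoded variants of the path still match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["uri"] = unquote(event["uri"])
    return event


def matches(event: Dict[str, str], require_source_ip: bool = True) -> bool:
    """Sigma 'all of selection_*' when require_source_ip is True; selection_uri alone otherwise."""
    uri_hit = any(frag in event["uri"] for frag in RULE["uri_contains"])
    if not require_source_ip:
        return uri_hit
    return uri_hit and event["ip"] in RULE["src_ips"]


def run_rule(log_text: str, require_source_ip: bool = True) -> List[Dict[str, str]]:
    """Return the parsed events the rule fires on."""
    hits = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event and matches(event, require_source_ip):
            hits.append(event)
    return hits


def sources_by_uri(log_text: str) -> Dict[str, List[str]]:
    """Hunting view: every client IP that touched a rule URI, to triage new infrastructure."""
    out: Dict[str, List[str]] = {}
    for ev in run_rule(log_text, require_source_ip=False):
        out.setdefault(ev["uri"], []).append(ev["ip"])
    return out


if __name__ == "__main__":
    strict = run_rule(SAMPLE_LOGS)
    broad = run_rule(SAMPLE_LOGS, require_source_ip=False)
    print(f"all of selection_*: {len(strict)} hit(s)")
    print(f"selection_uri only: {len(broad)} hit(s) from {sorted({e['ip'] for e in broad})}")
    print("sources per URI:", sources_by_uri(SAMPLE_LOGS))
```

The strict form fires once (the listed IP hitting the path) and misses the encoded probe from 203.0.113.7; the URI-only form catches both at the cost of the "legitimate administrative access" false positive the rule already names. Running both, the strict one as an alert and the broad one as a scheduled hunt, is the usual compromise.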


kql
// Hunt for JINX-0164, Woodgnat and Kimsuky infrastructure seen in the last 7 days
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has_any (
    "driver-updater.net",
    "teamicrosoft.com",
    "authorized-logins.net",
    "grande-luna.top",
    "human-check.top",
    "overlapsnowbound.com",
    "servequake.com",
    "corpsecs.com",
    "live.ong"
)
| extend ThreatContext = case(
    RemoteUrl has_any ("driver-updater.net", "teamicrosoft.com"), "JINX-0164 Crypto Campaign",
    RemoteUrl has_any ("authorized-logins.net", "grande-luna.top", "human-check.top"), "Woodgnat Mistic C2",
    RemoteUrl has_any ("servequake.com", "corpsecs.com"), "Kimsuky KimJongRAT",
    "Other Infostealer Infrastructure"
)
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, RemoteUrl, RemoteIP, ThreatContext


powershell
# IOC Hunt Script: compare running process images against known file hashes and
# look for resolutions of, and connections to, known C2 domains.
# Run as Administrator (needed to read every connection's owning process).

# Hashes grouped by algorithm. A SHA1 value can never equal a SHA256 digest, so
# each list is only compared against a digest of the same algorithm.
$TargetHashes = @{
    SHA1   = @(
        "ff8d2afd9d7f0a828592fee34ca55d1a3542f7ed"                           # Amadey/Stealc
    )
    SHA256 = @(
        "3f797a639bc855bc6d5471f327924b62d10900ddec49b970eca6604142bbb4be", # Mistic Backdoor
        "b6cab0b3aa8e56e2427f486c74588d598ae58bb0cbc0eda6939fe171cb0aed17", # AUDIOFIX/MINIRAT
        "9758e76b601798a30d903bf05052a53df80451e5c156548ce9da828f608b6470"  # KimJongRAT
    )
}

$SuspiciousDomains = @(
    "overlapsnowbound.com",
    "authorized-logins.net",
    "driver-updater.net",
    "teamicrosoft.com",
    "servequake.com",
    "corpsecs.com"
)

Write-Host "Starting IOC Hunt..." -ForegroundColor Cyan

# 1. Hash the on-disk image of each running process. This is a file hash, not a
#    memory hash: a packed or injected payload will not be caught here.
Write-Host "Checking process image hashes..." -ForegroundColor Yellow
Get-Process | Where-Object { $_.Path -and (Test-Path $_.Path) } | ForEach-Object {
    $proc = $_
    foreach ($algo in $TargetHashes.Keys) {
        try {
            $hash = (Get-FileHash -Path $proc.Path -Algorithm $algo -ErrorAction Stop).Hash
            if ($TargetHashes[$algo] -contains $hash) {   # -contains is case-insensitive
                Write-Host "[ALERT] Known-malicious image: $($proc.ProcessName) (PID: $($proc.Id))" -ForegroundColor Red
                Write-Host "  Path: $($proc.Path)"
                Write-Host "  $($algo): $hash"
            }
        } catch {}
    }
}

# 2. Check the DNS client cache. A resolved C2 name stays cached after the
#    connection closes, and the entry records the name the host actually asked for.
Write-Host "Checking DNS client cache..." -ForegroundColor Yellow
$CacheHits = Get-DnsClientCache -ErrorAction SilentlyContinue | Where-Object {
    $entry = $_.Entry
    $SuspiciousDomains | Where-Object { $entry -like "*$_" }
}
foreach ($hit in $CacheHits) {
    Write-Host "[ALERT] Cached resolution of suspicious domain: $($hit.Entry) -> $($hit.Data)" -ForegroundColor Red
}

# 3. Correlate established connections with the addresses those names resolved to.
#    Reverse (PTR) lookups of every remote address are avoided on purpose: C2 hosts
#    rarely carry PTR records naming the C2 domain, and the lookups themselves are
#    visible to whoever operates the resolver.
Write-Host "Checking established connections..." -ForegroundColor Yellow
$SuspiciousIPs = @($CacheHits | Select-Object -ExpandProperty Data)
Get-NetTCPConnection -State Established | Where-Object { $_.RemoteAddress -in $SuspiciousIPs } | ForEach-Object {
    $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    Write-Host "[ALERT] Connection to suspicious address by $($proc.ProcessName) (PID: $($_.OwningProcess))" -ForegroundColor Red
    Write-Host "  Remote: $($_.RemoteAddress):$($_.RemotePort)"
}

Write-Host "Hunt complete." -ForegroundColor Cyan

Response Priorities

  • Immediate:

    • Block all listed IPv4 addresses and Domains at the perimeter.
    • Quarantine endpoints matching the provided file hashes (SHA256/SHA1).
    • Patch Langflow instances for CVE-2026-55255 and CVE-2026-33017.
  • 24 Hours:

    • Initiate credential resets for any accounts that may have interacted with driver-updater.net or authorized-logins.net.
    • Review endpoint and Active Directory authentication logs for MeshAgent installations or service creation, and for unusual PowerShell or cmd child processes associated with Mistic.
  • 1 Week:

    • Implement stricter egress filtering for GitHub Releases and NPM registries in developer environments (mitigates Kimsuky's GitHub-hosted delivery and JINX-0164's malicious packages).
    • Review LinkedIn social-engineering exposure for employees in finance, crypto and technology roles (the JINX-0164 recruiter lure).
    • Deploy honeypots or canary tokens on AI development servers to detect renewed exploitation attempts against CVE-2026-55255.
