Threat Summary
Recent OTX Pulse data highlights a dual landscape of threat activity: significant disruption operations against established Infostealer families (Operation Endgame targeting Stealc, Amadey, Lumma, and Danabot) and the emergence of sophisticated, targeted campaigns by Initial Access Brokers (IABs) and nation-state actors. While Operation Endgame has successfully seized nearly 200 C2 servers associated with major MaaS offerings, threat actors like Woodgnat and JINX-0164 are actively filling the void with specialized tools such as Mistic Backdoor, ModeloRAT, and AUDIOFIX. These actors heavily leverage social engineering (LinkedIn recruitment), supply chain compromises (npm packages), and legitimate service abuse (GitHub) to deliver payloads aimed at credential theft and establishing persistence within cryptocurrency and technology sectors.
Threat Actor / Malware Profile
Woodgnat (IAB)
- Malware: Backdoor.Mistic, ModeloRAT, MintsLoader, D3F@ck Loader.
- Distribution: Sideloading techniques via signed binaries (e.g., GateKeeper) and social engineering.
- Behavior: Mistic provides stealthy remote access, often deployed alongside ModeloRAT. Acts as an access broker for ransomware gangs like Qilin, Akira, and Black Basta.
- Targets: Insurance, Education, Technology.
JINX-0164
- Malware: AUDIOFIX (Python-based Infostealer/RAT), MINIRAT (Go backdoor).
- Distribution: LinkedIn phishing (posing as recruiters), malicious npm packages (driver-updater.net), and trojanized CI/CD scripts.
- Behavior: Focuses on stealing cryptocurrency keys and developer credentials. Uses macOS-specific payloads.
Kimsuky (APT)
- Malware: KimJongRAT, MeshAgent.
- Distribution: Phishing emails with shortened URLs pointing to GitHub Releases hosting malicious ZIPs.
- Behavior: Intelligence gathering and credential harvesting. Recently observed leveraging GitHub to distribute MeshAgent alongside KimJongRAT.
Operation Endgame Targets
- Malware: Amadey (S1025), Stealc, Lumma Stealer, Danabot.
- Status: Infrastructure disruption (IPs and domains sinkholed). SOC teams should still hunt for dormant infections or variants shifting to new infrastructure.
IOC Analysis
The provided IOCs are a mix of infrastructure and payload artifacts:
- Network Infrastructure (IPv4/Domains): A large volume of C2 infrastructure is listed (e.g., 176.124.199.207, login.teamicrosoft.com). SOC teams should block these at the firewall and proxy level. Note the use of typosquatting (e.g., login.teamicrosoft.com vs. the legitimate domain).
- File Hashes: SHA1 and SHA256 hashes representing payloads like Mistic, AUDIOFIX, and KimJongRAT. These should be added to EDR blocklists and used for retrospective hunting.
- URLs: Specific download paths for scripts (e.g., install.sh) and GitHub repositories used in initial access vectors.
Operational Guidance: Prioritize blocking the typosquatted domains and the specific IP ranges associated with the Langflow exploitation and JINX-0164 infrastructure, as these represent active or very recent C2 nodes.
Detection Engineering
```yaml
title: Potential Mistic Backdoor or ModeloRAT Sideloading Activity
id: 2368d24b-1a3f-4b5c-9c6d-1e9f8a2b3c4d
description: Detects potential sideloading behavior associated with Woodgnat campaigns where malicious DLLs are loaded by legitimate processes like GateKeeper or signed utilities.
status: experimental
date: 2026/06/29
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/67575a8f1f4b46516b8e4b67
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith:
            - '\GateKeeper.exe'
            - '\update.exe'
        Image|endswith:
            - '\rundll32.exe'
            - '\regsvr32.exe'
            - '\powershell.exe'
    filter_legit:
        CommandLine|contains:
            - 'Windows'
            - 'System32'
    condition: selection and not filter_legit
falsepositives:
    - Legitimate software updates
level: high
tags:
    - attack.defense_evasion
    - attack.t1574.002
    - malware.modelorat
---
title: Suspicious Python Execution indicative of AUDIOFIX or Minirat
date: 2026/06/29
id: 45e3f78c-2d4a-4f5e-8b7d-3c9a0d4e5f6a
description: Detects execution of Python scripts with network connections or arguments often used by JINX-0164's AUDIOFIX malware on macOS or Windows.
status: experimental
author: Security Arsenal
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        Image|endswith: '\python.exe'
    selection_cli:
        CommandLine|contains:
            - '-c'
            - 'base64'
            - 'http://'
            - 'import urllib'
    selection_network:
        CommandLine|contains:
            - '89.36.224.5'
            - 'live.us.org'
    condition: selection_img and (selection_cli or selection_network)
falsepositives:
    - Legitimate developer scripts
level: high
tags:
    - attack.execution
    - attack.t1059.006
    - malware.audiofix
---
title: Credential Stealer C2 Traffic (Stealc/Lumma/Amadey Post-Disruption)
date: 2026/06/29
id: 67890a1b-2c3d-4e5f-6a7b-8c9d0e1f2a3b
description: Detects network connections to known C2 infrastructure associated with Operation Endgame targets (Stealc, Amadey, Lumma) and related botnets.
status: experimental
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/66795a8f1f4b46516b8e4b60
logsource:
    category: network_connection
    product: windows
detection:
    selection_ip:
        DestinationIp|startswith:
            - '176.124.199.'
            - '176.111.174.'
            - '62.60.226.'
            - '94.154.35.'
    selection_domain:
        DestinationHostname|contains:
            - 'overlapsnowbound.com'
            - 'corpsecs.com'
            - 'servequake.com'
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: critical
tags:
    - attack.c2
    - attack.t1071.001
    - malware.stealc
```
```kql
// Hunt for connections to known JINX-0164 and Woodgnat infrastructure
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has_any ("teamicrosoft.com", "driver-updater.net", "live.us.org", "grande-luna.top", "authorized-logins.net")
    or RemoteIP in ("89.36.224.5", "45.207.216.55")
| summarize Count = count() by DeviceName, RemoteUrl, RemoteIP, InitiatingProcessFileName
| order by Count desc
```
```powershell
# PowerShell hunt script for network connections, persistence and registry keys associated with Woodgnat/Mistic
$MaliciousIPs = @(
    "176.124.199.207", "176.111.174.140", "62.60.226.159", "94.154.35.25",
    "64.188.91.237", "196.251.107.130", "104.200.67.46", "45.207.216.55"
)
$MaliciousDomains = @(
    "overlapsnowbound.com", "authorized-logins.net", "update-fall.com",
    "corpsecs.com", "servequake.com", "live.us.org"
)
# Check for active connections to the listed C2 IPs, or connections owned by a process running from a user-writable path
Write-Host "Checking Active Network Connections..."
Get-NetTCPConnection | Where-Object {
    $MaliciousIPs -contains $_.RemoteAddress -or
    ($_.OwningProcess -and (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).Path -match "Temp|AppData")
} | Select-Object LocalAddress, RemoteAddress, State, OwningProcess
# Check the DNS client cache for the listed C2 domains (catches lookups whose connection has already closed)
Write-Host "Checking DNS Client Cache..."
Get-DnsClientCache -ErrorAction SilentlyContinue | Where-Object {
    $entry = $_.Entry
    [bool]($MaliciousDomains | Where-Object { $entry -like "*$_" })
} | Select-Object Entry, Data
# Check for suspicious scheduled tasks (common persistence for RATs)
Write-Host "Checking Suspicious Scheduled Tasks..."
Get-ScheduledTask | Where-Object {
    $_.TaskName -match "Update|Chrome|Driver" -and
    $_.Actions.Execute -match "powershell|cmd|python" -and
    $_.Actions.WorkingDirectory -match "Temp|AppData|Public"
} | Select-Object TaskName, Actions, Author
# Check Run keys for autostart entries that launch from user-writable paths
Write-Host "Checking Run Keys..."
$RunKeys = @(
    "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run",
    "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run"
)
foreach ($key in $RunKeys) {
    Get-ItemProperty -Path $key -ErrorAction SilentlyContinue |
        ForEach-Object { $_.PSObject.Properties } |
        Where-Object { $_.Name -notlike "PS*" -and "$($_.Value)" -match "Temp|AppData|Public" } |
        Select-Object @{ n = "Key"; e = { $key } }, Name, Value
}
```
Response Priorities
- Immediate:
  - Block all listed IOCs (IPs, Domains, URLs) at the perimeter and endpoint.
  - Isolate endpoints with confirmed hits on the provided file hashes (SHA1/SHA256).
  - Hunt for the specific Python execution patterns indicative of the AUDIOFIX campaign.
- 24 Hours:
  - Initiate credential reset and identity verification for users in targeted sectors (Crypto, Tech, Education) who may have interacted with LinkedIn recruiting messages or downloaded suspicious "driver updaters".
  - Review GitHub repository access logs and CI/CD pipelines for unauthorized changes or inclusion of the driver-updater.net package.
- 1 Week:
  - Patch the Langflow vulnerabilities (CVE-2026-55255 and CVE-2026-33017) in all AI development environments.
  - Implement application control (AppLocker) to prevent sideloading techniques used by Woodgnat (blocking unsigned DLLs loading into signed binaries).
  - Conduct a review of outbound traffic to new, recently registered domains (common in C2 shifting).
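Before rolling out AppLocker DLL rules, the sideloading pattern the 1 Week step describes (an unsigned DLL, or one in a user-writable directory, loaded into an Authenticode-signed host process) can be hunted directly on a host. The script below is an added example, not part of the original advisory or the Security Arsenal scripts; it assumes an elevated PowerShell session on Windows, and the user-writable path regex and the treatment of validly signed DLLs as expected are assumptions a hunter would tune per environment.

```powershell
# Added example: enumerate modules loaded into signed processes and flag sideloading candidates.
# Assumptions: elevated session (otherwise protected processes are skipped); catalog-signed
# Windows DLLs report 'Valid' via Get-AuthenticodeSignature on Windows 8+ / PowerShell 5+.
$UserWritable = 'Temp|AppData|Public|ProgramData|Downloads'   # assumed list of user-writable locations
$SigCache = @{}                                               # avoid re-checking the same file

function Get-SignatureStatus {
    param([string]$Path)
    if (-not $SigCache.ContainsKey($Path)) {
        $SigCache[$Path] = (Get-AuthenticodeSignature -FilePath $Path -ErrorAction SilentlyContinue).Status
    }
    return $SigCache[$Path]
}

$Findings = foreach ($proc in Get-Process) {
    $mainPath = $proc.Path
    if (-not $mainPath) { continue }                             # protected/system process, no image path
    if ((Get-SignatureStatus $mainPath) -ne 'Valid') { continue } # only signed hosts matter for sideloading

    # Module enumeration throws for 32-bit processes from a 64-bit shell and for protected processes
    $modules = try { $proc.Modules } catch { @() }
    foreach ($m in $modules) {
        $dll = $m.FileName
        if (-not $dll -or $dll -ieq $mainPath -or $dll -notmatch '\.dll$') { continue }
        $status     = Get-SignatureStatus $dll
        $inUserPath = $dll -match $UserWritable
        # Flag a DLL that is unsigned/invalid, or loaded from a user-writable path even if signed
        if ($status -ne 'Valid' -or $inUserPath) {
            [PSCustomObject]@{
                ProcessName  = $proc.ProcessName
                PID          = $proc.Id
                SignedHost   = $mainPath
                Module       = $dll
                DllSig       = $status
                UserWritable = $inUserPath
            }
        }
    }
}

# User-writable hits first: those are the ones AppLocker DLL rules would block
$Findings | Sort-Object UserWritable, ProcessName -Descending | Format-Table -AutoSize
```

Expect some unsigned third-party DLLs from legitimate vendors in the output; the rows to triage first are signed hosts named in the Sigma rule above (GateKeeper, update binaries) loading a DLL from a user-writable path.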