
Operation Endgame Disruption & Woodgnat Access Brokers: StealC, Amadey, and Mistic Backdoor Intel — Detection Pack

Security Arsenal Team
June 26, 2026

Threat Summary

Recent intelligence shows the credential-theft and initial access broker (IAB) landscape shifting rather than shrinking. Operation Endgame, the global law-enforcement-coordinated action in which Microsoft and ESET participated, has disrupted command-and-control (C2) infrastructure for the StealC and Amadey Malware-as-a-Service (MaaS) families, but the actors behind these campaigns are pivoting quickly. Campaigns identified on 2026-06-27 show commodity infostealers under pressure while an IAB tracked as Woodgnat deploys a new backdoor (Mistic) to hand off access to ransomware operations (Qilin, Black Basta, Interlock). In parallel, the state-sponsored Kimsuky group continues to abuse a legitimate service (GitHub Releases) to distribute KimJongRAT in targeted credential-theft campaigns. The shared objective across all of these is the harvest of session tokens and stored credentials: a stolen session cookie lets an attacker replay an authenticated session without the password or second factor until that session is revoked. Credential and session hygiene therefore remains the primary defensive failure point.

Threat Actor / Malware Profile

StealC & Amadey (Disrupted Infrastructure)

  • Type: Malware-as-a-Service (MaaS) Infostealers.
  • Distribution: Phishing campaigns, malicious payloads, secondary loaders.
  • Payload Behavior: Harvests browser cookies, saved passwords, cryptocurrency wallet data, and autofill information. StealC also functions as a loader for follow-on payloads.
  • C2 Communication: Connects to hardcoded domains (e.g., microsoft-telemetry.at, svclsc.com) to exfiltrate data and receive updates.
  • Disruption Status: Approx. 50 domains and 200 IPs were seized under Operation Endgame. Already-infected hosts keep beaconing to the seized infrastructure, and variants pointing at unseized fallback infrastructure persist.

Woodgnat & Mistic Backdoor

  • Type: Initial Access Broker / Custom Backdoor.
  • Distribution: Social engineering; execution via DLL sideloading, where a legitimate signed binary loads a malicious DLL dropped next to it.
  • Payload Behavior: Mistic is a stealthy backdoor providing remote access. Often deployed alongside ModeloRAT.
  • Affiliations: Linked to multiple ransomware operations including Qilin, Interlock, and Black Basta.
  • Persistence: Relies on the same sideloading chain to maintain access, so the process tree looks like a legitimate signed executable rather than a new binary.

Kimsuky (KimJongRAT)

  • Type: APT / State-Sponsored Espionage.
  • Distribution: Phishing emails with shortened URLs that redirect to GitHub Releases hosting malicious ZIP archives (living off trusted sites, so the download itself passes reputation checks).
  • Payload Behavior: Combines information stealing with remote access capabilities. Targets specific sectors (Japan focus observed).
  • C2 Communication: Uses hostnames under servequake.com and corpsecs.com (e.g., googleoba.servequake.com, lutkdd.corpsecs.com). Block the full hostnames; blocking only the parent domain risks collateral impact if the parent is a shared dynamic-DNS service.

GhostShell & Vidar

  • Type: Supply Chain Attack.
  • Target: Ukraine’s UAV (Drone) supply chain.
  • Method: Malicious archives impersonating legitimate manufacturer "Besomar". Deploys Vidar stealer.

IOC Analysis

The provided indicators of compromise (IOCs) span multiple vectors suitable for immediate defensive action:

  • Network IOCs (Domains/IPv4): A key tactic observed is the use of typosquatting and lookalike domains for C2 communication (e.g., microsoft-telemetry.at mimicking Microsoft telemetry). IPs such as 176.124.199.207 and 104.200.67.46 represent active C2 nodes. SOC teams should block these at the perimeter and on proxy/DNS layers. When writing domain matches, match the exact hostname or its subdomains on a label boundary; a bare suffix match on svclsc.com also matches unrelated hosts such as evilsvclsc.com.
  • File Hashes (MD5, SHA1, SHA256): A significant volume of file hashes is provided for the payloads (e.g., StealC SHA256 8cef760d11d24fc2e9bbd9f770dca5105854f7ece3b0e6948d7c8b7fdd1765ea). Load these into EDR as custom block indicators; exact hash matches will miss repacked variants, so treat them as a floor, not a ceiling.
  • URLs: Malicious download URLs (e.g., http://svclsc.com/ms/index.php) identify the payload-hosting paths used by the droppers.

Operational Note: While Operation Endgame has disrupted domains, legacy indicators remain valuable in logs. Use the domains and IPs listed below for retrospective hunting: a host that is still resolving or connecting to seized or sinkholed infrastructure at regular intervals, even if every attempt fails, is an infected host that needs containment and credential reset, and it may also be trying fallback C2 that has not been seized.

Detection Engineering

Sigma Rules

YAML
---
title: Suspicious Connection to StealC/Amadey C2 Domains
id: 1e2d3f4a-5b6c-7d8e-9f0a-1b2c3d4e5f6a
description: Detects outbound network connections to known StealC and Amadey C2 domains identified in recent pulses. Hostnames are matched exactly or as subdomains (leading dot) so that unrelated lookalikes are not flagged.
status: experimental
date: 2026-06-27
author: Security Arsenal
references:
    - https://www.microsoft.com/en-us/security/blog/2026/06/24/stealc-and-amadey-breaking-down-infostealers-and-the-cybercrime-services-that-deliver-them/
tags:
    - attack.command_and_control
    - attack.t1071.001
logsource:
    category: network_connection
    product: windows
detection:
    selection_exact:
        Initiated: 'true'
        DestinationHostname:
            - 'microsoft-telemetry.at'
            - 'svclsc.com'
            - 'goodpanelforgoodjob.com'
    selection_subdomain:
        Initiated: 'true'
        DestinationHostname|endswith:
            - '.microsoft-telemetry.at'
            - '.svclsc.com'
            - '.goodpanelforgoodjob.com'
    condition: 1 of selection_*
falsepositives:
    - Unlikely. Hosts still contacting seized infrastructure are a finding, not a false positive.
level: critical
---
title: Potential Sideloading via Mistic Backdoor Parent Process
# NOTE: this id is not a valid UUID (contains non-hex characters); replace it with a UUIDv4 before deploying.
id: 2f3e4g5h-6i7j-8k9l-0m1n-2o3p4q5r6s7t
description: Heuristic for process execution patterns consistent with Woodgnat's Mistic backdoor deployment: a user-writable path executable spawned by svchost.exe or rundll32.exe. This is a parent/child heuristic only; DLL sideloading itself (T1574.002) is confirmed from image_load events showing a signed binary loading a DLL from the same user-writable directory.
status: experimental
date: 2026-06-27
author: Security Arsenal
references:
    - https://www.security.com/threat-intelligence/new-mistic-backdoor-modelorat
tags:
    - attack.defense_evasion
    - attack.t1574.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith:
            - '\svchost.exe'
            - '\rundll32.exe'
        Image|contains:
            - '\AppData\Local\Temp\'
            - '\AppData\Roaming\'
    condition: selection
falsepositives:
    - Legitimate software updaters and installers launched from scheduled tasks or services
    - Per-user installed applications (e.g., chat and collaboration clients) under AppData
level: medium
---
title: KimJongRAT GitHub LOTS Download Pattern
# NOTE: this id is not a valid UUID (contains non-hex characters); replace it with a UUIDv4 before deploying.
id: 3g4h5i6j-7k8l-9m0n-1o2p-3q4r5s6t7u8v
description: Detects PowerShell, curl or wget downloading from GitHub or the Kimsuky C2 domain, associated with KimJongRAT campaigns that stage archives on GitHub Releases. Noisy on developer workstations; scope to non-developer hosts or pair with archive-extraction telemetry.
status: experimental
date: 2026-06-27
author: Security Arsenal
references:
    - https://sect.iij.ad.jp/blog/2026/06/continuous-evolution-of-kimjongrat-2026/
tags:
    - attack.initial_access
    - attack.t1566.002
    - attack.command_and_control
    - attack.t1105
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\curl.exe'
            - '\wget.exe'
    selection_cli:
        CommandLine|contains:
            - 'githubusercontent.com'
            - 'github.com'
            - 'servequake.com'
    condition: all of selection_*
falsepositives:
    - Legitimate developer tooling and package managers fetching from GitHub
level: medium
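The Operational Note above recommends retrospective hunting for hosts still beaconing to seized infrastructure, and the first Sigma rule above shows why domain matching has to respect label boundaries. The following is an added example, not code from the Security Arsenal detection pack, that runs both checks offline over a few constructed proxy-log lines: it matches destinations against the page's domain and IP IOCs (exact host or subdomain, never a bare substring), then flags source hosts that hit the same IOC at regular intervals even when every attempt was denied. The five-field log format, the sample lines, and the beaconing thresholds (`min_hits`, `max_cv`) are assumptions for the demo, not any vendor's format.

```python
"""Retrospective IOC hunt over constructed proxy-log lines (added example)."""
from __future__ import annotations

import ipaddress
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Network IOCs listed on this page.
C2_DOMAINS = {
    "microsoft-telemetry.at", "svclsc.com", "goodpanelforgoodjob.com",
    "googleoba.servequake.com", "lutkdd.corpsecs.com", "pxqtkc.corpsecs.com",
}
C2_IPS = {
    "176.124.199.207", "176.111.174.140", "62.60.226.159", "94.154.35.25",
    "64.188.91.237", "196.251.107.130", "104.200.67.46",
}

# Assumed (hypothetical) log line: "<iso-timestamp> <src-ip> <dst-host-or-ip> <dst-port> <action>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<port>\d+)\s+(?P<action>\S+)$"
)


def match_domain(host: str, iocs: set[str]) -> str | None:
    """Return the IOC that `host` equals or is a subdomain of, else None.

    Walks label boundaries, so 'cdn.svclsc.com' matches 'svclsc.com' while
    'evilsvclsc.com' does not; a plain endswith('svclsc.com') would flag both.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in iocs:
            return candidate
    return None


def match_ip(dst: str, iocs: set[str]) -> str | None:
    """Exact IPv4 match; non-IP destinations return None."""
    try:
        ipaddress.IPv4Address(dst)
    except ValueError:
        return None
    return dst if dst in iocs else None


def parse_line(line: str) -> dict | None:
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["port"] = int(rec["port"])
    return rec


def hunt(lines: list[str]) -> list[tuple[str, str, datetime, str]]:
    """Return (src, ioc, timestamp, action) for every line touching a C2 IOC."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ioc = match_ip(rec["dst"], C2_IPS) or match_domain(rec["dst"], C2_DOMAINS)
        if ioc:
            hits.append((rec["src"], ioc, rec["ts"], rec["action"]))
    return hits


def beaconing(hits, min_hits: int = 3, max_cv: float = 0.25) -> dict[tuple[str, str], float]:
    """Hosts hitting the same IOC at regular intervals -> {(src, ioc): mean gap seconds}.

    Denied attempts count: a host still retrying a seized C2 on a timer is infected.
    Regularity is measured as coefficient of variation of the inter-hit gaps.
    """
    by_pair: dict[tuple[str, str], list[datetime]] = defaultdict(list)
    for src, ioc, ts, _action in hits:
        by_pair[(src, ioc)].append(ts)
    result = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            result[pair] = avg
    return result


# Constructed sample log: one beaconing host, one subdomain hit, one lookalike miss, one IP hit.
SAMPLE_LOG = [
    "2026-06-27T08:00:00 10.0.0.5 svclsc.com 80 DENY",
    "2026-06-27T08:05:00 10.0.0.5 svclsc.com 80 DENY",
    "2026-06-27T08:10:01 10.0.0.5 svclsc.com 80 DENY",
    "2026-06-27T08:15:00 10.0.0.5 svclsc.com 80 DENY",
    "2026-06-27T08:02:13 10.0.0.8 cdn.microsoft-telemetry.at 443 ALLOW",  # subdomain hit
    "2026-06-27T08:03:44 10.0.0.9 evilsvclsc.com 443 ALLOW",              # lookalike, no hit
    "2026-06-27T08:04:10 10.0.0.9 176.124.199.207 443 ALLOW",             # IP hit
    "2026-06-27T08:06:30 10.0.0.12 github.com 443 ALLOW",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    found = hunt(SAMPLE_LOG)
    for src, ioc, ts, action in found:
        print(f"[hit] {ts.isoformat()} {src} -> {ioc} ({action})")
    for (src, ioc), gap in beaconing(found).items():
        print(f"[beacon] {src} retries {ioc} every ~{gap:.0f}s; contain host, reset credentials")
```

Feed it real proxy or DNS logs by adjusting `LOG_RE`; the beaconing check deliberately ignores whether the connection was allowed, because the point of the retrospective hunt is to find hosts that are still trying.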

KQL (Microsoft Sentinel / Defender Advanced Hunting)

KQL
// Hunt for StealC/Amadey and KimJongRAT network indicators.
// Domains and IPs are kept in separate lists: has_any is term-based and suits hostnames
// inside RemoteUrl, while IPs are compared exactly against RemoteIP.
let C2Domains = dynamic([
    "microsoft-telemetry.at", "svclsc.com", "goodpanelforgoodjob.com",
    "googleoba.servequake.com", "lutkdd.corpsecs.com", "pxqtkc.corpsecs.com"
]);
let C2IPs = dynamic([
    "176.124.199.207", "176.111.174.140", "62.60.226.159",
    "94.154.35.25", "64.188.91.237", "196.251.107.130", "104.200.67.46"
]);
DeviceNetworkEvents
| where Timestamp > ago(30d)
| where RemoteIP in (C2IPs) or tolower(RemoteUrl) has_any (C2Domains)
// ActionType (ConnectionSuccess vs ConnectionFailed) separates live C2 from hosts still retrying seized infrastructure
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, RemoteUrl, RemoteIP, RemotePort, ActionType
| order by Timestamp desc


KQL
// Hunt for Mistic/Vidar/StealC file hashes. Every hash listed is SHA256 (64 hex chars),
// so only the SHA256 column is compared. DeviceProcessEvents alone only shows executed
// files; DeviceFileEvents and DeviceImageLoadEvents catch dropped-but-not-run payloads and sideloaded DLLs.
let FileHashes = dynamic([
    "8cef760d11d24fc2e9bbd9f770dca5105854f7ece3b0e6948d7c8b7fdd1765ea",
    "3f797a639bc855bc6d5471f327924b62d10900ddec49b970eca6604142bbb4be",
    "9758e76b601798a30d903bf05052a53df80451e5c156548ce9da828f608b6470",
    "221a39856b37e3c682f62427f1e6b965b36a2405764689c914672770a01a1fa9",
    "ab5681266f70af7df24383f15de876e411fc18e35cb6f24603b12f580b05ccb3",
    "8de34006dafd990853a45cbe9aaab4ee18c8cd4c1ad0a98fe71f8d63cd60db25"
]);
union DeviceProcessEvents, DeviceFileEvents, DeviceImageLoadEvents
| where Timestamp > ago(30d)
| where tolower(SHA256) in (FileHashes)
| project Timestamp, DeviceName, ActionType, FolderPath, FileName,
    CommandLine = coalesce(ProcessCommandLine, InitiatingProcessCommandLine),
    InitiatingProcessAccountName
| order by Timestamp desc

PowerShell Hunt Script

PowerShell
<#
.SYNOPSIS
    Hunt for artifacts associated with StealC, Amadey, and Woodgnat Mistic campaigns.
.DESCRIPTION
    Checks TCP connections in any state to known C2 IPs (a beacon to seized
    infrastructure may never reach Established), hashes executables and DLLs under
    user-writable AppData paths against known-bad SHA256 values, and flags Run-key
    persistence entries whose name or command references user-writable paths or
    update/telemetry lures. Run elevated. Hash matching is exact, so repacked variants
    are not caught; no hits is not proof of a clean host.
#>

$C2IPs = @(
    "176.124.199.207", "176.111.174.140", "62.60.226.159",
    "94.154.35.25", "64.188.91.237", "196.251.107.130", "104.200.67.46"
)

# Get-FileHash returns uppercase hex; -contains compares case-insensitively, so these can stay lowercase.
$MaliciousHashes = @(
    "8cef760d11d24fc2e9bbd9f770dca5105854f7ece3b0e6948d7c8b7fdd1765ea",
    "3f797a639bc855bc6d5471f327924b62d10900ddec49b970eca6604142bbb4be"
)

Write-Host "[+] Checking TCP connections (any state) to known C2 infrastructure..."
$Connections = Get-NetTCPConnection -ErrorAction SilentlyContinue |
    Where-Object { $C2IPs -contains $_.RemoteAddress }
foreach ($Conn in $Connections) {
    Write-Host "[!] ALERT: $($Conn.State) connection to C2 IP $($Conn.RemoteAddress):$($Conn.RemotePort)" -ForegroundColor Red
    Get-Process -Id $Conn.OwningProcess -ErrorAction SilentlyContinue |
        Select-Object ProcessName, Id, Path | Format-Table -AutoSize
}

Write-Host "[+] Hashing executables and DLLs under user AppData paths (Amadey/StealC common drop locations)..."
foreach ($User in Get-ChildItem "C:\Users" -Directory) {
    foreach ($Sub in @("AppData\Roaming", "AppData\Local\Temp")) {
        $Path = Join-Path $User.FullName $Sub
        if (-not (Test-Path $Path)) { continue }
        Get-ChildItem $Path -Recurse -Include *.exe, *.dll -File -ErrorAction SilentlyContinue | ForEach-Object {
            # Locked or in-use files are skipped rather than aborting the scan.
            $Hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            if ($Hash -and ($MaliciousHashes -contains $Hash)) {
                Write-Host "[!] ALERT: Known-bad file $($_.FullName) ($Hash)" -ForegroundColor Red
            }
        }
    }
}

Write-Host "[+] Checking Registry Run keys for persistence..."
$RunKeys = @(
    "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run",
    "HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run",
    "HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce"
)
# HKCU only covers the user running the script; load other users' NTUSER.DAT hives to check them.
$SuspectPattern = 'Update|Telemetry|\\AppData\\|\\Temp\\|\\ProgramData\\|rundll32|regsvr32|mshta|wscript|powershell'
foreach ($Key in $RunKeys) {
    if (-not (Test-Path $Key)) { continue }
    $Item = Get-ItemProperty -Path $Key
    foreach ($Prop in $Item.PSObject.Properties) {
        if ($Prop.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, PSChildName, PSProvider
        if ("$($Prop.Name) $($Prop.Value)" -match $SuspectPattern) {
            Write-Host "[!] Suspicious Run entry in ${Key}: $($Prop.Name) = $($Prop.Value)" -ForegroundColor Yellow
        }
    }
}

Response Priorities

  • Immediate:

    • Block all listed domains and IP addresses on perimeter firewalls, proxies and DNS resolvers; log the blocks, since a blocked beacon identifies an infected host.
    • Add the listed file hashes as custom block indicators in EDR, and isolate any host on which a hash has already executed.
    • Hunt for outbound connections (successful or failed) to microsoft-telemetry.at and the servequake.com / corpsecs.com C2 hostnames.
  • 24 Hours:

    • Treat every user on a host with a stealer hit as having exposed browser cookies and saved passwords: revoke active sessions and refresh tokens for SaaS and email accounts, reset passwords, and re-enrol MFA where the stealer had access to authenticator exports. Revoking sessions matters as much as resetting passwords, because a stolen cookie bypasses the password and MFA until it is invalidated.
    • Investigate endpoints that communicated with the disrupted Operation Endgame infrastructure to determine what StealC or Amadey loaded after the initial infection and whether lateral movement occurred.
  • 1 Week:

    • Review and restrict the ability of scripting hosts and download utilities to fetch archives from legitimate file-sharing services (e.g., GitHub Releases) abused for malware delivery (living off trusted sites), and implement application control policies for executables launched from user-writable paths.
    • Engage supply chain partners in targeted sectors (Defense, UAV manufacturing) on email filtering for archive attachments impersonating manufacturers, as seen in the GhostShell/Vidar campaign.
