Threat Summary
Analysis of the latest OTX pulses indicates a highly active threat landscape centered on credential theft and initial access brokerage. We are observing simultaneous operations involving commodity Infostealers (StealC, Amadey, Lumma) being disrupted by Operation Endgame, while new, sophisticated actors like JINX-0164 and Woodgnat are actively targeting specific verticals (Crypto/Finance) with custom MacOS malware and backdoors. Additionally, the Kimsuky APT group continues to evolve its KimJongRAT using GitHub infrastructure for espionage. The collective objective is clear: harvest session tokens, credentials, and persist within environments to facilitate ransomware deployment or financial theft.
Threat Actor / Malware Profile
1. StealC & Amadey (Commodity MaaS)
- Distribution: Delivered via malicious payloads often masquerading as legitimate telemetry (e.g.,
microsoft-telemetry.at). Amadey acts as a loader for StealC. - Payload Behavior: StealC (C++) harvests data from browsers, crypto wallets, and messaging apps. Amadey maintains a botnet structure for C2.
- C2 Communication: Utilizes HTTP/HTTPS to specific domains (e.g.,
svclsc.com) to exfiltrate logs and receive updates. - Persistence: Scheduled tasks or registry run keys.
2. Woodgnat (Access Broker)
- Distribution: Social engineering and sideloading.
- Malware: Deploys Mistic Backdoor and ModeloRAT.
- Objective: Initial access for ransomware affiliates (Qilin, Black Basta).
- IOCs: Uses domains like
authorized-logins.netandhuman-check.topfor C2.
3. JINX-0164 (Crypto Targeting)
- Distribution: LinkedIn phishing impersonating recruiters/business partners.
- Malware: AUDIOFIX (Python Infostealer) and MINIRAT (Go Backdoor) targeting macOS.
- Infrastructure: Uses typosquatted domains like
login.teamicrosoft.comandteams.live.us.org.
4. Kimsuky (APT)
- Malware: KimJongRAT, MeshAgent.
- TTPs: Abuses GitHub Releases and LOTS (Living Off The Trusted Sites) to distribute malicious ZIPs via shortened URLs.
IOC Analysis
The provided IOCs span multiple infrastructure types indicative of a robust C2 network:
- Domains & Hostnames: A mix of typosquatting (
microsoft-telemetry.at,svclsc.com) and fake legitimate services (login.teamicrosoft.com). SOC teams should prioritize these for DNS sinkholing. - IP Addresses: Several IPs (e.g.,
176.124.199.207,104.200.67.46) are associated with active C2 servers. - File Hashes: Multiple SHA256/MD5 hashes provided for the loaders and RATs. These should be blocked in EDR solutions and used for retrospective hunting.
- Operationalization: Load these IoCs into your SIEM for correlation within
DeviceNetworkEventsandDeviceFileEvents. Use threat intelligence platforms (TIPs) to automate the ingestion of these OTX pulses.
Detection Engineering
Sigma Rules
YAML
title: Potential StealC or Amadey Infostealer Activity
id: 89e67a88-1234-5678-9abc-def123456789
description: Detects processes accessing browser credential files characteristic of StealC and Amadey infostealers.
status: experimental
date: 2026/06/27
author: Security Arsenal
references:
- https://otx.alienvault.com/pulse/672345a89b0c
logsource:
category: file_access
product: windows
detection:
selection:
TargetFilename|contains:
- '\Google\Chrome\User Data\Default\Login Data'
- '\Mozilla\Firefox\Profiles\'
- '\AppData\Local\Microsoft\Edge\User Data\Default\Login Data'
filter_legit:
Image|endswith:
- '\chrome.exe'
- '\firefox.exe'
- '\msedge.exe'
- '\explorer.exe'
condition: selection and not filter_legit
falsepositives:
- Legitimate password managers accessing browser stores
level: high
tags:
- attack.credential_access
- attack.t1056.001
---
title: Connection to JINX-0164 or Woodgnat C2 Infrastructure
id: 21c43d11-9876-5432-10fe-cba987654321
description: Detects network connections to domains associated with JINX-0164 MacOS campaign and Woodgnat access brokers.
status: experimental
date: 2026/06/27
author: Security Arsenal
references:
- https://otx.alienvault.com/pulse/672345a89b1c
logsource:
category: network_connection
product: windows
detection:
selection:
Initiated: 'true'
DestinationHostname|contains:
- 'microsoft-telemetry.at'
- 'svclsc.com'
- 'authorized-logins.net'
- 'login.teamicrosoft.com'
- 'teams.live.us.org'
- 'human-check.top'
condition: selection
falsepositives:
- Unknown
level: critical
tags:
- attack.command_and_control
- attack.t1071.001
---
title: Suspicious PowerShell GitHub Download Kimsuky Pattern
id: 33f54e22-1111-2222-3333-444455556666
description: Detects PowerShell commands downloading files from GitHub often used by Kimsuky KimJongRAT campaigns.
status: experimental
date: 2026/06/27
author: Security Arsenal
references:
- https://otx.alienvault.com/pulse/672345a89b2c
logsource:
category: process_creation
product: windows
detection:
selection_img:
Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
selection_cmd:
CommandLine|contains:
- 'github.com'
- 'Invoke-WebRequest'
- 'Invoke-RestMethod'
selection_ext:
CommandLine|contains:
- '.zip'
- '.rar'
condition: all of selection_*
falsepositives:
- Legitimate software installation scripts
level: medium
tags:
- attack.execution
- attack.t1059.001
KQL (Microsoft Sentinel)
KQL — Microsoft Sentinel / Defender
// Hunt for Network connections to malicious IOCs
let IOCs = dynamic(["microsoft-telemetry.at", "svclsc.com", "authorized-logins.net", "login.teamicrosoft.com", "teams.live.us.org", "driver-updater.net", "104.200.67.46", "176.124.199.207", "89.36.224.5"]);
DeviceNetworkEvents
| where RemoteUrl in (IOCs) or RemoteIP in (IOCs)
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteUrl, RemoteIP, RemotePort
| order by Timestamp desc
PowerShell Hunt Script
PowerShell
# Check DNS Cache for malicious domains identified in OTX pulses
$MaliciousDomains = @(
"microsoft-telemetry.at",
"svclsc.com",
"goodpanelforgoodjob.com",
"authorized-logins.net",
"mueleer.com",
"grande-luna.top",
"driver-updater.net",
"live.ong",
"teamicrosoft.com",
"live.us.org",
"googleoba.servequake.com"
)
Write-Host "Checking DNS Cache for Malicious Domains..." -ForegroundColor Yellow
$DnsCache = Get-DnsClientCache
foreach ($Domain in $MaliciousDomains) {
$Entry = $DnsCache | Where-Object { $_.Entry -like "*$Domain*" }
if ($Entry) {
Write-Host "[ALERT] Found malicious domain entry: $($Domain)" -ForegroundColor Red
$Entry | Format-List Entry, Data, TimeToLive
}
}
Write-Host "DNS Check Complete."
Response Priorities
-
Immediate:
- Block all listed domains and IPs at the perimeter firewall and proxy.
- Initiate hunts for the specific file hashes provided in the pulses (SHA256:
8cef760d...,3f797a6...,b6cab0b3...). - Isolate any endpoints communicating with
login.teamicrosoft.comormicrosoft-telemetry.at.
-
24 Hours:
- If StealC/Amadey is suspected, force a password reset for all corporate credentials and revoke session tokens for sensitive applications (SSO, Email).
- Review LinkedIn logs for interactions with suspicious recruiter profiles (JINX-0164 vector).
-
1 Week:
- Implement application control to prevent unsigned executables in user directories.
- Harden developer environments against supply chain attacks (JINX-0164 targets).
- Review and restrict access to GitHub Releases from non-corporate devices (Kimsuky mitigation).
Related Resources
Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub
darkwebotx-pulsedarkweb-credentialsinfostealersaccess-brokermacos-malwarekimsukyoperation-endgame
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.