Back to Intelligence

StealC, Amadey, and Mistic Backdoor: Active Infostealer & Access Broker Campaigns — Detection Engineering

SA
Security Arsenal Team
June 26, 2026
5 min read

The current threat landscape reflects a high volume of credential theft operations driven by both commodity infostealers and sophisticated access brokers. While Operation Endgame has disrupted significant infrastructure for the Amadey and Stealc botnets, active campaigns persist. Adversaries are pivoting to stealthy loaders like MintsLoader and D3F@ck to deliver the new Mistic backdoor and ModeloRAT, linked to the Woodgnat access broker. This actor specifically targets Insurance, Education, and Technology sectors to facilitate ransomware operations (Qilin, Black Basta).

Simultaneously, state-sponsored actors are leveraging legitimate services for distribution. Kimsuky (North Korea) continues to evolve KimJongRAT, using GitHub and shortened URLs to target Japanese entities. Separately, the GhostShell group is targeting Ukraine's defense supply chain with Vidar infostealers via malicious archives impersonating the Besomar UAV manufacturer. The collective objective across these pulses is the acquisition of credentials, session tokens, and initial access for enterprise espionage or ransomware deployment.

Threat Actor / Malware Profile

1. StealC & Amadey (Commodity Infostealers)

  • Distribution: Malware-as-a-Service (MaaS) distributed via phishing and loader services.
  • Behavior: Written in C++, StealC harvests credentials from browsers, crypto wallets, and messaging apps. Amadey functions as a botnet and loader.
  • C2: Communication with domains like microsoft-telemetry.at and svclsc.com. Operation Endgame has disrupted ~50 domains and 200 IP servers.

2. Woodgnat (Access Broker)

  • Distribution: Sideloading and social engineering.
  • Behavior: Deploys Backdoor.Mistic and ModeloRAT. Mistic uses stealthy persistence mechanisms to serve as a beachhead for ransomware gangs (Qilin, Akira).
  • Infrastructure: Uses deceptive domains like authorized-logins.net and human-check.top for C2.

3. Kimsuky (APT Actor)

  • Distribution: Phishing emails with GitHub-hosted malicious ZIP files.
  • Behavior: Delivers KimJongRAT, combining info-stealing with remote access. Targeting Japan specifically.
  • Infrastructure: Abuses legitimate hosting (Servequake) with domains like googleoba.servequake.com.

4. GhostShell

  • Distribution: Malicious archives containing decoy documents related to UAV/Drone manufacturing.
  • Behavior: Deploys Vidar infostealer to harvest data from defense and procurement networks in Ukraine.

IOC Analysis

The provided indicators primarily consist of C2 Domains, Hostnames, IPv4 addresses, and Payload File Hashes (SHA256/MD5).

  • Operational Guidance:
    • Network: Immediate blocking of listed IPs and domains (e.g., 176.124.199.207, microsoft-telemetry.at, authorized-logins.net) on firewalls and Secure Web Gateways (SWG).
    • Endpoint: EDR solutions should be configured to hunt for the specific SHA256 hashes provided (e.g., 3f797a639bc855bc6d5471f327924b62d10900ddec49b970eca6604142bbb4be associated with Mistic).
    • Decoding: URLs in pulses 1 and 4 suggest simple HTTP GET requests for payload delivery or C2 check-ins. DNS logs should be queried for these domains to identify infected hosts.

Detection Engineering

Sigma Rules

YAML
title: StealC Amadey Infostealer C2 Traffic
id: a1b2c3d4-e5f6-4a7b-8c9d-0e1f2a3b4c5d
description: Detects network connections to known StealC and Amadey C2 infrastructure identified in OTX pulses.
status: experimental
date: 2026/06/26
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/12345678
tags:
    - attack.command_and_control
    - attack.t1071.001
logsource:
    category: network_connection
product: windows
detection:
    selection:
        Initiated: 'true'
        DestinationHostname|contains:
            - 'microsoft-telemetry.at'
            - 'svclsc.com'
            - 'goodpanelforgoodjob.com'
    condition: selection
falsepositives:
    - Unknown
level: critical
---
title: Woodgnat Mistic Backdoor C2 Activity
id: b2c3d4e5-f6a7-4b8c-9d0e-1f2a3b4c5d6e
description: Detects DNS queries or network connections to domains associated with the Woodgnat group and Mistic backdoor.
status: experimental
date: 2026/06/26
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/87654321
tags:
    - attack.command_and_control
    - attack.t1071.004
logsource:
    category: dns
product: windows
detection:
    selection:
        QueryName|contains:
            - 'authorized-logins.net'
            - 'mueleer.com'
            - 'grande-luna.top'
            - 'human-check.top'
    condition: selection
falsepositives:
    - Unknown
level: high
---
title: Kimsuky KimJongRAT GitHub and C2 Connection
id: c3d4e5f6-a7b8-4c9d-0e1f-2a3b4c5d6e7f
description: Detects connections to Servequake infrastructure or GitHub endpoints often abused by Kimsuky for KimJongRAT delivery.
status: experimental
date: 2026/06/26
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/11223344
tags:
    - attack.command_and_control
    - attack.t1102.002
logsource:
    category: network_connection
product: windows
detection:
    selection:
        DestinationHostname|contains:
            - 'servequake.com'
            - 'corpsecs.com'
    condition: selection
falsepositives:
    - Unknown
level: high

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for Infostealer and C2 Network Traffic
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has_any (
    "microsoft-telemetry.at", "svclsc.com", "goodpanelforgoodjob.com",
    "authorized-logins.net", "mueleer.com", "grande-luna.top",
    "googleoba.servequake.com", "corpsecs.com"
)
| summarize count(), FirstSeen=min(Timestamp), LastSeen=max(Timestamp) by DeviceName, RemoteUrl, RemoteIP
| extend risk_score = iff(RemoteUrl contains "corpsecs.com" or RemoteUrl contains "authorized-logins.net", 80, 50)

PowerShell Hunt Script

PowerShell
# IOC Hunter for StealC, Mistic, and KimJongRAT
# Checks DNS Cache and Active Connections for C2 indicators

$MaliciousDomains = @(
    "microsoft-telemetry.at",
    "svclsc.com",
    "authorized-logins.net",
    "googleoba.servequake.com"
)

Write-Host "Checking DNS Cache for malicious indicators..." -ForegroundColor Cyan
$DnsCache = Get-DnsClientCache | Where-Object { $MaliciousDomains -contains $_.Entry }

if ($DnsCache) {
    Write-Host "WARNING: Suspicious DNS entries found!" -ForegroundColor Red
    $DnsCache | Format-Table Entry, Data, TimeToLive
} else {
    Write-Host "No malicious DNS entries found in cache." -ForegroundColor Green
}

Write-Host "Checking Active TCP Connections for indicators..." -ForegroundColor Cyan
$ActiveConnections = Get-NetTCPConnection -State Established | 
    ForEach-Object { 
        $Process = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        if ($Process) {
            [PSCustomObject]@{
                RemoteAddress = $_.RemoteAddress
                RemotePort    = $_.RemotePort
                ProcessName   = $Process.ProcessName
                PID           = $_.OwningProcess
            }
        }
    } | Where-Object { 
        # Filter for known C2 IPs or generic high ports often used by RATs
        $_.RemotePort -gt 1024 
    }

$SuspiciousIPs = @("176.124.199.207", "104.200.67.46")
$FoundConnections = $ActiveConnections | Where-Object { $SuspiciousIPs -contains $_.RemoteAddress }

if ($FoundConnections) {
    Write-Host "WARNING: Active connections to known malicious IPs detected!" -ForegroundColor Red
    $FoundConnections | Format-Table -AutoSize
} else {
    Write-Host "No active connections to known malicious IPs found." -ForegroundColor Green
}


# Response Priorities

*   **Immediate**: Block all listed domains (`microsoft-telemetry.at`, `authorized-logins.net`, `servequake.com`) and IPs at the perimeter firewall and proxy. Isolate hosts matching the SHA256 file hashes for the **Mistic** backdoor and **Vidar** infostealer.
*   **24h**: Conduct credential audits for users on devices that communicated with the C2 infrastructure. Force password resets and invalidate session tokens if **StealC** or **RedLine** infection is suspected.
*   **1 week**: Review email gateway logs for messages containing GitHub links or shortened URLs (Kimsuky vector). Implement application controls to restrict execution of unsigned binaries often used as sideloading targets by Woodgnat.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebotx-pulsedarkweb-credentialsinfostealerinitial-access-brokeraptransomware-precursorcredential-theft

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action