
Stealc, Amadey & Mistic Backdoor: Dark Web Infostealer & Access Broker Surge — OTX Pulse Analysis

Security Arsenal Team
June 28, 2026

Recent intelligence from AlienVault OTX highlights a convergence of sophisticated infostealer operations and access broker activity directly linked to potential ransomware deployment. The data exposes active campaigns leveraging Stealc and Amadey as Malware-as-a-Service (MaaS) platforms, alongside the emergence of Mistic, a new stealthy backdoor attributed to the threat actor Woodgnat.

While Stealc and Amadey focus on bulk harvesting of credentials, cookies, and session tokens (fueling the initial access broker economy), Woodgnat's Mistic represents a more targeted, "high-touch" approach, likely serving as a bridge between initial compromise and ransomware execution (Qilin, Black Basta). Additionally, the threat actors JINX-0164 and Kimsuky continue to leverage social engineering and supply chain attacks to deliver customized malware (AUDIOFIX, KimJongRAT) targeting cryptocurrency users and specific regional sectors (Japan). Collectively, these pulses indicate a highly active dark web marketplace where access is commoditized and malware delivery is increasingly automated via abuse of legitimate platforms (GitHub, LinkedIn).

The primary objective across these campaigns is financial gain, either through direct credential monetization (Stealc/Amadey) or by selling high-value network access to ransomware affiliates (Woodgnat/Mistic).

Threat Actor / Malware Profile

1. StealC & Amadey (MaaS Ecosystem)

  • Attribution: Unknown (Cybercrime-as-a-Service)
  • Malware Families: StealC, Amadey, Lumma Stealer, RedLine, Vidar.
  • Distribution: Primarily distributed via phishing campaigns, cracked software downloads, and malvertising. Often delivered by secondary loaders or dropped by other botnets.
  • Payload Behavior:
    • StealC: C++-based infostealer targeting browsers, crypto wallets, 2FA extensions, and messaging apps. Functions as a loader for subsequent payloads.
    • Amadey: Modular botnet/infostealer capable of downloading and executing arbitrary plugins.
  • C2 Communication: Utilizes HTTP/HTTPS to communicate with command and control (C2) servers. Recent "Operation Endgame" disrupted nearly 200 IP-based C2 servers, but the infrastructure is resilient.
  • Persistence: Established via Scheduled Tasks, Registry Run keys, or folder junctions to maintain access.

2. Woodgnat (Initial Access Broker)

  • Threat Actor: Woodgnat
  • Malware Families: Mistic Backdoor, ModeloRAT, GateKeeper.
  • Distribution: Sophisticated social engineering and sideloading techniques. Targeted at Insurance, Education, and Technology sectors.
  • Payload Behavior:
    • Mistic: A stealthy backdoor used for reconnaissance and lateral movement. Often deployed alongside ModeloRAT.
  • C2 Communication: Encrypted channels to bespoke C2 domains (e.g., authorized-logins.net).
  • Persistence: Likely uses Service registration or hijacking legitimate signed binaries (sideloading).

3. JINX-0164 (Crypto-focused)

  • Threat Actor: JINX-0164
  • Malware Families: AUDIOFIX (Python RAT), MINIRAT (Go backdoor).
  • Distribution: LinkedIn social engineering (posing as recruiters) and supply chain attacks (NPM trojan, CI/CD hijacking). Targets macOS developers.

4. Kimsuky (APT)

  • Threat Actor: Kimsuky (North Korea)
  • Malware Families: KimJongRAT, MeshAgent.
  • Distribution: Phishing emails with shortened URLs pointing to GitHub Releases.
  • Objective: Intelligence gathering and long-term persistence in targets, specifically in Japan.

IOC Analysis

The provided OTX pulses offer a mix of network and file-based indicators crucial for detection and containment:

  • Domains & Hostnames: Includes typosquatting (e.g., microsoft-telemetry.at, login.teamicrosoft.com) and C2 domains (e.g., authorized-logins.net). SOC teams should immediately block these at the perimeter (DNS Firewall) and inspect internal logs for any historical resolution requests.
  • IP Addresses: Specific C2 IPs such as 176.124.199.207 (Amadey) and 104.200.67.46 (Kimsuky) should be blocked. These are critical for identifying active callback traffic from infected endpoints.
  • File Hashes: Numerous MD5, SHA1, and SHA256 hashes for the malware binaries. EDR solutions should be configured to quarantine any process matching these hashes.
  • URLs: Malicious download URLs and C2 callback paths (e.g., /cvdfnaFJBmC0/index.php, /agent.ashx). Proxy logs should be queried for these specific paths.

Operationalizing IOCs: SOC teams should ingest these IOCs into their SIEM (e.g., Splunk, Sentinel) and EDR (e.g., CrowdStrike, Defender) to generate alerts for matches. Network tools like Zeek or Suricata can use the domain/IP lists for real-time blocking.
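To make the ingestion step concrete, here is an added Python example (not the article's or AlienVault's code) that loads indicators of the types listed above and hunts historical DNS and proxy records for them. It assumes the OTX pulse JSON layout (an `indicators` list whose entries carry `indicator` and `type`), uses a pulse constructed from indicators quoted in this article, runs over constructed log lines, and introduces the names `load_indicators`, `domain_hit` and `hunt`.

```python
"""Added example (not the article's or AlienVault's code): load OTX-style indicators the
article quotes and hunt constructed DNS/proxy log lines for resolutions and callbacks."""
import json
from urllib.parse import urlparse

PULSE_JSON = """{"name": "constructed pulse", "indicators": [
 {"indicator": "microsoft-telemetry.at", "type": "domain"},
 {"indicator": "authorized-logins.net", "type": "domain"},
 {"indicator": "login.teamicrosoft.com", "type": "hostname"},
 {"indicator": "176.124.199.207", "type": "IPv4"},
 {"indicator": "http://176.124.199.207/cvdfnaFJBmC0/index.php", "type": "URL"}]}"""
DNS_LOG = [  # constructed Zeek-style dns.log excerpt: ts src_ip query
    "2026-06-28T09:12:01Z 10.0.4.17 login.teamicrosoft.com",
    "2026-06-28T09:12:05Z 10.0.4.17 www.microsoft.com",
    "2026-06-28T09:13:40Z 10.0.9.2 MICROSOFT-TELEMETRY.AT.",
]
PROXY_LOG = [  # constructed proxy excerpt: ts src_ip dst_ip uri
    "2026-06-28T09:14:00Z 10.0.4.17 176.124.199.207 /cvdfnaFJBmC0/index.php",
    "2026-06-28T09:14:02Z 10.0.4.17 23.1.1.1 /index.php",
]

def load_indicators(pulse_json: str) -> dict[str, set[str]]:
    """Bucket indicators by how they are matched: domain suffix, exact IP, URI path."""
    b: dict[str, set[str]] = {"domain": set(), "ip": set(), "uri_path": set()}
    for ind in json.loads(pulse_json)["indicators"]:
        value, kind = ind["indicator"], ind["type"]
        if kind in ("domain", "hostname"):
            b["domain"].add(value.lower().rstrip("."))
        elif kind == "IPv4":
            b["ip"].add(value)
        elif kind == "URL":  # keep only the callback path; C2 hosts rotate, paths rarely do
            b["uri_path"].add(urlparse(value).path)
    return b

def domain_hit(name: str, domains: set[str]) -> bool:
    """True if name is an IOC domain or a subdomain of one (case and trailing dot safe)."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in domains)

def hunt(b: dict[str, set[str]], dns_log: list[str], proxy_log: list[str]) -> list[str]:
    """Return 'src -> indicator' for historical DNS resolutions and proxy callbacks."""
    hits = []
    for _ts, src, query in (line.split() for line in dns_log):
        if domain_hit(query, b["domain"]):
            hits.append(f"{src} -> {query.lower().rstrip('.')}")
    for _ts, src, dst, uri in (line.split() for line in proxy_log):
        if dst in b["ip"] or uri in b["uri_path"]:
            hits.append(f"{src} -> {dst}{uri}")
    return hits
```

The suffix match in `domain_hit` is what catches a lookup of `login.teamicrosoft.com` when the feed only lists the parent domain, and the path-only URI match survives the C2 host rotating to a new IP.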

Detection Engineering

Sigma Rules

YAML
---
title: Potential Stealc Infostealer Execution
description: Detects execution patterns associated with Stealc infostealer, including suspicious process execution and C2 communication patterns observed in recent campaigns.
references:
  - https://otx.alienvault.com/pulse/667b0e3d7c1b3c4c6d8e9f0a
author: Security Arsenal Research
date: 2026/06/28
tags:
  - attack.credential_access
  - attack.collection
  - attack.t1555.003 # Credentials from Web Browsers (T1056 is Input Capture, which Stealc is not described as doing)
  - attack.t1539     # Steal Web Session Cookie
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|endswith:
      - '\explorer.exe'
      - '\cmd.exe'
    Image|endswith:
      - '\StealC.exe'
      - '\svchost.exe' # Often masquerades as svchost
      - '\msupdate.exe'
    CommandLine|contains:
      - 'token'
      - 'cookies'
      - 'wallets'
  condition: selection
falsepositives:
  - Legitimate administration tools
level: critical
---
title: Amadey Botnet C2 Traffic
description: Detects potential web traffic to Amadey Command and Control servers based on suspicious host headers and URI structures. Uses proxy/web logs, since Windows network_connection events carry no request URI.
references:
  - https://otx.alienvault.com/pulse/667c1f4e8d2a5d7e0f1a2b3c
author: Security Arsenal Research
date: 2026/06/28
tags:
  - attack.command_and_control
  - attack.t1071
logsource:
  category: proxy
detection:
  selection:
    cs-host|contains:
      - 'microsoft-telemetry.at'
      - 'svclsc.com'
    c-uri|contains:
      - '/ms/index.php'
  condition: selection
falsepositives:
  - Rare
level: high
---
title: Mistic Backdoor Persistence via Scheduled Task
description: Detects the creation of a scheduled task (Security event 4698, which requires "Audit Other Object Access Events" to be enabled) whose action launches PowerShell, rundll32 or regsvr32, a pattern that may be used by the Mistic backdoor for persistence under innocuous task names.
references:
  - https://otx.alienvault.com/pulse/667d2a5f9e3b6e8f1a2b3c4d
author: Security Arsenal Research
date: 2026/06/28
tags:
  - attack.persistence
  - attack.t1053
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID: 4698
    TaskName|contains:
      - 'Update'
      - 'Service'
    # 4698 exposes the task XML as TaskContent; Command and Arguments are separate
    # elements, so match the binary name rather than 'powershell.exe -Enc' as one string
    TaskContent|contains:
      - 'powershell'
      - 'rundll32.exe'
      - 'regsvr32.exe'
  condition: selection
falsepositives:
  - Legitimate software updates
level: medium

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for network connections to known Stealc/Amadey C2 infrastructure
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has_any ("microsoft-telemetry.at", "svclsc.com", "goodpanelforgoodjob.com", "authorized-logins.net", "corpsecs.com", "servequake.com")
  or RemoteIP in ("176.124.199.207", "176.111.174.140", "62.60.226.159", "104.200.67.46", "89.36.224.5")
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, RemoteUrl, RemoteIP, RemotePort, ActionType
// Keep RemoteIP in the grouping so IP-only matches (empty RemoteUrl) are not collapsed into one row
| summarize Connections = count(), FirstSeen = min(Timestamp), LastSeen = max(Timestamp), Processes = make_set(InitiatingProcessFileName) by DeviceName, RemoteUrl, RemoteIP

PowerShell Hunt Script

PowerShell
# IOC Hunt Script for Stealc, Amadey, and Mistic Artifacts
# Run as Administrator. Hash IOCs are kept in separate SHA256 and SHA1 lists so each
# file is compared against a digest of the matching algorithm (a SHA1 value would
# otherwise never match a computed SHA256).

$IOC_SHA256 = @(
    "8cef760d11d24fc2e9bbd9f770dca5105854f7ece3b0e6948d7c8b7fdd1765ea",
    "3f797a639bc855bc6d5471f327924b62d10900ddec49b970eca6604142bbb4be",
    "b6cab0b3aa8e56d2427f486c74588d598ae58bb0cbc0eda6939fe171cb0aed17",
    "9758e76b601798a30d903bf05052a53df80451e5c156548ce9da828f608b6470"
)
$IOC_SHA1 = @(
    "ff8d2afd9d7f0a828592fee34ca55d1a3542f7ed"
)

$IOC_Domains = @(
    "microsoft-telemetry.at",
    "svclsc.com",
    "authorized-logins.net",
    "driver-updater.net",
    "teamicrosoft.com",
    "corpsecs.com"
)

Write-Host "[+] Scanning for file hashes..." -ForegroundColor Cyan
# -File skips directories (Get-FileHash cannot hash them); the size filter keeps the scan tractable
Get-ChildItem -Path C:\ -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Length -gt 0kb -and $_.Length -lt 5mb } |
    ForEach-Object {
        $sha256 = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        if ($sha256 -in $IOC_SHA256) {
            Write-Host "[!] MALICIOUS FILE FOUND: $($_.FullName) | SHA256: $sha256" -ForegroundColor Red
        }
        $sha1 = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA1 -ErrorAction SilentlyContinue).Hash
        if ($sha1 -in $IOC_SHA1) {
            Write-Host "[!] MALICIOUS FILE FOUND: $($_.FullName) | SHA1: $sha1" -ForegroundColor Red
        }
    }

Write-Host "[+] Checking DNS cache for malicious domains..." -ForegroundColor Cyan
# Match the IOC domain itself and any subdomain of it (e.g. login.teamicrosoft.com)
Get-DnsClientCache -ErrorAction SilentlyContinue |
    Where-Object {
        $entry = $_.Entry
        $IOC_Domains | Where-Object { $entry -eq $_ -or $entry -like "*.$_" }
    } |
    ForEach-Object {
        Write-Host "[!] MALICIOUS DOMAIN RESOLUTION: $($_.Entry) -> $($_.Data)" -ForegroundColor Red
    }

Write-Host "[+] Checking for suspicious scheduled tasks..." -ForegroundColor Cyan
# Inspect each task's action objects (Execute + Arguments) rather than the exported XML,
# where "powershell.exe" and "-Enc" sit in separate elements and never match as one string
Get-ScheduledTask | Where-Object { $_.State -in @("Ready", "Running") } | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        $cmdline = "$($action.Execute) $($action.Arguments)"
        if ($cmdline -match "(rundll32|regsvr32|powershell|-enc)") {
            Write-Host "[!] SUSPICIOUS TASK: $($task.TaskName) at $($task.TaskPath)" -ForegroundColor Yellow
            Write-Host "    Action: $cmdline"
        }
    }
}
Write-Host "[*] Scan complete." -ForegroundColor Green


Response Priorities

Immediate:
  • Block all identified IOCs (IPs, domains, URLs) at the firewall, proxy, and DNS levels.
  • Initiate a hunt for the file hashes provided across all endpoints using EDR.
  • Isolate any endpoints with confirmed matches or suspicious behavior.

24h:
  • If credential-stealing malware (Stealc, Amadey) is suspected or confirmed, force a password reset for all affected users and revoke session tokens.
  • Review VPN and remote access logs for connections originating from infected IPs.
  • Conduct a forensic analysis of the "Mistic" backdoor indicators if targeting matches the sector profile (Insurance, Education, Tech).

1 week:
  • Implement application allowlisting to prevent the execution of unsigned binaries in user directories.
  • Harden browser security policies to mitigate cookie/session theft (disable third-party cookies, enforce hardware-bound tokens).
  • Conduct security awareness training focusing on identifying sophisticated social engineering (LinkedIn recruiting scams) and phishing.
