Back to Intelligence

StealC, Amadey, and Mistic Backdoor: OTX Pulse Analysis — Enterprise Credential Theft & Access Brokerage

SA
Security Arsenal Team
June 25, 2026
6 min read

Recent OTX pulses indicate a surge in credential theft and initial access brokerage (IAB) operations. The intelligence highlights a dual-threat landscape: pervasive, commodity Infostealer-as-a-Service (StealC, Amadey, Vidar) and targeted operations using custom backdoors (Mistic, KimJongRAT).

  • Commodity Threats: StealC and Amadey continue to dominate the cybercrime ecosystem, harvesting browser data and crypto-wallets to facilitate enterprise breaches. While Operation Endgame has disrupted significant C2 infrastructure, residual activity and variant campaigns persist.
  • Targeted Intrusions: The Woodgnat threat actor is leveraging the new Mistic backdoor alongside ModeloRAT to facilitate access for ransomware gangs (Qilin, Akira). Concurrently, the GhostShell group is targeting Ukraine's defense supply chain using Vidar, and Kimsuky is evolving KimJongRAT via GitHub abuse to target Japanese entities.

The collective objective is clear: acquire valid credentials and session tokens to bypass authentication controls, enabling secondary infections, data exfiltration, and ransomware deployment.

Threat Actor / Malware Profile

StealC & Amadey (Infostealers)

  • Distribution: Delivered via phishing emails, malicious downloads, and loader services.
  • Behavior: StealC (C++) targets browsers, crypto wallets, and messaging apps. Amadey functions as a botnet and loader for subsequent payloads.
  • C2: Communication with HTTP-based C2 servers to exfiltrate logs (cookies, passwords) and receive commands.
  • Persistence: Registry run keys or scheduled tasks.

Mistic Backdoor & ModeloRAT (Woodgnat)

  • Actor: Woodgnat (Initial Access Broker).
  • Behavior: Mistic is a stealthy backdoor utilizing DLL sideloading to execute code. Often paired with ModeloRAT.
  • Affiliations: Linked to multiple ransomware operations including Qilin, Interlock, and Black Basta.
  • Technique: Sideloading via legitimate signed binaries to evade detection.

KimJongRAT (Kimsuky)

  • Actor: Kimsuky (North Korean APT).
  • Target: Japan (primarily).
  • Distribution: Phishing emails with shortened URLs pointing to GitHub Releases hosting malicious ZIPs.
  • Behavior: Information stealing and remote access.

GhostShell (Vidar)

  • Actor: GhostShell.
  • Target: Ukraine Defense / UAV Supply Chain.
  • Distribution: Malicious archives impersonating "Besomar" drone manufacturer documents.
  • Behavior: Deploys Vidar infostealer to harvest sensitive data.

IOC Analysis

The provided pulses yield a mix of network and file-based indicators critical for detection:

  • Domains & URLs: Several domains mimic legitimate services (e.g., microsoft-telemetry.at, googleoba.servequake.com). These should be blocked at the proxy/DNS level.
  • IP Addresses: Multiple C2 IPs (e.g., 176.124.199.207, 104.200.67.46) are associated with active botnets.
  • File Hashes: Numerous SHA256 and MD5 hashes for the malware payloads (StealC, Amadey, Mistic, Vidar).

Operationalization: SOC teams should ingest these IOCs into SIEM correlation engines and EDR threat feeds. Focus specifically on the domain names associated with "telemetry" spoofing and the GitHub-related URLs used by Kimsuky. Decoding tools like CyberChef can assist in analyzing the PowerShell droppers often associated with these campaigns.

Detection Engineering

Sigma Rules

YAML
title: Potential StealC or Amadey Infostealer Activity
id: 9b8f7e3a-1d2c-4b5a-9a6b-3c7d8e9f0a1b
description: Detects potential execution of StealC or Amadey infostealers based on common process trees and file access patterns.
status: experimental
date: 2026/06/25
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/667a8b8e9b8f7e3a
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith:
            - '\\explorer.exe'
            - '\\cmd.exe'
            - '\\powershell.exe'
        Image|endswith:
            - '\\cmd.exe'
            - '\\powershell.exe'
            - '\\rundll32.exe'
        CommandLine|contains:
            - 'cookies'
            - 'login_data'
            - 'WebData'
            - 'wallet.dat'
    condition: selection
falsepositives:
    - Legitimate administrative scripts accessing browser data
level: high
tags:
    - attack.credential_access
    - attack.execution
    - malware.stealc
    - malware.amadey

---
title: Suspicious Sideloading via Rundll32 (Mistic Backdoor Pattern)
id: a1b2c3d4-e5f6-4a5b-8c9d-0e1f2a3b4c5d
description: Detects suspicious DLL sideloading activity often associated with Mistic backdoor and similar IAB tools.
status: experimental
date: 2026/06/25
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/667a8b8e9b8f7e3c
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\\rundll32.exe'
        CommandLine|contains: '.dll,'
        CommandLine|contains:
            - 'javascript:'
            - 'DllRegisterServer'
            - 'DllInstall'
    filter_legitimate:
        CommandLine|contains:
            - '\\Windows\\System32\\'
            - '\\Windows\\SysWOW64\\'
    condition: selection and not filter_legitimate
falsepositives:
    - Legitimate software installers
level: high
tags:
    - attack.defense_evasion
    - attack.persistence
    - malware.mistic

---
title: Kimsuky KimJongRAT GitHub Download Pattern
date: 2026/06/25
author: Security Arsenal
status: experimental
description: Detects potential KimJongRAT infection vectors involving downloads from GitHub URLs or shortened links resolving there.
references:
    - https://otx.alienvault.com/pulse/667a8b8e9b8f7e3d
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Initiated: 'true'
        DestinationHostname|contains:
            - 'github.com'
            - 'githubusercontent.com'
    filter_ports:
        DestinationPort:
            - 80
            - 443
    condition: selection and filter_ports
falsepositives:
    - Legitimate developer activity
level: medium
tags:
    - attack.initial_access
    - attack.command_and_control
    - apt.kimsuky

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for StealC/Amadey C2 Communication and Suspicious Processes
let IOC_Domains = dynamic(['microsoft-telemetry.at', 'svclsc.com', 'goodpanelforgoodjob.com', 'googleoba.servequake.com', 'corpsecs.com']);
let IOC_IPs = dynamic(['176.124.199.207', '176.111.174.140', '62.60.226.159', '94.154.35.25', '64.188.91.237', '196.251.107.130', '104.200.67.46']);
// Network Connections to IOCs
DeviceNetworkEvents
| where RemoteUrl in~ IOC_Domains or RemoteIP in IOC_IPs
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteUrl, RemoteIP, RemotePort
| union (
    // Process creation related to typical stealer behavior
    DeviceProcessEvents
    | where ProcessCommandLine has_any ('cookies', 'wallet.dat', 'WebData', 'steal', 'amadey')
    | project Timestamp, DeviceName, AccountName, ProcessCommandLine, FolderPath, InitiatingProcessFileName
)

PowerShell Hunt Script

PowerShell
# IOC Hunter for StealC, Amadey, and Mistic
# Check for specific file hashes on disk
$TargetHashes = @(
    "8cef760d11d24fc2e9bbd9f770dca5105854f7ece3b0e6948d7c8b7fdd1765ea", # StealC SHA256
    "3f797a639bc855bc6d5471f327924b62d10900ddec49b970eca6604142bbb4be", # Mistic SHA256
    "9758e76b601798a30d903bf05052a53df80451e5c156548ce9da828f608b6470"  # KimJongRAT SHA256
)

Write-Host "[+] Scanning for known malicious file hashes..."
Get-ChildItem -Path C:\ -Recurse -ErrorAction SilentlyContinue | 
    ForEach-Object { 
        $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        if ($TargetHashes -contains $hash) {
            Write-Host "[!] MALICIOUS FILE FOUND: $($_.FullName) - Hash: $hash" -ForegroundColor Red
        }
    }

# Check Hosts File for C2 Domains
$MaliciousDomains = @(
    "microsoft-telemetry.at",
    "svclsc.com",
    "authorized-logins.net",
    "mueleer.com"
)

Write-Host "[+] Checking Hosts file for malicious domain redirects..."
$HostsPath = "$env:windir\System32\drivers\etc\hosts"
if (Test-Path $HostsPath) {
    $Content = Get-Content $HostsPath
    foreach ($Domain in $MaliciousDomains) {
        if ($Content -match $Domain) {
            Write-Host "[!] SUSPICIOUS ENTRY FOUND in hosts file for: $Domain" -ForegroundColor Yellow
        }
    }
}
Write-Host "[+] Scan complete."


# Response Priorities

Immediate (0-12 hours)

  • Block IOCs: Immediately block all listed domains and IP addresses at network perimeter devices (Firewall, Proxy) and endpoints (EDR).
  • Hunt Compromise: Utilize the provided KQL and PowerShell scripts to scan endpoints for the presence of the specific file hashes and suspicious processes.
  • Isolate: Isolate any endpoints returning positive matches for Mistic, StealC, or KimJongRAT artifacts.

24 Hours

  • Credential Audit: If StealC or Amadey infection is confirmed, initiate a forced password reset for all browser-saved credentials and session tokens for affected users.
  • Supply Chain Review: For defense industry entities, validate the integrity of communications with suppliers (specifically UAV/Drone manufacturers) against the GhostShell indicators.

1 Week

  • Architecture Hardening: Implement strict allow-listing for scripting engines (PowerShell, Rundll32) and restrict access to GitHub-like services to only approved developer accounts.
  • Threat Intel Integration: Automate the ingestion of OTX pulses into your SIEM to ensure future alerts from Operation Endgame or similar disruptions are actioned automatically.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebotx-pulsedarkweb-credentialsinfostealerstealcamadeymistic-backdoorkimjongrat

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action