Recent OTX pulses indicate a coordinated spike in credential theft and initial access facilitation across multiple threat vectors. The landscape features the "StealC" and "Amadey" infostealers operating as Malware-as-a-Service (MaaS), the "Woodgnat" threat group deploying the "Mistic" backdoor for ransomware pre-positioning (linked to Qilin and Black Basta), and the "FortiBleed" operation utilizing "CyberStrike Harvester" to mass-harvest FortiGate credentials. Additionally, the "GhostShell" actor is targeting Ukraine's UAV supply chain with Vidar, while a fileless steganographic loader campaign targets the finance sector with Remcos and Agent Tesla. Collectively, these campaigns aim to harvest credentials, establish persistence, and facilitate downstream extortion.
Threat Actor / Malware Profile
- StealC & Amadey: MaaS infostealers targeting browser credentials, cookies, and crypto wallets. StealC (C++) functions as a secondary loader. Distributed via cybercrime services.
- Woodgnat (Mistic / ModeloRAT): An initial access broker linked to major ransomware gangs. Uses Mistic backdoor deployed via DLL sideloading for stealthy persistence. Often paired with ModeloRAT.
- GhostShell: Targeted adversary against Ukrainian defense entities. Uses malicious archives impersonating "Besomar" UAV manufacturer to deliver Vidar infostealer.
- FortiBleed / CyberStrike Harvester: A credential factory targeting FortiGate firewalls. Employs credential stuffing, password spraying, and exploits (CVE-2026-35616, CVE-2026-0257) to harvest credentials for offline cracking.
- Steganographic Loader: A fileless campaign targeting finance. Uses steganography to hide payloads in images, deploying Remcos RAT, Agent Tesla, and Formbook.
IOC Analysis
- Domains:
microsoft-telemetry.at,svclsc.com,mueleer.com,grande-luna.top. C2 infrastructure for StealC and Mistic. - IPs:
85.11.187.8,193.8.187.42. Known CyberStrike Harvester nodes. - Hashes: Multiple SHA256/MD5 hashes associated with StealC, Mistic, and GhostShell loaders (e.g.,
8cef760d11d24fc2e9bbd9f770dca5105854f7ece3b0e6948d7c8b7fdd1765ea). - CVEs: CVE-2026-35616, CVE-2026-0257.
- Operationalization: Block domains/IPs at perimeter. Ingest file hashes into EDR for immediate scanning. Prioritize patching identified CVEs on FortiGate devices.
Detection Engineering
Sigma Rules
YAML
---
title: Potential StealC or Amadey Infostealer Activity
id: 8cef760d-11d2-4fc2-e9bb-9f770dca5105
status: experimental
description: Detects suspicious process execution patterns associated with StealC and Amadey infostealers accessing browser data.
references:
- https://otx.alienvault.com/pulse/6265c7f8e1c8e9f7e2d1c0d5/
author: Security Arsenal
date: 2026/06/24
tags:
- attack.credential_access
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '\stealc.exe'
- '\amadey.exe'
condition: selection
falsepositives:
- Unknown
level: high
---
title: Mistic Backdoor Sideloading via Control Panel
id: 3f797a63-9bc8-55bc-6d54-71f327924b62
status: experimental
description: Detects potential sideloading of Mistic Backdoor via control.exe executing DLLs.
references:
- https://otx.alienvault.com/pulse/6265c7f8e1c8e9f7e2d1c0d6/
author: Security Arsenal
date: 2026/06/24
tags:
- attack.defense_evasion
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\control.exe'
CommandLine|contains: '.cpl'
condition: selection
falsepositives:
- Legitimate Control Panel usage
level: medium
---
title: FortiBleed / CyberStrike Harvester Brute Force Activity
id: 2758f4d7-1a2a-2dfd-efab-81737c2d776b
status: experimental
description: Detects potential brute force attempts indicative of FortiBleed targeting FortiGate SSL VPNs.
references:
- https://otx.alienvault.com/pulse/6265c7f8e1c8e9f7e2d1c0d7/
author: Security Arsenal
date: 2026/06/24
tags:
- attack.initial_access
logsource:
product: firewall
detection:
selection:
dst_port: 443
app|contains: 'sslvpn'
action: 'accept'
filter:
src_ip|cidr:
- '10.0.0.0/8'
- '192.168.0.0/16'
timeframe: 1m
condition: selection | count() > 20 and not filter
falsepositives:
- High volume legitimate login traffic
level: high
**KQL (Microsoft Sentinel)**
kql
// Hunt for StealC/Amadey C2 Domains
DeviceNetworkEvents
| where RemoteUrl has_any (
"microsoft-telemetry.at",
"svclsc.com",
"mueleer.com"
)
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteUrl, RemoteIP
| order by Timestamp desc
;
// Hunt for Mistic/FortiBleed File Hashes
DeviceProcessEvents
| where SHA256 in (
"8cef760d11d24fc2e9bbd9f770dca5105854f7ece3b0e6948d7c8b7fdd1765ea",
"3f797a639bc855bc6d5471f327924b62d10900ddec49b970eca6604142bbb4be"
)
| project Timestamp, DeviceName, FolderPath, SHA256
| order by Timestamp desc
**PowerShell Hunt Script**
powershell
# IOC Hunt Script for StealC, Mistic, and FortiBleed Artifacts
$IOCs = @{
Hashes = @(
"8cef760d11d24fc2e9bbd9f770dca5105854f7ece3b0e6948d7c8b7fdd1765ea",
"3f797a639bc855bc6d5471f327924b62d10900ddec49b970eca6604142bbb4be"
)
}
Write-Host "Scanning C: drive for malicious file hashes..."
Get-ChildItem -Path "C:\" -Recurse -ErrorAction SilentlyContinue |
Where-Object { $_.Length -gt 0 } |
ForEach-Object {
$fileHash = Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
if ($IOCs.Hashes -contains $fileHash.Hash) {
Write-Host "Match found: $($_.FullName)" -ForegroundColor Red
}
}
Response Priorities
- Immediate: Block listed IOCs (domains/IPs) on network perimeter. Isolate endpoints with matching file hashes.
- 24h: Reset credentials for FortiGate VPN users and accounts on infected endpoints. Investigate session token theft.
- 1 Week: Apply patches for CVE-2026-35616 and CVE-2026-0257. Harden VPN access policies with MFA.
Related Resources
Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub
darkwebotx-pulsedarkweb-credentialsstealcfortibleedmistic-backdoorinfostealerransomware-access
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.