Threat Summary
Recent OTX pulses indicate a disturbing convergence between commoditized Malware-as-a-Service (MaaS) infostealers and sophisticated initial access brokers (IABs) and state-sponsored actors. The ecosystem is dominated by StealC and Amadey, which are actively harvesting browser sessions and cryptocurrency wallets to facilitate enterprise breaches. These commodity threats are being supplemented by targeted operations: Woodgnat is deploying the new Mistic backdoor alongside ModeloRAT to facilitate ransomware, while the North Korean Kimsuky group continues to evolve KimJongRAT using GitHub for distribution. Simultaneously, the new GhostShell group is targeting Ukraine's UAV supply chain using Vidar. The common objective across all these disparate actors is the theft of valid credentials and session tokens to bypass authentication controls.
Threat Actor / Malware Profile
StealC & Amadey (Commodity MaaS)
- Distribution: Phishing attachments, malicious downloads, fake software updates.
- Behavior: StealC is a C++ based infostealer targeting browsers, wallets, and 2FA extensions. Amadey functions as a botnet and loader, often used to deploy second-stage payloads like StealC.
- C2: Communicates with hard-coded domains (e.g., microsoft-telemetry.at) to exfiltrate data and receive commands.
- Persistence: Often utilizes scheduled tasks or registry run keys.
Woodgnat & Mistic Backdoor (Ransomware IAB)
- Actor Profile: Access broker associated with Qilin, Black Basta, and Akira ransomware operations.
- Behavior: Mistic is a stealthy backdoor deployed alongside ModeloRAT. It uses DLL sideloading to evade detection and establishes persistence for long-term access.
- Techniques: Heavy reliance on social engineering and sideloading to bypass security controls.
Kimsuky & KimJongRAT (State-Sponsored)
- Targeting: Organizations in Japan, as part of broader intelligence-gathering operations.
- Behavior: KimJongRAT combines remote access capabilities with information stealing. Recent campaigns use shortened URLs pointing to GitHub Releases hosting malicious ZIP files.
- C2: Uses domains mimicking legitimate services (e.g., googleoba.servequake.com) to blend in with traffic.
GhostShell & Vidar (Targeted Espionage)
- Targeting: Ukraine's defense and UAV supply chain.
- Behavior: Uses malicious archives with decoy documents impersonating legitimate manufacturers (Besomar). Deploys Vidar to steal credentials and system information.
IOC Analysis
The provided indicators reveal a clear pattern of infrastructure abuse:
- Domains: Typosquatting and spoofing of vendor names are prevalent (e.g., microsoft-telemetry.at, update.update-fall.com). Block these at the DNS layer (resolver blocklist or RPZ) as well as at the proxy, since a DNS-layer block also covers non-browser processes that never touch the proxy.
- File Hashes: Numerous SHA256, MD5, and SHA1 hashes are provided for the payload executables. Add them to EDR blocklists, but treat hash matches as a floor rather than a ceiling: repacking a sample changes its hash, so the behavioural detections below matter more over time.
- IPs: C2 infrastructure spans various geolocations, often hosted on VPS providers. Blocklisting these IPs at the perimeter is recommended, though IP shifting is common for these actors.
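The blocking workflow described above, as an added example in Python (not code from the original report): it refangs indicators, classifies them by type, buckets them into blocklists, and renders the domains as a BIND Response Policy Zone for the DNS-layer block. The domains and SHA256 hashes are the ones quoted on this page; the defanged forms, the hxxps URL and the address 198.51.100.23 (RFC 5737 documentation range) are constructed to exercise refanging, and the zone name ioc.rpz.local and the 300 s TTL are assumptions.

```python
"""Normalise the report's indicators and package them for blocking.

Added example, not from the original report. REPORT_IOCS holds the domains and
SHA256 hashes quoted on the page plus constructed entries (defanged spellings,
an hxxps URL, and 198.51.100.23, a documentation-range placeholder, not a real
C2). The RPZ zone name and TTL are assumptions.
"""
import ipaddress
import re

# Common defanging conventions seen in threat reports.
DEFANG = (("hxxp", "http"), ("[.]", "."), ("(.)", "."), ("[:]", ":"))
HEX_RE = re.compile(r"^[0-9a-f]+$")
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")
HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}


def refang(ioc):
    """Turn a defanged indicator back into its real form."""
    value = ioc.strip()
    for fake, real in DEFANG:
        value = value.replace(fake, real)
    return value


def classify(ioc):
    """Return (kind, normalised value); kind is md5/sha1/sha256/ip/domain or None."""
    value = refang(ioc).lower()
    if "://" in value:  # URL: keep only the host so it can be blocked at DNS
        value = value.split("://", 1)[1].split("/", 1)[0].split(":", 1)[0]
    if HEX_RE.match(value):
        return HASH_LENGTHS.get(len(value)), value
    try:
        ipaddress.ip_address(value)
        return "ip", value
    except ValueError:
        pass
    if DOMAIN_RE.match(value):
        return "domain", value
    return None, value


def build_blocklists(iocs):
    """Bucket indicators by type; unrecognised ones are kept under 'unknown' so nothing is silently dropped."""
    buckets = {k: set() for k in ("md5", "sha1", "sha256", "ip", "domain", "unknown")}
    for raw in iocs:
        kind, value = classify(raw)
        buckets[kind or "unknown"].add(value)
    return buckets


def rpz_zone(domains, zone="ioc.rpz.local", ttl=300):
    """Render a BIND RPZ zone. 'CNAME .' makes the resolver answer NXDOMAIN for the
    name; the wildcard record extends that to every subdomain (cdn.<domain> etc.)."""
    lines = [
        f"$TTL {ttl}",
        f"$ORIGIN {zone}.",
        f"@ IN SOA localhost. hostmaster.{zone}. 1 3600 900 604800 {ttl}",
        "@ IN NS localhost.",
    ]
    for domain in sorted(domains):
        lines.append(f"{domain} IN CNAME .")
        lines.append(f"*.{domain} IN CNAME .")
    return "\n".join(lines) + "\n"


# Indicators quoted in the report, plus constructed defanged entries (see docstring).
REPORT_IOCS = [
    "microsoft-telemetry[.]at",
    "update.update-fall.com",
    "svclsc.com",
    "googleoba.servequake.com",
    "hxxps://corpsecs[.]com/",
    "8cef760d11d24fc2e9bbd9f770dca5105854f7ece3b0e6948d7c8b7fdd1765ea",
    "3f797a639bc855bc6d5471f327924b62d10900ddec49b970eca6604142bbb4be",
    "198.51.100.23",
]

if __name__ == "__main__":
    lists = build_blocklists(REPORT_IOCS)
    for kind, values in lists.items():
        print(f"{kind}: {sorted(values)}")
    print(rpz_zone(lists["domain"]))
```

The hash buckets feed the EDR blocklist and the IP bucket the perimeter rules; keep the 'unknown' bucket in the review loop, because a mangled indicator that is silently dropped is the one that ends up not blocked.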
Detection Engineering
Sigma Rules
---
title: Potential Infostealer Browser Credential Store Access
id: 422f1c11-8a77-4c47-9b17-1a8c3d3c4f8e
status: experimental
description: Detects non-browser processes reading browser credential, cookie or autofill databases, behaviour characteristic of StealC, Vidar, or RedLine infostealers. Requires file-access telemetry (Microsoft-Windows-Kernel-File ETW or SACLs on the profile directories); the file_access category exposes the path as FileName.
author: Security Arsenal
date: 2026-06-26
tags:
    - attack.credential_access
    - attack.t1555.003
logsource:
    category: file_access
    product: windows
detection:
    selection_store:
        # endswith rather than a fixed 'Default\' path so non-default profiles
        # and the Network\Cookies location used by newer Chromium builds match
        FileName|endswith:
            - '\Login Data'
            - '\Cookies'
            - '\Web Data'
            - '\logins.json'
            - '\key4.db'
    selection_profile:
        FileName|contains:
            - '\Google\Chrome\User Data\'
            - '\Microsoft\Edge\User Data\'
            - '\BraveSoftware\Brave-Browser\User Data\'
            - '\Mozilla\Firefox\Profiles\'
    filter_main_browsers:
        Image|endswith:
            - '\chrome.exe'
            - '\firefox.exe'
            - '\brave.exe'
            - '\msedge.exe'
    condition: all of selection_* and not filter_main_browsers
falsepositives:
    - Password managers and backup agents that read browser storage
    - Browser updaters or crash handlers launched from the browser install directory
level: high
---
title: Network Connection to Known StealC, Amadey and KimJongRAT C2 Domains
id: 550e8400-e29b-41d4-a716-446655440002
status: experimental
description: Detects outbound network connections to C2 domains reported for the StealC, Amadey, and KimJongRAT campaigns. Indicator-based, so the list will age quickly; pair it with the behavioural rules in this report.
author: Security Arsenal
date: 2026-06-26
tags:
    - attack.command_and_control
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Initiated: 'true'
        DestinationHostname|contains:
            - 'microsoft-telemetry.at'
            - 'svclsc.com'
            - 'googleoba.servequake.com'
            - 'corpsecs.com'
            - 'update.update-fall.com'
    condition: selection
falsepositives:
    - Security tooling or sandboxes resolving the indicators during analysis
level: critical
---
title: Suspicious Scheduled Task Creation - Amadey & Mistic
id: 666f7200-e29b-41d4-a716-446655440003
status: experimental
description: Detects creation of scheduled tasks whose action runs from user-writable directories or spawns PowerShell or regsvr32, a persistence pattern used by the Amadey botnet and the Mistic backdoor. Event 4698 carries the task definition in the TaskContent XML field (there is no CommandLine field) and is only logged when the "Audit Other Object Access Events" subcategory is enabled.
author: Security Arsenal
date: 2026-06-26
tags:
    - attack.persistence
    - attack.t1053.005
logsource:
    product: windows
    service: security
detection:
    selection_event:
        EventID: 4698
    selection_content:
        TaskContent|contains:
            - '/c powershell'
            - 'regsvr32.exe'
            - '\AppData\Roaming\'
            - '\AppData\Local\Temp\'
    condition: all of selection_*
falsepositives:
    - Legitimate software update tasks registered by per-user installs under %AppData%
level: medium
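To sanity-check the selection and filter logic of the three rules before they go into a SIEM, the following added example (not from the original report) re-implements them in Python and runs them over constructed events. Field names follow the rules above (FileName, Image, Initiated, DestinationHostname, TaskContent); the sample events are invented telemetry, not real captures, and the credential-store list is slightly broader than the rule text, covering every Chromium profile directory and Firefox's key4.db/logins.json.

```python
"""Reference implementation of the three Sigma rules above, run over constructed events.

Added example, not part of the original report. The event dictionaries are
constructed to resemble Kernel-File/Sysmon file-access, Sysmon network and
Security 4698 records; field names follow the Sigma rules. Matching is
case-insensitive, as in Sigma.
"""

CRED_STORES = ("\\Login Data", "\\Cookies", "\\Web Data", "\\logins.json", "\\key4.db")
BROWSER_PATHS = ("\\Google\\Chrome\\User Data\\", "\\Microsoft\\Edge\\User Data\\",
                 "\\BraveSoftware\\Brave-Browser\\User Data\\", "\\Mozilla\\Firefox\\Profiles\\")
BROWSER_IMAGES = ("\\chrome.exe", "\\firefox.exe", "\\brave.exe", "\\msedge.exe")
C2_DOMAINS = ("microsoft-telemetry.at", "svclsc.com", "googleoba.servequake.com",
              "corpsecs.com", "update.update-fall.com")
TASK_MARKERS = ("/c powershell", "regsvr32.exe", "\\AppData\\Roaming\\", "\\AppData\\Local\\Temp\\")


def browser_cred_access(ev):
    """Rule 1: a non-browser process reads a browser credential or cookie store."""
    path = ev.get("FileName", "").lower()
    image = ev.get("Image", "").lower()
    in_store = path.endswith(tuple(s.lower() for s in CRED_STORES))
    in_profile = any(p.lower() in path for p in BROWSER_PATHS)
    is_browser = image.endswith(tuple(i.lower() for i in BROWSER_IMAGES))
    return in_store and in_profile and not is_browser


def c2_connection(ev):
    """Rule 2: outbound (Initiated=true) connection to a listed C2 host."""
    host = ev.get("DestinationHostname", "").lower()
    initiated = str(ev.get("Initiated", "")).lower() == "true"
    return initiated and any(d in host for d in C2_DOMAINS)


def suspicious_task(ev):
    """Rule 3: Security 4698 whose TaskContent XML points into user-writable
    directories or launches PowerShell/regsvr32."""
    content = ev.get("TaskContent", "").lower()
    return ev.get("EventID") == 4698 and any(m.lower() in content for m in TASK_MARKERS)


RULES = {
    "Potential Infostealer Browser Data Access": browser_cred_access,
    "Malicious C2 Domain Connection": c2_connection,
    "Suspicious Scheduled Task Creation": suspicious_task,
}


def evaluate(events):
    """Return (rule title, event) for every event matched by a rule."""
    return [(title, ev) for ev in events for title, rule in RULES.items() if rule(ev)]


# Constructed sample events (invented telemetry, not real captures).
SAMPLE_EVENTS = [
    # 0: unknown binary in %TEMP% reads Chrome's Login Data -> alert
    {"Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\build.exe",
     "FileName": "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"},
    # 1: Chrome reads its own store -> filtered out as normal
    {"Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "FileName": "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"},
    # 2: the same unknown binary only reads Preferences -> not a credential store, no alert
    {"Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\build.exe",
     "FileName": "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Preferences"},
    # 3: outbound connection to a subdomain of a listed C2 domain -> alert
    {"Initiated": "true", "DestinationHostname": "cdn.microsoft-telemetry.at",
     "Image": "C:\\Users\\alice\\AppData\\Roaming\\svc.exe"},
    # 4: inbound connection (Initiated=false) from the same host -> no alert from this rule
    {"Initiated": "false", "DestinationHostname": "cdn.microsoft-telemetry.at"},
    # 5: task whose action launches an EXE from %AppData%\Roaming -> alert
    {"EventID": 4698, "TaskContent": "<Task><Actions><Exec><Command>C:\\Users\\alice\\AppData\\Roaming\\svc.exe</Command></Exec></Actions></Task>"},
    # 6: vendor updater task in Program Files -> no alert
    {"EventID": 4698, "TaskContent": "<Task><Actions><Exec><Command>C:\\Program Files\\Vendor\\update.exe</Command></Exec></Actions></Task>"},
]

if __name__ == "__main__":
    for title, ev in evaluate(SAMPLE_EVENTS):
        print(f"[{title}] {ev.get('Image') or ev.get('TaskContent')}")
```

Two caveats the sample events make visible: the browser filter keys on the image name only, so a stealer copied to disk as chrome.exe would pass it (pair the rule with a signer or install-path check), and the C2 rule is indicator-based, so a rotated domain (event 4's host with a new apex) produces no alert at all.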
KQL (Microsoft Sentinel)
// Query 1: connections to known malicious domains from DeviceNetworkEvents.
// RemoteUrl can carry a full URL or only a hostname, so an exact 'in' comparison
// would miss the URL form; has_any matches the domain in either.
let c2Domains = dynamic(["microsoft-telemetry.at", "svclsc.com", "googleoba.servequake.com", "corpsecs.com", "update.update-fall.com"]);
DeviceNetworkEvents
| where RemoteUrl has_any (c2Domains)
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, RemoteUrl, RemoteIP, RemotePort
// Query 2 (run separately): file hashes associated with the malware families.
// DeviceFileEvents only records create/modify/rename, so DeviceProcessEvents is
// unioned in to also catch a payload that was dropped before onboarding but executed later.
let malHashes = dynamic(["8cef760d11d24fc2e9bbd9f770dca5105854f7ece3b0e6948d7c8b7fdd1765ea", "3f797a639bc855bc6d5471f327924b62d10900ddec49b970eca6604142bbb4be", "9758e76b601798a30d903bf05052a53df80451e5c156548ce9da828f608b6470", "ab5681266f70af7df24383f15de876e411fc18e35cb6f24603b12f580b05ccb3"]);
union DeviceFileEvents, DeviceProcessEvents
| where SHA256 in (malHashes)
| project Timestamp, DeviceName, ActionType, FileName, FolderPath, SHA256, InitiatingProcessAccountName
PowerShell Hunt Script
# IOC Hunt Script for StealC, Mistic, KimJongRAT, and Vidar
# Run elevated so that every profile under C:\Users can be read, not just the current user's.
#Requires -RunAsAdministrator
$MaliciousHashes = @(
    "8cef760d11d24fc2e9bbd9f770dca5105854f7ece3b0e6948d7c8b7fdd1765ea",
    "3f797a639bc855bc6d5471f327924b62d10900ddec49b970eca6604142bbb4be",
    "9758e76b601798a30d903bf05052a53df80451e5c156548ce9da828f608b6470",
    "ab5681266f70af7df24383f15de876e411fc18e35cb6f24603b12f580b05ccb3",
    "8de34006dafd990853a45cbe9aaab4ee18c8cd4c1ad0a98fe71f8d63cd60db25",
    "b1834634820ae696f0514ca2b6723061f115857232306e573f4d115bc6ead012"
)
# Case-insensitive set: Get-FileHash returns upper-case hex, the IOC list is lower-case.
$HashSet = [System.Collections.Generic.HashSet[string]]::new([string[]]$MaliciousHashes, [System.StringComparer]::OrdinalIgnoreCase)
Write-Host "Scanning system for known malicious file hashes..." -ForegroundColor Cyan
# C:\Users covers AppData\Roaming and AppData\Local\Temp for every profile; ProgramData is a common Amadey drop location.
$PathsToScan = @("C:\Users", "C:\ProgramData")
$Findings = @()
foreach ($Path in $PathsToScan) {
    if (-not (Test-Path $Path)) { continue }
    # -File skips directories (Get-FileHash cannot hash them); -Force includes hidden items;
    # the size cap avoids spending minutes hashing VM images or large archives.
    Get-ChildItem -Path $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Length -lt 100MB } |
        ForEach-Object {
            $Hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            if ($Hash -and $HashSet.Contains($Hash)) {
                Write-Host "[!] MALICIOUS FILE FOUND: $($_.FullName) ($Hash)" -ForegroundColor Red
                $Findings += [pscustomobject]@{ Path = $_.FullName; SHA256 = $Hash; LastWriteUtc = $_.LastWriteTimeUtc }
            }
        }
}
# Hash matching only finds the exact samples listed; repacked builds need the behavioural detections above.
Write-Host "Scan complete. $($Findings.Count) match(es) found." -ForegroundColor Green
$Findings | Export-Csv -Path "$env:ProgramData\ioc_hunt_results.csv" -NoTypeInformation
Response Priorities
- Immediate:
  - Block all listed domains and IPs at the firewall, proxy, and DNS resolver.
  - Add all file hashes to EDR blocklists and initiate a scan for existing artifacts.
  - Isolate any endpoints alerting on the Sigma rules provided above.
- 24h:
  - Audit sign-in logs for the affected accounts, prioritising authentications from the listed C2 IPs and from the VPS providers hosting them; the actors' geolocation alone is a weak signal because the infrastructure is rented.
  - Force password resets and invalidate active sessions (browser cookies, refresh tokens, and "remember this device" MFA claims) for users potentially affected by infostealers; a password reset on its own does not revoke a stolen session token.
  - Review browser extension logs for unauthorized installs (Lumma Stealer vector).
- 1 week:
  - Implement application control (AppLocker) to prevent execution of binaries from user directories (%AppData%, %LocalAppData%\Temp).
  - Review and harden supply chain email filtering to detect malicious archives impersonating business partners (GhostShell vector).