
StealC, Woodgnat, and Crypto Supply Chain Assaults: OTX Pulse Analysis

Security Arsenal Team
June 27, 2026

Threat Summary

Recent OTX pulses describe a volatile threat landscape in which high-volume Malware-as-a-Service (MaaS) campaigns and targeted supply chain attacks run in parallel. While global law enforcement efforts (Operation Endgame) have disrupted infrastructure for commodity infostealers like StealC and Amadey, new actors like JINX-0164 are aggressively targeting cryptocurrency development infrastructure. Concurrently, the Woodgnat access broker has deployed the Mistic backdoor to facilitate ransomware operations, and the North Korean Kimsuky group continues to evolve KimJongRAT by abusing legitimate services like GitHub. The common objective across these pulses is credential theft, initial access brokering, and the establishment of persistent C2 channels within corporate environments.

Threat Actor / Malware Profile

StealC & Amadey (Commodity Infostealers)

  • Distribution: Delivered via cybercrime services; often masquerading as legitimate telemetry domains (e.g., microsoft-telemetry.at).
  • Behavior: StealC (C++) harvests credentials from browsers, crypto wallets, and messaging apps. Amadey functions as a botnet loader and stealer.
  • C2: HTTP-based communication to compromised domains; recent pulses indicate disruption of approx. 200 active IP-based C2 servers.

Woodgnat (Mistic Backdoor & ModeloRAT)

  • Distribution: Sideloading and social engineering.
  • Behavior: Mistic is a stealthy backdoor used to establish persistence for ransomware gangs (Qilin, Black Basta). Often deployed alongside ModeloRAT.
  • Persistence: Likely uses DLL sideloading or scheduled tasks to maintain access; observed victims are in the insurance, education, and technology sectors.

JINX-0164 (Crypto Targeting)

  • Distribution: LinkedIn social engineering (posing as recruiters) and malicious NPM packages (supply chain).
  • Behavior: Deploys AUDIOFIX (Python infostealer) and MINIRAT (Go backdoor) specifically tailored for macOS and developer environments.
  • Objective: Hijacking CI/CD pipelines and stealing developer credentials.

Kimsuky (KimJongRAT)

  • Distribution: Phishing emails with shortened URLs pointing to GitHub Releases.
  • Behavior: Uses MeshAgent for remote access and KimJongRAT for data exfiltration. Leverages GitHub to host malicious ZIP files to bypass network defenses.

IOC Analysis

The provided pulses reveal a mix of infrastructure and file-based indicators:

  • Domains & URLs: Typosquatting is rampant (e.g., login.teamicrosoft.com, www.live.us.org). SOC teams should prioritize blocking these domains at the proxy/DNS level. The URL http://googleoba.servequake.com:8443/agent.ashx indicates C2 over a non-standard port (8443); the agent.ashx path is the endpoint MeshCentral agents (MeshAgent) connect to, which matches the MeshAgent usage noted in the Kimsuky profile above.
  • IP Addresses: Multiple C2 IPs (e.g., 176.124.199.207, 89.36.224.5) are associated with the StealC/Amadey and JINX-0164 campaigns respectively. These should be added to firewall blocklists immediately.
  • File Hashes: SHA256 hashes (e.g., 8cef760d11d24fc2e9bbd9f770dca5105854f7ece3b0e6948d7c8b7fdd1765ea) correspond to droppers and payload executables. EDR solutions should be configured to alert on execution matches.

Detection Engineering

Sigma Rules

YAML
---
title: Suspicious Telemetry Domain Connection - StealC/Amadey
id: 5a6b1c9d-4e3f-4a2b-9f1d-8c3b2a1d9e0f
description: Detects network connections to known spoofed telemetry domains associated with StealC and Amadey campaigns.
status: experimental
date: 2026/06/28
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/660000000000/
tags:
    - attack.command_and_control
    - attack.t1071.001
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Initiated: 'true'
        DestinationHostname|contains:
            - 'microsoft-telemetry.at'
            - 'svclsc.com'
    condition: selection
falsepositives:
    - Unknown
level: critical
---
title: Potentially Malicious NPM or Python Execution - JINX-0164
id: 7b8c2d0e-5f4a-3b2c-0e2d-9d4e3f2a1b0c
description: Detects execution of npm or python scripts from suspicious developer-focused domains or unusual child processes associated with JINX-0164.
status: experimental
date: 2026/06/28
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/660000000004/
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        Image|endswith:
            - '\node.exe'
            - '\python.exe'
    selection_cli:
        CommandLine|contains:
            - 'driver-updater.net'
            - 'live.ong'
            - 'teamicrosoft.com'
    condition: all of selection_*
falsepositives:
    - Legitimate developer scripts
level: high
---
title: Kimsuky KimJongRAT GitHub Download Pattern
id: 8c9d3e1f-0g5b-4c3d-1f3e-0e5f4a3b2c1d
description: Detects download patterns consistent with Kimsuky using GitHub to deliver KimJongRAT via PowerShell.
status: experimental
date: 2026/06/28
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/660000000008/
tags:
    - attack.initial_access
    - attack.t1566.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_pwsh:
        Image|endswith: '\powershell.exe'
    selection_url:
        CommandLine|contains:
            - 'github.com'
            - 'githubusercontent.com'
    selection_ext:
        CommandLine|contains: '.zip'
    condition: all of selection_*
falsepositives:
    - Administrative software deployment
level: medium
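
To sanity-check the selection logic of the three rules before pushing them to a SIEM, the following Python evaluator (an added example, not the page's or the Sigma project's tooling) transcribes each rule's selections and conditions into plain dicts and runs them over constructed sample events; it supports only the field modifiers these rules use (plain equality, contains, endswith).

```python
def field_matches(event, key, expected):
    """One Sigma field test (plain, |contains, |endswith); case-insensitive, list values OR-ed."""
    name, _, modifier = key.partition("|")
    value = str(event.get(name, "")).lower()
    wanted = expected if isinstance(expected, list) else [expected]
    for w in (str(x).lower() for x in wanted):
        if modifier == "contains" and w in value:
            return True
        if modifier == "endswith" and value.endswith(w):
            return True
        if modifier == "" and value == w:
            return True
    return False

def selection_matches(event, selection):
    """Fields inside one selection are AND-ed."""
    return all(field_matches(event, k, v) for k, v in selection.items())

def rule_matches(event, selections):
    """Mirrors 'condition: selection' / 'all of selection_*': every selection must match."""
    return all(selection_matches(event, s) for s in selections)

# Each rule is its list of selections, transcribed from the YAML above.
RULES = {
    "stealc_telemetry_domain": [
        {"Initiated": "true",
         "DestinationHostname|contains": ["microsoft-telemetry.at", "svclsc.com"]}],
    "jinx0164_npm_python": [
        {"Image|endswith": ["\\node.exe", "\\python.exe"]},
        {"CommandLine|contains": ["driver-updater.net", "live.ong", "teamicrosoft.com"]}],
    "kimsuky_github_zip": [
        {"Image|endswith": "\\powershell.exe"},
        {"CommandLine|contains": ["github.com", "githubusercontent.com"]},
        {"CommandLine|contains": ".zip"}],
}

def matching_rules(event):
    """Names of every rule that fires on one event, sorted for stable output."""
    return sorted(n for n, sel in RULES.items() if rule_matches(event, sel))

# Constructed sample events (not real telemetry): one hit per rule, then a benign one.
SAMPLE_EVENTS = [
    {"Initiated": "true", "DestinationHostname": "cdn.microsoft-telemetry.at"},
    {"Image": "C:\\Program Files\\nodejs\\node.exe",
     "CommandLine": "node.exe update.js --host driver-updater.net"},
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell -c iwr https://github.com/EXAMPLE/r/releases/pkg.zip"},
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell -c Get-Process"},
]
```

Running `matching_rules` over each of `SAMPLE_EVENTS` should fire exactly one rule for the first three events and none for the benign PowerShell invocation.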

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for StealC and Amadey C2 indicators
let IoC_Domains = dynamic(['microsoft-telemetry.at', 'svclsc.com', 'goodpanelforgoodjob.com', 'overlapsnowbound.com', 'authorized-logins.net', 'mueleer.com']);
let IoC_IPs = dynamic(['176.124.199.207', '176.111.174.140', '62.60.226.159', '94.154.35.25', '64.188.91.237', '196.251.107.130', '89.36.224.5', '104.200.67.46']);
DeviceNetworkEvents
// has_any instead of in: RemoteUrl may carry a full URL or subdomain, so an exact match would miss it
| where RemoteUrl has_any (IoC_Domains) or RemoteIP in (IoC_IPs)
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteUrl, RemoteIP, RemotePort
| extend IoC_Type = iff(RemoteIP in (IoC_IPs), "IP_Address", "Domain")

// Hunt for JINX-0164 and Woodgnat suspicious process execution
// DeviceNetworkEvents has no ProcessCommandLine or FolderPath columns (only InitiatingProcess*),
// so a union with it only added rows that could never match; query DeviceProcessEvents directly
DeviceProcessEvents
| where ProcessCommandLine has_any ('driver-updater.net', 'live.ong', 'teamicrosoft.com', 'authorized-logins.net')
    or (ProcessCommandLine has_any ('npm', 'python') and ProcessCommandLine has_any ('install', 'troubleshoot'))
| project Timestamp, DeviceName, FolderPath, ProcessCommandLine, InitiatingProcessFileName

PowerShell Hunt Script

PowerShell
# IOC Hunt Script for StealC, Amadey, and JINX-0164 Activity
# Requires Administrative Privileges

$TargetHashes = @(
    "8cef760d11d24fc2e9bbd9f770dca5105854f7ece3b0e6948d7c8b7fdd1765ea",
    "3f797a639bc855bc6d5471f327924b62d10900ddec49b970eca6604142bbb4be",
    "9758e76b601798a30d903bf05052a53df80451e5c156548ce9da828f608b6470"
)

$MaliciousDomains = @(
    "microsoft-telemetry.at",
    "svclsc.com",
    "authorized-logins.net",
    "driver-updater.net"
)

Write-Host "[+] Checking for active network connections to known C2 domains..." -ForegroundColor Cyan
# A reverse (PTR) lookup on a C2 IP rarely returns the malicious hostname, so resolve the
# domains forward and compare remote addresses against the resulting IP set instead.
# Note: these lookups generate DNS telemetry for the C2 domains, and sinkholed or
# blocked domains will return nothing.
$MaliciousIPs = foreach ($Domain in $MaliciousDomains) {
    Resolve-DnsName -Name $Domain -Type A -ErrorAction SilentlyContinue |
        Where-Object { $_.IPAddress } | Select-Object -ExpandProperty IPAddress
}
$Connections = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue
foreach ($Conn in $Connections) {
    if ($MaliciousIPs -contains $Conn.RemoteAddress) {
        Write-Host "[!] Suspicious connection found: $($Conn.RemoteAddress):$($Conn.RemotePort) (PID: $($Conn.OwningProcess))" -ForegroundColor Red
        Get-Process -Id $Conn.OwningProcess -ErrorAction SilentlyContinue | Select-Object ProcessName, Path
    }
}

Write-Host "[+] Scanning for specific file hashes in common download folders..." -ForegroundColor Cyan
$Paths = @("$env:USERPROFILE\Downloads", "$env:TEMP")
foreach ($Path in $Paths) {
    if (Test-Path $Path) {
        # -File skips directories, which Get-FileHash cannot hash
        Get-ChildItem -Path $Path -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
            $Hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            if ($TargetHashes -contains $Hash) {
                Write-Host "[!] Malicious file detected: $($_.FullName)" -ForegroundColor Red
            }
        }
    }
}

Write-Host "[+] Hunt Complete."

Response Priorities

  • Immediate:
    • Block all IOCs (Domains, IPs, Hashes) at the perimeter and endpoint level.
    • Isolate hosts with confirmed alerts on the provided SHA256 hashes.
  • 24 Hours:
    • Initiate credential rotation for accounts accessed from endpoints flagged by KQL/Sigma queries, specifically targeting developers and high-privilege users (due to JINX-0164 targeting).
    • Investigate browser cookie theft artifacts on endpoints potentially impacted by StealC/Amadey.
  • 1 Week:
    • Review and restrict LinkedIn social engineering attack surfaces (implement strict external messaging policies).
    • Audit CI/CD pipelines and NPM package usage for indicators of AUDIOFIX or MINIRAT.
