StealC, Woodgnat & FortiBleed: Convergence of Infostealers and Access Brokers — OTX Pulse Analysis

Security Arsenal Team
June 24, 2026
6 min read

The latest OTX pulses reveal a highly active threat landscape dominated by the commoditization of initial access via credential theft and service-based malware. We are observing a convergence of three distinct but interconnected campaigns:

  1. MaaS Proliferation: Widespread distribution of "Malware-as-a-Service" infostealers like StealC, Lumma, and RedLine. These campaigns (Pulse 1 & 5) utilize sophisticated loaders, including steganography and fileless techniques, to harvest browser data, crypto wallets, and session tokens for sale on dark web forums.
  2. Access Broker Aggression: The Woodgnat threat actor (Pulse 2) is actively pushing the Mistic backdoor and ModeloRAT. This group functions as an Initial Access Broker (IAB), explicitly facilitating entry for major ransomware operations (Qilin, Black Basta, Akira) by leveraging sideloading and social engineering.
  3. Infrastructure Exploitation: A massive campaign dubbed FortiBleed (Pulse 4) is actively targeting FortiGate SSL VPN infrastructure using the CyberStrike Harvester. This represents a shift from endpoint stealing to perimeter credential harvesting, utilizing password spraying and configuration extraction to bypass network defenses.

Collectively, these pulses indicate a surge in credential supply chain attacks aimed at bypassing MFA through session hijacking and harvesting legacy VPN authentication.

Threat Actor / Malware Profile

Woodgnat (Mistic / ModeloRAT)

  • TTPs: Utilizes DLL sideloading to execute the Mistic backdoor stealthily. Often deployed alongside ModeloRAT, a custom tool developed by the actor.
  • Objective: Establish persistent footholds for resale to ransomware affiliates.
  • Persistence: Likely via registry run keys or scheduled tasks invoking sideloaded binaries.

StealC & Lumma Stealer

  • Distribution: Phishing archives (Pulse 5) and fake update portals (Pulse 1).
  • Behavior: StealC (C++ based) targets specific browser SQLite databases (Login Data, Cookies) and cryptocurrency extensions. It acts as a secondary loader, meaning it often downloads additional payloads like Amadey bot.
  • C2: HTTP/HTTPS communication to domains mimicking legitimate services (e.g., microsoft-telemetry.at).

CyberStrike Harvester (FortiBleed)

  • Target: Internet-facing Fortinet FortiGate firewalls.
  • Method: Password spraying and exploitation of specific CVEs (e.g., CVE-2026-35616, CVE-2026-0257) to harvest configuration files and SSL VPN credentials.

IOC Analysis

The provided pulses offer a mix of network and host-based indicators critical for defense:

  • Network IOCs (C2 & Infrastructure): Domains such as microsoft-telemetry.at and grande-luna.top are likely C2 servers or phishing droppers. The IP addresses 85.11.187.8 and 193.8.187.42 are associated with the FortiBleed harvesting operation. Action: Immediate blocklist addition to firewalls and secure web gateways (SWG).
  • File Hashes: Numerous MD5, SHA1, and SHA256 hashes correspond to loaders (e.g., StealC) and documents (malicious archives). Action: EDR correlation to detect execution of these known malicious binaries.
  • CVE Identifiers: CVE-2026-35616, CVE-2026-0257, CVE-2026-25089. Action: prioritized patching for FortiOS devices.

SOC teams should operationalize these indicators by feeding the hashes into EDR detection rules and the domains and IPs into DNS sinkholing services.

Detection Engineering

Sigma Rules

YAML
title: Potential StealC Infostealer Activity
id: 4c2f3a1b-9e8f-4a1b-8f2a-1b9e8f4a1b9e
description: Detects behavior consistent with StealC infostealer accessing browser credential files or executing from suspicious parent processes.
status: experimental
date: 2026/06/25
author: Security Arsenal
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|endswith:
      - '\powershell.exe'
      - '\cmd.exe'
      - '\mshta.exe'
    Image|endswith:
      - '\explorer.exe'
    CommandLine|contains:
      - 'cookie'
      - 'login data'
  condition: selection
falsepositives:
  - Legitimate browser administration
level: high
tags:
  - attack.credential_access
  - attack.t1003
---
title: Woodgnat Mistic Backdoor Sideloading
id: d3f@ck-loader-sideloading
description: Detects potential sideloading technique used by Woodgnat group to load Mistic backdoor via legitimate Windows binaries.
status: experimental
date: 2026/06/25
author: Security Arsenal
logsource:
  category: image_load
  product: windows
detection:
  selection:
    ImageLoaded|contains: '\AppData\'
    Image|endswith:
      - '\rundll32.exe'
      - '\dllhost.exe'
      - '\werfault.exe'
  filter:
    Signed: 'true'
  condition: selection and not filter
falsepositives:
  - Unsigned legitimate software
level: high
tags:
  - attack.defense_evasion
  - attack.t1055
---
title: FortiBleed VPN Credential Harvesting
id: fortibleed-auth-failure
description: Detects potential credential spraying or brute force activity targeting Fortinet SSL VPN endpoints associated with the FortiBleed campaign.
status: experimental
date: 2026/06/25
author: Security Arsenal
logsource:
  product: firewall
  definition: 'Requirements: VPN authentication logs'
detection:
  selection:
    DestinationPort: 443
    App|contains: 'sslvpn'
    Action: 'denied'
  timeframe: 2m
  condition: selection | count() > 10
falsepositives:
  - Legitimate failed user logins
level: medium
tags:
  - attack.initial_access
  - attack.t1110
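As an added example (not part of the pulses or the Security Arsenal rules above), the following Python implements the third Sigma rule's thresholded selection as a per-source sliding window and runs it over constructed key=value log lines. The field names DestinationPort, App and Action follow the rule; Timestamp and SourceIP are assumed names, and the log format is constructed, not real FortiGate output.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 10                  # Sigma: condition: selection | count() > 10
WINDOW = timedelta(minutes=2)   # Sigma: timeframe: 2m

def parse(line):
    """Parse a 'key=value key="value"' log line into a dict (constructed format)."""
    fields = {}
    for token in line.split():
        key, _, value = token.partition("=")
        fields[key] = value.strip('"')
    return fields

def matches_selection(ev):
    """The rule's selection: port 443, application containing 'sslvpn', action denied."""
    return (ev.get("DestinationPort") == "443"
            and "sslvpn" in ev.get("App", "").lower()
            and ev.get("Action") == "denied")

def detect(lines, threshold=THRESHOLD, window=WINDOW):
    """Return {source_ip: time of first alert} for sources exceeding the threshold.
    Lines are assumed to be chronological per source (assumed field names: Timestamp, SourceIP)."""
    recent = defaultdict(deque)  # source -> timestamps of matching events inside the window
    alerts = {}
    for line in lines:
        ev = parse(line)
        if not matches_selection(ev):
            continue
        ts = datetime.fromisoformat(ev["Timestamp"])
        q = recent[ev["SourceIP"]]
        q.append(ts)
        while ts - q[0] > window:    # expire events older than the window
            q.popleft()
        if len(q) > threshold and ev["SourceIP"] not in alerts:
            alerts[ev["SourceIP"]] = ts
    return alerts

def sample_logs():
    """Constructed sample events, not real FortiGate output."""
    base = datetime(2026, 6, 24, 9, 0, 0)
    fmt = 'Timestamp={} SourceIP={} DestinationPort=443 App="sslvpn" Action={}'
    lines = []
    for i in range(12):  # 12 failures in 55 s from one source: spraying pattern
        lines.append(fmt.format((base + timedelta(seconds=5 * i)).isoformat(), "203.0.113.10", "denied"))
    for i in range(12):  # 12 failures spread over 5.5 min: never more than 5 per window
        lines.append(fmt.format((base + timedelta(seconds=30 * i)).isoformat(), "203.0.113.20", "denied"))
    lines.append(fmt.format(base.isoformat(), "203.0.113.30", "accept"))  # successful login, ignored
    return lines
```

The second source shows why the window matters: the same number of failures spread out never exceeds the threshold, so only the burst source is reported.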

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for StealC and Infostealer Network Connections
DeviceNetworkEvents
| where RemoteUrl in ("microsoft-telemetry.at", "svclsc.com", "goodpanelforgoodjob.com", "grande-luna.top", "human-check.top")
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteUrl, RemoteIP, RemotePort
| order by Timestamp desc

// Hunt for Malicious File Execution (Hashes)
DeviceProcessEvents
| where SHA256 in ("8cef760d11d24fc2e9bbd9f770dca5105854f7ece3b0e6948d7c8b7fdd1765ea", "3f797a639bc855bc6d5471f327924b62d10900ddec49b970eca6604142bbb4be")
| project Timestamp, DeviceName, FolderPath, SHA256, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by Timestamp desc

PowerShell Hunt Script

PowerShell
# IOC Hunter for StealC and Woodgnat Campaigns
# The hash list from the pulses mixes SHA256 (64 hex) and MD5 (32 hex) digests,
# so each file is hashed with every algorithm that appears in the list.
$TargetHashes = @(
    "8cef760d11d24fc2e9bbd9f770dca5105854f7ece3b0e6948d7c8b7fdd1765ea",
    "f89ad7e92c7de6945ce0878e470e388b",
    "ab5681266f70af7df24383f15de876e411fc18e35cb6f24603b12f580b05ccb3"
)

# Map hex-digest length to the Get-FileHash algorithm that produces it
$AlgorithmByLength = @{ 32 = 'MD5'; 40 = 'SHA1'; 64 = 'SHA256' }
$Algorithms = $TargetHashes | ForEach-Object { $AlgorithmByLength[$_.Length] } | Sort-Object -Unique

$PathsToScan = @("$env:TEMP", "$env:USERPROFILE\Downloads", "$env:APPDATA")

Write-Host "[+] Scanning for StealC/Woodgnat IOCs..." -ForegroundColor Cyan

foreach ($Path in $PathsToScan) {
    if (Test-Path $Path) {
        # -File skips directories, which Get-FileHash cannot hash
        Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $File = $_
            foreach ($Algorithm in $Algorithms) {
                $FileHash = (Get-FileHash -Path $File.FullName -Algorithm $Algorithm -ErrorAction SilentlyContinue).Hash
                # -contains compares case-insensitively, so the uppercase digest still matches
                if ($FileHash -and ($TargetHashes -contains $FileHash)) {
                    Write-Host "[!] MALICIOUS FILE DETECTED ($Algorithm): $($File.FullName)" -ForegroundColor Red
                }
            }
        }
    }
}

# Check the local DNS client cache for lookups of known C2 domains
$SuspiciousDomains = @("microsoft-telemetry.at", "svclsc.com", "grande-luna.top")
$DNSCache = Get-DnsClientCache -ErrorAction SilentlyContinue
if ($DNSCache) {
    foreach ($Domain in $SuspiciousDomains) {
        $Hits = $DNSCache | Where-Object { $_.Entry -like "*$Domain*" }
        if ($Hits) {
            Write-Host "[!] Suspicious DNS Entry found for: $Domain" -ForegroundColor Yellow
        }
    }
}

Response Priorities

  • Immediate:
    • Block all listed domains and IP addresses at the network perimeter.
    • Scan endpoints for the provided file hashes (StealC, Mistic, CyberStrike).
    • Patch Fortinet FortiGate devices against CVE-2026-35616 and CVE-2026-0257 immediately.
  • 24 Hours:
    • Conduct credential audits for any accounts that may have been active on endpoints flagged during the hunt.
    • Force reset of SSL VPN credentials if FortiGate infrastructure is exposed.
    • Investigate browser session cookies on compromised machines for "StealC" exfil artifacts.
  • 1 Week:
    • Implement strict allow-listing for VPN access to mitigate credential spraying effectiveness.
    • Review and harden RDP and SSL VPN configurations against brute-force attacks.
    • Update browser isolation policies to prevent infostealers from accessing credential files.
