{"id":388,"date":"2026-06-25T01:44:57","date_gmt":"2026-06-25T01:44:57","guid":{"rendered":"https:\/\/escudodigital.uy\/index.php\/2026\/06\/25\/eset-takes-part-in-operation-endgame-to-disrupt-amadey-and-stealc\/"},"modified":"2026-06-25T01:44:57","modified_gmt":"2026-06-25T01:44:57","slug":"eset-takes-part-in-operation-endgame-to-disrupt-amadey-and-stealc","status":"publish","type":"post","link":"https:\/\/escudodigital.uy\/index.php\/2026\/06\/25\/eset-takes-part-in-operation-endgame-to-disrupt-amadey-and-stealc\/","title":{"rendered":"ESET takes part in Operation Endgame to disrupt Amadey and Stealc"},"content":{"rendered":"<div>\n<p>A year ago, ESET Research was part of two major operations that disrupted some of the leading cybercriminal operations at the time, Lumma Stealer and Danabot. More recently, our researchers are once again collaborating with private partners and law enforcement, but this time taking aim at the Amadey botnet and Stealc infostealer, both provided via malware-as-a-service (MaaS) offerings. Operation Endgame \u2013 coordinated by <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2026\/06\/24\/stealc-and-amadey-breaking-down-infostealers-and-the-cybercrime-services-that-deliver-them\/\" target=\"_blank\" rel=\"noopener\">Microsoft Digital Crimes Unit<\/a> (DCU), <a href=\"https:\/\/www.bitsight.com\/blog\/bitsight-aids-disruption-efforts-on-amadey-malware-and-stealc-malware\" target=\"_blank\" rel=\"noopener\">BitSight<\/a>, Lumen, <a href=\"https:\/\/www.mbsd.jp\/research\/20260624\/amadey-c2-en\/\" target=\"_blank\" rel=\"noopener\">Mitsui Bussan Secure Directions<\/a> (MBSD), and other partners \u2013 targeted all known network infrastructure used by Amadey and Stealc affiliates in order to cripple their cybercriminal operations.<\/p>\n<p>ESET contributed to this effort by providing technical analyses, statistical information, known command and control (C&amp;C) servers, encryption keys, campaign and build identifiers, and other threat intelligence collected during our long-term tracking of both malware families.<\/p>\n<blockquote>\n<p><strong>Key points of this blogpost:<\/strong><\/p>\n<ul>\n<li>ESET took part in the coordinated, global Operation Endgame to disrupt Amadey and Stealc.<\/li>\n<li>Operation Endgame impacted around 50 domains and nearly 200 active IP-based C&amp;C servers associated with Amadey and Stealc.<\/li>\n<li>ESET provided technical analyses, statistical information, known C&amp;C servers, encryption keys, campaign identifiers, and other insights.<\/li>\n<li>We provide an overview of the MaaS ecosystem at the affiliate level for both malware families.<\/li>\n<li>We describe how we clustered Amadey and Stealc activity.<\/li>\n<li>We summarize the technical properties most relevant to tracking and disruption, including C&amp;C communications, embedded identifiers, and encryption keys.<\/li>\n<li>We detail overlaps between activities of Amadey and affiliates of Lumma Stealer.<\/li>\n<\/ul>\n<\/blockquote>\n<h2>Disruption contribution<\/h2>\n<p>ESET Research has been tracking both the Amadey botnet and Stealc infostealer for the past three years. For this disruption operation, we shared statistics covering Q4 2025 through H1 2026, along with technical indicators and configuration data extracted from processed malware samples.<\/p>\n<p>Our automated systems have been dissecting Amadey and Stealc samples and identifying the fields most relevant for large-scale tracking. These include C&amp;C servers, build identifiers, encryption keys, URL paths, campaign identifiers, and other embedded values used by the malware families during communication with attacker-controlled infrastructure.<\/p>\n<p>A major focus of our work was finding reliable methods to handle the large volume of processed samples and to cluster them. This was particularly useful because both Amadey and Stealc are sold as services. As such, the malware samples are distributed and operated by affiliates, often running their own infrastructure, generating or requesting their own builds, and orchestrating their own campaigns. Identifying activity clusters in such ecosystems allows us to spot high-priority targets for disruptions like this one.<\/p>\n<p>Sharing technical analyses, statistical information, and threat intelligence, such as C&amp;C server lists, affiliate identifiers, and encryption keys, enables law enforcement agencies to identify, prioritize, and act against infrastructure with a high degree of confidence. IoCs also help distinguish between individual clusters, shared infrastructure, and high-impact botnets whose disruption is likely to have the greatest impact on the overall threat landscape. Ultimately, the disruption affected around 50 domains and nearly 200 active IPs used as C&amp;C servers for either Amadey or Stealc.<\/p>\n<h3>Disrupted malware families<\/h3>\n<p>Amadey is a modular malware loader. Its main purpose is to distribute additional malware to compromised systems, although it also offers modules for data exfiltration and remote access.<\/p>\n<p>Stealc, in contrast, is a typical infostealer as a service. It targets credentials, cookies, cryptocurrency wallets, browser extensions, and files whose names match affiliate-defined patterns.<\/p>\n<p>Both malware families are sold as services and advertised on darknet forums. For visibility into darknet forums, we used <a href=\"https:\/\/flare.io\/\" target=\"_blank\" rel=\"noopener\">Flare.io<\/a>, a threat intelligence platform that monitors underground communities. In both ecosystems, affiliates receive a self-hosted administration panel that must be deployed on their own server infrastructure. This requires a certain level of technical skill from affiliates and also gives them direct control over victim data and payload distribution.<\/p>\n<p>This model differs from other MaaS ecosystems. For example, Danabot affiliates can choose to rent C&amp;C infrastructure as a service, while Lumma Stealer used an exfiltration network fully managed by its operators. In the case of Amadey and Stealc, affiliates are responsible for deploying and operating their own infrastructure, making disruption efforts more difficult, which is why the clustering approach was essential.<\/p>\n<p>While distribution methods ultimately depend on each individual affiliate, ESET telemetry consistently showed that both malware families were delivered through a wide range of channels. The most common methods included fake software updates, cracked software installers, and third-party malware loaders.<\/p>\n<p>Amadey used a pay-per-rebuild model. Affiliates purchased a license and then paid an additional fee each time they needed to generate a new build, for example when rotating to a new C&amp;C server. In other words, Amadey operators did not provide affiliates with a builder tool; instead, samples were compiled on request for each affiliate.<\/p>\n<p>Stealc took a more affiliate-friendly approach, offering unlimited build generation (Figure 1) as part of its subscription. This lowered the operational cost of rotating C&amp;C infrastructure and made it easier for affiliates to generate new samples as needed.<\/p>\n<figure class=\"image\"><img decoding=\"async\" title=\"Figure 1. Stealc panel build generation feature\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2026\/06-26\/operation-endgame\/figure-1.png\" alt=\"Figure 1. Stealc panel build generation feature\" width=\"\" height=\"\"\/><figcaption><em>Figure 1. Stealc panel build generation feature<\/em><\/figcaption><\/figure>\n<p>Trying to avoid impersonation scams, operators of both services explicitly instructed prospective affiliates on darknet forums to contact them only through official channels. Amadey directed buyers to private messages on the darknet forum where it is advertised, while Stealc used private messages on darknet forums or Telegram.<\/p>\n<h2>Amadey<\/h2>\n<p>Amadey is a modular malware loader that has been advertised on darknet forums by account name InCrease since October 2018. Over time, it has become one of the more stable and actively maintained malware families, with ongoing support provided through darknet forum channels.<\/p>\n<p>Our telemetry detection rate, shown in Figure 2, indicates that Amadey was observed globally with no specific regional focus, although the highest detection rates were observed in India, Turkey, Egypt, Mexico, and Spain.<\/p>\n<figure class=\"image\"><img decoding=\"async\" title=\"Figure 2. Distribution of Amadey \u2013 detection heatmap (2025\u2013present)\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2026\/06-26\/operation-endgame\/figure-2.png\" alt=\"Figure 2. Distribution of Amadey \u2013 detection heatmap (2025\u2013present)\" width=\"\" height=\"\"\/><figcaption><em>Figure 2. Distribution of Amadey \u2013 detection heatmap (2025\u2013present)<\/em><\/figcaption><\/figure>\n<p>The primary function of Amadey is to distribute additional malware to victims. Besides that, it offers three modules for further data exfiltration and access: clipboard monitoring, credential theft, and VNC-based remote access.<\/p>\n<p>The service is priced at US$600, paid in Bitcoin, for a single license, with an additional US$50 charged per rebuild. This means affiliates incur a cost each time they generate a new build, such as when rotating to a fresh C&amp;C server. This pricing has remained largely unchanged since the earliest advertised versions, suggesting a stable and established customer base.<\/p>\n<p>Over the years we have observed ongoing version updates (Figure 3) and active development of Amadey. The most significant milestone in Amadey\u2019s development came in August 2020 (v1.99.5), when the entire codebase was completely rewritten. The second major evolution arrived in the release of v5.03 in October 2024, which delivered a dense wave of new capabilities: hVNC with reverse connect, MSI silent installer support, RDP enabling, cmd.exe execution with SYSTEM privileges, and integrated support for encrypted payloads. Overall, the majority of the other, more minor updates served one implicit but constant purpose: evading AV detections as they appeared.<\/p>\n<figure class=\"image\"><img decoding=\"async\" title=\"Figure 3. Amadey versions timeline\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2026\/06-26\/operation-endgame\/figure-3.png\" alt=\"Figure 3. Amadey versions timeline\" width=\"\" height=\"\"\/><figcaption><em>Figure 3. Amadey versions timeline<\/em><\/figcaption><\/figure>\n<h3>Technical overview<\/h3>\n<p>Each Amadey sample contains at least one hardcoded C&amp;C server URL, with the configuration supporting up to three entries. Samples also embed an RC4 key used for encrypting communications with the C&amp;C server.<\/p>\n<p>Our analysis showed that the RC4 key extracted from each sample serves as a reliable cluster identifier, allowing us to cluster samples into individual botnets, which we discuss in more detail in the <em><a href=\"#Clustering\">Clustering<\/a> <\/em>section.<\/p>\n<p>A second hardcoded value, internally referred to as <span style=\"font-family: courier new, courier, monospace;\">sd<\/span>, is a random-looking six-character hexadecimal string matching the pattern <span style=\"font-family: courier new, courier, monospace;\">[0-9a-f]{6}<\/span>. It is transmitted during the initial C&amp;C handshake and most likely identifies a specific build within an affiliate\u2019s deployment. Although it is sometimes called a <a href=\"https:\/\/www.linkedin.com\/posts\/teethador_swisscom-tdr-threat-brief-unmasking-amadey-ugcPost-7403675666841456640-mwlg\/\">campaign ID<\/a> or <a href=\"https:\/\/www.splunk.com\/en_us\/blog\/security\/amadey-threat-analysis-and-detections.html\">Amadey ID<\/a> by researchers, Amadey\u2019s pay-per-build business model suggests that it more accurately represents a build identifier.<\/p>\n<p>Each sample also carries a version number. Our analysis focuses on version v5.x, which has been the dominant variant observed in ESET telemetry since the beginning of 2025.<\/p>\n<p>This bot also checks the victim\u2019s keyboard layout. If it matches a layout associated with a <a href=\"https:\/\/www.linkedin.com\/posts\/teethador_swisscom-tdr-threat-brief-unmasking-amadey-activity-7403675667952844800-tFQL\/\" target=\"_blank\" rel=\"noopener\">CIS country<\/a>, all network communication is silently rejected. Threat actors operating from Eastern Europe commonly use this type of built-in safeguard to avoid affecting businesses and governmental entities in the region, reducing the risk of attention or prosecution by local authorities. In addition, these operators often follow such practices to avoid potential backlash from their peers for targeting \u201ctheir own people\u201d or <a href=\"https:\/\/g0njxa.medium.com\/profiling-traffic-cerberus-ex-amnesia-3758faba4385\" target=\"_blank\" rel=\"noopener\">for violating the rules of darknet forums<\/a> where their services are advertised.<\/p>\n<p>This section provides only a high-level overview of Amadey, as deep technical analysis has already been published in the <a href=\"https:\/\/www.linkedin.com\/posts\/teethador_swisscom-tdr-threat-brief-unmasking-amadey-activity-7403675667952844800-tFQL\/\" target=\"_blank\" rel=\"noopener\">Swisscom report<\/a>.<\/p>\n<h3>C&amp;C communications<\/h3>\n<p>Amadey communicates with its C&amp;C server over HTTP using POST requests. At a high level, communication follows a three-stage lifecycle:<\/p>\n<ul>\n<li><strong>Initial beacon<\/strong> \u2013 the bot sends a minimal <span style=\"font-family: courier new, courier, monospace;\">st=s<\/span> HTTP POST request to the C&amp;C server. The server responds with a sleep interval, for example <span style=\"font-family: courier new, courier, monospace;\"><c>10<d\/><\/c><\/span>, instructing the bot to wait 10 minutes between subsequent check-ins.<\/li>\n<li><strong>Registration<\/strong> \u2013 the bot transmits RC4-encrypted system information encoded as a flat key-value string. This data includes the operating system version, username, PC name, installed antivirus product, administrative privileges, <span style=\"font-family: courier new, courier, monospace;\">sd<\/span> value, and other host information. Notably, the RC4 key itself is never transmitted over the network. Based on our telemetry, no server was observed serving tasks for more than one RC4 key at a time, suggesting that each sample must communicate with a C&amp;C server that already knows and expects that exact RC4 key. The server responds with a task list.<\/li>\n<li><strong>Tasking<\/strong> \u2013 tasks are delivered as structured command strings delimited by <span style=\"font-family: courier new, courier, monospace;\"><c\/><\/span> and <span style=\"font-family: courier new, courier, monospace;\"><d\/><\/span> tags with individual commands separated by <span style=\"font-family: courier new, courier, monospace;\">#<\/span> characters, as shown in Figure 4. Each task encodes a command type, such as downloading and executing an EXE, starting VNC, or running a stealer plugin. Tasks also include parameters such as a privilege escalation flag, target directory, and payload URL.<\/li>\n<\/ul>\n<p>Each task has its own processing logic, ranging from simple download-and-execute commands to more complex execution of hVNC or proxy components. The inner workings have been documented in <a href=\"https:\/\/www.linkedin.com\/posts\/teethador_swisscom-tdr-threat-brief-unmasking-amadey-activity-7403675667952844800-tFQL\/\">previous technical reporting<\/a>.<\/p>\n<figure class=\"image\"><img decoding=\"async\" title=\"Figure 4. Amadey C&amp;C communications with highlighted list of delimited encrypted tasks\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2026\/06-26\/operation-endgame\/figure-4.png\" alt=\"Figure 4. Amadey C&amp;C communications with highlighted list of delimited encrypted tasks\" width=\"\" height=\"\"\/><figcaption><em>Figure 4. Amadey C&amp;C communications with highlighted list of delimited encrypted tasks<\/em><\/figcaption><\/figure>\n<h3>Clustering<\/h3>\n<p>When tracking MaaS malware, a key challenge is finding a reliable way to group samples belonging to the same threat actor. Understanding the business model and the distribution of network infrastructure is thus essential for successful disruption, because it allows defenders and law enforcement to identify the critical points where action will have the greatest impact. In this section, we explain our methodology.<\/p>\n<p>Amadey samples contain three key hardcoded configuration values:<\/p>\n<ul>\n<li>C&amp;C URLs,<\/li>\n<li>RC4 keys used for C&amp;C communications, and<\/li>\n<li>the <span style=\"font-family: courier new, courier, monospace;\">sd<\/span> value transmitted during the initial C&amp;C handshake.<\/li>\n<\/ul>\n<p>Over the course of our tracking, we noticed that Amadey C&amp;C URLs follow a consistent pattern:<\/p>\n<p><span style=\"font-family: courier new, courier, monospace;\">http(s)?:\/\/<c>\/<random_path>\/index.php<\/random_path><\/c><\/span><\/p>\n<p>Further, the same <span style=\"font-family: courier new, courier, monospace;\"><random_path\/><\/span> URL part was used with different C&amp;C servers (see Figure 5). As this value appears to be a random string, seeing it tied to multiple C&amp;C servers over time seemed like a strong indicator that the C&amp;C servers are operated as part of the same cluster. Therefore, we further decomposed the C&amp;C URL into these two parts: the IP address or domain and the URL <span style=\"font-family: courier new, courier, monospace;\"><random_path\/><\/span>.<\/p>\n<figure class=\"image\"><img decoding=\"async\" title=\"Figure 5. Examples of &lt;random_path&gt; identifiers in Amadey C&amp;C server URLs\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2026\/06-26\/operation-endgame\/figure-5.png\" alt=\"Figure 5. Examples of random_path identifiers in Amadey C&amp;C server URLs\" width=\"\" height=\"\"\/><figcaption><em>Figure 5. Examples of <\/em><span style=\"font-family: courier new, courier, monospace;\"><random_path\/><\/span><em> identifiers in Amadey C&amp;C server URLs<\/em><\/figcaption><\/figure>\n<p>Using values from the samples\u2019 configuration, combined with our understanding of their purpose, we leveraged graph modeling to gain insights into the structure of the Amadey ecosystem. On first glance at Figure 6, we clearly see that, indeed, there is no shared infrastructure, but rather several smaller sub-botnets with one clearly dominating. We dive deeper into that largest cluster in the next section.<\/p>\n<figure class=\"image\"><img decoding=\"async\" title=\"Figure 6. Amadey affiliate clustering based on ESET telemetry\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2026\/06-26\/operation-endgame\/figure-6.png\" alt=\"Figure 6. Amadey affiliate clustering based on ESET telemetry\" width=\"\" height=\"\"\/><figcaption><em>Figure 6. Amadey affiliate clustering based on ESET telemetry<\/em><\/figcaption><\/figure>\n<p>To conclude, the main takeaways are:<\/p>\n<ol>\n<li>We identified a total of <strong>53 unique clusters <\/strong>inside the Amadey ecosystem.<\/li>\n<li>Each <span style=\"font-family: courier new, courier, monospace;\">sd<\/span> value is tied to exactly one RC4 key.<\/li>\n<li>RC4 keys are likely a useful affiliate identifier, as rebuilds preserve the key while changing the <span style=\"font-family: courier new, courier, monospace;\">sd<\/span> value.<\/li>\n<li>The C&amp;C URL <span style=\"font-family: courier new, courier, monospace;\"><random_path\/><\/span> part is occasionally reused when rotating C&amp;C servers, serving as reliable evidence of such C&amp;C servers belonging to the same cluster.<\/li>\n<\/ol>\n<h3>The largest Amadey botnet cluster<\/h3>\n<p>One cluster stands out as the largest, and it contributed nearly 34% of all processed Amadey samples. This cluster was also the only one active throughout the entire analyzed time period, as represented in our timeline in Figure 7.<\/p>\n<figure class=\"image\"><img decoding=\"async\" title=\"Figure 7. Activity of the 10 largest Amadey botnets (largest at top)\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2026\/06-26\/operation-endgame\/figure-7.png\" alt=\"Figure 7. Activity of the 10 largest Amadey botnets (largest at top)\" width=\"\" height=\"\"\/><figcaption><em>Figure 7. Activity of the 10 largest Amadey botnets (largest at top)<\/em><\/figcaption><\/figure>\n<p>The largest botnet also dominated in the average number of payloads distributed to victims per execution. Based on our clustering methodology, Amadey samples belonging to the largest botnet delivered, on average, around 14 payloads to every victim simultaneously (Figure 8).<\/p>\n<figure class=\"image\"><img decoding=\"async\" title=\"Figure 8. Top five botnets based on the average number of payloads distributed per Amadey execution\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2026\/06-26\/operation-endgame\/figure-8.png\" alt=\"Figure 8. Top five botnets based on the average number of payloads distributed per Amadey execution\" width=\"\" height=\"\"\/><figcaption><em>Figure 8. Top five botnets based on the average number of payloads distributed per Amadey execution<\/em><\/figcaption><\/figure>\n<p>The range and diversity of distributed malware families was broad, from infostealers and RATs to malware packed with complex code protectors. Figure 9 provides an insight into the payloads we detected being delivered throughout the tracking period.<\/p>\n<figure class=\"image\"><img decoding=\"async\" title=\"Figure 9. Payload distribution of the largest Amadey botnet\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2026\/06-26\/operation-endgame\/figure-9.png\" alt=\"Figure 9. Payload distribution of the largest Amadey botnet\" width=\"\" height=\"\"\/><figcaption><em>Figure 9. Payload distribution of the largest Amadey botnet<\/em><\/figcaption><\/figure>\n<p>Furthermore, ESET researchers were able to obtain evidence that many times, multiple Lumma Stealer samples were delivered to a single victim, each attributed to a different affiliate (see our previous <a href=\"https:\/\/www.welivesecurity.com\/en\/eset-research\/eset-takes-part-global-operation-disrupt-lumma-stealer\/\"><em style=\"mso-bidi-font-style: normal;\">Lumma Stealer research<\/em>). This results in multiple Lumma Stealer affiliates ending up with the same stolen data. This observation leads us to conclude that the threat actors controlling this largest cluster likely ran their own pay-per-install (PPI) model, further monetizing their bots.<\/p>\n<h2>Stealc<\/h2>\n<p>In contrast to Amadey, Stealc is a typical representative of an infostealer. It targets a broad range of data sources, including credentials stored by web browsers, email clients, FTP clients, gaming platforms, cryptocurrency wallet files, and browser extensions.<\/p>\n<p>Stealc was introduced on a darknet forum in February 2023, and we started tracking it shortly thereafter. Our telemetry detection rate, shown in Figure 10, indicates that Stealc was distributed globally with no specific regional focus. The highest detection rates were observed in the United States, Poland, and Italy.<\/p>\n<figure class=\"image\"><img decoding=\"async\" title=\"Figure 10. Distribution of Stealc \u2013 detection heatmap (2025\u2013present)\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2026\/06-26\/operation-endgame\/figure-10.png\" alt=\"Figure 10. Distribution of Stealc \u2013 detection heatmap (2025\u2013present)\" width=\"\" height=\"\"\/><figcaption><em>Figure 10. Distribution of Stealc \u2013 detection heatmap (2025\u2013present)<\/em><\/figcaption><\/figure>\n<p>Stealc is advertised by a threat actor using the moniker plymouth. The operators had been actively maintaining Stealc; each time a new version was released, they disclosed release notes in a darknet forum post. There have been 37 such releases in the past three years. Stealc is sold as a monthly subscription, with pricing that has evolved only slightly:<\/p>\n<ul>\n<li>US$300 per month<\/li>\n<li>US$700 for three months<\/li>\n<li>US$1,000 for six months<\/li>\n<\/ul>\n<p>In March 2025, Stealc received a major architectural update with version 2, introducing significant changes to the network protocol and configuration structure and \u2013 since then \u2013 this version has dominated in our telemetry. By June 2026, it had reached version 2.22.1, as shown in Figure 11.<\/p>\n<figure class=\"image\"><img decoding=\"async\" title=\"Figure 11. Stealc version timeline\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2026\/06-26\/operation-endgame\/figure-11.png\" alt=\"Figure 11. Stealc version timeline\" width=\"\" height=\"\"\/><figcaption><em>Figure 11. Stealc version timeline<\/em><\/figcaption><\/figure>\n<p>Besides its main targets, Stealc includes a configurable file grabber that allows affiliates to specify custom patterns defining files to exfiltrate from compromised machines. Its C&amp;C communications and embedded strings are protected by RC4 encryption with per-build keys.<\/p>\n<p>Stealc does not rely on a single, standardized distribution method \u2013 each affiliate is responsible for its own delivery mechanisms. However, similar to Amadey, our telemetry indicates that certain vectors consistently stand out \u2013 particularly trojanized software installers and established malware loaders (like Amadey).<\/p>\n<h3>Technical overview<\/h3>\n<p>A detailed technical analysis of Stealc v2 has already been published by <a href=\"https:\/\/lumma-labs.com\/autopsy-of-a-failed-stealer-stealc-v2-a4e32da04396\" target=\"_blank\" rel=\"noopener\">Lumma-Labs<\/a>. In this section, we focus on the properties usable for clustering.<\/p>\n<p>Current versions of Stealc embed two distinct RC4 keys per sample:<\/p>\n<ul>\n<li>one to decrypt obfuscated strings at runtime, and<\/li>\n<li>a second one to encrypt C&amp;C network communications.<\/li>\n<\/ul>\n<p>In addition to the two RC4 keys, we have been extracting the <span style=\"font-family: courier new, courier, monospace;\">build<\/span> identifier from Stealc samples. This value represents an individual Stealc campaign, and unlike other strings it is not protected in the binary. The value is important because it is transmitted as part of the C&amp;C handshake (see Figure 12).<\/p>\n<p>The C&amp;C server address and URL path used for communications are both stored among the RC4-encrypted strings and have been extracted as part of our automated configuration unpacking pipeline.<\/p>\n<h3>C&amp;C communications<\/h3>\n<p>Stealc communicates with its C&amp;C server over HTTP using RC4-encrypted JSON objects. The initial request sent to the C&amp;C contains three values:<\/p>\n<ul>\n<li>a build identifier (<span style=\"font-family: courier new, courier, monospace;\">build<\/span>),<\/li>\n<li>a fingerprint of the compromised machine (<span style=\"font-family: courier new, courier, monospace;\">hwid<\/span>), and<\/li>\n<li>the request type (this initial request is of the type <span style=\"font-family: courier new, courier, monospace;\">create<\/span>).<\/li>\n<\/ul>\n<p>The machine fingerprint is derived from the system\u2019s volume serial number and formatted as a UUIDv4 string. An example JSON object for this initial request is shown in Figure 12.<\/p>\n<figure class=\"image\"><img decoding=\"async\" title=\"Figure 12. Example of a create request issued by Stealc\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2026\/06-26\/operation-endgame\/figure-12.png\" alt=\"Figure 12. Example of a create request issued by Stealc\" width=\"\" height=\"\"\/><figcaption><em>Figure 12. Example of a <\/em><span style=\"font-family: courier new, courier, monospace;\">create<\/span><em> request issued by Stealc<\/em><\/figcaption><\/figure>\n<p>The C&amp;C server responds with a complex JSON object that defines what features Stealc should perform. Alongside that, the response contains a randomly generated <span style=\"font-family: courier new, courier, monospace;\">access_token<\/span> value that acts as a session key and needs to be used in all subsequent requests, otherwise they are refused by the server. Besides the complex definitions of targets, the JSON object also defines whether to take a screenshot, self-destruct when finished, or download and execute an additional payload afterwards. An example of response JSON object is shown in Figure 13.<\/p>\n<figure class=\"image\"><img decoding=\"async\" title=\"Figure 13. Decrypted Stealc configuration from C&amp;C server\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2026\/06-26\/operation-endgame\/figure-13.png\" alt=\"Figure 13. Decrypted Stealc configuration from C&amp;C server\" width=\"\" height=\"\"\/><figcaption><em>Figure 13. Decrypted Stealc configuration from C&amp;C server<\/em><\/figcaption><\/figure>\n<p>Each server response also contains a randomly generated key-value pair at the very beginning \u2013 neither hexadecimal string is ever reused in subsequent C&amp;C communications. According to <a href=\"https:\/\/www.zscaler.com\/blogs\/security-research\/i-stealc-you-tracking-rapid-changes-stealc\">Zscaler research<\/a>, this prevents static detection signatures on RC4-encrypted traffic, even when the same encryption key is used repeatedly. In Figure 13 the randomly generated nonce is <span style=\"font-family: courier new, courier, monospace;\">\u00abbf66e52\u00bb<\/span>: <span style=\"font-family: courier new, courier, monospace;\">\u00ab03030ac3e9a8cebf\u00bb<\/span>.<\/p>\n<p>After the initial registration, Stealc uses three additional operation types with self-explanatory names to perform its functionality:<\/p>\n<ul>\n<li><span style=\"font-family: courier new, courier, monospace;\">upload_file<\/span> \u2013 exfiltrate collected data,<\/li>\n<li><span style=\"font-family: courier new, courier, monospace;\">loader<\/span> \u2013 fetch and execute a follow-on payload, and<\/li>\n<li><span style=\"font-family: courier new, courier, monospace;\">done<\/span> \u2013 signal completion.<\/li>\n<\/ul>\n<h3>Clustering<\/h3>\n<p>As mentioned, unlike Lumma Stealer\u2019s, Stealc operators offer their affiliates no shared infrastructure. Similar to our clustering approach for Amadey, we applied graph modeling to values extracted from Stealc configurations, combined with our understanding of their purpose, to better comprehend the structure of the Stealc ecosystem. We ended up with a graph showing that Stealc is indeed fractured into many small clusters (see Figure 14). Each cluster is centered around a small number of C&amp;C servers (often just one) and typically tied to only a few <span style=\"font-family: courier new, courier, monospace;\">build<\/span> IDs or C&amp;C URL paths. Disrupting such infrastructure is therefore a challenging task due to the lack of a weak point. Overall, we identified a total of <strong>73 distinct clusters<\/strong> (see Figure 14) operating Stealc since March 2025.<\/p>\n<figure class=\"image\"><img decoding=\"async\" title=\"Figure 14. Stealc affiliate clustering based on ESET telemetry\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2026\/06-26\/operation-endgame\/figure-14.png\" alt=\"Figure 14. Stealc affiliate clustering based on ESET telemetry\" width=\"\" height=\"\"\/><figcaption><em>Figure 14. Stealc affiliate clustering based on ESET telemetry<\/em><\/figcaption><\/figure>\n<h2>Conclusion<\/h2>\n<p>For global disruption operations such as Operation Endgame against Amadey and Stealc, long-term automated tracking of malware is necessary. This blogpost presents information collected in that manner but also provides details on the specific MaaS business model behind each family and how that translates into often fragmented network infrastructure, documents their key static identifiers and C&amp;C communication protocols, and outlines how ESET researchers helped to identify critical points for the disruption. Our threat intelligence on both Amadey and Stealc, combined with data shared by our partners, provided a strong foundation for both the disruption operation and law enforcement efforts.<\/p>\n<p>Operation Endgame aimed to seize or render inoperative all known Amadey and Stealc C&amp;C servers, directly disrupting the infrastructure relied upon by both MaaS offerings\u2019 affiliates. ESET will continue to monitor both families and track any attempts to rebuild operational infrastructure following this disruption.<\/p>\n<h2>IoCs<\/h2>\n<p>A comprehensive list of indicators of compromise (IoCs) and samples can be found in <a href=\"https:\/\/github.com\/eset\/malware-ioc\/tree\/master\/amadey_stealc\" target=\"_blank\" rel=\"noopener\">our GitHub repository<\/a>.<\/p>\n<h3>Files<\/h3>\n<table border=\"1\" width=\"642\" cellspacing=\"0\" cellpadding=\"0\">\n<thead>\n<tr>\n<td style=\"width: 220.906px;\" width=\"1139\"><strong>SHA\u20111<\/strong><\/td>\n<td style=\"width: 197.438px;\" width=\"197\"><strong>Filename<\/strong><\/td>\n<td style=\"width: 180.359px;\" width=\"217\"><strong>Detection<\/strong><\/td>\n<td style=\"width: 139.1094px;\" width=\"114\"><strong>Description<\/strong><\/td>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"width: 220.906px;\" width=\"1139\"><span style=\"font-family: courier new, courier, monospace;\">11A42EF076686CB27BA2<wbr\/>C8845301943652A5AADC<\/span><\/td>\n<td style=\"width: 197.438px;\" width=\"197\"><span style=\"font-family: courier new, courier, monospace;\">KB.14.804.84<wbr\/>07.exe<\/span><\/td>\n<td style=\"width: 180.359px;\" width=\"217\">Win64\/Stealc.A<\/td>\n<td style=\"width: 139.1094px;\" width=\"114\">Stealc infostealer.<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 220.906px;\" width=\"1139\"><span style=\"font-family: courier new, courier, monospace;\">32D0C3300825B0BB991C<wbr\/>4A8F1E6244F0AD2DA989<\/span><\/td>\n<td style=\"width: 197.438px;\" width=\"197\"><span style=\"font-family: courier new, courier, monospace;\">yinkaroj.exe<\/span><\/td>\n<td style=\"width: 180.359px;\" width=\"217\">Win64\/Stealc.A<\/td>\n<td style=\"width: 139.1094px;\" width=\"114\">Stealc infostealer.<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 220.906px;\" width=\"1139\"><span style=\"font-family: courier new, courier, monospace;\">5F3F99B14243404C7CF5<wbr\/>7B40BB101244CCE394BF<\/span><\/td>\n<td style=\"width: 197.438px;\" width=\"197\"><span style=\"font-family: courier new, courier, monospace;\">MusNotificat<wbr\/>ion.exe<\/span><\/td>\n<td style=\"width: 180.359px;\" width=\"217\">Win64\/Stealc.B<\/td>\n<td style=\"width: 139.1094px;\" width=\"114\">Stealc infostealer.<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 220.906px;\" width=\"1139\"><span style=\"font-family: courier new, courier, monospace;\">B4101027BF2F1261402B<wbr\/>F6318C6EB016CE249037<\/span><\/td>\n<td style=\"width: 197.438px;\" width=\"197\"><span style=\"font-family: courier new, courier, monospace;\">Patch.exe<\/span><\/td>\n<td style=\"width: 180.359px;\" width=\"217\">Win32\/Spy.Agent.QOL<\/td>\n<td style=\"width: 139.1094px;\" width=\"114\">Stealc infostealer.<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 220.906px;\" width=\"1139\"><span style=\"font-family: courier new, courier, monospace;\">F61E3A643F2417E1A1AB<wbr\/>2C83BBDBFC8A7CB96756<\/span><\/td>\n<td style=\"width: 197.438px;\" width=\"197\"><span style=\"font-family: courier new, courier, monospace;\">VeloTeam_x32<wbr\/>.exe<\/span><\/td>\n<td style=\"width: 180.359px;\" width=\"217\">Win32\/Spy.Agent.QOL<\/td>\n<td style=\"width: 139.1094px;\" width=\"114\">Stealc infostealer.<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 220.906px;\" width=\"1139\"><span style=\"font-family: courier new, courier, monospace;\">09002D4668A778853E8D<wbr\/>A5C488C6E421C0628357<\/span><\/td>\n<td style=\"width: 197.438px;\" width=\"197\">N\/A<\/td>\n<td style=\"width: 180.359px;\" width=\"217\">Win32\/TrojanDownloa<wbr\/>der.Amadey.A<\/td>\n<td style=\"width: 139.1094px;\" width=\"114\">Amadey.<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 220.906px;\" width=\"1139\"><span style=\"font-family: courier new, courier, monospace;\">87867AD29E621BF9EBF5<wbr\/>7E1757F75090842458BE<\/span><\/td>\n<td style=\"width: 197.438px;\" width=\"197\">N\/A<\/td>\n<td style=\"width: 180.359px;\" width=\"217\">Win32\/TrojanDownloa<wbr\/>der.Amadey.A<\/td>\n<td style=\"width: 139.1094px;\" width=\"114\">Amadey.<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 220.906px;\" width=\"1139\"><span style=\"font-family: courier new, courier, monospace;\">38D744543B2051E6F749<wbr\/>AF171B5EF8D6DF8AAC7B<\/span><\/td>\n<td style=\"width: 197.438px;\" width=\"197\">N\/A<\/td>\n<td style=\"width: 180.359px;\" width=\"217\">Win64\/TrojanDownloa<wbr\/>der.Amadey.A<\/td>\n<td style=\"width: 139.1094px;\" width=\"114\">Amadey.<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 220.906px;\" width=\"1139\"><span style=\"font-family: courier new, courier, monospace;\">C0E178D26E1E613985A9C<wbr\/>67E649D71D54642E0EED<\/span><\/td>\n<td style=\"width: 197.438px;\" width=\"197\">N\/A<\/td>\n<td style=\"width: 180.359px;\" width=\"217\">Win64\/TrojanDownloa<wbr\/>der.Amadey.A<\/td>\n<td style=\"width: 139.1094px;\" width=\"114\">Amadey.<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 220.906px;\" width=\"1139\"><span style=\"font-family: courier new, courier, monospace;\">FF8D2AFD9D7F0A822092<wbr\/>FEE34CA55D1A3542F7ED<\/span><\/td>\n<td style=\"width: 197.438px;\" width=\"197\">N\/A<\/td>\n<td style=\"width: 180.359px;\" width=\"217\">Win32\/TrojanDownloa<wbr\/>der.Amadey.A<\/td>\n<td style=\"width: 139.1094px;\" width=\"114\">Amadey.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h3>Network<\/h3>\n<p><span style=\"font-size: medium; font-weight: 400;\"><\/p>\n<table border=\"1\" width=\"642\" cellspacing=\"0\" cellpadding=\"0\">\n<thead>\n<tr>\n<td width=\"156\"><strong>IP<\/strong><\/td>\n<td width=\"100\"><strong>Domain<\/strong><\/td>\n<td width=\"181\"><strong>Hosting provider<\/strong><\/td>\n<td width=\"80\"><strong>First seen<\/strong><\/td>\n<td width=\"156\"><strong>Details<\/strong><\/td>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td width=\"156\"><span style=\"font-family: courier new, courier, monospace;\">62.60.226[.]159<\/span><\/td>\n<td width=\"100\">N\/A<\/td>\n<td width=\"181\">FEMO IT SOLUTIONS LIMITED<\/td>\n<td width=\"80\">2026\u201104\u201113<\/td>\n<td width=\"156\">Amadey C&amp;C server.<\/td>\n<\/tr>\n<tr>\n<td width=\"156\"><span style=\"font-family: courier new, courier, monospace;\">64.188.91[.]237<\/span><\/td>\n<td width=\"100\">N\/A<\/td>\n<td width=\"181\">Hurricane Electric LLC<\/td>\n<td width=\"80\">2026\u201103\u201119<\/td>\n<td width=\"156\">Stealc C&amp;C server.<\/td>\n<\/tr>\n<tr>\n<td width=\"156\"><span style=\"font-family: courier new, courier, monospace;\">94.154.35[.]25<\/span><\/td>\n<td width=\"100\">N\/A<\/td>\n<td width=\"181\">Artem Sevastyanov<\/td>\n<td width=\"80\">2026\u201103\u201126<\/td>\n<td width=\"156\">Amadey C&amp;C server.<\/td>\n<\/tr>\n<tr>\n<td width=\"156\"><span style=\"font-family: courier new, courier, monospace;\">95.85.238[.]4<\/span><\/td>\n<td width=\"100\">N\/A<\/td>\n<td width=\"181\">DATAMAT CZ s.r.o.<\/td>\n<td width=\"80\">2026\u201104\u201109<\/td>\n<td width=\"156\">Stealc C&amp;C server.<\/td>\n<\/tr>\n<tr>\n<td width=\"156\"><span style=\"font-family: courier new, courier, monospace;\">176.111.174[.]140<\/span><\/td>\n<td width=\"100\">N\/A<\/td>\n<td width=\"181\">RU-NUBES-20220530<\/td>\n<td width=\"80\">2026\u201103\u201104<\/td>\n<td width=\"156\">Amadey C&amp;C server.<\/td>\n<\/tr>\n<tr>\n<td width=\"156\"><span style=\"font-family: courier new, courier, monospace;\">176.124.199[.]207<\/span><\/td>\n<td width=\"100\">N\/A<\/td>\n<td width=\"181\">AEZA INTERNATIONAL LTD<\/td>\n<td width=\"80\">2026\u201103\u201131<\/td>\n<td width=\"156\">Stealc C&amp;C server.<\/td>\n<\/tr>\n<tr>\n<td width=\"156\"><span style=\"font-family: courier new, courier, monospace;\">188.114.96[.]1<\/span><\/td>\n<td width=\"100\"><span style=\"font-family: courier new, courier, monospace;\">mi.overlapsno<wbr\/>wbound[.]com<\/span><\/td>\n<td width=\"181\">Cloudflare, Inc.<\/td>\n<td width=\"80\">2026\u201104\u201102<\/td>\n<td width=\"156\">Amadey C&amp;C server.<\/td>\n<\/tr>\n<tr>\n<td width=\"156\"><span style=\"font-family: courier new, courier, monospace;\">193.156.1[.]16<\/span><\/td>\n<td width=\"100\">N\/A<\/td>\n<td width=\"181\">RU-PROTON66-20191118<\/td>\n<td width=\"80\">2026\u201102\u201124<\/td>\n<td width=\"156\">Amadey C&amp;C server.<\/td>\n<\/tr>\n<tr>\n<td width=\"156\"><span style=\"font-family: courier new, courier, monospace;\">194.26.192[.]191<\/span><\/td>\n<td width=\"100\">N\/A<\/td>\n<td width=\"181\">1337 Services GmbH<\/td>\n<td width=\"80\">2026\u201102\u201120<\/td>\n<td width=\"156\">Stealc C&amp;C server.<\/td>\n<\/tr>\n<tr>\n<td width=\"156\"><span style=\"font-family: courier new, courier, monospace;\">196.251.107[.]130<\/span><\/td>\n<td width=\"100\">N\/A<\/td>\n<td width=\"181\">NTT America, Inc.<\/td>\n<td width=\"80\">2026\u201104\u201117<\/td>\n<td width=\"156\">Stealc C&amp;C server.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><\/span><\/p>\n<h2>MITRE ATT&amp;CK techniques<\/h2>\n<p>This table was built using <a href=\"https:\/\/attack.mitre.org\/resources\/versions\/\" target=\"_blank\" rel=\"noopener\">version 19<\/a> of the MITRE ATT&amp;CK framework.<\/p>\n<table border=\"1\" width=\"642\" cellspacing=\"0\" cellpadding=\"0\">\n<thead>\n<tr>\n<td width=\"113\"><strong>Tactic<\/strong><\/td>\n<td width=\"113\"><strong>ID<\/strong><\/td>\n<td width=\"151\"><strong>Name<\/strong><\/td>\n<td width=\"265\"><strong>Description<\/strong><\/td>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td rowspan=\"4\" width=\"113\"><strong>Resource Development<\/strong><\/td>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v19\/techniques\/T1583\/004\" target=\"_BLANK\">T1583.004<\/a><\/td>\n<td width=\"151\">Acquire Infrastructure: Server<\/td>\n<td width=\"265\">Amadey affiliates acquire servers to host C&amp;C panels and support Amadey operations.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v19\/techniques\/T1587\/001\" target=\"_BLANK\">T1587.001<\/a><\/td>\n<td width=\"151\">Develop Capabilities: Malware<\/td>\n<td width=\"265\">Amadey operators actively develop their malware and tools to support their monetization efforts.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v19\/techniques\/T1588\/001\" target=\"_BLANK\">T1588.001<\/a><\/td>\n<td width=\"151\">Obtain Capabilities: Malware<\/td>\n<td width=\"265\">Amadey affiliates often acquire additional malware to be distributed to a compromised system.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v19\/techniques\/T1608\/001\" target=\"_BLANK\">T1608.001<\/a><\/td>\n<td width=\"151\">Stage Capabilities: Upload Malware<\/td>\n<td width=\"265\">Amadey and Stealc affiliates can upload acquired malware to their infrastructure or third-party web services to distribute it.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><strong>Initial Access<\/strong><\/td>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v19\/techniques\/T1195\" target=\"_BLANK\">T1195<\/a><\/td>\n<td width=\"151\">Supply Chain Compromise<\/td>\n<td width=\"265\">Amadey and Stealc are distributed through trojanized, cracked software installers.<\/td>\n<\/tr>\n<tr>\n<td rowspan=\"4\" width=\"113\"><strong>Execution<\/strong><\/td>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v19\/techniques\/T1059\/003\" target=\"_BLANK\">T1059.003<\/a><\/td>\n<td width=\"151\">Command and Scripting Interpreter: Windows Command Shell<\/td>\n<td width=\"265\">Amadey uses <span style=\"font-family: courier new, courier, monospace;\">cmd.exe<\/span> to support its operation and can execute arbitrary CMD script files.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v19\/techniques\/T1106\" target=\"_BLANK\">T1106<\/a><\/td>\n<td width=\"151\">Native API<\/td>\n<td width=\"265\">Amadey utilizes various Windows API functions throughout its execution.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v19\/techniques\/T1129\" target=\"_BLANK\">T1129<\/a><\/td>\n<td width=\"151\">Shared Modules<\/td>\n<td width=\"265\">Amadey can load additional credential stealer and clipper plugins to enhance its capabilities.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v19\/techniques\/T1204\/002\" target=\"_BLANK\">T1204.002<\/a><\/td>\n<td width=\"151\">User Execution: Malicious File<\/td>\n<td width=\"265\">Amadey and Stealc are distributed as a PE file to be executed by the victim.<\/td>\n<\/tr>\n<tr>\n<td rowspan=\"2\" width=\"113\"><strong>Persistence<\/strong><\/td>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v19\/techniques\/T1136\/001\" target=\"_BLANK\">T1136.001<\/a><\/td>\n<td width=\"151\">Create Account: Local Account<\/td>\n<td width=\"265\">Amadey can create an administrative account on a compromised system.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v19\/techniques\/T1547\/001\" target=\"_BLANK\">T1547.001<\/a><\/td>\n<td width=\"151\">Boot or Logon Autostart Execution: Registry Run Keys \/ Startup Folder<\/td>\n<td width=\"265\">Amadey can establish persistence for newly downloaded malware by creating a registry Run key.<\/td>\n<\/tr>\n<tr>\n<td rowspan=\"8\" width=\"113\"><strong>Stealth<\/strong><\/td>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v19\/techniques\/T1027\/015\" target=\"_BLANK\">T1027.015<\/a><\/td>\n<td width=\"151\">Obfuscated Files or Information: Compression<\/td>\n<td width=\"265\">Amadey can download, decompress, and execute payloads delivered in ZIP archives.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v19\/techniques\/T1055\/002\" target=\"_BLANK\">T1055.002<\/a><\/td>\n<td width=\"151\">Process Injection: Portable Executable Injection<\/td>\n<td width=\"265\">Amadey can inject a downloaded payload into its child process.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v19\/techniques\/T1480\" target=\"_BLANK\">T1480<\/a><\/td>\n<td width=\"151\">Execution Guardrails<\/td>\n<td width=\"265\">Amadey and Stealc check the keyboard layout and abort execution if it matches a CIS country.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v19\/techniques\/T1140\" target=\"_BLANK\">T1140<\/a><\/td>\n<td width=\"151\">Deobfuscate\/Decode Files or Information<\/td>\n<td width=\"265\">Amadey and Stealc encrypt their strings, network traffic, and downloaded payloads.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v19\/techniques\/T1218\/007\" target=\"_BLANK\">T1218.007<\/a><\/td>\n<td width=\"151\">Signed Binary Proxy Execution: Msiexec<\/td>\n<td width=\"265\">Amadey can download and execute an additional payload distributed in an MSI package.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v19\/techniques\/T1218\/011\" target=\"_BLANK\">T1218.011<\/a><\/td>\n<td width=\"151\">Signed Binary Proxy Execution: Rundll32<\/td>\n<td width=\"265\">Amadey can download and load an additional DLL file using <span style=\"font-family: courier new, courier, monospace;\">rundll32.exe<\/span>.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v19\/techniques\/T1027\" target=\"_BLANK\">T1027<\/a><\/td>\n<td width=\"151\">Obfuscated Files or Information<\/td>\n<td width=\"265\">The majority of strings in Stealc (C&amp;C addresses, URLs, configuration parameters) are RC4 encrypted within the binary.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v19\/techniques\/T1036\" target=\"_BLANK\">T1036<\/a><\/td>\n<td width=\"151\">Masquerading<\/td>\n<td width=\"265\">Stealc masquerades as a legitimate binary.<\/td>\n<\/tr>\n<tr>\n<td rowspan=\"6\" width=\"113\"><strong>Credential Access<\/strong><\/td>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v19\/techniques\/T1552\/001\" target=\"_BLANK\">T1552.001<\/a><\/td>\n<td width=\"151\">Unsecured Credentials: Credentials In Files<\/td>\n<td width=\"265\">Amadey and Stealc can harvest credentials from various applications, such as crypto wallets and FTP and messaging clients.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v19\/techniques\/T1552\/002\" target=\"_BLANK\">T1552.002<\/a><\/td>\n<td width=\"151\">Unsecured Credentials: Credentials in Registry<\/td>\n<td width=\"265\">Amadey can harvest application credentials stored in the registry, such as those from Outlook and the WinSCP client.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v19\/techniques\/T1555\/003\" target=\"_BLANK\">T1555.003<\/a><\/td>\n<td width=\"151\">Credentials from Password Stores: Credentials from Web Browsers<\/td>\n<td width=\"265\">Stealc and Amadey can harvest credentials from various Web Browsers.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v19\/techniques\/T1528\" target=\"_BLANK\">T1528<\/a><\/td>\n<td width=\"151\">Steal Application Access Token<\/td>\n<td width=\"265\">Stealc targets application tokens (e.g., crypto wallets, messaging apps).<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v19\/techniques\/T1539\" target=\"_BLANK\">T1539<\/a><\/td>\n<td width=\"151\">Steal Web Session Cookie<\/td>\n<td width=\"265\">Stealc harvests browser cookies alongside credentials.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v19\/techniques\/T1555\" target=\"_BLANK\">T1555<\/a><\/td>\n<td width=\"151\">Credentials from Password Stores<\/td>\n<td width=\"265\">Stealc targets browser-stored credentials (passwords, autofill data).<\/td>\n<\/tr>\n<tr>\n<td rowspan=\"8\" width=\"113\"><strong>Discovery<\/strong><\/td>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v19\/techniques\/T1012\" target=\"_BLANK\">T1012<\/a><\/td>\n<td width=\"151\">Query Registry<\/td>\n<td width=\"265\">Amadey reads various data from the registry, such as data to harvest, Windows version, and keyboard layout.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v19\/techniques\/T1016\" target=\"_BLANK\">T1016<\/a><\/td>\n<td width=\"151\">System Network Configuration Discovery<\/td>\n<td width=\"265\">Amadey and Stealc send information about the compromised system\u2019s network setup to their C&amp;C servers.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v19\/techniques\/T1033\" target=\"_BLANK\">T1033<\/a><\/td>\n<td width=\"151\">System Owner\/User Discovery<\/td>\n<td width=\"265\">Amadey and Stealc send the victim\u2019s username to their C&amp;C servers.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v19\/techniques\/T1057\" target=\"_BLANK\">T1057<\/a><\/td>\n<td width=\"151\">Process Discovery<\/td>\n<td width=\"265\">Amadey\u2019s credential stealer plugin enumerates running processes to identify targeted applications. Stealc also enumerates running processes during its initial execution stage.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v19\/techniques\/T1082\" target=\"_BLANK\">T1082<\/a><\/td>\n<td width=\"151\">System Information Discovery<\/td>\n<td width=\"265\">Amadey and Stealc send various system information, such as the Windows version, the computer name, and other metadata to their C&amp;C servers.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v19\/techniques\/T1083\" target=\"_BLANK\">T1083<\/a><\/td>\n<td width=\"151\">File and Directory Discovery<\/td>\n<td width=\"265\">Amadey and Stealc search the file system to discover interesting files to harvest, security products, and other artifacts of interest.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v19\/techniques\/T1518\/001\" target=\"_BLANK\">T1518.001<\/a><\/td>\n<td width=\"151\">Software Discovery: Security Software Discovery<\/td>\n<td width=\"265\">Amadey checks the system for a set of security products and reports those installed to its C&amp;C server.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v19\/techniques\/T1614\/001\" target=\"_BLANK\">T1614.001<\/a><\/td>\n<td width=\"151\">System Location Discovery: System Language Discovery<\/td>\n<td width=\"265\">Amadey and Stealc check the system keyboard layout\/locale to implement CIS-country execution blocks.<\/td>\n<\/tr>\n<tr>\n<td rowspan=\"3\" width=\"113\"><strong>Collection<\/strong><\/td>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v19\/techniques\/T1113\" target=\"_BLANK\">T1113<\/a><\/td>\n<td width=\"151\">Screen Capture<\/td>\n<td width=\"265\">Amadey and Stealc can capture a screenshot when instructed to do so.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v19\/techniques\/T1119\" target=\"_BLANK\">T1119<\/a><\/td>\n<td width=\"151\">Automated Collection<\/td>\n<td width=\"265\">Amadey uses its credential stealer plugin to collect and exfiltrate credentials from various applications. Stealc\u2019s credential collection is fully automated and policy-driven via the C&amp;C-supplied configuration.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v19\/techniques\/T1005\" target=\"_BLANK\">T1005<\/a><\/td>\n<td width=\"151\">Data from Local System<\/td>\n<td width=\"265\">Stealc collects files matching operator-defined patterns from the local file system via the configurable file grabber.<\/td>\n<\/tr>\n<tr>\n<td rowspan=\"5\" width=\"113\"><strong>Command and Control<\/strong><\/td>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v19\/techniques\/T1008\" target=\"_BLANK\">T1008<\/a><\/td>\n<td width=\"151\">Fallback Channels<\/td>\n<td width=\"265\">Amadey\u2019s configuration may contain up to three C&amp;C servers in case the primary one becomes inaccessible.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v19\/techniques\/T1071\/001\" target=\"_BLANK\">T1071.001<\/a><\/td>\n<td width=\"151\">Application Layer Protocol: Web Protocols<\/td>\n<td width=\"265\">Amadey communicates with its C&amp;C server over HTTP. Stealc communicates over HTTP(S) using a JSON-based protocol.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v19\/techniques\/T1132\/001\" target=\"_BLANK\">T1132.001<\/a><\/td>\n<td width=\"151\">Data Encoding: Standard Encoding<\/td>\n<td width=\"265\">Amadey uses hexadecimal and base64 encodings for transferred data. Stealc uses base64 for exfiltrated data on top of RC4 encryption.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v19\/techniques\/T1219\/002\" target=\"_BLANK\">T1219.002<\/a><\/td>\n<td width=\"151\">Remote Access Software: Remote Desktop Software<\/td>\n<td width=\"265\">Amadey supports remote control of compromised systems via its VNC plugin or through an RDP connection.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v19\/techniques\/T1573\/001\" target=\"_BLANK\">T1573.001<\/a><\/td>\n<td width=\"151\">Encrypted Channel: Symmetric Cryptography<\/td>\n<td width=\"265\">Amadey and Stealc use the RC4 cipher for encrypting C&amp;C communications.<\/td>\n<\/tr>\n<tr>\n<td rowspan=\"2\" width=\"113\"><strong>Exfiltration<\/strong><\/td>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v19\/techniques\/T1020\" target=\"_BLANK\">T1020<\/a><\/td>\n<td width=\"151\">Automated Exfiltration<\/td>\n<td width=\"265\">Amadey and Stealc exfiltrate collected data to their C&amp;Cs fully automatically without operator interaction.<\/td>\n<\/tr>\n<tr>\n<td width=\"113\"><a href=\"https:\/\/attack.mitre.org\/versions\/v19\/techniques\/T1041\" target=\"_BLANK\">T1041<\/a><\/td>\n<td width=\"151\">Exfiltration Over C2 Channel<\/td>\n<td width=\"265\">Amadey and Stealc exfiltrate collected data to their C&amp;C servers.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><a href=\"https:\/\/www.eset.com\/int\/business\/services\/threat-intelligence\/?utm_source=welivesecurity.com&amp;utm_medium=referral&amp;utm_campaign=wls-research&amp;utm_content=eset-takes-part-operation-endgame-disrupt-amadey-stealc&amp;sfdccampaignid=7011n0000017htTAAQ\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/eti-eset-threat-intelligence.png\" alt=\"\" width=\"915\" height=\"296\"\/><\/a><\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>A year ago, ESET Research was part of two major operations that disrupted some of the leading cybercriminal<\/p>\n","protected":false},"author":1,"featured_media":389,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[],"class_list":["post-388","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security"],"_links":{"self":[{"href":"https:\/\/escudodigital.uy\/index.php\/wp-json\/wp\/v2\/posts\/388","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/escudodigital.uy\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/escudodigital.uy\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/escudodigital.uy\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/escudodigital.uy\/index.php\/wp-json\/wp\/v2\/comments?post=388"}],"version-history":[{"count":0,"href":"https:\/\/escudodigital.uy\/index.php\/wp-json\/wp\/v2\/posts\/388\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/escudodigital.uy\/index.php\/wp-json\/wp\/v2\/media\/389"}],"wp:attachment":[{"href":"https:\/\/escudodigital.uy\/index.php\/wp-json\/wp\/v2\/media?parent=388"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/escudodigital.uy\/index.php\/wp-json\/wp\/v2\/categories?post=388"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/escudodigital.uy\/index.php\/wp-json\/wp\/v2\/tags?post=388"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}