ESET takes part in Operation Endgame to disrupt Amadey and Stealc
ESET Research contributed to Operation Endgame, a coordinated global disruption targeting the Amadey botnet and Stealc infostealer MaaS ecosystems. The operation seized or rendered inoperative approximately 50 domains and nearly 200 active IP-based C&C servers. ESET provided technical analysis, C&C server lists, RC4 encryption keys, campaign/build identifiers, and clustering methodology based on long-term tracking of both malware families. The fragmented, affiliate-operated infrastructure model used by both services required advanced graph-based clustering of RC4 keys, build IDs, and C&C URL paths to identify high-priority targets for disruption.
- domainmi[.]barbertingling[.]comAmadey C&C domain observed in URL list with path /kawt2QXfpPueNM/index.php
- domainmi[.]candyendurable[.]comAmadey C&C domain observed in URL list with path /kawt2QXfpPueNM/index.php
- domainmicrosoft-telemetry[.]ccAmadey C&C domain using deceptive Microsoft telemetry naming; observed with path /cvdfnaFJBmC0/index.php
- domainmi[.]huffproofs[.]comAmadey C&C domain observed in URL list with path /kawt2QXfpPueNM/index.php
- domainmi[.]limpingbronco[.]comAmadey C&C domain observed in URL list with path /kawt2QXfpPueNM/index.php
- domainmi[.]overlapsnowbound[.]comAmadey C&C domain resolving to 188.114.96.1 (Cloudflare), first seen 2026-04-02; also observed in C&C URL list with path /kawt2QXfpPueNM/index.php
- domainmi[.]snowfieldupriver[.]comAmadey C&C domain observed in URL list with path /kawt2QXfpPueNM/index.php
- domainmi[.]unbuttonrudder[.]comAmadey C&C domain observed in URL list with path /kawt2QXfpPueNM/index.php
- domaintelemety-sys[.]lolAmadey C&C domain using deceptive telemetry naming; observed with path /cvdfnaFJBmC2/index.php
- domaintelemety-xbox[.]lolAmadey C&C domain using deceptive telemetry naming; observed with path /cvdfnaFJBmC1/index.php
- ip152[.]89[.]198[.]124Amadey C&C server observed in C&C URL list with path /8bdDsv3dk2FF/index.php
- ip176[.]111[.]174[.]140Amadey C&C server hosted on RU-NUBES-20220530, first seen 2026-03-04
- ip176[.]124[.]199[.]207Stealc C&C server hosted on AEZA INTERNATIONAL LTD, first seen 2026-03-31
- ip176[.]46[.]157[.]50Amadey C&C server observed in C&C URL list with path /tu3d2rom/index.php
- ip178[.]16[.]53[.]7Amadey C&C server observed in C&C URL list with path /cvdfnaFJBmC1/index.php
- ip185[.]156[.]72[.]96Amadey C&C server observed in C&C URL list with path /te4h2nus/index.php
- ip185[.]208[.]158[.]116Amadey C&C server observed in C&C URL list with path /bVoZEtTa1/index.php
- ip188[.]114[.]96[.]1Amadey C&C server IP behind Cloudflare for domain mi.overlapsnowbound.com
- ip193[.]156[.]1[.]16Amadey C&C server hosted on RU-PROTON66-20191118, first seen 2026-02-24
- ip194[.]26[.]192[.]191Stealc C&C server hosted on 1337 Services GmbH, first seen 2026-02-20
- ip196[.]251[.]107[.]130Stealc C&C server hosted on NTT America, Inc., first seen 2026-04-17
- ip213[.]209[.]150[.]166Amadey C&C server observed in C&C URL list with path /g7hen3xxf/index.php
- ip62[.]60[.]226[.]159Amadey C&C server hosted on FEMO IT SOLUTIONS LIMITED, first seen 2026-04-13
- ip64[.]188[.]91[.]237Stealc C&C server hosted on Hurricane Electric LLC, first seen 2026-03-19
- ip78[.]46[.]242[.]112Amadey C&C server observed in C&C URL list with path /so57Nst/index.php
- ip94[.]154[.]35[.]25Amadey C&C server; also observed in packet capture sending task responses containing SHA256 hashes for payload download
- ip95[.]85[.]238[.]4Stealc C&C server hosted on DATAMAT CZ s.r.o., first seen 2026-04-09
- sha109002d4668a778853e8da5c488c6e421c0628357Amadey downloader sample (Win32/TrojanDownloader.Amadey.A)
- sha111a42ef076686cb27ba2c8845301943652a5aadcStealc infostealer sample (Win64/Stealc.A), filename KB.14.804.8407.exe
- sha132d0c3300825b0bb991c4a8f1e6244f0ad2da989Stealc infostealer sample (Win64/Stealc.A), filename yinkaroj.exe
- sha138d744543b2051e6f749af171b5ef8d6df8aac7bAmadey downloader sample (Win64/TrojanDownloader.Amadey.A)
- sha15f3f99b14243404c7cf57b40bb101244cce394bfStealc infostealer sample (Win64/Stealc.B), filename MusNotification.exe - masquerading as legitimate Windows notification binary
- sha187867ad29e621bf9ebf57e1757f75090842458beAmadey downloader sample (Win32/TrojanDownloader.Amadey.A)
- sha1b4101027bf2f1261402bf6318c6eb016ce249037Stealc infostealer sample (Win32/Spy.Agent.QOL), filename Patch.exe
- sha1f61e3a643f2417e1a1ab2c83bbdbfc8a7cb96756Stealc infostealer sample (Win32/Spy.Agent.QOL), filename VeloTeam_x32.exe
- sha1ff8d2afd9d7f0a822092fee34ca55d1a3542f7edAmadey downloader sample (Win32/TrojanDownloader.Amadey.A)
- urlhxxp://152[.]89[.]198[.]124/8bdDsv3dk2FF/index[.]phpAmadey C&C URL with unique random path identifier
- urlhxxp://176[.]46[.]157[.]50/tu3d2rom/index[.]phpAmadey C&C URL with unique random path identifier
- urlhxxp://178[.]16[.]53[.]7/cvdfnaFJBmC1/index[.]phpAmadey C&C URL; path prefix cvdfnaFJBmC shared across multiple servers
- urlhxxp://185[.]156[.]72[.]96/te4h2nus/index[.]phpAmadey C&C URL with unique random path identifier
- urlhxxp://185[.]208[.]158[.]116/bVoZEtTa1/index[.]phpAmadey C&C URL with unique random path identifier
- urlhxxp://213[.]209[.]150[.]166/g7hen3xxf/index[.]phpAmadey C&C URL with unique random path identifier
- urlhxxp://78[.]46[.]242[.]112/so57Nst/index[.]phpAmadey C&C URL with unique random path identifier
- urlhxxp://94[.]154[.]35[.]25/di9ku38f/index[.]phpAmadey C&C URL observed in Wireshark packet capture; bot sends initial beacon 'st=s' and receives task list with payload hashes
- urlhxxp://mi[.]barbertingling[.]com/kawt2QXfpPueNM/index[.]phpAmadey C&C URL; shared path indicates same affiliate cluster
- urlhxxp://mi[.]candyendurable[.]com/kawt2QXfpPueNM/index[.]phpAmadey C&C URL; shared path indicates same affiliate cluster
- urlhxxp://microsoft-telemetry[.]cc/cvdfnaFJBmC0/index[.]phpAmadey C&C URL using deceptive Microsoft-telemetry domain; part of a cluster sharing the path prefix 'cvdfnaFJBmC' across multiple servers
- urlhxxp://mi[.]huffproofs[.]com/kawt2QXfpPueNM/index[.]phpAmadey C&C URL; shared path indicates same affiliate cluster
- urlhxxp://mi[.]limpingbronco[.]com/kawt2QXfpPueNM/index[.]phpAmadey C&C URL; path /kawt2QXfpPueNM/ shared across multiple domains indicating same cluster
- urlhxxp://mi[.]overlapsnowbound[.]com/kawt2QXfpPueNM/index[.]phpAmadey C&C URL; shared path indicates same affiliate cluster
- urlhxxp://mi[.]snowfieldupriver[.]com/kawt2QXfpPueNM/index[.]phpAmadey C&C URL; shared path indicates same affiliate cluster as other mi.* domains
- urlhxxp://mi[.]unbuttonrudder[.]com/kawt2QXfpPueNM/index[.]phpAmadey C&C URL; shared path indicates same affiliate cluster
- urlhxxp://telemety-sys[.]lol/cvdfnaFJBmC2/index[.]phpAmadey C&C URL; path prefix cvdfnaFJBmC shared across multiple servers
- urlhxxp://telemety-xbox[.]lol/cvdfnaFJBmC1/index[.]phpAmadey C&C URL; path prefix cvdfnaFJBmC shared across multiple servers
Detection / Hunteropenrouter
What Happened
A major international law enforcement operation called Operation Endgame has disrupted two criminal services that sell hacking tools on the dark web: Amadey (a tool that installs other malware onto hacked computers) and Stealc (a tool that steals passwords and other sensitive data). Security company ESET helped by providing years of tracking data, including lists of the servers these criminals used to control their operations. The takedown affected about 50 website domains and 200 server addresses. People and organizations worldwide could be affected, as these tools were used to deliver further malware and steal credentials from web browsers, cryptocurrency wallets, and other applications. Organizations should check their security tools for any signs of these threats, review whether any of the listed server addresses have communicated with their systems, and ensure their software update processes are legitimate, since these malware tools were often spread through fake software updates and pirated software.
Key Takeaways
- ESET participated in Operation Endgame, a coordinated law enforcement action disrupting ~50 domains and ~200 active IP-based C&C servers used by Amadey botnet and Stealc infostealer affiliates.
- Amadey is a modular malware loader using a pay-per-rebuild model ($600 license + $50/rebuild), advertised by darknet actor 'InCrease' since October 2018; Stealc is an infostealer-as-a-service with monthly subscriptions ($300/mo), advertised by actor 'plymouth' since February 2023.
- Both MaaS offerings require affiliates to self-host C&C infrastructure, making disruption harder; ESET used graph modeling of RC4 keys, build identifiers, and C&C URL paths to cluster 53 Amadey and 73 Stealc distinct clusters.
- Amadey's largest botnet cluster (34% of all samples) delivered ~14 payloads per victim on average, including multiple Lumma Stealer samples attributed to different affiliates, suggesting a PPI monetization model.
- Both malware families check victim keyboard layout and abort execution if it matches a CIS country, a common safeguard used by Eastern European threat actors to avoid targeting their own region.
Affected Systems
- Windows systems globally; highest Amadey detections in India, Turkey, Egypt, Mexico, Spain; highest Stealc detections in United States, Poland, Italy
Attack Chain
Victims are initially compromised through fake software updates, cracked software installers, or third-party malware loaders. Amadey samples beacon to hardcoded C&C URLs (pattern: http(s)://<C&C>/<random_path>/index.php) using RC4-encrypted HTTP POST requests, transmitting system info including OS version, username, PC name, installed AV, and a build identifier. The C&C responds with task lists containing download-and-execute commands, VNC/RDP activation, or stealer plugin deployment. Amadey can download ZIP-compressed payloads, inject them into child processes, establish persistence via registry Run keys, and create local admin accounts. Stealc follows a similar but distinct flow: it sends a JSON 'create' request with build ID and hardware fingerprint, receives a configuration JSON defining target browsers, applications, and steal flags, then automatically exfiltrates credentials, cookies, crypto wallets, and files matching affiliate-defined patterns via RC4-encrypted HTTP(S) to its C&C.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
- Platforms: ESET GitHub repository (referenced but not embedded in article)
The article references a comprehensive IoC list and samples available in ESET's GitHub repository but does not embed any detection rules, queries, or signatures in the blog post itself. The article provides detailed protocol-level descriptions (Amadey HTTP POST with st=s beacon, Stealc JSON create/upload_file/loader/done requests) that could inform custom detection engineering.
Detection Engineering Assessment
EDR Visibility: Medium — Amadey's use of cmd.exe, rundll32.exe, msiexec.exe, registry Run key creation, local account creation, and process injection into child processes are all EDR-detectable behaviors. However, Stealc's masquerading as legitimate binaries and RC4-encrypted communications reduce visibility. Both families check keyboard layout before executing, which may be visible via API call monitoring. Network Visibility: Medium — Amadey uses HTTP POST with identifiable patterns (st=s initial beacon, <c>...<d> delimited responses) and Stealc uses JSON-based HTTP(S) with RC4 encryption. The C&C URL pattern http(s)://<C&C>/<random_path>/index.php for Amadey is distinctive. However, RC4 encryption of payloads and use of Cloudflare-fronted domains reduce content inspection visibility. Detection Difficulty: Moderate — The C&C URL patterns, RC4 key clustering, and known IP/domain infrastructure provide solid pivot points. However, the fragmented affiliate model (53 Amadey clusters, 73 Stealc clusters) means infrastructure rotates frequently. Stealc's use of per-build RC4 keys and random nonces in responses specifically evades static network signatures. Both families masquerade as legitimate binaries and use LOLBins for execution.
Required Log Sources
- Windows process creation events (Sysmon Event ID 1 / EDR telemetry)
- Network proxy or firewall logs for HTTP/HTTPS traffic
- DNS resolution logs
- Windows registry modification events (Sysmon Event ID 12/13/14)
- Windows security event logs for account creation (Event ID 4720)
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Consider hunting for HTTP POST requests to URLs matching the pattern /<random_alphanumeric_string>/index.php where the initial request body contains st=s, which is characteristic of Amadey C&C beaconing (T1071.001). | Network proxy, firewall, or IDS logs capturing HTTP request URIs and POST body content | Command and Control | Low - the combination of specific URL pattern and minimal POST body is highly distinctive to Amadey |
| Consider hunting for processes masquerading as legitimate Windows binaries (e.g., MusNotification.exe, Patch.exe) executing from non-standard directories and subsequently making outbound HTTP connections, which may indicate Stealc or Amadey activity (T1036). | EDR process telemetry with file path, executable name, and network connection correlation | Execution / Command and Control | Medium - legitimate software updates may use similar naming; verify against known good paths and signatures |
| Consider hunting for rundll32.exe or msiexec.exe executions spawned by processes that recently made outbound HTTP connections to suspicious IPs or domains, which may indicate Amadey payload delivery via signed binary proxy execution (T1218.007, T1218.011). | EDR process telemetry with parent-child relationships and network connection correlation | Execution | Medium - legitimate software installations use these binaries; focus on unusual parent processes or network context |
| Consider hunting for processes that query keyboard layout information and then immediately terminate without further activity, which may indicate Amadey or Stealc CIS-country guardrail behavior (T1480, T1614.001). | EDR API call monitoring for keyboard layout/locale query APIs followed by process termination | Discovery / Execution Guardrails | Low to Medium - some legitimate software checks locale; combine with other indicators for confidence |
| Consider hunting for HTTP requests containing JSON objects with fields named 'build', 'hwid', and 'type' where type equals 'create', which is characteristic of Stealc initial C&C registration (T1071.001). | Network proxy or IDS logs with HTTP payload inspection (pre-encryption or TLS inspection) | Command and Control | Low - this specific JSON structure is distinctive to Stealc's protocol |
Control Gaps
- Network-based detection may miss Stealc communications if TLS inspection is not in place, as Stealc v2 uses HTTP(S) with RC4-encrypted JSON payloads
- Static network signatures are evaded by Stealc's use of random nonce key-value pairs at the beginning of each server response, even when the same RC4 key is reused
- Amadey's use of Cloudflare-fronted domains (e.g., mi.overlapsnowbound.com resolving to 188.114.96.1) may bypass IP-based blocking rules
- Both families' use of LOLBins (rundll32, msiexec, cmd.exe) for execution may bypass application allowlisting if these binaries are whitelisted by default
- The fragmented affiliate infrastructure model with frequent C&C rotation makes static blocklists quickly stale
Key Behavioral Indicators
- Amadey C&C URL pattern: http(s)://<C&C>/<random_alphanumeric_path>/index.php
- Amadey initial beacon: HTTP POST with body 'st=s' to C&C URL
- Amadey task delimiter pattern: <c>...<d> tags with # separators in C&C responses
- Stealc initial C&C request: JSON with 'build', 'hwid' (UUIDv4 format), and 'type':'create' fields
- Stealc subsequent requests using 'access_token' session key from initial C&C response
- Stealc operation types: 'upload_file', 'loader', 'done' in HTTP request bodies
- Amadey 'sd' value: 6-character hexadecimal string transmitted during initial C&C handshake
- Process masquerading: MusNotification.exe, Patch.exe, VeloTeam_x32.exe, KB.14.804.8407.exe as malware filenames
- Amadey registry persistence via Run keys for downloaded payloads
- Amadey local admin account creation for persistence
False Positive Assessment
- Low - the C&C URL patterns, protocol signatures (Amadey st=s beacon, Stealc JSON create requests), and listed infrastructure are highly specific to these malware families. However, some medium risk exists for behavioral detections around LOLBin usage (rundll32, msiexec, cmd.exe) which are also used by legitimate software, and for masquerading detections that may match legitimate binaries with similar names.
Recommendations
Immediate Mitigation
- Verify against your organization's incident response runbook and team escalation paths before acting. Consider blocking all listed C&C IP addresses and domains at network perimeter controls (firewall, proxy, DNS filtering) if consistent with your policies.
- Consider searching proxy, firewall, and DNS logs for any historical communication with the listed C&C IPs and domains to identify potentially compromised systems.
- If your EDR supports it, consider searching for the listed SHA-1 file hashes across endpoints to identify systems where Amadey or Stealc samples were executed.
- Consider prioritizing investigation of any systems that communicated with the shared-path C&C URLs (e.g., /kawt2QXfpPueNM/index.php or /cvdfnaFJBmC*/index.php) as these may indicate the largest Amadey botnet cluster.
Infrastructure Hardening
- Evaluate whether DNS sinkholing or response policy zones could be configured for the listed Amadey and Stealc C&C domains to prevent future reactivation attempts.
- Consider implementing network-level blocking for the C&C URL pattern http(s)://<C&C>/<random_path>/index.php where the POST body contains 'st=s', if your IDS/IPS supports custom HTTP inspection rules.
- If your organization uses Cloudflare or similar CDN services, consider whether additional scrutiny is needed for traffic to newly-registered domains using deceptive naming patterns (e.g., mi..com, telemety-.lol, microsoft-telemetry.cc).
User Protection
- Consider deploying or updating endpoint detection rules to flag executions of rundll32.exe, msiexec.exe, and cmd.exe spawned by processes that recently made outbound HTTP connections to suspicious infrastructure.
- Evaluate whether your EDR can detect the keyboard-layout check behavior (T1614.001) followed by immediate process termination, which is a guardrail used by both Amadey and Stealc.
- If supported by your endpoint tooling, consider blocking execution of binaries masquerading as legitimate Windows binaries (e.g., MusNotification.exe) from non-standard paths.
Security Awareness
- Consider reinforcing awareness training about the risks of downloading cracked software and fake software updates, as these are the primary distribution vectors for both Amadey and Stealc.
- Consider reminding users that legitimate software updates come through official vendor channels, not third-party websites or pop-up notifications.
- If applicable to your awareness program, consider highlighting that infostealers target browser credentials, cookies, cryptocurrency wallets, and FTP/email client credentials, and recommend use of password managers and MFA where possible.
MITRE ATT&CK Mapping
- T1583.004 - Acquire Infrastructure: Server
- T1587.001 - Develop Capabilities: Malware
- T1588.001 - Obtain Capabilities: Malware
- T1608.001 - Stage Capabilities: Upload Malware
- T1195 - Supply Chain Compromise
- T1059.003 - Command and Scripting Interpreter: Windows Command Shell
- T1106 - Native API
- T1129 - Shared Modules
- T1204.002 - User Execution: Malicious File
- T1136.001 - Create Account: Local Account
- T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
- T1027.015 - Obfuscated Files or Information: Compression
- T1055.002 - Process Injection: Portable Executable Injection
- T1480 - Execution Guardrails
- T1140 - Deobfuscate/Decode Files or Information
- T1218.007 - Signed Binary Proxy Execution: Msiexec
- T1218.011 - Signed Binary Proxy Execution: Rundll32
- T1027 - Obfuscated Files or Information
- T1036 - Masquerading
- T1552.001 - Unsecured Credentials: Credentials In Files
- T1552.002 - Unsecured Credentials: Credentials in Registry
- T1555.003 - Credentials from Password Stores: Credentials from Web Browsers
- T1528 - Steal Application Access Token
- T1539 - Steal Web Session Cookie
- T1555 - Credentials from Password Stores
- T1012 - Query Registry
- T1016 - System Network Configuration Discovery
- T1033 - System Owner/User Discovery
- T1057 - Process Discovery
- T1082 - System Information Discovery
- T1083 - File and Directory Discovery
- T1518.001 - Software Discovery: Security Software Discovery
- T1614.001 - System Location Discovery: System Language Discovery
- T1113 - Screen Capture
- T1119 - Automated Collection
- T1005 - Data from Local System
- T1008 - Fallback Channels
- T1071.001 - Application Layer Protocol: Web Protocols
- T1132.001 - Data Encoding: Standard Encoding
- T1219.002 - Remote Access Software: Remote Desktop Software
- T1573.001 - Encrypted Channel: Symmetric Cryptography
- T1020 - Automated Exfiltration
- T1041 - Exfiltration Over C2 Channel
Additional IOCs
- Ips:
62[.]60[.]226[.]159- Amadey C&C server hosted on FEMO IT SOLUTIONS LIMITED, first seen 2026-04-1395[.]85[.]238[.]4- Stealc C&C server hosted on DATAMAT CZ s.r.o., first seen 2026-04-09176[.]111[.]174[.]140- Amadey C&C server hosted on RU-NUBES-20220530, first seen 2026-03-04193[.]156[.]1[.]16- Amadey C&C server hosted on RU-PROTON66-20191118, first seen 2026-02-24196[.]251[.]107[.]130- Stealc C&C server hosted on NTT America, Inc., first seen 2026-04-17188[.]114[.]96[.]1- Amadey C&C server IP behind Cloudflare for domain mi.overlapsnowbound.com213[.]209[.]150[.]166- Amadey C&C server observed in C&C URL list with path /g7hen3xxf/index.php185[.]208[.]158[.]116- Amadey C&C server observed in C&C URL list with path /bVoZEtTa1/index.php152[.]89[.]198[.]124- Amadey C&C server observed in C&C URL list with path /8bdDsv3dk2FF/index.php185[.]156[.]72[.]96- Amadey C&C server observed in C&C URL list with path /te4h2nus/index.php78[.]46[.]242[.]112- Amadey C&C server observed in C&C URL list with path /so57Nst/index.php178[.]16[.]53[.]7- Amadey C&C server observed in C&C URL list with path /cvdfnaFJBmC1/index.php176[.]46[.]157[.]50- Amadey C&C server observed in C&C URL list with path /tu3d2rom/index.php
- Domains:
mi[.]limpingbronco[.]com- Amadey C&C domain observed in URL list with path /kawt2QXfpPueNM/index.phpmi[.]snowfieldupriver[.]com- Amadey C&C domain observed in URL list with path /kawt2QXfpPueNM/index.phptelemety-xbox[.]lol- Amadey C&C domain using deceptive telemetry naming; observed with path /cvdfnaFJBmC1/index.phptelemety-sys[.]lol- Amadey C&C domain using deceptive telemetry naming; observed with path /cvdfnaFJBmC2/index.phpmi[.]huffproofs[.]com- Amadey C&C domain observed in URL list with path /kawt2QXfpPueNM/index.phpmi[.]candyendurable[.]com- Amadey C&C domain observed in URL list with path /kawt2QXfpPueNM/index.phpmi[.]unbuttonrudder[.]com- Amadey C&C domain observed in URL list with path /kawt2QXfpPueNM/index.phpmi[.]barbertingling[.]com- Amadey C&C domain observed in URL list with path /kawt2QXfpPueNM/index.phpmicrosoft-telemetry[.]cc- Amadey C&C domain using deceptive Microsoft telemetry naming; observed with path /cvdfnaFJBmC0/index.php
- Urls:
hxxp://213[.]209[.]150[.]166/g7hen3xxf/index.php- Amadey C&C URL with unique random path identifierhxxp://185[.]208[.]158[.]116/bVoZEtTa1/index.php- Amadey C&C URL with unique random path identifierhxxp://mi[.]limpingbronco[.]com/kawt2QXfpPueNM/index.php- Amadey C&C URL; path /kawt2QXfpPueNM/ shared across multiple domains indicating same clusterhxxp://152[.]89[.]198[.]124/8bdDsv3dk2FF/index.php- Amadey C&C URL with unique random path identifierhxxp://mi[.]snowfieldupriver[.]com/kawt2QXfpPueNM/index.php- Amadey C&C URL; shared path indicates same affiliate cluster as other mi.* domainshxxp://telemety-xbox[.]lol/cvdfnaFJBmC1/index.php- Amadey C&C URL; path prefix cvdfnaFJBmC shared across multiple servershxxp://telemety-sys[.]lol/cvdfnaFJBmC2/index.php- Amadey C&C URL; path prefix cvdfnaFJBmC shared across multiple servershxxp://185[.]156[.]72[.]96/te4h2nus/index.php- Amadey C&C URL with unique random path identifierhxxp://78[.]46[.]242[.]112/so57Nst/index.php- Amadey C&C URL with unique random path identifierhxxp://mi[.]huffproofs[.]com/kawt2QXfpPueNM/index.php- Amadey C&C URL; shared path indicates same affiliate clusterhxxp://178[.]16[.]53[.]7/cvdfnaFJBmC1/index.php- Amadey C&C URL; path prefix cvdfnaFJBmC shared across multiple servershxxp://176[.]46[.]157[.]50/tu3d2rom/index.php- Amadey C&C URL with unique random path identifierhxxp://mi[.]candyendurable[.]com/kawt2QXfpPueNM/index.php- Amadey C&C URL; shared path indicates same affiliate clusterhxxp://mi[.]overlapsnowbound[.]com/kawt2QXfpPueNM/index.php- Amadey C&C URL; shared path indicates same affiliate clusterhxxp://mi[.]unbuttonrudder[.]com/kawt2QXfpPueNM/index.php- Amadey C&C URL; shared path indicates same affiliate clusterhxxp://mi[.]barbertingling[.]com/kawt2QXfpPueNM/index.php- Amadey C&C URL; shared path indicates same affiliate cluster
- File Hashes:
32D0C3300825B0BB991C4A8F1E6244F0AD2DA989(SHA1) - Stealc infostealer sample (Win64/Stealc.A), filename yinkaroj.exeB4101027BF2F1261402BF6318C6EB016CE249037(SHA1) - Stealc infostealer sample (Win32/Spy.Agent.QOL), filename Patch.exeF61E3A643F2417E1A1AB2C83BBDBFC8A7CB96756(SHA1) - Stealc infostealer sample (Win32/Spy.Agent.QOL), filename VeloTeam_x32.exe87867AD29E621BF9EBF57E1757F75090842458BE(SHA1) - Amadey downloader sample (Win32/TrojanDownloader.Amadey.A)38D744543B2051E6F749AF171B5EF8D6DF8AAC7B(SHA1) - Amadey downloader sample (Win64/TrojanDownloader.Amadey.A)C0E178D26E1E613985A9C67E649D71D54642E0EED(SHA1) - Amadey downloader sample (Win64/TrojanDownloader.Amadey.A)FF8D2AFD9D7F0A822092FEE34CA55D1A3542F7ED(SHA1) - Amadey downloader sample (Win32/TrojanDownloader.Amadey.A)
- Command Lines:
- Purpose: Execute arbitrary CMD script files with SYSTEM privileges | Tools:
cmd.exe| Stage: Execution / Privilege Escalation |cmd.exe /c - Purpose: Download and load additional DLL payload | Tools:
rundll32.exe| Stage: Execution / Payload Loading |rundll32.exe <dll_path>,<entrypoint> - Purpose: Download and execute MSI payload silently | Tools:
msiexec.exe| Stage: Execution / Payload Distribution |msiexec.exe /i <msi_path> /quiet
- Purpose: Execute arbitrary CMD script files with SYSTEM privileges | Tools: