StealC You Later: Proofpoint and IBM X-Force Support Operation Endgame Disruptions
Proofpoint and IBM X-Force collaborated with Europol and Microsoft's Digital Crimes Unit to disrupt the StealC malware-as-a-service ecosystem as part of Operation Endgame, seizing 66 domains, 296 servers, and over 25.6 million stolen credentials. Researchers discovered a directory traversal vulnerability in the StealC PHP C2 panel's filename handling during ZIP extraction, which was exploited by law enforcement to access and seize C2 servers. The teams also built a StealC bot emulator to track affiliate infrastructure and observe payload delivery chains, revealing StealC's loader functionality distributing a broad range of secondary malware including ransomware, RATs, and additional stealers.
Detection / Hunteropenrouter
What Happened
Law enforcement agencies, working with private cybersecurity companies Proofpoint and IBM X-Force, took down a large portion of the StealC malware operation, which is a service criminals use to steal passwords, browser data, and cryptocurrency wallet information from infected computers. The takedown affected 66 websites and 296 servers, and recovered over 25.6 million stolen passwords from more than 385,000 compromised computers. The researchers found a security flaw in the criminals' own control panel software that allowed law enforcement to access and seize the servers. The researchers also built a tool that mimicked infected computers to trick the criminals' servers into revealing what additional malware they were distributing, discovering that StealC was being used to deliver ransomware, remote access tools, and other password-stealing programs. Organizations and individuals should ensure endpoints are protected with up-to-date security software, monitor for credential reuse, and enable multi-factor authentication wherever possible.
Key Takeaways
- Proofpoint and IBM X-Force supported a law enforcement disruption of the StealC infostealer ecosystem as part of Operation Endgame, impacting 66 domains and 296 servers associated with StealC and Amadey.
- Over 25.6 million unique credentials stolen from more than 385,000 compromised systems were seized during the operation.
- A directory traversal vulnerability in the StealC C2 panel (PHP backend) was discovered and exploited by law enforcement to search and seize StealC servers; the bug was in filename handling during ZIP extraction under /var/www/temp.
- Researchers built a StealC bot emulator to track C2 infrastructure, extract loader URLs, and identify payload delivery chains across affiliate groups.
- StealC's loader functionality was observed delivering a wide range of secondary payloads including ransomware (LockBit Black via XTinyLoader), RATs (AsyncRAT, SectopRAT), and other stealers (RedLine, Vidar).
Affected Systems
- Windows endpoints (StealC targets browser data, email clients, gaming software, VPN clients, and crypto wallets)
- Linux-based C2 panel servers running PHP (StealC backend infrastructure)
Vulnerabilities (CVEs)
None identified.
Attack Chain
- Initial Access: StealC malware delivered to victim via phishing or other distribution methods used by affiliates
- Execution & C2 Check-in: StealC client sends RC4-encrypted HTTP POST 'create' request to hardcoded C2 URL to register and receive access token and configuration
- Data Collection: StealC harvests browser credentials, cookies, email/messenger data, gaming accounts, VPN credentials, and crypto wallet data from the victim system
- Exfiltration: Stolen data is Base64-encoded and sent to C2 via 'upload_file' requests in encrypted JSON format; 'done' request signals completion
- Secondary Payload Delivery: If configured by the operator, C2 responds to 'loader' request with payload URLs; StealC downloads and executes secondary malware (e.g., XTinyLoader which then delivers LockBit Black ransomware)
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
- Platforms: Emerging Threats (Proofpoint), Proofpoint internal detections
The article states that intelligence was used to create detections and customer protections via Emerging Threats, and that configuration extraction scripts were developed. No specific rule content is provided in the article.
Detection Engineering Assessment
| Dimension | Rating | Rationale |
|---|---|---|
| EDR Visibility | Medium | StealC execution on endpoints should be visible via EDR process telemetry, but the malware's use of RC4-encrypted HTTP POST requests and standard browser data access may blend with legitimate activity. The loader functionality downloading secondary payloads would generate network connections that EDR may or may not correlate. |
| Network Visibility | Medium | C2 communications use HTTP POST with RC4-encrypted JSON payloads, which may appear as normal web traffic. The randomized C2 endpoint path is unique per server but hardcoded per sample. Loader URL retrieval and subsequent payload downloads generate additional network connections that could be correlated. |
| Detection Difficulty | Moderate | StealC uses standard HTTP for C2 with RC4 encryption, making payload inspection difficult without SSL interception or endpoint-based extraction. However, the C2 communication pattern (specific JSON request types: create, upload_file, loader, done) and the randomized endpoint path could be signatured. The broad range of data theft targets creates multiple behavioral signals on the endpoint. |
Required Log Sources
- EDR process creation and network connection logs
- Proxy or web gateway logs for HTTP POST traffic
- DNS resolution logs for C2 domain lookups
- Browser extension and credential store access audit logs
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Consider hunting for processes accessing multiple browser credential stores, cookie databases, and crypto wallet extension data in a short time window, which is consistent with infostealer behavior (T1555.003). | EDR file access telemetry, browser process child processes or unusual file reads of browser profile directories | Collection | Medium - legitimate browser extensions or security tools may access credential stores; correlate with subsequent network activity to reduce false positives |
| Consider hunting for HTTP POST requests to URLs with randomized path segments that return JSON responses containing loader URLs, which would indicate StealC C2 loader communication. | Proxy logs, network IDS, or EDR network connection telemetry with payload inspection | Command and Control | Low to Medium - randomized URL paths with JSON responses are somewhat distinctive but could match legitimate API endpoints |
| Consider hunting for processes that download and execute additional payloads shortly after initial infection, particularly chains involving known loader malware families delivering ransomware or RATs. | EDR process creation telemetry with parent-child correlation, network connection logs showing sequential downloads | Execution | Low - multi-stage download-and-execute chains are uncommon in legitimate software |
| If you have visibility into email or messaging client data access, consider hunting for processes reading Thunderbird, Outlook, Foxmail, Telegram, or Discord local data stores alongside browser credential access, as this combination is characteristic of StealC. | EDR file access telemetry for messaging application data directories | Collection | Low - simultaneous access to multiple unrelated application data stores is unusual for legitimate software |
Control Gaps
- Network-based detection alone may miss StealC C2 traffic due to RC4 encryption over standard HTTP, which can resemble legitimate web API calls without deep payload inspection
- Signature-based AV may miss StealC samples due to per-build configuration and frequent BuildID rotation
- The randomized C2 endpoint path unique to each server complicates static URL-based blocking
Key Behavioral Indicators
- Process accessing browser credential databases, cookie stores, and crypto wallet extension data within a single execution session
- HTTP POST requests to randomized URL paths with RC4-encrypted JSON payloads containing fields named 'access_token', 'data', 'filename', 'type', 'part_index', and 'total_parts'
- Process making HTTP requests with JSON responses containing 'direction' and 'opcode' fields alongside URL values, indicating loader C2 response
- Sequential download-and-execute behavior where an initial process downloads a secondary executable and spawns it as a child process
- Access to multiple unrelated application data directories (browser, email client, gaming platform, VPN config) in rapid succession
False Positive Assessment
Medium - StealC uses standard HTTP for C2 communication and targets legitimate application data stores that are accessed during normal user activity. Behavioral detections based on multi-application data access may generate false positives from legitimate browser extensions or security tools. Network-based detections for RC4-encrypted JSON over HTTP may match legitimate API traffic without additional context.
Recommendations
Immediate Mitigation
- Verify against your organization's incident response runbook and team escalation paths before acting. Consider reviewing endpoint telemetry for any StealC-related activity, particularly processes accessing browser credential stores and crypto wallet data, given the scale of the disruption and potential for displaced affiliates to shift infrastructure.
- Consider blocking known StealC and Amadey C2 infrastructure if your threat intelligence feeds have been updated with IOCs from Operation Endgame partners.
- If your EDR supports it, consider hunting for processes exhibiting infostealer behavioral patterns: rapid sequential access to browser profile directories, messaging app data stores, and crypto wallet files.
Infrastructure Hardening
- Evaluate whether your web gateway or proxy can inspect and block HTTP POST traffic matching StealC C2 communication patterns (RC4-encrypted JSON with specific field names).
- Consider implementing SSL/TLS interception for outbound traffic if not already in place, to enable deeper inspection of encrypted C2 channels.
- Where supported by your tooling, consider deploying threat intelligence feeds that include StealC configuration extraction data (C2 URLs, BuildIDs) for automated blocking.
User Protection
- Consider enforcing multi-factor authentication on all externally accessible services to mitigate the risk of credential compromise from stolen StealC data.
- Evaluate whether browser security extensions that restrict access to credential stores by unauthorized processes are appropriate for your environment.
- Consider deploying endpoint detection rules for the behavioral pattern of multiple unrelated application data stores being accessed in rapid succession.
Security Awareness
- Consider reminding users that infostealers like StealC target not only passwords but also browser cookies, session tokens, and crypto wallet data, which can bypass MFA in some cases.
- If applicable to your awareness program, consider highlighting that stolen credentials from infostealers are frequently sold and used for follow-on attacks including ransomware deployment.
- Consider reinforcing reporting procedures for suspicious emails or downloads, as StealC is distributed by affiliates using various initial access methods.
MITRE ATT&CK Mapping
Execution
Credential Access
Collection
Command and Control
Exfiltration
Additional IOCs
- File Paths:
/var/www/temp- Temporary directory on StealC C2 server where uploaded victim files are extracted from ZIP archives; vulnerable to directory traversal via unsanitized filenames
- Other:
stealc-v2_bot_emulator.py- Researcher-built Python script that emulates StealC C2 client communications to extract loader URLs and track payload delivery (not an attacker tool)