StealC and Amadey: Breaking Down the Infostealers and Services Behind Them
Detection stack
- AIDR
- Alert
- ETL
- Query
Summary
The report examines the activities of StealC, an infostealer-as-a-service platform, and Amadey, a malware-as-a-service loader. Cybercriminals use these tools to collect sensitive credentials, session cookies, and cryptocurrency-related data, enabling follow-on operations such as ransomware attacks. The threat ecosystem relies on deceptive web traffic, SEO poisoning, and phishing campaigns to compromise unmanaged devices.
Investigation
Microsoft’s Digital Crimes Unit, working with Europol, carried out a coordinated disruption against more than 200 malicious domains and command-and-control IP addresses linked to StealC and Amadey. Investigators used Microsoft Copilot to analyze malware samples, decrypt embedded strings, and uncover hardcoded command-and-control infrastructure. The operation led to the takedown and suspension of a significant portion of the threat actors’ supporting infrastructure.
Mitigation
Defenders should enable cloud-delivered protection and tamper protection in Microsoft Defender to help block new and evolving variants. Applying Attack Surface Reduction rules can also reduce exposure to common infection paths such as deceptive web traffic. In addition, organizations should strengthen identity protection and credential hygiene to limit the impact of stolen session tokens and compromised accounts.
Response
When this activity is detected, organizations should prioritize identity protection and rapid containment to prevent stolen credentials from being leveraged for lateral movement. Investigators should closely examine possible MFA bypass scenarios caused by session cookie theft. Compromised endpoints should be isolated quickly, and authentication telemetry should be monitored for unusual activity involving valid user credentials.
"flowchart TD step_initial_access{"Initial Access: T1189 – Drive-by Compromise & T1674 – Input Injection (ClickFix)"} step_persistence_amadey["Persistence: T1037.004 – Scheduled Task & T1059.003 – Windows Command Shell (Amadey Loader)"] rules_for_step_persistence_amadey("<b>Rule Name</b>: MsiExec Spawned by Shell Process (via cmdline)<br/><b>Rule ID</b>: d59d37c0-fc3c-4374-ba67-318edd591d19") step_credential_harvesting["Credential Access: T1555.003 – Credentials from Web Browsers, T1114.002 – Remote Email Collection & T1552.008 – Chat Messages (StealC Infostealer)"] step_stealth["Defense Evasion: T1070.010 – Relocate Malware (PowerShell cradle execution)"] step_exfiltration["Exfiltration: T1041 – Exfiltration Over C2 Channel (RC4/Base64 transmission of data)"] step_initial_access –>|leads_to| step_persistence_amadey step_persistence_amadey –>|enables| step_credential_harvesting step_credential_harvesting –>|then| step_stealth step_stealth –>|leads_to| step_exfiltration step_persistence_amadey -.->|detected_by| rules_for_step_persistence_amadey "
Attack Flow
Detections
Possible Timeout Usage for Delay Execution (via cmdline)
View
Download or Upload via Powershell (via cmdline)
View
MsiExec Spawned by Shell Process (via cmdline)
View
Scheduled Task Creation for Amadey Malware Persistence [Microsoft Windows Security Event Log]
View
StealC Malware Execution and Process Injection Detection [Windows Process Creation]
View
## Simulation Execution
Prerequisite: The Telemetry & Baseline Pre-flight Check must have passed.
Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic. Abstract or unrelated examples will lead to misdiagnosis.
-
Attack Narrative & Commands: An adversary has successfully dropped a malicious executable named
StealC.exe. To evade simple signature-based detection and attempt to hide its injection routine, the malware is designed to call its internal functions by passing the name of the required Windows APIs as command-line arguments to a sub-process. This simulates a “Living-off-the-Land” style approach where the command line itself contains the indicators of the intent to performCreateProcessAwithCREATE_SUSPENDEDand subsequently useVirtualAllocExandWriteProcessMemoryfor injection. -
Regression Test Script:
# Simulation script to trigger the Sigma rule by mimicking the expected command line strings # Note: This simulates the string presence, not the actual API execution. $malwareName = "StealC.exe" $payloadArgs = "CreateProcessA CREATE_SUSPENDED VirtualAllocEx WriteProcessMemory" Write-Host "[+] Starting simulation: Executing $malwareName with injection strings..." -ForegroundColor Cyan # We create a dummy file named StealC.exe to satisfy the 'Image' part of the detection New-Item -Path ".$malwareName" -ItemType "File" -Force | Out-Null # Execute the dummy file with the specific strings required by the detection logic # In a real scenario, this would be the malware executing. Start-Process -FilePath ".$malwareName" -ArgumentList $payloadArgs -WindowStyle Hidden Write-Host "[+] Simulation command sent." -ForegroundColor Green -
Cleanup Commands:
# Cleanup: Remove the dummy malware file created during simulation Remove-Item -Path ".StealC.exe" -Force -ErrorAction SilentlyContinue Write-Host "[+] Cleanup complete: StealC.exe removed." -ForegroundColor Yellow