SOC Prime Bias: High

30 Jun 2026 06:54 UTC

StealC and Amadey: Breaking Down the Infostealers and Services Behind Them

Author Photo
SOC Prime Team linkedin icon Follow
StealC and Amadey: Breaking Down the Infostealers and Services Behind Them
shield icon

Detection stack

  • AIDR
  • Alert
  • ETL
  • Query

Summary

The report examines the activities of StealC, an infostealer-as-a-service platform, and Amadey, a malware-as-a-service loader. Cybercriminals use these tools to collect sensitive credentials, session cookies, and cryptocurrency-related data, enabling follow-on operations such as ransomware attacks. The threat ecosystem relies on deceptive web traffic, SEO poisoning, and phishing campaigns to compromise unmanaged devices.

Investigation

Microsoft’s Digital Crimes Unit, working with Europol, carried out a coordinated disruption against more than 200 malicious domains and command-and-control IP addresses linked to StealC and Amadey. Investigators used Microsoft Copilot to analyze malware samples, decrypt embedded strings, and uncover hardcoded command-and-control infrastructure. The operation led to the takedown and suspension of a significant portion of the threat actors’ supporting infrastructure.

Mitigation

Defenders should enable cloud-delivered protection and tamper protection in Microsoft Defender to help block new and evolving variants. Applying Attack Surface Reduction rules can also reduce exposure to common infection paths such as deceptive web traffic. In addition, organizations should strengthen identity protection and credential hygiene to limit the impact of stolen session tokens and compromised accounts.

Response

When this activity is detected, organizations should prioritize identity protection and rapid containment to prevent stolen credentials from being leveraged for lateral movement. Investigators should closely examine possible MFA bypass scenarios caused by session cookie theft. Compromised endpoints should be isolated quickly, and authentication telemetry should be monitored for unusual activity involving valid user credentials.

"flowchart TD step_initial_access{"Initial Access: T1189 – Drive-by Compromise & T1674 – Input Injection (ClickFix)"} step_persistence_amadey["Persistence: T1037.004 – Scheduled Task & T1059.003 – Windows Command Shell (Amadey Loader)"] rules_for_step_persistence_amadey("<b>Rule Name</b>: MsiExec Spawned by Shell Process (via cmdline)<br/><b>Rule ID</b>: d59d37c0-fc3c-4374-ba67-318edd591d19") step_credential_harvesting["Credential Access: T1555.003 – Credentials from Web Browsers, T1114.002 – Remote Email Collection & T1552.008 – Chat Messages (StealC Infostealer)"] step_stealth["Defense Evasion: T1070.010 – Relocate Malware (PowerShell cradle execution)"] step_exfiltration["Exfiltration: T1041 – Exfiltration Over C2 Channel (RC4/Base64 transmission of data)"] step_initial_access –>|leads_to| step_persistence_amadey step_persistence_amadey –>|enables| step_credential_harvesting step_credential_harvesting –>|then| step_stealth step_stealth –>|leads_to| step_exfiltration step_persistence_amadey -.->|detected_by| rules_for_step_persistence_amadey "

Attack Flow

## Simulation Execution

Prerequisite: The Telemetry & Baseline Pre-flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic. Abstract or unrelated examples will lead to misdiagnosis.

  • Attack Narrative & Commands: An adversary has successfully dropped a malicious executable named StealC.exe. To evade simple signature-based detection and attempt to hide its injection routine, the malware is designed to call its internal functions by passing the name of the required Windows APIs as command-line arguments to a sub-process. This simulates a “Living-off-the-Land” style approach where the command line itself contains the indicators of the intent to perform CreateProcessA with CREATE_SUSPENDED and subsequently use VirtualAllocEx and WriteProcessMemory for injection.

  • Regression Test Script:

    # Simulation script to trigger the Sigma rule by mimicking the expected command line strings
    # Note: This simulates the string presence, not the actual API execution.
    
    $malwareName = "StealC.exe"
    $payloadArgs = "CreateProcessA CREATE_SUSPENDED VirtualAllocEx WriteProcessMemory"
    
    Write-Host "[+] Starting simulation: Executing $malwareName with injection strings..." -ForegroundColor Cyan
    
    # We create a dummy file named StealC.exe to satisfy the 'Image' part of the detection
    New-Item -Path ".$malwareName" -ItemType "File" -Force | Out-Null
    
    # Execute the dummy file with the specific strings required by the detection logic
    # In a real scenario, this would be the malware executing.
    Start-Process -FilePath ".$malwareName" -ArgumentList $payloadArgs -WindowStyle Hidden
    
    Write-Host "[+] Simulation command sent." -ForegroundColor Green
  • Cleanup Commands:

    # Cleanup: Remove the dummy malware file created during simulation
    Remove-Item -Path ".StealC.exe" -Force -ErrorAction SilentlyContinue
    Write-Host "[+] Cleanup complete: StealC.exe removed." -ForegroundColor Yellow