StealC You Later: Proofpoint and IBM X-Force Support Operation Endgame Disruptions

Proofpoint, IBM X-Force, and Europol supported an Operation Endgame disruption against the StealC ecosystem, seizing 25.6 million stolen credentials and impacting 66 domains and 296 servers tied to StealC and Amadey. Researchers also exposed a StealC C2 vulnerability, built a StealC emulator, and observed payload delivery chains involving XTinyLoader, LockBit Black, and other malware families. #StealC #Amadey #Europol #OperationEndgame #IBMXForce #Proofpoint #XTinyLoader #LockBitBlack

Key points

  • Operation Endgame disrupted the StealC ecosystem with support from Proofpoint, IBM X-Force, Europol, and other partners.
  • The action affected 66 domains and 296 servers associated with StealC and Amadey.
  • Authorities seized more than 25.6 million unique credentials stolen from over 385,000 compromised systems.
  • Researchers identified a vulnerability in the StealC C2 panel that helped law enforcement search and seize infrastructure.
  • Proofpoint and IBM X-Force built a StealC emulator to track operations, infrastructure, affiliate groups, and payload delivery.
  • StealC operates as a malware-as-a-service infostealer and can also deliver secondary payloads through its loader function.
  • Observed payload chains included malware such as XTinyLoader, LockBit Black, AsyncRAT, RedLine Stealer, Vidar, and XMRig.

MITRE Techniques

  • [T1071.001] Web Protocols – StealC uses HTTP POST requests to communicate with its C2 panel and exchange JSON data (‘C2 communication uses RC4-encrypted HTTP POST requests containing JSON formatted data’).
  • [T1027] Obfuscated Files or Information – The malware stores configs and other values in encrypted or obfuscated form before decrypting them during execution (‘configs are data structures stored in malware, usually in an encrypted or obfuscated state’).
  • [T1041] Exfiltration Over C2 Channel – StealC exfiltrates stolen data back to the C2 server through its normal communications (‘all data is exfiltrated as a Base64 string in the encrypted JSON object’).
  • [T1105] Ingress Tool Transfer – The loader function lets operators push additional payloads to infected systems (‘The StealC client will attempt to download and execute one of the payloads from the URLs provided by the server’).
  • [T1059.001] PowerShell – Not directly mentioned.
  • [T1106] Native API – The backend file handling and extraction logic are abused through a path-traversal flaw to write files to unintended locations (‘This directory traversal bug opens up a convenient way to upload a web shell to the StealC C2 server’).
  • [T1204] User Execution – Not directly mentioned.
  • [T1132.001] Standard Encoding – Stolen content is encoded as Base64 before being sent to the panel (‘all data is exfiltrated as a Base64 string’).

Indicators of Compromise

  • [Domains] Infrastructure disrupted in the operation – 66 domains associated with StealC and Amadey.
  • [Servers] Backend infrastructure targeted by law enforcement – 296 servers associated with StealC and Amadey.
  • [Stolen credentials count] Data seized from compromised systems – more than 25.6 million unique credentials from over 385,000 compromised systems.
  • [Malware families] Payloads observed during emulation – XTinyLoader, LockBit Black, AsyncRAT, RedLine Stealer, and Vidar.
  • [Software names] Victim software targeted for credential theft – Thunderbird, Outlook, Telegram, Discord, Steam, Battle.Net, Azure, OpenVPN, FileZilla, WinSCP, and crypto wallets.
  • [File/attack artifacts] C2 protocol artifacts and examples – a JSON request containing “access_token”, “data”, “filename”, and type “upload_file”; loader URLs and ZIP-stored collected files.
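The C2 protocol described above (RC4-encrypted HTTP POST bodies carrying a JSON object whose stolen content sits in a Base64 "data" field) is the kind of thing an analyst decodes from a packet capture once the RC4 key has been pulled from a sample's config. The script below is an added example and is not Proofpoint's, IBM X-Force's, or the emulator's code. It assumes a flat JSON layout with a top-level "type" key next to "access_token", "data" and "filename" (the page lists those fields but not their exact nesting), and the key, token, filename and payload bytes are constructed placeholders, not values taken from real StealC traffic.

```python
"""Decode and triage a StealC-style C2 POST body (added example, see lead-in)."""
import base64
import json


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Symmetric: the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):  # key-scheduling
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:  # keystream generation XORed with input
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def decode_c2_body(body: bytes, key: bytes) -> dict:
    """RC4-decrypt a captured POST body and parse the JSON object inside.

    A wrong key (or a body that is not StealC-like) yields bytes that are not
    valid UTF-8 JSON; surface that as a single ValueError for the caller.
    """
    plain = rc4(key, body)
    try:
        obj = json.loads(plain.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise ValueError("body did not decrypt to JSON; wrong key or not StealC-like") from exc
    if not isinstance(obj, dict):
        raise ValueError("decrypted payload is not a JSON object")
    return obj


def classify_message(obj: dict) -> dict:
    """Summarise a decrypted message for triage.

    For "upload_file" messages the Base64 "data" field is decoded so the
    analyst sees the real size of what left the host, not the encoded size.
    """
    summary = {"type": obj.get("type", "unknown"), "has_token": "access_token" in obj}
    if summary["type"] == "upload_file":
        raw = base64.b64decode(obj.get("data", ""), validate=True)
        summary["filename"] = obj.get("filename")
        summary["size"] = len(raw)
        summary["exfil"] = True
    else:
        summary["exfil"] = False
    return summary


# Constructed sample: build an encrypted body the way a client would, then decode it.
SAMPLE_KEY = b"example-rc4-key"  # placeholder key, not a real StealC key
SAMPLE_PAYLOAD = b"PK\x03\x04constructed zip bytes"  # stand-in for a ZIP of collected files
SAMPLE_MESSAGE = {
    "access_token": "deadbeef",            # constructed token
    "type": "upload_file",                 # assumed field name for the message type
    "filename": "Telegram\\tdata.zip",     # constructed; Telegram is among the targeted software
    "data": base64.b64encode(SAMPLE_PAYLOAD).decode(),
}
SAMPLE_BODY = rc4(SAMPLE_KEY, json.dumps(SAMPLE_MESSAGE).encode())


def demo() -> dict:
    """Round-trip the constructed body through decode and triage."""
    return classify_message(decode_c2_body(SAMPLE_BODY, SAMPLE_KEY))


if __name__ == "__main__":
    print(demo())
```

In practice the body bytes come from the POST in a capture and the key from the decrypted config of the matching sample; the `exfil` flag and decoded `size` are what you would feed into an alert or an incident timeline, since the encoded `data` length overstates what was taken by about a third.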

Read more: https://www.proofpoint.com/us/blog/threat-insight/stealc-you-later-proofpoint-and-ibm-x-force-support-operation-endgame