StealC and Amadey: Breaking down infostealers and the cybercrime services that deliver them
Infostealers remain among the most pervasive cybercrime threats, silently harvesting passwords, cookies, and session tokens that enable enterprise breaches. StealC is a malware-as-a-service infostealer written in C++ that collects credentials from browsers, cryptocurrency wallets, messaging applications, email clients, and gaming platforms while functioning as a secondary loader. Amadey operates as a modular backdoor loader active since 2018, delivering downstream payloads including StealC, Lumma Stealer, and ransomware through various backdoor commands. Both operate on commodity rental models where stolen credentials flow through underground markets to access brokers who resell enterprise access. On June 24, 2026, Microsoft's Digital Crimes Unit coordinated with Europol to disrupt over 200 malicious command-and-control domains supporting these operations, using AI-assisted analysis tools including Microsoft Copilot for binary analysis and configuration extraction.
AI Analysis
Technical Summary
StealC is a malware-as-a-service infostealer written in C++ that harvests sensitive credentials and session tokens from various applications and platforms and also functions as a secondary loader. Amadey is a modular backdoor loader that has been active since 2018, delivering multiple downstream payloads including StealC, Lumma Stealer, and ransomware via backdoor commands. These malware families operate on commodity rental models, facilitating the flow of stolen credentials through underground markets to access brokers who resell enterprise access. On June 24, 2026, Microsoft's Digital Crimes Unit, in coordination with Europol, disrupted over 200 malicious command-and-control domains supporting these operations, leveraging AI-assisted analysis tools for binary and configuration extraction. No specific affected software versions or patches are identified. No known exploits in the wild are reported.
Potential Impact
The malware families StealC and Amadey enable widespread credential theft, harvesting passwords, cookies, and session tokens that can lead to enterprise breaches. The stolen credentials are monetized through underground markets and access brokers, increasing the risk of unauthorized access and further compromise of enterprise environments. The disruption of their command-and-control infrastructure by law enforcement reduces their operational capability but does not eliminate the threat entirely.
Mitigation Recommendations
No official patches or fixes are available, as these are malware threats rather than software vulnerabilities. The recent law enforcement disruption of command-and-control domains has reduced some operational capabilities of these malware families. Organizations should continue to monitor for indicators of compromise related to these malware families and apply standard credential protection measures. Patch status is not yet confirmed; check the vendor advisory for current remediation guidance.
Indicators of Compromise
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.microsoft.com/en-us/security/blog/2026/06/24/stealc-and-amadey-breaking-down-infostealers-and-the-cybercrime-services-that-deliver-them/
- Adversary: null
- Pulse Id: 6a3bde31cd05f010063a2224
- Threat Score: null
Threat ID: 6a3c19e4eed863c81e3957a7
Added to database: 06/24/2026, 17:54:44 UTC
Last enriched: 06/24/2026, 18:10:54 UTC
Last updated: 06/24/2026, 18:25:50 UTC