StealC and Amadey Infostealer and Loader Campaign

Tags: StealC, Amadey, Infostealer, Malware-as-a-Service, Operation Endgame
StealC and Amadey are commodity malware-as-a-service offerings. StealC is an information stealer that harvests browser credentials, cookies, cryptocurrency wallets, and messaging and email-client data; Amadey is a modular loader used to deliver StealC and other payloads. Together they form an assembly line feeding the broader cybercrime economy. On 24 June 2026, Microsoft's Digital Crimes Unit, working with Europol and industry partners under Operation Endgame, disrupted this infrastructure by taking down hundreds of command-and-control domains and servers and recovering roughly 27 million stolen credentials.

Indicators of Compromise

No domains found for this campaign

Campaign Guidance

Remediation, mitigation, notes, history and related intelligence

REMEDIATION/DETECTION


| Technique | Tactic | Detection Strategy ID | Detection Strategy Name | Analytic ID | Analytic Description |
| --- | --- | --- | --- | --- | --- |
| T1055.004 Asynchronous Procedure Call | Stealth | DET0100 | Behavioral Detection of Asynchronous Procedure Call (APC) Injection via Remote Thread Queuing | AN0277 | Detects malicious injection behavior involving memory allocation, remote thread queuing via APC (e.g., QueueUserAPC), and altered thread context within another live process to execute unauthorized code under a legitimate process context. |
| T1053.005 Scheduled Task | Persistence | DET0441 | Detection of Suspicious Scheduled Task Creation and Execution on Windows | AN1221 | Detects the creation, modification, or deletion of scheduled tasks through Task Scheduler, WMI, PowerShell, or API-based methods, followed by execution from svchost.exe or taskeng.exe. Includes hidden or anomalous tasks, especially those created under SYSTEM or suspicious user contexts. |
| T1059.001 PowerShell | Execution | DET0455 | Abuse of PowerShell for Arbitrary Execution | AN1252 | Detects behavioral chains where PowerShell is launched with encoded commands, unusual parent processes, or suspicious modules loaded, potentially followed by network connections or child process spawning. Covers both direct (powershell.exe) and indirect (.NET automation) invocations. |
| T1218.011 Rundll32 | Stealth | DET0475 | Detection Strategy for T1218.011 Rundll32 Abuse | AN1308 | Detects rundll32.exe invoked with atypical arguments (.dll, .cpl, javascript:, mshtml), DLLs not normally loaded by rundll32 being mapped into memory, invocation of Control_RunDLL or RunHTMLApplication, suspicious DLLs or scripts accessed from disk or the network, or rundll32 reaching external domains. |
| T1555.003 Credentials from Web Browsers | Credential Access | DET0037 | Detect Suspicious Access to Browser Credential Stores | AN0105 | Detects unauthorized access to web browser credential stores (e.g., Chrome Login Data, Edge Credential Locker) by processes other than the browser itself. Correlates file reads of credential databases with subsequent calls to CryptUnprotectData or memory inspection attempts. |
| T1539 Steal Web Session Cookie | Credential Access | DET0509 | Detection of Web Session Cookie Theft via File, Memory, and Network Artifacts | AN1402 | Detects suspicious access to browser session cookie storage (e.g., Chrome's Cookies SQLite DB) or memory reads of browser processes, and anomalous injection or memory-dump utilities targeting browser processes such as chrome.exe, firefox.exe, or msedge.exe. |
| T1071.001 Web Protocols | Command and Control | DET0027 | Detection of Web Protocol-Based C2 Over HTTP, HTTPS, or WebSockets | AN0075 | Detects unexpected or high-volume HTTP/S/WebSocket communication from suspicious processes (e.g., PowerShell, rundll32) using uncommon user agents or mimicking browser traffic to unusual domains or IPs. |
| T1105 Ingress Tool Transfer | Command and Control | DET0060 | Detect Ingress Tool Transfers via Behavioral Chain | AN0165 | Unusual or uncommon processes initiate network connections to external destinations, followed by file creation (tools downloaded). |
| T1021.001 Remote Desktop Protocol | Lateral Movement | DET0327 | Multi-event Detection Strategy for RDP-Based Remote Logins and Post-Access Activity | AN0931 | A Remote Desktop (RDP) logon by a user followed by unusual process execution, file access, or lateral movement activity within a short timeframe. |
| T1136.001 Local Account | Persistence | DET0447 | T1136.001 Detection Strategy - Local Account Creation Across Platforms | AN1235 | An adversary uses built-in tools such as net user /add, PowerShell, or WMI to create a local user. Sequence: an account creation event (4720) follows process creation of a suspicious executable (e.g., powershell.exe or net.exe). |
| T1113 Screen Capture | Collection | DET0346 | Detect Screen Capture via Commands and API Calls | AN0980 | Unusual use of screen capture APIs (e.g., CopyFromScreen) or command-line tools to write image files to disk. |
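The AN0105 correlation above (credential-store read by a non-browser process, followed by a CryptUnprotectData call), as an added example in Python that is not code from this page or from any detection project it references. It replays constructed endpoint telemetry; the event tuple layout, the browser allow-list and the 60-second correlation window are assumptions.

```python
"""Added example: correlate browser credential-store reads by non-browser
processes with a subsequent DPAPI decrypt, as analytic AN0105 describes.
All events below are constructed sample telemetry, not real logs."""
from collections import defaultdict

# Assumed allow-list: processes that legitimately read their own stores.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
# Chromium credential/cookie databases (matched on the file name suffix).
CRED_STORES = ("\\login data", "\\cookies", "\\web data")
WINDOW_S = 60  # assumed max seconds between store read and DPAPI call

# Constructed telemetry: (timestamp, pid, process image, event kind, detail)
EVENTS = [
    (100, 4120, "chrome.exe", "file_read",
     r"C:\Users\u\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    (205, 7788, "rundll32.exe", "file_read",
     r"C:\Users\u\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    (207, 7788, "rundll32.exe", "api_call", "CryptUnprotectData"),
    (300, 9001, "backup.exe", "file_read",
     r"C:\Users\u\AppData\Local\Microsoft\Edge\User Data\Default\Login Data"),
]


def detect(events, window=WINDOW_S):
    """Return (high, low): high-confidence alerts where a non-browser pid read
    a credential store and then called CryptUnprotectData within `window`
    seconds; low-confidence reads with no DPAPI follow-up, kept for triage."""
    reads = defaultdict(list)  # pid -> [(ts, path)] for non-browser readers
    high, matched = [], set()
    for ts, pid, image, kind, detail in sorted(events):
        if kind == "file_read" and detail.lower().endswith(CRED_STORES):
            if image.lower() not in BROWSERS:
                reads[pid].append((ts, detail))
        elif kind == "api_call" and detail == "CryptUnprotectData":
            for rts, path in reads.get(pid, []):
                if 0 <= ts - rts <= window:
                    high.append({"pid": pid, "image": image,
                                 "store": path, "dpapi_ts": ts})
                    matched.add((pid, rts))
    low = [{"pid": pid, "store": path}
           for pid, lst in reads.items()
           for rts, path in lst if (pid, rts) not in matched]
    return high, low


if __name__ == "__main__":
    for tier, alerts in zip(("HIGH", "LOW"), detect(EVENTS)):
        for a in alerts:
            print(tier, a)
```

In the constructed data, rundll32.exe reading Login Data and decrypting two seconds later produces the high-confidence alert, while backup.exe reading the Edge store without a DPAPI call lands in the low-confidence list for analyst review.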

Observed Countries (3)

IT (831)
PL (80)
US (957)