ESET takes part in Operation Endgame to disrupt Amadey and Stealc

by Admin
June 25, 2026


A year ago, ESET Research was part of two major operations that disrupted some of the leading cybercriminal operations of the time, Lumma Stealer and Danabot. More recently, our researchers have once again been collaborating with private partners and law enforcement, this time taking aim at the Amadey botnet and the Stealc infostealer, both sold through malware-as-a-service (MaaS) offerings. Operation Endgame – coordinated by Microsoft Digital Crimes Unit (DCU), BitSight, Lumen, Mitsui Bussan Secure Directions (MBSD), and other partners – targeted all known network infrastructure used by Amadey and Stealc affiliates in order to cripple their cybercriminal operations.

ESET contributed to this effort by providing technical analyses, statistical information, known command and control (C&C) servers, encryption keys, campaign and build identifiers, and other threat intelligence collected during our long-term monitoring of both malware families.

Key points of this blogpost:

  • ESET took part in the coordinated, global Operation Endgame to disrupt Amadey and Stealc.
  • Operation Endgame impacted around 50 domains and nearly 200 active IP-based C&C servers associated with Amadey and Stealc.
  • ESET provided technical analyses, statistical information, known C&C servers, encryption keys, campaign identifiers, and other insights.
  • We provide an overview of the MaaS ecosystem at the affiliate level for both malware families.
  • We describe how we clustered Amadey and Stealc activity.
  • We summarize the technical properties most relevant to monitoring and disruption, including C&C communications, embedded identifiers, and encryption keys.
  • We detail overlaps between the activities of Amadey and affiliates of Lumma Stealer.

Disruption contribution

ESET Research has been monitoring both the Amadey botnet and the Stealc infostealer for the past three years. For this disruption operation, we shared statistics covering Q4 2025 through H1 2026, along with technical indicators and configuration data extracted from processed malware samples.

Our automated systems have been dissecting Amadey and Stealc samples and identifying the fields most relevant for large-scale monitoring. These include C&C servers, build identifiers, encryption keys, URL paths, campaign identifiers, and other embedded values used by the malware families during communication with attacker-controlled infrastructure.

A major focus of our work was finding reliable methods to handle the large volume of processed samples and to cluster them. This was particularly useful because both Amadey and Stealc are sold as services. As such, the malware samples are distributed and operated by affiliates, often running their own infrastructure, generating or requesting their own builds, and orchestrating their own campaigns. Identifying activity clusters in such ecosystems allows us to spot high-priority targets for disruptions like this one.

Sharing technical analyses, statistical information, and threat intelligence, such as C&C server lists, affiliate identifiers, and encryption keys, allows law enforcement agencies to identify, prioritize, and act against infrastructure with a high degree of confidence. IoCs also help distinguish between individual clusters, shared infrastructure, and high-impact botnets whose disruption is likely to have the greatest effect on the overall threat landscape. Ultimately, the disruption affected around 50 domains and nearly 200 active IPs used as C&C servers for either Amadey or Stealc.

Disrupted malware families

Amadey is a modular malware loader. Its primary purpose is to distribute additional malware to compromised systems, although it also offers modules for data exfiltration and remote access.

Stealc, in contrast, is a typical infostealer as a service. It targets credentials, cookies, cryptocurrency wallets, browser extensions, and files whose names match affiliate-defined patterns.

Both malware families are sold as services and advertised on darknet forums. For visibility into darknet forums, we used Flare.io, a threat intelligence platform that monitors underground communities. In both ecosystems, affiliates receive a self-hosted administration panel that must be deployed on their own server infrastructure. This requires a certain level of technical skill from affiliates and also gives them direct control over victim data and payload distribution.

This model differs from other MaaS ecosystems. For example, Danabot affiliates can choose to rent C&C infrastructure as a service, while Lumma Stealer used an exfiltration network fully managed by its operators. In the case of Amadey and Stealc, affiliates are responsible for deploying and operating their own infrastructure, which makes disruption efforts more difficult and is why the clustering approach was essential.

While distribution methods ultimately depend on each individual affiliate, ESET telemetry consistently showed that both malware families were delivered through a variety of channels. The most common methods included fake software updates, cracked software installers, and third-party malware loaders.

Amadey used a pay-per-rebuild model. Affiliates purchased a license and then paid an additional fee each time they needed to generate a new build, for example when rotating to a new C&C server. In other words, Amadey operators did not provide affiliates with a builder tool; instead, samples were compiled on request for each affiliate.

Stealc took a more affiliate-friendly approach, offering unlimited build generation (Figure 1) as part of its subscription. This lowered the operational cost of rotating C&C infrastructure and made it easier for affiliates to generate new samples as needed.

Figure 1. Stealc panel build generation feature

Trying to avoid impersonation scams, operators of both services explicitly instructed potential affiliates on darknet forums to contact them only through official channels. Amadey directed buyers to private messages on the darknet forum where it is advertised, while Stealc used private messages on darknet forums or Telegram.

Amadey

Amadey is a modular malware loader that has been advertised on darknet forums by the account named InCrease since October 2018. Over time, it has become one of the more stable and actively maintained malware families, with ongoing support provided through darknet forum channels.

Our telemetry detection rate, shown in Figure 2, indicates that Amadey was observed globally with no specific regional focus, although the highest detection rates were observed in India, Turkey, Egypt, Mexico, and Spain.

Figure 2. Distribution of Amadey – detection heatmap (2025–present)

The primary function of Amadey is to distribute additional malware to victims. Besides that, it offers three modules for further data exfiltration and access: clipboard monitoring, credential theft, and VNC-based remote access.

The service is priced at US$600, paid in Bitcoin, for a single license, with an additional US$50 charged per rebuild. This means affiliates incur a cost each time they generate a new build, such as when rotating to a fresh C&C server. This pricing has remained largely unchanged since the earliest advertised versions, suggesting a stable and established customer base.

Over the years we have observed ongoing version updates (Figure 3) and active development of Amadey. The most significant milestone in Amadey's development came in August 2020 (v1.99.5), when the entire codebase was completely rewritten. The second major evolution arrived with the release of v5.03 in October 2024, which delivered a dense wave of new capabilities: hVNC with reverse connect, MSI silent installer support, RDP enabling, cmd.exe execution with SYSTEM privileges, and built-in support for encrypted payloads. Overall, the majority of the other, more minor updates served one implicit but constant purpose: evading AV detections as they appeared.

Figure 3. Amadey versions timeline

Technical overview

Each Amadey sample contains at least one hardcoded C&C server URL, with the configuration supporting up to three entries. Samples also embed an RC4 key used for encrypting communications with the C&C server.

Our analysis showed that the RC4 key extracted from each sample serves as a reliable cluster identifier, allowing us to group samples into individual botnets, which we discuss in more detail in the Clustering section.

A second hardcoded value, internally referred to as sd, is a random-looking six-character hexadecimal string matching the pattern [0-9a-f]{6}. It is transmitted during the initial C&C handshake and most likely identifies a specific build within an affiliate's deployment. Although it is often called a campaign ID or Amadey ID by researchers, Amadey's pay-per-build business model suggests that it more accurately represents a build identifier.

Each sample also carries a version number. Our analysis focuses on version v5.x, which has been the dominant variant observed in ESET telemetry since the beginning of 2025.

This bot also checks the victim's keyboard layout. If it matches a layout associated with a CIS country, all network communication is silently rejected. Threat actors operating from Eastern Europe commonly use this type of built-in safeguard to avoid affecting businesses and governmental entities in the region, reducing the risk of attention or prosecution by local authorities. In addition, these operators often follow such practices to avoid potential backlash from their peers for targeting "their own people" or for violating the rules of the darknet forums where their services are advertised.

This section provides only a high-level overview of Amadey, as a deep technical analysis has already been published in the Swisscom report.

C&C communications

Amadey communicates with its C&C server over HTTP using POST requests. At a high level, communication follows a three-stage lifecycle:

  • Initial beacon – the bot sends a minimal st=s HTTP POST request to the C&C server. The server responds with a sleep interval, for example 10, instructing the bot to wait 10 minutes between subsequent check-ins.
  • Registration – the bot transmits RC4-encrypted system information encoded as a flat key-value string. This data includes the operating system version, username, PC name, installed antivirus product, administrative privileges, sd value, and other host information. Notably, the RC4 key itself is never transmitted over the network. Based on our telemetry, no server was observed serving tasks for more than one RC4 key at a time, suggesting that each sample must communicate with a C&C server that already knows and expects that exact RC4 key. The server responds with a task list.
  • Tasking – tasks are delivered as structured command strings delimited by tags, with individual commands separated by # characters, as shown in Figure 4. Each task encodes a command type, such as downloading and executing an EXE, starting VNC, or running a stealer plugin. Tasks also include parameters such as a privilege escalation flag, target directory, and payload URL.

Each task has its own processing logic, ranging from simple download-and-execute commands to more complex execution of hVNC or proxy components. The inner workings have been documented in previous technical reporting.

Figure 4. Amadey C&C communications with highlighted list of delimited encrypted tasks

Clustering

When monitoring MaaS malware, a key challenge is finding a reliable way to group samples belonging to the same threat actor. Understanding the business model and the distribution of network infrastructure is thus essential for successful disruption, because it allows defenders and law enforcement to identify the critical points where action can have the greatest impact. In this section, we explain our methodology.

Amadey samples contain three key hardcoded configuration values:

  • C&C URLs,
  • RC4 keys used for C&C communications, and
  • the sd value transmitted during the initial C&C handshake.

Over the course of our monitoring, we noticed that Amadey C&C URLs follow a consistent pattern:

http(s)?://<IP address or domain>/<random_path>/index.php

Further, the same URL <random_path> part was used with different C&C servers (see Figure 5). As this value appears to be a random string, seeing it tied to multiple C&C servers over time seemed like a strong indicator that those C&C servers are operated as part of the same cluster. Therefore, we further decomposed the C&C URL into these two parts: the IP address or domain, and the URL <random_path>.

Figure 5. Examples of random_path identifiers in Amadey C&C server URLs

Using values from the samples' configuration, combined with our understanding of their purpose, we leveraged graph modeling to gain insight into the structure of the Amadey ecosystem. At first glance at Figure 6, we clearly see that, indeed, there is no shared infrastructure, but rather multiple smaller sub-botnets, with one clearly dominating. We dive deeper into that largest cluster in the next section.

Figure 6. Amadey affiliate clustering based on ESET telemetry

To conclude, the main takeaways are:

  1. We identified a total of 53 unique clusters inside the Amadey ecosystem.
  2. Each sd value is tied to exactly one RC4 key.
  3. RC4 keys are likely a useful affiliate identifier, as rebuilds preserve the key while changing the sd value.
  4. The C&C URL <random_path> part is usually reused when rotating C&C servers, serving as reliable evidence that such C&C servers belong to the same cluster.

The largest Amadey botnet cluster

One cluster stands out as the largest, and it contributed nearly 34% of all processed Amadey samples. This cluster was also the only one active throughout the entire analyzed time period, as represented in our timeline in Figure 7.

Figure 7. Activity of the 10 largest Amadey botnets (largest at top)

The largest botnet also dominated in the average number of payloads distributed to victims per execution. Based on our clustering methodology, Amadey samples belonging to the largest botnet delivered, on average, around 14 payloads to every victim simultaneously (Figure 8).

Figure 8. Top five botnets based on the average number of payloads distributed per Amadey execution

The range and number of distributed malware families was broad, from infostealers and RATs to malware packed with complex code protectors. Figure 9 provides an insight into the payloads we detected being delivered throughout the monitoring period.

Figure 9. Payload distribution of the largest Amadey botnet

Moreover, ESET researchers were able to obtain evidence that, many times, multiple Lumma Stealer samples were delivered to a single victim, each attributed to a different affiliate (see our previous Lumma Stealer research). This results in multiple Lumma Stealer affiliates ending up with the same stolen data. This observation leads us to conclude that the threat actors controlling this largest cluster likely ran their own pay-per-install (PPI) model, further monetizing their bots.

Stealc

In contrast to Amadey, Stealc is a typical representative of an infostealer. It targets a broad range of data sources, including credentials stored by web browsers, email clients, FTP clients, gaming platforms, cryptocurrency wallet files, and browser extensions.

Stealc was launched on a darknet forum in February 2023, and we started monitoring it shortly thereafter. Our telemetry detection rate, shown in Figure 10, indicates that Stealc was distributed globally with no specific regional focus. The highest detection rates were observed in the United States, Poland, and Italy.

Figure 10. Distribution of Stealc – detection heatmap (2025–present)

Stealc is advertised by a threat actor using the moniker plymouth. The operators were actively maintaining Stealc; each time a new version was released, they disclosed release notes in a darknet forum post. There have been 37 such releases in the past three years. Stealc is sold as a monthly subscription, with pricing that has evolved only slightly:

  • US$300 per month
  • US$700 for three months
  • US$1,000 for six months

In March 2025, Stealc received a major architectural update with version 2, introducing significant changes to the network protocol and configuration structure, and – since then – this version has dominated in our telemetry. By June 2026, it had reached version 2.22.1, as shown in Figure 11.

Figure 11. Stealc version timeline

Besides its primary targets, Stealc includes a configurable file grabber that allows affiliates to specify custom patterns defining files to exfiltrate from compromised machines. Its C&C communications and embedded strings are protected by RC4 encryption with per-build keys.

Stealc does not rely on a single, standardized distribution method – each affiliate is responsible for its own delivery mechanisms. Nevertheless, similar to Amadey, our telemetry indicates that certain vectors consistently stand out – notably trojanized software installers and established malware loaders (like Amadey).

Technical overview

A detailed technical analysis of Stealc v2 has already been published by Lumma-Labs. In this section, we focus on the properties usable for clustering.

Current versions of Stealc embed two distinct RC4 keys per sample:

  • one to decrypt obfuscated strings at runtime, and
  • a second one to encrypt C&C network communications.

In addition to the two RC4 keys, we have been extracting the build identifier from Stealc samples. This value represents an individual Stealc campaign, and unlike other strings it is not protected in the binary. The value is important because it is transmitted as part of the C&C handshake (see Figure 12).

The C&C server address and URL path used for communications are both stored among the RC4-encrypted strings and were extracted as part of our automated configuration unpacking pipeline.

C&C communications

Stealc communicates with its C&C server over HTTP using RC4-encrypted JSON objects. The initial request sent to the C&C contains three values:

  • a build identifier (build),
  • a fingerprint of the compromised machine (hwid), and
  • the request type (this initial request is of the type create).

The machine fingerprint is derived from the system's volume serial number and formatted as a UUIDv4 string. An example JSON object for this initial request is shown in Figure 12.

Figure 12. Example of a create request issued by Stealc

The C&C server responds with a complex JSON object that defines which features Stealc should perform. Alongside that, the response contains a randomly generated access_token value that acts as a session key and must be used in all subsequent requests; otherwise they are refused by the server. Besides the complex definitions of targets, the JSON object also defines whether to take a screenshot, self-destruct when done, or download and execute an additional payload afterwards. An example response JSON object is shown in Figure 13.

Figure 13. Decrypted Stealc configuration from C&C server

Each server response also contains a randomly generated key-value pair at the very beginning – neither hexadecimal string is ever reused in subsequent C&C communications. According to Zscaler research, this prevents static detection signatures on RC4-encrypted traffic, even when the same encryption key is used repeatedly. In Figure 13 the randomly generated nonce is "bf66e52": "03030ac3e9a8cebf".

After the initial registration, Stealc uses three additional operation types with self-explanatory names to perform its functionality:

  • upload_file – exfiltrate collected data,
  • loader – fetch and execute a follow-on payload, and
  • done – signal completion.
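Both protocols described above (Amadey's flat key-value registration and #-delimited task list, and Stealc's RC4-encrypted JSON with a random nonce pair and an access_token) can be decoded offline once the per-build RC4 key has been extracted from a sample. The Python below is an added example, not ESET's tooling and not code from either malware family: it implements plain RC4, decrypts a constructed Amadey registration body and splits it, parses a decrypted task list, and decrypts a constructed Stealc create request and C&C response, popping the nonce pair at the start of the response and requiring the access_token. Everything the article does not state is an assumption for the demo: the registration field names other than sd, the task delimiter tag name and field order, the Stealc response fields other than access_token, and all keys, hosts and URLs.

```python
import json
import re
from typing import Dict, List, Optional, Tuple

# RC4 (KSA + PRGA). The cipher is symmetric, so one routine encrypts and decrypts.
def rc4(key: bytes, data: bytes) -> bytes:
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

# --- Amadey: registration body and task list ---------------------------------
SD_RE = re.compile(r"[0-9a-f]{6}")  # sd build identifier pattern given in the article

def parse_amadey_registration(body: bytes, rc4_key: bytes) -> Dict[str, str]:
    """Decrypt the registration POST body and split the flat key=value&... string.
    Only 'sd' is a field name from the article; the other names are assumed."""
    plain = rc4(rc4_key, body).decode("ascii")
    fields = dict(pair.split("=", 1) for pair in plain.split("&") if "=" in pair)
    if not SD_RE.fullmatch(fields.get("sd", "")):
        raise ValueError(f"sd does not match [0-9a-f]{{6}}: {fields.get('sd')!r}")
    return fields

def parse_amadey_tasks(task_list: str, tag: str = "task") -> List[Dict[str, object]]:
    """Split a decrypted task list into task records. The article says tasks are
    delimited by tags with commands separated by '#'; the tag name ('task') and
    the field order id#type#elevate#target_dir#url are assumptions for the demo."""
    tasks: List[Dict[str, object]] = []
    for raw in re.findall(rf"<{tag}>(.*?)</{tag}>", task_list, flags=re.S):
        parts = raw.split("#")
        if len(parts) != 5:
            raise ValueError(f"malformed task: {raw!r}")
        task_id, kind, elevate, target_dir, url = parts
        tasks.append({"id": task_id, "type": kind, "elevate": elevate == "1",
                      "target_dir": target_dir, "url": url})
    return tasks

# --- Stealc: create request and C&C response ----------------------------------
UUID4_RE = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}")
HEX_RE = re.compile(r"[0-9a-f]+")

def parse_stealc_create(body: bytes, net_key: bytes) -> Dict[str, str]:
    """Decrypt the initial request and check the three fields the article lists."""
    obj = json.loads(rc4(net_key, body))
    for field in ("build", "hwid", "type"):
        if field not in obj:
            raise ValueError(f"missing field: {field}")
    if obj["type"] != "create":
        raise ValueError(f"unexpected request type: {obj['type']!r}")
    if not UUID4_RE.fullmatch(obj["hwid"]):
        raise ValueError("hwid is not formatted as a UUIDv4 string")
    return obj

def parse_stealc_response(body: bytes, net_key: bytes) -> Tuple[Optional[Tuple[str, str]], Dict]:
    """Decrypt a response, pop the random hex nonce pair the server places first
    (never reused, so it must not end up in a signature), and require the
    access_token that every later request has to carry."""
    obj = json.loads(rc4(net_key, body))  # json.loads preserves key order
    nonce = None
    first = next(iter(obj))
    if HEX_RE.fullmatch(first) and isinstance(obj[first], str) and HEX_RE.fullmatch(obj[first]):
        nonce = (first, obj.pop(first))
    if "access_token" not in obj:
        raise ValueError("response lacks access_token; later requests would be refused")
    return nonce, obj

# --- Constructed samples: demo keys, hosts and values, not real IoCs -------------
AMADEY_KEY = b"demo-amadey-rc4-key"
AMADEY_REGISTRATION = rc4(AMADEY_KEY, b"sd=a1b2c3&os=10&un=demo&pc=DESKTOP-DEMO&av=ESET&ar=1")
AMADEY_TASKS = ("<task>1001#exe#1#%TEMP%#http://cnc.example/p1.exe</task>"
                "<task>1002#vnc#0##</task>")

STEALC_KEY = b"demo-stealc-net-key"
STEALC_CREATE = rc4(STEALC_KEY, json.dumps(
    {"build": "demo_build", "hwid": "3f2504e0-4f89-41d3-9a0c-0305e82c3301", "type": "create"}).encode())
STEALC_RESPONSE = rc4(STEALC_KEY, json.dumps(
    {"bf66e52": "03030ac3e9a8cebf",          # the nonce pair quoted in the article
     "access_token": "0123456789abcdef",     # constructed session key
     "screenshot": True, "self_delete": False, "loader": []}).encode())

if __name__ == "__main__":
    print(parse_amadey_registration(AMADEY_REGISTRATION, AMADEY_KEY))
    print(parse_amadey_tasks(AMADEY_TASKS))
    print(parse_stealc_create(STEALC_CREATE, STEALC_KEY))
    print(parse_stealc_response(STEALC_RESPONSE, STEALC_KEY))
```

The nonce handling is the detail worth keeping in mind when writing detections: because the first key-value pair of every Stealc response is fresh random hex, a signature on the RC4 ciphertext of the response prefix will never match twice, so matching has to happen on decrypted content (the access_token field, the operation types) or on the request side, where the build identifier is stable.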

Clustering

As mentioned, unlike Lumma Stealer's operators, Stealc operators offer their affiliates no shared infrastructure. Similar to our clustering approach for Amadey, we applied graph modeling to values extracted from Stealc configurations, combined with our understanding of their purpose, to better comprehend the structure of the Stealc ecosystem. We ended up with a graph showing that Stealc is indeed fractured into many small clusters (see Figure 14). Each cluster is centered around a small number of C&C servers (often just one) and is usually tied to only a few build IDs or C&C URL paths. Disrupting such infrastructure is therefore a challenging task due to the lack of a single weak point. Overall, we identified a total of 73 distinct clusters (see Figure 14) operating Stealc since March 2025.

Figure 14. Stealc affiliate clustering based on ESET telemetry
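The graph modeling described in the Amadey Clustering section and reused for Stealc here reduces to one relation: two samples belong to the same cluster when they share an identifier that affiliates do not share with each other (an RC4 key, a URL random_path, a build ID, a C&C server), and clusters are the connected components of that graph. The Python below is an added example, not ESET's pipeline, and it generalizes the article's per-family description into one routine: it decomposes Amadey C&C URLs according to the http(s)://<host>/<random_path>/index.php pattern, builds connected components over shared identifiers for both families, and checks takeaway 2 of the Amadey section (each sd value maps to exactly one RC4 key). All sample configurations are constructed (TEST-NET addresses, made-up keys, paths and build IDs), and the field names of the sample dicts are assumptions of the demo.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

AMADEY_URL_RE = re.compile(r"^https?://([^/]+)/([^/]+)/index\.php$")

def decompose_amadey_url(url: str) -> Tuple[str, str]:
    """Split http(s)://<host>/<random_path>/index.php into (host, random_path)."""
    m = AMADEY_URL_RE.match(url)
    if not m:
        raise ValueError(f"URL does not match the Amadey pattern: {url!r}")
    return m.group(1), m.group(2)

class UnionFind:
    """Minimal disjoint-set structure used to merge samples into clusters."""
    def __init__(self) -> None:
        self.parent: Dict[str, str] = {}
    def find(self, x: str) -> str:
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x
    def union(self, a: str, b: str) -> None:
        self.parent[self.find(a)] = self.find(b)

def cluster_samples(samples: Dict[str, Dict[str, str]], link_fields: Iterable[str]) -> List[Set[str]]:
    """samples maps sample id -> extracted config values. Two samples are linked
    when they share the value of any link field; clusters are the connected
    components, returned largest first."""
    uf = UnionFind()
    first_seen: Dict[Tuple[str, str], str] = {}
    for sid, cfg in samples.items():
        uf.find(sid)  # register isolated samples too
        for field in link_fields:
            value = cfg.get(field)
            if not value:
                continue
            key = (field, value)
            if key in first_seen:
                uf.union(sid, first_seen[key])
            else:
                first_seen[key] = sid
    groups: Dict[str, Set[str]] = defaultdict(set)
    for sid in samples:
        groups[uf.find(sid)].add(sid)
    return sorted(groups.values(), key=len, reverse=True)

def cluster_amadey(samples: Dict[str, Dict[str, str]]) -> List[Set[str]]:
    """Amadey: decompose the URL, then link on host, random_path and RC4 key."""
    enriched = {}
    for sid, cfg in samples.items():
        host, path = decompose_amadey_url(cfg["url"])
        enriched[sid] = {**cfg, "host": host, "random_path": path}
    return cluster_samples(enriched, ("host", "random_path", "rc4_key"))

def cluster_stealc(samples: Dict[str, Dict[str, str]]) -> List[Set[str]]:
    """Stealc: link on C&C server, URL path and build ID."""
    return cluster_samples(samples, ("server", "path", "build"))

def sd_key_conflicts(samples: Dict[str, Dict[str, str]]) -> Dict[str, Set[str]]:
    """Check takeaway 2: each sd value should map to exactly one RC4 key.
    Returns the sd values that violate this, with the keys observed."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for cfg in samples.values():
        seen[cfg["sd"]].add(cfg["rc4_key"])
    return {sd: keys for sd, keys in seen.items() if len(keys) > 1}

# Constructed samples: TEST-NET addresses and made-up identifiers, not the article's IoCs.
AMADEY_SAMPLES = {
    "s1": {"url": "http://203.0.113.10/abc123/index.php", "rc4_key": "K1", "sd": "a1b2c3"},
    # rebuild after rotating the server: same random_path and RC4 key, new sd
    "s2": {"url": "http://198.51.100.7/abc123/index.php", "rc4_key": "K1", "sd": "d4e5f6"},
    "s3": {"url": "http://203.0.113.10/abc123/index.php", "rc4_key": "K1", "sd": "a1b2c3"},
    "s4": {"url": "http://192.0.2.55/zzz999/index.php", "rc4_key": "K2", "sd": "0f0f0f"},
    "s5": {"url": "http://192.0.2.56/zzz999/index.php", "rc4_key": "K2", "sd": "0f0f0f"},
    "s6": {"url": "https://198.51.100.200/q1w2e3/index.php", "rc4_key": "K3", "sd": "111111"},
}
STEALC_SAMPLES = {
    "t1": {"server": "203.0.113.99", "path": "/a/b.php", "build": "build_one"},
    "t2": {"server": "203.0.113.99", "path": "/a/b.php", "build": "build_two"},
    "t3": {"server": "198.51.100.12", "path": "/c.php", "build": "build_three"},
}

if __name__ == "__main__":
    print("Amadey clusters:", cluster_amadey(AMADEY_SAMPLES))
    print("Stealc clusters:", cluster_stealc(STEALC_SAMPLES))
    print("sd/RC4 conflicts:", sd_key_conflicts(AMADEY_SAMPLES))
```

On the constructed data this yields three Amadey clusters and two Stealc clusters; the point of the sd check is that a conflict (one sd seen with two RC4 keys) would undermine using the RC4 key as an affiliate identifier, so it is worth running before trusting a cluster as a takedown target.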

Conclusion

For global disruption operations such as Operation Endgame against Amadey and Stealc, long-term automated monitoring of malware is essential. This blogpost presents information collected in that manner, but also provides details on the specific MaaS business model behind each family and how that translates into often fragmented network infrastructure, documents their key static identifiers and C&C communication protocols, and outlines how ESET researchers helped to identify critical points for the disruption. Our threat intelligence on both Amadey and Stealc, combined with data shared by our partners, provided a strong foundation for both the disruption operation and law enforcement efforts.

Operation Endgame aimed to seize or render inoperative all known Amadey and Stealc C&C servers, directly disrupting the infrastructure relied upon by both MaaS offerings' affiliates. ESET will continue to monitor both families and track any attempts to rebuild operational infrastructure following this disruption.

IoCs

A comprehensive list of indicators of compromise (IoCs) and samples can be found in our GitHub repository.

Files

SHA‑1 Filename Detection Description
11A42EF076686CB27BA2C8845301943652A5AADC KB.14.804.8407.exe Win64/Stealc.A Stealc infostealer.
32D0C3300825B0BB991C4A8F1E6244F0AD2DA989 yinkaroj.exe Win64/Stealc.A Stealc infostealer.
5F3F99B14243404C7CF57B40BB101244CCE394BF MusNotification.exe Win64/Stealc.B Stealc infostealer.
B4101027BF2F1261402BF6318C6EB016CE249037 Patch.exe Win32/Spy.Agent.QOL Stealc infostealer.
F61E3A643F2417E1A1AB2C83BBDBFC8A7CB96756 VeloTeam_x32.exe Win32/Spy.Agent.QOL Stealc infostealer.
09002D4668A778853E8DA5C488C6E421C0628357 N/A Win32/TrojanDownloader.Amadey.A Amadey.
87867AD29E621BF9EBF57E1757F75090842458BE N/A Win32/TrojanDownloader.Amadey.A Amadey.
38D744543B2051E6F749AF171B5EF8D6DF8AAC7B N/A Win64/TrojanDownloader.Amadey.A Amadey.
C0E178D26E1E613985A9C67E649D71D54642E0EED N/A Win64/TrojanDownloader.Amadey.A Amadey.
FF8D2AFD9D7F0A822092FEE34CA55D1A3542F7ED N/A Win32/TrojanDownloader.Amadey.A Amadey.

Network

IP Domain Hosting provider First seen Details
62.60.226[.]159 N/A FEMO IT SOLUTIONS LIMITED 2026‑04‑13 Amadey C&C server.
64.188.91[.]237 N/A Hurricane Electric LLC 2026‑03‑19 Stealc C&C server.
94.154.35[.]25 N/A Artem Sevastyanov 2026‑03‑26 Amadey C&C server.
95.85.238[.]4 N/A DATAMAT CZ s.r.o. 2026‑04‑09 Stealc C&C server.
176.111.174[.]140 N/A RU-NUBES-20220530 2026‑03‑04 Amadey C&C server.
176.124.199[.]207 N/A AEZA INTERNATIONAL LTD 2026‑03‑31 Stealc C&C server.
188.114.96[.]1 mi.overlapsnowbound[.]com Cloudflare, Inc. 2026‑04‑02 Amadey C&C server.
193.156.1[.]16 N/A RU-PROTON66-20191118 2026‑02‑24 Amadey C&C server.
194.26.192[.]191 N/A 1337 Services GmbH 2026‑02‑20 Stealc C&C server.
196.251.107[.]130 N/A NTT America, Inc. 2026‑04‑17 Stealc C&C server.

MITRE ATT&CK techniques

This table was built using version 19 of the MITRE ATT&CK framework.

Tactic ID Name Description
Resource Development T1583.004 Acquire Infrastructure: Server Amadey affiliates acquire servers to host C&C panels and support Amadey operations.
T1587.001 Develop Capabilities: Malware Amadey operators actively develop their malware and tools to support their monetization efforts.
T1588.001 Obtain Capabilities: Malware Amadey affiliates often acquire additional malware to be distributed to a compromised system.
T1608.001 Stage Capabilities: Upload Malware Amadey and Stealc affiliates can upload acquired malware to their infrastructure or third-party web services to distribute it.
Initial Access T1195 Supply Chain Compromise Amadey and Stealc are distributed through trojanized, cracked software installers.
Execution T1059.003 Command and Scripting Interpreter: Windows Command Shell Amadey uses cmd.exe to support its operation and can execute arbitrary CMD script files.
T1106 Native API Amadey uses various Windows API functions throughout its execution.
T1129 Shared Modules Amadey can load additional credential stealer and clipper plugins to enhance its capabilities.
T1204.002 User Execution: Malicious File Amadey and Stealc are distributed as a PE file to be executed by the victim.
Persistence T1136.001 Create Account: Local Account Amadey can create an administrative account on a compromised system.
T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder Amadey can establish persistence for newly downloaded malware by creating a registry Run key.
Defense Evasion T1027.015 Obfuscated Files or Information: Compression Amadey can download, decompress, and execute payloads delivered in ZIP archives.
T1055.002 Process Injection: Portable Executable Injection Amadey can inject a downloaded payload into its child process.
T1480 Execution Guardrails Amadey and Stealc check the keyboard layout and abort execution if it matches a CIS country.
T1140 Deobfuscate/Decode Files or Information Amadey and Stealc encrypt their strings, network traffic, and downloaded payloads.
T1218.007 Signed Binary Proxy Execution: Msiexec Amadey can download and execute an additional payload distributed in an MSI package.
T1218.011 Signed Binary Proxy Execution: Rundll32 Amadey can download and load an additional DLL file using rundll32.exe.
T1027 Obfuscated Files or Information The majority of strings in Stealc (C&C addresses, URLs, configuration parameters) are RC4 encrypted within the binary.
T1036 Masquerading Stealc masquerades as a legitimate binary.
Credential Access T1552.001 Unsecured Credentials: Credentials In Files Amadey and Stealc can harvest credentials from various applications, such as crypto wallets and FTP and messaging clients.
T1552.002 Unsecured Credentials: Credentials in Registry Amadey can harvest application credentials stored in the registry, such as those from Outlook and the WinSCP client.
T1555.003 Credentials from Password Stores: Credentials from Web Browsers Stealc and Amadey can harvest credentials from various web browsers.
T1528 Steal Application Access Token Stealc targets application tokens (e.g., crypto wallets, messaging apps).
T1539 Steal Web Session Cookie Stealc harvests browser cookies alongside credentials.
T1555 Credentials from Password Stores Stealc targets browser-stored credentials (passwords, autofill data).
Discovery T1012 Query Registry Amadey reads various data from the registry, such as data to harvest, Windows version, and keyboard layout.
T1016 System Network Configuration Discovery Amadey and Stealc send information about the compromised system's network setup to their C&C servers.
T1033 System Owner/User Discovery Amadey and Stealc send the victim's username to their C&C servers.
T1057 Process Discovery Amadey's credential stealer plugin enumerates running processes to identify targeted applications. Stealc also enumerates running processes during its initial execution stage.
T1082 System Information Discovery Amadey and Stealc send various system information, such as the Windows version, the computer name, and other metadata, to their C&C servers.
T1083 File and Directory Discovery Amadey and Stealc search the file system to locate interesting files to harvest, security products, and other artifacts of interest.
T1518.001 Software Discovery: Security Software Discovery Amadey checks the system for a set of security products and reports those installed to its C&C server.
T1614.001 System Location Discovery: System Language Discovery Amadey and Stealc check the system keyboard layout/locale to implement CIS-country execution blocks.
Collection T1113 Screen Capture Amadey and Stealc can capture a screenshot when instructed to do so.
T1119 Automated Collection Amadey uses its credential stealer plugin to collect and exfiltrate credentials from various applications. Stealc's credential collection is fully automated and policy-driven via the C&C-supplied configuration.
T1005 Data from Local System Stealc collects files matching operator-defined patterns from the local file system via the configurable file grabber.
Command and Control T1008 Fallback Channels Amadey's configuration may contain up to three C&C servers in case the primary one becomes inaccessible.
T1071.001 Application Layer Protocol: Web Protocols Amadey communicates with its C&C server over HTTP. Stealc communicates over HTTP(S) using a JSON-based protocol.
T1132.001 Data Encoding: Standard Encoding Amadey uses hexadecimal and base64 encodings for transferred data. Stealc uses base64 for exfiltrated data on top of RC4 encryption.
T1219.002 Remote Access Software: Remote Desktop Software Amadey supports remote control of compromised systems via its VNC plugin or through an RDP connection.
T1573.001 Encrypted Channel: Symmetric Cryptography Amadey and Stealc use the RC4 cipher for encrypting C&C communications.
Exfiltration T1020 Automated Exfiltration Amadey and Stealc exfiltrate collected data to their C&Cs fully automatically, without operator interaction.
T1041 Exfiltration Over C2 Channel Amadey and Stealc exfiltrate collected data to their C&C servers.
