ESET takes half in Operation Endgame to disrupt Amadey and Stealc

A yr in the past, ESET Analysis was a part of two main operations that disrupted a number of the main cybercriminal operations on the time, Lumma Stealer and Danabot. Extra not too long ago, our researchers are as soon as once more collaborating with personal companions and legislation enforcement, however this time taking purpose on the Amadey botnet and Stealc infostealer, each offered through malware-as-a-service (MaaS) choices. Operation Endgame – coordinated by Microsoft Digital Crimes Unit (DCU), BitSight, Lumen, Mitsui Bussan Safe Instructions (MBSD), and different companions – focused all recognized community infrastructure utilized by Amadey and Stealc associates in an effort to cripple their cybercriminal operations.

ESET contributed to this effort by offering technical analyses, statistical info, recognized command and management (C&C) servers, encryption keys, marketing campaign and construct identifiers, and different risk intelligence collected throughout our long-term monitoring of each malware households.

Key factors of this blogpost:

• ESET took half within the coordinated, world Operation Endgame to disrupt Amadey and Stealc.
• Operation Endgame impacted round 50 domains and practically 200 energetic IP-based C&C servers related to Amadey and Stealc.
• ESET offered technical analyses, statistical info, recognized C&C servers, encryption keys, marketing campaign identifiers, and different insights.
• We offer an outline of the MaaS ecosystem on the affiliate degree for each malware households.
• We describe how we clustered Amadey and Stealc exercise.
• We summarize the technical properties most related to monitoring and disruption, together with C&C communications, embedded identifiers, and encryption keys.
• We element overlaps between actions of Amadey and associates of Lumma Stealer.

Disruption contribution

ESET Analysis has been monitoring each the Amadey botnet and Stealc infostealer for the previous three years. For this disruption operation, we shared statistics masking This fall 2025 by means of H1 2026, together with technical indicators and configuration information extracted from processed malware samples.

Our automated techniques have been dissecting Amadey and Stealc samples and figuring out the fields most related for large-scale monitoring. These embrace C&C servers, construct identifiers, encryption keys, URL paths, marketing campaign identifiers, and different embedded values utilized by the malware households throughout communication with attacker-controlled infrastructure.

A serious focus of our work was discovering dependable strategies to deal with the big quantity of processed samples and to cluster them. This was notably helpful as a result of each Amadey and Stealc are bought as companies. As such, the malware samples are distributed and operated by associates, typically operating their very own infrastructure, producing or requesting their very own builds, and orchestrating their very own campaigns. Figuring out exercise clusters in such ecosystems permits us to identify high-priority targets for disruptions like this one.

Sharing technical analyses, statistical info, and risk intelligence, similar to C&C server lists, affiliate identifiers, and encryption keys, allows legislation enforcement companies to determine, prioritize, and act in opposition to infrastructure with a excessive diploma of confidence. IoCs additionally assist distinguish between particular person clusters, shared infrastructure, and high-impact botnets whose disruption is more likely to have the best affect on the general risk panorama. In the end, the disruption affected round 50 domains and practically 200 energetic IPs used as C&C servers for both Amadey or Stealc.

Disrupted malware households

Amadey is a modular malware loader. Its most important goal is to distribute extra malware to compromised techniques, though it additionally gives modules for information exfiltration and distant entry.

Stealc, in distinction, is a typical infostealer as a service. It targets credentials, cookies, cryptocurrency wallets, browser extensions, and information whose names match affiliate-defined patterns.

Each malware households are bought as companies and marketed on darknet boards. For visibility into darknet boards, we used Flare.io, a risk intelligence platform that displays underground communities. In each ecosystems, associates obtain a self-hosted administration panel that have to be deployed on their very own server infrastructure. This requires a sure degree of technical talent from associates and in addition provides them direct management over sufferer information and payload distribution.

This mannequin differs from different MaaS ecosystems. For instance, Danabot associates can select to lease C&C infrastructure as a service, whereas Lumma Stealer used an exfiltration community absolutely managed by its operators. Within the case of Amadey and Stealc, associates are chargeable for deploying and working their very own infrastructure, making disruption efforts harder, which is why the clustering strategy was important.

Whereas distribution strategies in the end depend upon every particular person affiliate, ESET telemetry persistently confirmed that each malware households had been delivered by means of a variety of channels. The most typical strategies included faux software program updates, cracked software program installers, and third-party malware loaders.

Amadey used a pay-per-rebuild mannequin. Associates bought a license after which paid a further price every time they wanted to generate a brand new construct, for instance when rotating to a brand new C&C server. In different phrases, Amadey operators didn’t present associates with a builder instrument; as an alternative, samples had been compiled on request for every affiliate.

Stealc took a extra affiliate-friendly strategy, providing limitless construct era (Determine 1) as a part of its subscription. This lowered the operational value of rotating C&C infrastructure and made it simpler for associates to generate new samples as wanted.

Making an attempt to keep away from impersonation scams, operators of each companies explicitly instructed potential associates on darknet boards to contact them solely by means of official channels. Amadey directed consumers to personal messages on the darknet discussion board the place it’s marketed, whereas Stealc used personal messages on darknet boards or Telegram.

Amadey

Amadey is a modular malware loader that has been marketed on darknet boards by account identify InCrease since October 2018. Over time, it has turn out to be one of many extra steady and actively maintained malware households, with ongoing help offered by means of darknet discussion board channels.

Our telemetry detection charge, proven in Determine 2, signifies that Amadey was noticed globally with no particular regional focus, though the very best detection charges had been noticed in India, Turkey, Egypt, Mexico, and Spain.

The first operate of Amadey is to distribute extra malware to victims. Apart from that, it gives three modules for additional information exfiltration and entry: clipboard monitoring, credential theft, and VNC-based distant entry.

The service is priced at US$600, paid in Bitcoin, for a single license, with a further US$50 charged per rebuild. This implies associates incur a price every time they generate a brand new construct, similar to when rotating to a contemporary C&C server. This pricing has remained largely unchanged because the earliest marketed variations, suggesting a steady and established buyer base.

Over time we’ve got noticed ongoing model updates (Determine 3) and energetic improvement of Amadey. Essentially the most important milestone in Amadey’s improvement got here in August 2020 (v1.99.5), when the whole codebase was fully rewritten. The second main evolution arrived within the launch of v5.03 in October 2024, which delivered a dense wave of recent capabilities: hVNC with reverse join, MSI silent installer help, RDP enabling, cmd.exe execution with SYSTEM privileges, and built-in help for encrypted payloads. Total, the vast majority of the opposite, extra minor updates served one implicit however fixed goal: evading AV detections as they appeared.

Technical overview

Every Amadey pattern comprises at the least one hardcoded C&C server URL, with the configuration supporting as much as three entries. Samples additionally embed an RC4 key used for encrypting communications with the C&C server.

Our evaluation confirmed that the RC4 key extracted from every pattern serves as a dependable cluster identifier, permitting us to cluster samples into particular person botnets, which we focus on in additional element within the Clustering part.

A second hardcoded worth, internally known as sd, is a random-looking six-character hexadecimal string matching the sample [0-9a-f]{6}. It’s transmitted in the course of the preliminary C&C handshake and almost definitely identifies a selected construct inside an affiliate’s deployment. Though it’s generally known as a marketing campaign ID or Amadey ID by researchers, Amadey’s pay-per-build enterprise mannequin means that it extra precisely represents a construct identifier.

Every pattern additionally carries a model quantity. Our evaluation focuses on model v5.x, which has been the dominant variant noticed in ESET telemetry because the starting of 2025.

This bot additionally checks the sufferer’s keyboard structure. If it matches a structure related to a CIS nation, all community communication is silently rejected. Risk actors working from Japanese Europe generally use the sort of built-in safeguard to keep away from affecting companies and governmental entities within the area, lowering the chance of consideration or prosecution by native authorities. As well as, these operators typically comply with such practices to keep away from potential backlash from their friends for concentrating on “their very own folks” or for violating the foundations of darknet boards the place their companies are marketed.

This part offers solely a high-level overview of Amadey, as deep technical evaluation has already been revealed within the Swisscom report.

C&C communications

Amadey communicates with its C&C server over HTTP utilizing POST requests. At a excessive degree, communication follows a three-stage lifecycle:

• Preliminary beacon – the bot sends a minimal st=s HTTP POST request to the C&C server. The server responds with a sleep interval, for instance 10, instructing the bot to attend 10 minutes between subsequent check-ins.
• Registration – the bot transmits RC4-encrypted system info encoded as a flat key-value string. This information consists of the working system model, username, PC identify, put in antivirus product, administrative privileges, sd worth, and different host info. Notably, the RC4 key itself isn’t transmitted over the community. Based mostly on our telemetry, no server was noticed serving duties for multiple RC4 key at a time, suggesting that every pattern should talk with a C&C server that already is aware of and expects that precise RC4 key. The server responds with a activity listing.
• Tasking – duties are delivered as structured command strings delimited by and tags with particular person instructions separated by # characters, as proven in Determine 4. Every activity encodes a command kind, similar to downloading and executing an EXE, beginning VNC, or operating a stealer plugin. Duties additionally embrace parameters similar to a privilege escalation flag, goal listing, and payload URL.

Every activity has its personal processing logic, starting from easy download-and-execute instructions to extra complicated execution of hVNC or proxy elements. The internal workings have been documented in earlier technical reporting.

Clustering

When monitoring MaaS malware, a key problem is discovering a dependable option to group samples belonging to the identical risk actor. Understanding the enterprise mannequin and the distribution of community infrastructure is thus important for profitable disruption, as a result of it permits defenders and legislation enforcement to determine the crucial factors the place motion may have the best affect. On this part, we clarify our methodology.

Amadey samples include three key hardcoded configuration values:

• C&C URLs,
• RC4 keys used for C&C communications, and
• the sd worth transmitted in the course of the preliminary C&C handshake.

Over the course of our monitoring, we seen that Amadey C&C URLs comply with a constant sample:

http(s)?:////index.php

Additional, the identical URL half was used with completely different C&C servers (see Determine 5). As this worth seems to be a random string, seeing it tied to a number of C&C servers over time appeared like a robust indicator that the C&C servers are operated as a part of the identical cluster. Subsequently, we additional decomposed the C&C URL into these two components: the IP handle or area and the URL .

Utilizing values from the samples’ configuration, mixed with our understanding of their goal, we leveraged graph modeling to realize insights into the construction of the Amadey ecosystem. On first look at Determine 6, we clearly see that, certainly, there isn’t a shared infrastructure, however relatively a number of smaller sub-botnets with one clearly dominating. We dive deeper into that largest cluster within the subsequent part.

To conclude, the principle takeaways are:

1. We recognized a complete of 53 distinctive clusters contained in the Amadey ecosystem.
2. Every sd worth is tied to precisely one RC4 key.
3. RC4 keys are probably a helpful affiliate identifier, as rebuilds protect the important thing whereas altering the sd worth.
4. The C&C URL half is often reused when rotating C&C servers, serving as dependable proof of such C&C servers belonging to the identical cluster.

The most important Amadey botnet cluster

One cluster stands out as the biggest, and it contributed practically 34% of all processed Amadey samples. This cluster was additionally the one one energetic all through the whole analyzed time interval, as represented in our timeline in Determine 7.

The most important botnet additionally dominated within the common variety of payloads distributed to victims per execution. Based mostly on our clustering methodology, Amadey samples belonging to the biggest botnet delivered, on common, round 14 payloads to each sufferer concurrently (Determine 8).

The vary and variety of distributed malware households was broad, from infostealers and RATs to malware filled with complicated code protectors. Determine 9 offers an perception into the payloads we detected being delivered all through the monitoring interval.

Moreover, ESET researchers had been capable of receive proof that many occasions, a number of Lumma Stealer samples had been delivered to a single sufferer, every attributed to a distinct affiliate (see our earlier Lumma Stealer analysis). This ends in a number of Lumma Stealer associates ending up with the identical stolen information. This commentary leads us to conclude that the risk actors controlling this largest cluster probably ran their very own pay-per-install (PPI) mannequin, additional monetizing their bots.

Stealc

In distinction to Amadey, Stealc is a typical consultant of an infostealer. It targets a broad vary of knowledge sources, together with credentials saved by net browsers, e mail purchasers, FTP purchasers, gaming platforms, cryptocurrency pockets information, and browser extensions.

Stealc was launched on a darknet discussion board in February 2023, and we began monitoring it shortly thereafter. Our telemetry detection charge, proven in Determine 10, signifies that Stealc was distributed globally with no particular regional focus. The best detection charges had been noticed in america, Poland, and Italy.

Stealc is marketed by a risk actor utilizing the moniker plymouth. The operators had been actively sustaining Stealc; every time a brand new model was launched, they disclosed launch notes in a darknet discussion board put up. There have been 37 such releases prior to now three years. Stealc is bought as a month-to-month subscription, with pricing that has developed solely barely:

• US$300 monthly
• US$700 for 3 months
• US$1,000 for six months

In March 2025, Stealc acquired a serious architectural replace with model 2, introducing important adjustments to the community protocol and configuration construction and – since then – this model has dominated in our telemetry. By June 2026, it had reached model 2.22.1, as proven in Determine 11.

Apart from its most important targets, Stealc features a configurable file grabber that permits associates to specify customized patterns defining information to exfiltrate from compromised machines. Its C&C communications and embedded strings are protected by RC4 encryption with per-build keys.

Stealc doesn’t depend on a single, standardized distribution technique – every affiliate is chargeable for its personal supply mechanisms. Nevertheless, much like Amadey, our telemetry signifies that sure vectors persistently stand out – notably trojanized software program installers and established malware loaders (like Amadey).

Technical overview

An in depth technical evaluation of Stealc v2 has already been revealed by Lumma-Labs. On this part, we give attention to the properties usable for clustering.

Present variations of Stealc embed two distinct RC4 keys per pattern:

• one to decrypt obfuscated strings at runtime, and
• a second one to encrypt C&C community communications.

Along with the 2 RC4 keys, we’ve got been extracting the construct identifier from Stealc samples. This worth represents a person Stealc marketing campaign, and in contrast to different strings it’s not protected within the binary. The worth is essential as a result of it’s transmitted as a part of the C&C handshake (see Determine 12).

The C&C server handle and URL path used for communications are each saved among the many RC4-encrypted strings and have been extracted as a part of our automated configuration unpacking pipeline.

C&C communications

Stealc communicates with its C&C server over HTTP utilizing RC4-encrypted JSON objects. The preliminary request despatched to the C&C comprises three values:

• a construct identifier (construct),
• a fingerprint of the compromised machine (hwid), and
• the request kind (this preliminary request is of the kind create).

The machine fingerprint is derived from the system’s quantity serial quantity and formatted as a UUIDv4 string. An instance JSON object for this preliminary request is proven in Determine 12.

The C&C server responds with a posh JSON object that defines what options Stealc ought to carry out. Alongside that, the response comprises a randomly generated access_token worth that acts as a session key and must be utilized in all subsequent requests, in any other case they’re refused by the server. Apart from the complicated definitions of targets, the JSON object additionally defines whether or not to take a screenshot, self-destruct when completed, or obtain and execute a further payload afterwards. An instance of response JSON object is proven in Determine 13.

Every server response additionally comprises a randomly generated key-value pair on the very starting – neither hexadecimal string is ever reused in subsequent C&C communications. In response to Zscaler analysis, this prevents static detection signatures on RC4-encrypted site visitors, even when the identical encryption secret’s used repeatedly. In Determine 13 the randomly generated nonce is “bf66e52”: “03030ac3e9a8cebf”.

After the preliminary registration, Stealc makes use of three extra operation varieties with self-explanatory names to carry out its performance:

• upload_file – exfiltrate collected information,
• loader – fetch and execute a follow-on payload, and
• completed – sign completion.

Clustering

As talked about, in contrast to Lumma Stealer’s, Stealc operators provide their associates no shared infrastructure. Just like our clustering strategy for Amadey, we utilized graph modeling to values extracted from Stealc configurations, mixed with our understanding of their goal, to raised comprehend the construction of the Stealc ecosystem. We ended up with a graph exhibiting that Stealc is certainly fractured into many small clusters (see Determine 14). Every cluster is centered round a small variety of C&C servers (typically only one) and usually tied to just a few construct IDs or C&C URL paths. Disrupting such infrastructure is due to this fact a difficult activity because of the lack of a weak level. Total, we recognized a complete of 73 distinct clusters (see Determine 14) working Stealc since March 2025.

Conclusion

For world disruption operations similar to Operation Endgame in opposition to Amadey and Stealc, long-term automated monitoring of malware is critical. This blogpost presents info collected in that method but additionally offers particulars on the particular MaaS enterprise mannequin behind every household and the way that interprets into typically fragmented community infrastructure, paperwork their key static identifiers and C&C communication protocols, and descriptions how ESET researchers helped to determine crucial factors for the disruption. Our risk intelligence on each Amadey and Stealc, mixed with information shared by our companions, offered a robust basis for each the disruption operation and legislation enforcement efforts.

Operation Endgame aimed to grab or render inoperative all recognized Amadey and Stealc C&C servers, straight disrupting the infrastructure relied upon by each MaaS choices’ associates. ESET will proceed to watch each households and monitor any makes an attempt to rebuild operational infrastructure following this disruption.

IoCs

A complete listing of indicators of compromise (IoCs) and samples will be present in our GitHub repository.

Information

Community

MITRE ATT&CK strategies

This desk was constructed utilizing model 19 of the MITRE ATT&CK framework.