ESET takes half in Operation Endgame to disrupt Amadey and Stealc

A yr in the past, ESET Analysis was a part of two main operations that disrupted a few of the main cybercriminal operations on the time, Lumma Stealer and Danabot. Extra just lately, our researchers are as soon as once more collaborating with personal companions and legislation enforcement, however this time taking goal on the Amadey botnet and Stealc infostealer, each supplied through malware-as-a-service (MaaS) choices. Operation Endgame – coordinated by Microsoft Digital Crimes Unit (DCU), BitSight, Lumen, Mitsui Bussan Safe Instructions (MBSD), and different companions – focused all recognized community infrastructure utilized by Amadey and Stealc associates in an effort to cripple their cybercriminal operations.

ESET contributed to this effort by offering technical analyses, statistical data, recognized command and management (C&C) servers, encryption keys, marketing campaign and construct identifiers, and different risk intelligence collected throughout our long-term monitoring of each malware households.

Key factors of this blogpost:

• ESET took half within the coordinated, world Operation Endgame to disrupt Amadey and Stealc.
• Operation Endgame impacted round 50 domains and almost 200 lively IP-based C&C servers related to Amadey and Stealc.
• ESET supplied technical analyses, statistical data, recognized C&C servers, encryption keys, marketing campaign identifiers, and different insights.
• We offer an summary of the MaaS ecosystem on the affiliate stage for each malware households.
• We describe how we clustered Amadey and Stealc exercise.
• We summarize the technical properties most related to monitoring and disruption, together with C&C communications, embedded identifiers, and encryption keys.
• We element overlaps between actions of Amadey and associates of Lumma Stealer.

Disruption contribution

ESET Analysis has been monitoring each the Amadey botnet and Stealc infostealer for the previous three years. For this disruption operation, we shared statistics masking This autumn 2025 by means of H1 2026, together with technical indicators and configuration information extracted from processed malware samples.

Our automated programs have been dissecting Amadey and Stealc samples and figuring out the fields most related for large-scale monitoring. These embody C&C servers, construct identifiers, encryption keys, URL paths, marketing campaign identifiers, and different embedded values utilized by the malware households throughout communication with attacker-controlled infrastructure.

A significant focus of our work was discovering dependable strategies to deal with the big quantity of processed samples and to cluster them. This was significantly helpful as a result of each Amadey and Stealc are bought as companies. As such, the malware samples are distributed and operated by associates, usually working their very own infrastructure, producing or requesting their very own builds, and orchestrating their very own campaigns. Figuring out exercise clusters in such ecosystems permits us to identify high-priority targets for disruptions like this one.

Sharing technical analyses, statistical data, and risk intelligence, reminiscent of C&C server lists, affiliate identifiers, and encryption keys, permits legislation enforcement companies to establish, prioritize, and act in opposition to infrastructure with a excessive diploma of confidence. IoCs additionally assist distinguish between particular person clusters, shared infrastructure, and high-impact botnets whose disruption is prone to have the best influence on the general risk panorama. Finally, the disruption affected round 50 domains and almost 200 lively IPs used as C&C servers for both Amadey or Stealc.

Disrupted malware households

Amadey is a modular malware loader. Its foremost goal is to distribute extra malware to compromised programs, though it additionally presents modules for information exfiltration and distant entry.

Stealc, in distinction, is a typical infostealer as a service. It targets credentials, cookies, cryptocurrency wallets, browser extensions, and information whose names match affiliate-defined patterns.

Each malware households are bought as companies and marketed on darknet boards. For visibility into darknet boards, we used Flare.io, a risk intelligence platform that displays underground communities. In each ecosystems, associates obtain a self-hosted administration panel that should be deployed on their very own server infrastructure. This requires a sure stage of technical ability from associates and likewise offers them direct management over sufferer information and payload distribution.

This mannequin differs from different MaaS ecosystems. For instance, Danabot associates can select to lease C&C infrastructure as a service, whereas Lumma Stealer used an exfiltration community absolutely managed by its operators. Within the case of Amadey and Stealc, associates are answerable for deploying and working their very own infrastructure, making disruption efforts tougher, which is why the clustering method was important.

Whereas distribution strategies in the end depend upon every particular person affiliate, ESET telemetry constantly confirmed that each malware households have been delivered by means of a variety of channels. The most typical strategies included faux software program updates, cracked software program installers, and third-party malware loaders.

Amadey used a pay-per-rebuild mannequin. Associates bought a license after which paid an extra payment every time they wanted to generate a brand new construct, for instance when rotating to a brand new C&C server. In different phrases, Amadey operators didn’t present associates with a builder instrument; as an alternative, samples have been compiled on request for every affiliate.

Stealc took a extra affiliate-friendly method, providing limitless construct era (Determine 1) as a part of its subscription. This lowered the operational value of rotating C&C infrastructure and made it simpler for associates to generate new samples as wanted.

Making an attempt to keep away from impersonation scams, operators of each companies explicitly instructed potential associates on darknet boards to contact them solely by means of official channels. Amadey directed patrons to non-public messages on the darknet discussion board the place it’s marketed, whereas Stealc used personal messages on darknet boards or Telegram.

Amadey

Amadey is a modular malware loader that has been marketed on darknet boards by account identify InCrease since October 2018. Over time, it has grow to be one of many extra steady and actively maintained malware households, with ongoing assist supplied by means of darknet discussion board channels.

Our telemetry detection fee, proven in Determine 2, signifies that Amadey was noticed globally with no particular regional focus, though the best detection charges have been noticed in India, Turkey, Egypt, Mexico, and Spain.

The first operate of Amadey is to distribute extra malware to victims. In addition to that, it presents three modules for additional information exfiltration and entry: clipboard monitoring, credential theft, and VNC-based distant entry.

The service is priced at US$600, paid in Bitcoin, for a single license, with an extra US$50 charged per rebuild. This implies associates incur a value every time they generate a brand new construct, reminiscent of when rotating to a recent C&C server. This pricing has remained largely unchanged for the reason that earliest marketed variations, suggesting a steady and established buyer base.

Through the years we now have noticed ongoing model updates (Determine 3) and lively growth of Amadey. Probably the most vital milestone in Amadey’s growth got here in August 2020 (v1.99.5), when the whole codebase was fully rewritten. The second main evolution arrived within the launch of v5.03 in October 2024, which delivered a dense wave of recent capabilities: hVNC with reverse join, MSI silent installer assist, RDP enabling, cmd.exe execution with SYSTEM privileges, and built-in assist for encrypted payloads. General, nearly all of the opposite, extra minor updates served one implicit however fixed goal: evading AV detections as they appeared.

Technical overview

Every Amadey pattern comprises at the least one hardcoded C&C server URL, with the configuration supporting as much as three entries. Samples additionally embed an RC4 key used for encrypting communications with the C&C server.

Our evaluation confirmed that the RC4 key extracted from every pattern serves as a dependable cluster identifier, permitting us to cluster samples into particular person botnets, which we focus on in additional element within the Clustering part.

A second hardcoded worth, internally known as sd, is a random-looking six-character hexadecimal string matching the sample [0-9a-f]{6}. It’s transmitted through the preliminary C&C handshake and almost definitely identifies a particular construct inside an affiliate’s deployment. Though it’s typically known as a marketing campaign ID or Amadey ID by researchers, Amadey’s pay-per-build enterprise mannequin means that it extra precisely represents a construct identifier.

Every pattern additionally carries a model quantity. Our evaluation focuses on model v5.x, which has been the dominant variant noticed in ESET telemetry for the reason that starting of 2025.

This bot additionally checks the sufferer’s keyboard structure. If it matches a structure related to a CIS nation, all community communication is silently rejected. Menace actors working from Japanese Europe generally use this sort of built-in safeguard to keep away from affecting companies and governmental entities within the area, decreasing the danger of consideration or prosecution by native authorities. As well as, these operators usually comply with such practices to keep away from potential backlash from their friends for concentrating on “their very own folks” or for violating the foundations of darknet boards the place their companies are marketed.

This part supplies solely a high-level overview of Amadey, as deep technical evaluation has already been printed within the Swisscom report.

C&C communications

Amadey communicates with its C&C server over HTTP utilizing POST requests. At a excessive stage, communication follows a three-stage lifecycle:

• Preliminary beacon – the bot sends a minimal st=s HTTP POST request to the C&C server. The server responds with a sleep interval, for instance 10, instructing the bot to attend 10 minutes between subsequent check-ins.
• Registration – the bot transmits RC4-encrypted system data encoded as a flat key-value string. This information consists of the working system model, username, PC identify, put in antivirus product, administrative privileges, sd worth, and different host data. Notably, the RC4 key itself is rarely transmitted over the community. Primarily based on our telemetry, no server was noticed serving duties for multiple RC4 key at a time, suggesting that every pattern should talk with a C&C server that already is aware of and expects that precise RC4 key. The server responds with a activity record.
• Tasking – duties are delivered as structured command strings delimited by and tags with particular person instructions separated by # characters, as proven in Determine 4. Every activity encodes a command kind, reminiscent of downloading and executing an EXE, beginning VNC, or working a stealer plugin. Duties additionally embody parameters reminiscent of a privilege escalation flag, goal listing, and payload URL.

Every activity has its personal processing logic, starting from easy download-and-execute instructions to extra complicated execution of hVNC or proxy parts. The inside workings have been documented in earlier technical reporting.

Clustering

When monitoring MaaS malware, a key problem is discovering a dependable technique to group samples belonging to the identical risk actor. Understanding the enterprise mannequin and the distribution of community infrastructure is thus important for profitable disruption, as a result of it permits defenders and legislation enforcement to establish the vital factors the place motion could have the best influence. On this part, we clarify our methodology.

Amadey samples include three key hardcoded configuration values:

• C&C URLs,
• RC4 keys used for C&C communications, and
• the sd worth transmitted through the preliminary C&C handshake.

Over the course of our monitoring, we seen that Amadey C&C URLs comply with a constant sample:

http(s)?:////index.php

Additional, the identical URL half was used with completely different C&C servers (see Determine 5). As this worth seems to be a random string, seeing it tied to a number of C&C servers over time appeared like a robust indicator that the C&C servers are operated as a part of the identical cluster. Due to this fact, we additional decomposed the C&C URL into these two components: the IP tackle or area and the URL .

Utilizing values from the samples’ configuration, mixed with our understanding of their goal, we leveraged graph modeling to achieve insights into the construction of the Amadey ecosystem. On first look at Determine 6, we clearly see that, certainly, there isn’t a shared infrastructure, however relatively a number of smaller sub-botnets with one clearly dominating. We dive deeper into that largest cluster within the subsequent part.

To conclude, the principle takeaways are:

1. We recognized a complete of 53 distinctive clusters contained in the Amadey ecosystem.
2. Every sd worth is tied to precisely one RC4 key.
3. RC4 keys are possible a helpful affiliate identifier, as rebuilds protect the important thing whereas altering the sd worth.
4. The C&C URL half is sometimes reused when rotating C&C servers, serving as dependable proof of such C&C servers belonging to the identical cluster.

The biggest Amadey botnet cluster

One cluster stands out as the biggest, and it contributed almost 34% of all processed Amadey samples. This cluster was additionally the one one lively all through the whole analyzed time interval, as represented in our timeline in Determine 7.

The biggest botnet additionally dominated within the common variety of payloads distributed to victims per execution. Primarily based on our clustering methodology, Amadey samples belonging to the biggest botnet delivered, on common, round 14 payloads to each sufferer concurrently (Determine 8).

The vary and variety of distributed malware households was broad, from infostealers and RATs to malware filled with complicated code protectors. Determine 9 supplies an perception into the payloads we detected being delivered all through the monitoring interval.

Moreover, ESET researchers have been in a position to acquire proof that many occasions, a number of Lumma Stealer samples have been delivered to a single sufferer, every attributed to a special affiliate (see our earlier Lumma Stealer analysis). This ends in a number of Lumma Stealer associates ending up with the identical stolen information. This statement leads us to conclude that the risk actors controlling this largest cluster possible ran their very own pay-per-install (PPI) mannequin, additional monetizing their bots.

Stealc

In distinction to Amadey, Stealc is a typical consultant of an infostealer. It targets a broad vary of knowledge sources, together with credentials saved by net browsers, electronic mail purchasers, FTP purchasers, gaming platforms, cryptocurrency pockets information, and browser extensions.

Stealc was launched on a darknet discussion board in February 2023, and we began monitoring it shortly thereafter. Our telemetry detection fee, proven in Determine 10, signifies that Stealc was distributed globally with no particular regional focus. The best detection charges have been noticed in the US, Poland, and Italy.

Stealc is marketed by a risk actor utilizing the moniker plymouth. The operators had been actively sustaining Stealc; every time a brand new model was launched, they disclosed launch notes in a darknet discussion board submit. There have been 37 such releases prior to now three years. Stealc is bought as a month-to-month subscription, with pricing that has advanced solely barely:

• US$300 per thirty days
• US$700 for 3 months
• US$1,000 for six months

In March 2025, Stealc acquired a serious architectural replace with model 2, introducing vital modifications to the community protocol and configuration construction and – since then – this model has dominated in our telemetry. By June 2026, it had reached model 2.22.1, as proven in Determine 11.

In addition to its foremost targets, Stealc features a configurable file grabber that enables associates to specify customized patterns defining information to exfiltrate from compromised machines. Its C&C communications and embedded strings are protected by RC4 encryption with per-build keys.

Stealc doesn’t depend on a single, standardized distribution methodology – every affiliate is answerable for its personal supply mechanisms. Nonetheless, much like Amadey, our telemetry signifies that sure vectors constantly stand out – significantly trojanized software program installers and established malware loaders (like Amadey).

Technical overview

An in depth technical evaluation of Stealc v2 has already been printed by Lumma-Labs. On this part, we concentrate on the properties usable for clustering.

Present variations of Stealc embed two distinct RC4 keys per pattern:

• one to decrypt obfuscated strings at runtime, and
• a second one to encrypt C&C community communications.

Along with the 2 RC4 keys, we now have been extracting the construct identifier from Stealc samples. This worth represents a person Stealc marketing campaign, and in contrast to different strings it’s not protected within the binary. The worth is essential as a result of it’s transmitted as a part of the C&C handshake (see Determine 12).

The C&C server tackle and URL path used for communications are each saved among the many RC4-encrypted strings and have been extracted as a part of our automated configuration unpacking pipeline.

C&C communications

Stealc communicates with its C&C server over HTTP utilizing RC4-encrypted JSON objects. The preliminary request despatched to the C&C comprises three values:

• a construct identifier (construct),
• a fingerprint of the compromised machine (hwid), and
• the request kind (this preliminary request is of the kind create).

The machine fingerprint is derived from the system’s quantity serial quantity and formatted as a UUIDv4 string. An instance JSON object for this preliminary request is proven in Determine 12.

The C&C server responds with a fancy JSON object that defines what options Stealc ought to carry out. Alongside that, the response comprises a randomly generated access_token worth that acts as a session key and must be utilized in all subsequent requests, in any other case they’re refused by the server. In addition to the complicated definitions of targets, the JSON object additionally defines whether or not to take a screenshot, self-destruct when completed, or obtain and execute an extra payload afterwards. An instance of response JSON object is proven in Determine 13.

Every server response additionally comprises a randomly generated key-value pair on the very starting – neither hexadecimal string is ever reused in subsequent C&C communications. In response to Zscaler analysis, this prevents static detection signatures on RC4-encrypted visitors, even when the identical encryption key’s used repeatedly. In Determine 13 the randomly generated nonce is “bf66e52”: “03030ac3e9a8cebf”.

After the preliminary registration, Stealc makes use of three extra operation varieties with self-explanatory names to carry out its performance:

• upload_file – exfiltrate collected information,
• loader – fetch and execute a follow-on payload, and
• completed – sign completion.

Clustering

As talked about, in contrast to Lumma Stealer’s, Stealc operators provide their associates no shared infrastructure. Much like our clustering method for Amadey, we utilized graph modeling to values extracted from Stealc configurations, mixed with our understanding of their goal, to higher comprehend the construction of the Stealc ecosystem. We ended up with a graph exhibiting that Stealc is certainly fractured into many small clusters (see Determine 14). Every cluster is centered round a small variety of C&C servers (usually only one) and usually tied to just a few construct IDs or C&C URL paths. Disrupting such infrastructure is subsequently a difficult activity as a result of lack of a weak level. General, we recognized a complete of 73 distinct clusters (see Determine 14) working Stealc since March 2025.

Conclusion

For world disruption operations reminiscent of Operation Endgame in opposition to Amadey and Stealc, long-term automated monitoring of malware is critical. This blogpost presents data collected in that method but additionally supplies particulars on the particular MaaS enterprise mannequin behind every household and the way that interprets into usually fragmented community infrastructure, paperwork their key static identifiers and C&C communication protocols, and descriptions how ESET researchers helped to establish vital factors for the disruption. Our risk intelligence on each Amadey and Stealc, mixed with information shared by our companions, supplied a robust basis for each the disruption operation and legislation enforcement efforts.

Operation Endgame aimed to grab or render inoperative all recognized Amadey and Stealc C&C servers, straight disrupting the infrastructure relied upon by each MaaS choices’ associates. ESET will proceed to watch each households and observe any makes an attempt to rebuild operational infrastructure following this disruption.

IoCs

A complete record of indicators of compromise (IoCs) and samples could be present in our GitHub repository.

Information

Community

MITRE ATT&CK methods

This desk was constructed utilizing model 19 of the MITRE ATT&CK framework.