ESET takes half in Operation Endgame to disrupt Amadey and Stealc

A yr in the past, ESET Analysis was a part of two main operations that disrupted a number of the main cybercriminal operations on the time, Lumma Stealer and Danabot. Extra not too long ago, our researchers are as soon as once more collaborating with personal companions and regulation enforcement, however this time taking goal on the Amadey botnet and Stealc infostealer, each supplied by way of malware-as-a-service (MaaS) choices. Operation Endgame – coordinated by Microsoft Digital Crimes Unit (DCU), BitSight, Lumen, Mitsui Bussan Safe Instructions (MBSD), and different companions – focused all identified community infrastructure utilized by Amadey and Stealc associates as a way to cripple their cybercriminal operations.

ESET contributed to this effort by offering technical analyses, statistical data, identified command and management (C&C) servers, encryption keys, marketing campaign and construct identifiers, and different risk intelligence collected throughout our long-term monitoring of each malware households.

Key factors of this blogpost:

• ESET took half within the coordinated, international Operation Endgame to disrupt Amadey and Stealc.
• Operation Endgame impacted round 50 domains and almost 200 lively IP-based C&C servers related to Amadey and Stealc.
• ESET supplied technical analyses, statistical data, identified C&C servers, encryption keys, marketing campaign identifiers, and different insights.
• We offer an outline of the MaaS ecosystem on the affiliate degree for each malware households.
• We describe how we clustered Amadey and Stealc exercise.
• We summarize the technical properties most related to monitoring and disruption, together with C&C communications, embedded identifiers, and encryption keys.
• We element overlaps between actions of Amadey and associates of Lumma Stealer.

Disruption contribution

ESET Analysis has been monitoring each the Amadey botnet and Stealc infostealer for the previous three years. For this disruption operation, we shared statistics overlaying This autumn 2025 by means of H1 2026, together with technical indicators and configuration knowledge extracted from processed malware samples.

Our automated methods have been dissecting Amadey and Stealc samples and figuring out the fields most related for large-scale monitoring. These embrace C&C servers, construct identifiers, encryption keys, URL paths, marketing campaign identifiers, and different embedded values utilized by the malware households throughout communication with attacker-controlled infrastructure.

A serious focus of our work was discovering dependable strategies to deal with the big quantity of processed samples and to cluster them. This was significantly helpful as a result of each Amadey and Stealc are offered as providers. As such, the malware samples are distributed and operated by associates, typically operating their very own infrastructure, producing or requesting their very own builds, and orchestrating their very own campaigns. Figuring out exercise clusters in such ecosystems permits us to identify high-priority targets for disruptions like this one.

Sharing technical analyses, statistical data, and risk intelligence, corresponding to C&C server lists, affiliate identifiers, and encryption keys, allows regulation enforcement companies to establish, prioritize, and act towards infrastructure with a excessive diploma of confidence. IoCs additionally assist distinguish between particular person clusters, shared infrastructure, and high-impact botnets whose disruption is more likely to have the best affect on the general risk panorama. Finally, the disruption affected round 50 domains and almost 200 lively IPs used as C&C servers for both Amadey or Stealc.

Disrupted malware households

Amadey is a modular malware loader. Its fundamental goal is to distribute further malware to compromised methods, though it additionally presents modules for knowledge exfiltration and distant entry.

Stealc, in distinction, is a typical infostealer as a service. It targets credentials, cookies, cryptocurrency wallets, browser extensions, and recordsdata whose names match affiliate-defined patterns.

Each malware households are offered as providers and marketed on darknet boards. For visibility into darknet boards, we used Flare.io, a risk intelligence platform that displays underground communities. In each ecosystems, associates obtain a self-hosted administration panel that should be deployed on their very own server infrastructure. This requires a sure degree of technical ability from associates and in addition provides them direct management over sufferer knowledge and payload distribution.

This mannequin differs from different MaaS ecosystems. For instance, Danabot associates can select to lease C&C infrastructure as a service, whereas Lumma Stealer used an exfiltration community totally managed by its operators. Within the case of Amadey and Stealc, associates are accountable for deploying and working their very own infrastructure, making disruption efforts tougher, which is why the clustering method was important.

Whereas distribution strategies in the end rely on every particular person affiliate, ESET telemetry constantly confirmed that each malware households had been delivered by means of a variety of channels. The commonest strategies included faux software program updates, cracked software program installers, and third-party malware loaders.

Amadey used a pay-per-rebuild mannequin. Associates bought a license after which paid a further charge every time they wanted to generate a brand new construct, for instance when rotating to a brand new C&C server. In different phrases, Amadey operators didn’t present associates with a builder software; as an alternative, samples had been compiled on request for every affiliate.

Stealc took a extra affiliate-friendly method, providing limitless construct technology (Determine 1) as a part of its subscription. This lowered the operational price of rotating C&C infrastructure and made it simpler for associates to generate new samples as wanted.

Making an attempt to keep away from impersonation scams, operators of each providers explicitly instructed potential associates on darknet boards to contact them solely by means of official channels. Amadey directed consumers to personal messages on the darknet discussion board the place it’s marketed, whereas Stealc used personal messages on darknet boards or Telegram.

Amadey

Amadey is a modular malware loader that has been marketed on darknet boards by account identify InCrease since October 2018. Over time, it has grow to be one of many extra steady and actively maintained malware households, with ongoing assist supplied by means of darknet discussion board channels.

Our telemetry detection fee, proven in Determine 2, signifies that Amadey was noticed globally with no particular regional focus, though the very best detection charges had been noticed in India, Turkey, Egypt, Mexico, and Spain.

The first operate of Amadey is to distribute further malware to victims. In addition to that, it presents three modules for additional knowledge exfiltration and entry: clipboard monitoring, credential theft, and VNC-based distant entry.

The service is priced at US$600, paid in Bitcoin, for a single license, with a further US$50 charged per rebuild. This implies associates incur a value every time they generate a brand new construct, corresponding to when rotating to a recent C&C server. This pricing has remained largely unchanged because the earliest marketed variations, suggesting a steady and established buyer base.

Over time we’ve noticed ongoing model updates (Determine 3) and lively growth of Amadey. Probably the most vital milestone in Amadey’s growth got here in August 2020 (v1.99.5), when the complete codebase was fully rewritten. The second main evolution arrived within the launch of v5.03 in October 2024, which delivered a dense wave of latest capabilities: hVNC with reverse join, MSI silent installer assist, RDP enabling, cmd.exe execution with SYSTEM privileges, and built-in assist for encrypted payloads. Total, the vast majority of the opposite, extra minor updates served one implicit however fixed goal: evading AV detections as they appeared.

Technical overview

Every Amadey pattern incorporates at the least one hardcoded C&C server URL, with the configuration supporting as much as three entries. Samples additionally embed an RC4 key used for encrypting communications with the C&C server.

Our evaluation confirmed that the RC4 key extracted from every pattern serves as a dependable cluster identifier, permitting us to cluster samples into particular person botnets, which we talk about in additional element within the Clustering part.

A second hardcoded worth, internally known as sd, is a random-looking six-character hexadecimal string matching the sample [0-9a-f]{6}. It’s transmitted through the preliminary C&C handshake and probably identifies a selected construct inside an affiliate’s deployment. Though it’s typically referred to as a marketing campaign ID or Amadey ID by researchers, Amadey’s pay-per-build enterprise mannequin means that it extra precisely represents a construct identifier.

Every pattern additionally carries a model quantity. Our evaluation focuses on model v5.x, which has been the dominant variant noticed in ESET telemetry because the starting of 2025.

This bot additionally checks the sufferer’s keyboard structure. If it matches a structure related to a CIS nation, all community communication is silently rejected. Menace actors working from Japanese Europe generally use this kind of built-in safeguard to keep away from affecting companies and governmental entities within the area, decreasing the danger of consideration or prosecution by native authorities. As well as, these operators typically comply with such practices to keep away from potential backlash from their friends for concentrating on “their very own folks” or for violating the foundations of darknet boards the place their providers are marketed.

This part supplies solely a high-level overview of Amadey, as deep technical evaluation has already been printed within the Swisscom report.

C&C communications

Amadey communicates with its C&C server over HTTP utilizing POST requests. At a excessive degree, communication follows a three-stage lifecycle:

• Preliminary beacon – the bot sends a minimal st=s HTTP POST request to the C&C server. The server responds with a sleep interval, for instance <c>10<d>, instructing the bot to attend 10 minutes between subsequent check-ins.
• Registration – the bot transmits RC4-encrypted system data encoded as a flat key-value string. This knowledge consists of the working system model, username, PC identify, put in antivirus product, administrative privileges, sd worth, and different host data. Notably, the RC4 key itself is rarely transmitted over the community. Based mostly on our telemetry, no server was noticed serving duties for multiple RC4 key at a time, suggesting that every pattern should talk with a C&C server that already is aware of and expects that actual RC4 key. The server responds with a job listing.
• Tasking – duties are delivered as structured command strings delimited by <c> and <d> tags with particular person instructions separated by # characters, as proven in Determine 4. Every job encodes a command kind, corresponding to downloading and executing an EXE, beginning VNC, or operating a stealer plugin. Duties additionally embrace parameters corresponding to a privilege escalation flag, goal listing, and payload URL.

Every job has its personal processing logic, starting from easy download-and-execute instructions to extra complicated execution of hVNC or proxy elements. The inside workings have been documented in earlier technical reporting.

Clustering

When monitoring MaaS malware, a key problem is discovering a dependable solution to group samples belonging to the identical risk actor. Understanding the enterprise mannequin and the distribution of community infrastructure is thus important for profitable disruption, as a result of it permits defenders and regulation enforcement to establish the important factors the place motion may have the best affect. On this part, we clarify our methodology.

Amadey samples include three key hardcoded configuration values:

• C&C URLs,
• RC4 keys used for C&C communications, and
• the sd worth transmitted through the preliminary C&C handshake.

Over the course of our monitoring, we seen that Amadey C&C URLs comply with a constant sample:

http(s)?://<C&C>/<random_path>/index.php

Additional, the identical <random_path> URL half was used with totally different C&C servers (see Determine 5). As this worth seems to be a random string, seeing it tied to a number of C&C servers over time appeared like a robust indicator that the C&C servers are operated as a part of the identical cluster. Due to this fact, we additional decomposed the C&C URL into these two components: the IP tackle or area and the URL <random_path>.

Utilizing values from the samples’ configuration, mixed with our understanding of their goal, we leveraged graph modeling to achieve insights into the construction of the Amadey ecosystem. On first look at Determine 6, we clearly see that, certainly, there isn’t a shared infrastructure, however fairly a number of smaller sub-botnets with one clearly dominating. We dive deeper into that largest cluster within the subsequent part.

To conclude, the principle takeaways are:

1. We recognized a complete of 53 distinctive clusters contained in the Amadey ecosystem.
2. Every sd worth is tied to precisely one RC4 key.
3. RC4 keys are probably a helpful affiliate identifier, as rebuilds protect the important thing whereas altering the sd worth.
4. The C&C URL <random_path> half is sometimes reused when rotating C&C servers, serving as dependable proof of such C&C servers belonging to the identical cluster.

The biggest Amadey botnet cluster

One cluster stands out as the most important, and it contributed almost 34% of all processed Amadey samples. This cluster was additionally the one one lively all through the complete analyzed time interval, as represented in our timeline in Determine 7.

The biggest botnet additionally dominated within the common variety of payloads distributed to victims per execution. Based mostly on our clustering methodology, Amadey samples belonging to the most important botnet delivered, on common, round 14 payloads to each sufferer concurrently (Determine 8).

The vary and variety of distributed malware households was broad, from infostealers and RATs to malware filled with complicated code protectors. Determine 9 supplies an perception into the payloads we detected being delivered all through the monitoring interval.

Moreover, ESET researchers had been in a position to acquire proof that many instances, a number of Lumma Stealer samples had been delivered to a single sufferer, every attributed to a unique affiliate (see our earlier Lumma Stealer analysis). This ends in a number of Lumma Stealer associates ending up with the identical stolen knowledge. This statement leads us to conclude that the risk actors controlling this largest cluster probably ran their very own pay-per-install (PPI) mannequin, additional monetizing their bots.

Stealc

In distinction to Amadey, Stealc is a typical consultant of an infostealer. It targets a broad vary of information sources, together with credentials saved by net browsers, electronic mail shoppers, FTP shoppers, gaming platforms, cryptocurrency pockets recordsdata, and browser extensions.

Stealc was launched on a darknet discussion board in February 2023, and we began monitoring it shortly thereafter. Our telemetry detection fee, proven in Determine 10, signifies that Stealc was distributed globally with no particular regional focus. The very best detection charges had been noticed in the USA, Poland, and Italy.

Stealc is marketed by a risk actor utilizing the moniker plymouth. The operators had been actively sustaining Stealc; every time a brand new model was launched, they disclosed launch notes in a darknet discussion board publish. There have been 37 such releases up to now three years. Stealc is offered as a month-to-month subscription, with pricing that has advanced solely barely:

• US$300 monthly
• US$700 for 3 months
• US$1,000 for six months

In March 2025, Stealc obtained a significant architectural replace with model 2, introducing vital adjustments to the community protocol and configuration construction and – since then – this model has dominated in our telemetry. By June 2026, it had reached model 2.22.1, as proven in Determine 11.

In addition to its fundamental targets, Stealc features a configurable file grabber that enables associates to specify customized patterns defining recordsdata to exfiltrate from compromised machines. Its C&C communications and embedded strings are protected by RC4 encryption with per-build keys.

Stealc doesn’t depend on a single, standardized distribution technique – every affiliate is accountable for its personal supply mechanisms. Nevertheless, much like Amadey, our telemetry signifies that sure vectors constantly stand out – significantly trojanized software program installers and established malware loaders (like Amadey).

Technical overview

An in depth technical evaluation of Stealc v2 has already been printed by Lumma-Labs. On this part, we deal with the properties usable for clustering.

Present variations of Stealc embed two distinct RC4 keys per pattern:

• one to decrypt obfuscated strings at runtime, and
• a second one to encrypt C&C community communications.

Along with the 2 RC4 keys, we’ve been extracting the construct identifier from Stealc samples. This worth represents a person Stealc marketing campaign, and in contrast to different strings it’s not protected within the binary. The worth is essential as a result of it’s transmitted as a part of the C&C handshake (see Determine 12).

The C&C server tackle and URL path used for communications are each saved among the many RC4-encrypted strings and have been extracted as a part of our automated configuration unpacking pipeline.

C&C communications

Stealc communicates with its C&C server over HTTP utilizing RC4-encrypted JSON objects. The preliminary request despatched to the C&C incorporates three values:

• a construct identifier (construct),
• a fingerprint of the compromised machine (hwid), and
• the request kind (this preliminary request is of the kind create).

The machine fingerprint is derived from the system’s quantity serial quantity and formatted as a UUIDv4 string. An instance JSON object for this preliminary request is proven in Determine 12.

The C&C server responds with a posh JSON object that defines what options Stealc ought to carry out. Alongside that, the response incorporates a randomly generated access_token worth that acts as a session key and must be utilized in all subsequent requests, in any other case they’re refused by the server. In addition to the complicated definitions of targets, the JSON object additionally defines whether or not to take a screenshot, self-destruct when completed, or obtain and execute a further payload afterwards. An instance of response JSON object is proven in Determine 13.

Every server response additionally incorporates a randomly generated key-value pair on the very starting – neither hexadecimal string is ever reused in subsequent C&C communications. In line with Zscaler analysis, this prevents static detection signatures on RC4-encrypted site visitors, even when the identical encryption key’s used repeatedly. In Determine 13 the randomly generated nonce is “bf66e52”: “03030ac3e9a8cebf”.

After the preliminary registration, Stealc makes use of three further operation varieties with self-explanatory names to carry out its performance:

• upload_file – exfiltrate collected knowledge,
• loader – fetch and execute a follow-on payload, and
• performed – sign completion.

Clustering

As talked about, in contrast to Lumma Stealer’s, Stealc operators supply their associates no shared infrastructure. Just like our clustering method for Amadey, we utilized graph modeling to values extracted from Stealc configurations, mixed with our understanding of their goal, to higher comprehend the construction of the Stealc ecosystem. We ended up with a graph displaying that Stealc is certainly fractured into many small clusters (see Determine 14). Every cluster is centered round a small variety of C&C servers (typically only one) and sometimes tied to just a few construct IDs or C&C URL paths. Disrupting such infrastructure is subsequently a difficult job because of the lack of a weak level. Total, we recognized a complete of 73 distinct clusters (see Determine 14) working Stealc since March 2025.

Conclusion

For international disruption operations corresponding to Operation Endgame towards Amadey and Stealc, long-term automated monitoring of malware is critical. This blogpost presents data collected in that method but additionally supplies particulars on the particular MaaS enterprise mannequin behind every household and the way that interprets into typically fragmented community infrastructure, paperwork their key static identifiers and C&C communication protocols, and descriptions how ESET researchers helped to establish important factors for the disruption. Our risk intelligence on each Amadey and Stealc, mixed with knowledge shared by our companions, supplied a robust basis for each the disruption operation and regulation enforcement efforts.

Operation Endgame aimed to grab or render inoperative all identified Amadey and Stealc C&C servers, straight disrupting the infrastructure relied upon by each MaaS choices’ associates. ESET will proceed to watch each households and observe any makes an attempt to rebuild operational infrastructure following this disruption.

IoCs

A complete listing of indicators of compromise (IoCs) and samples will be present in our GitHub repository.

Information

Community

MITRE ATT&CK methods

This desk was constructed utilizing model 19 of the MITRE ATT&CK framework.