EXECUTIVE SUMMARY
Cybercriminal groups currently deploy information-stealing malware families like StealC and Amadey to target organizations across multiple sectors globally. These operations focus on harvesting sensitive data, particularly login credentials and session tokens, from compromised devices.
By infecting personal systems used by employees, attackers aim to bypass corporate security controls and gain unauthorized access to enterprise networks. The primary objective involves stealing corporate credentials to facilitate downstream crimes such as data theft, fraud, and ransomware attacks, effectively turning a single endpoint breach into a significant organizational risk.
The attack chain typically begins when a user downloads trojanized software or visits a malicious website that distributes the Amadey loader. Once executed, Amadey retrieves and installs the StealC infostealer on the victim's machine. StealC silently harvests saved passwords, cookies, and cryptocurrency wallet data from web browsers and applications, then transmits the stolen logs to attacker-controlled servers. The malware maintains persistence by communicating with command-and-control infrastructure to receive further instructions, which lets operators download additional payloads or update configurations, while the stealer often deletes itself afterwards to hinder forensic analysis.
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
|---|---|---|---|
| Resource Development | T1583.001 | Acquire Infrastructure | Domains |
| Initial Access | T1566.001 | Phishing | Spearphishing Attachment |
| Execution | T1204 | User Execution | — |
| Execution | T1059.001 | Command and Scripting Interpreter | PowerShell |
| Defense Evasion | T1070.004 | Indicator Removal | File Deletion |
| Defense Evasion | T1027 | Obfuscated Files or Information | — |
| Credential Access | T1555.003 | Credentials from Password Stores | Credentials from Web Browsers |
| Credential Access | T1552.001 | Unsecured Credentials | Credentials In Files |
| Discovery | T1082 | System Information Discovery | — |
| Discovery | T1057 | Process Discovery | — |
| Collection | T1113 | Screen Capture | — |
| Command and Control | T1071.001 | Application Layer Protocol | Web Protocols |
| Command and Control | T1105 | Ingress Tool Transfer | — |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | — |
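As an added example (not part of this report or of the vendor material it cites), the Python script below shows one way a defender could correlate endpoint telemetry against the techniques in the profile above: it tags each event with a technique ID and flags a host only when the chain described in the summary (PowerShell execution, browser credential-store access, web-protocol C2, then self-deletion) appears in that order. The event schema, regexes and sample events are assumptions constructed for illustration, not StealC or Amadey indicators.

```python
# Added example: map constructed endpoint telemetry to the ATT&CK techniques in the
# threat profile and flag a host once the full infostealer chain is seen in order.
import re
from collections import defaultdict

# Each rule: (technique_id, event_type, pattern over the event's "detail" field)
RULES = [
    ("T1059.001", "process", re.compile(r"(^|\\)powershell(\.exe)?\b", re.I)),
    ("T1555.003", "file_read", re.compile(r"\\User Data\\.*\\(Login Data|Cookies)$", re.I)),
    ("T1071.001", "network", re.compile(r"^(POST|GET) https?://", re.I)),
    ("T1070.004", "process", re.compile(r"\bcmd(\.exe)?\b.*\b(del|erase)\b", re.I)),
]
# Expected order of the chain; every stage must appear, in this sequence
CHAIN = ["T1059.001", "T1555.003", "T1071.001", "T1070.004"]

def tag_event(event):
    """Return the set of technique IDs whose rule matches this event."""
    return {tid for tid, etype, pat in RULES
            if event["type"] == etype and pat.search(event["detail"])}

def find_chains(events):
    """Return {host: [technique IDs in order of first sighting]} for hosts completing CHAIN."""
    seen = defaultdict(list)  # host -> ordered list of first-seen technique IDs
    for ev in sorted(events, key=lambda e: e["ts"]):
        for tid in tag_event(ev):
            if tid not in seen[ev["host"]]:
                seen[ev["host"]].append(tid)
    flagged = {}
    for host, tids in seen.items():
        # keep only chain stages, then require the whole chain in the expected order
        stages = [t for t in tids if t in CHAIN]
        if stages == CHAIN:
            flagged[host] = tids
    return flagged

# Constructed sample telemetry (not real indicators): WS-01 completes the chain,
# WS-02 only shows routine PowerShell use and a browser update download.
SAMPLE_EVENTS = [
    {"ts": 1, "host": "WS-01", "type": "process", "detail": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File setup.ps1"},
    {"ts": 2, "host": "WS-01", "type": "file_read", "detail": r"C:\Users\a\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"ts": 3, "host": "WS-01", "type": "network", "detail": "POST http://203.0.113.10/upload"},
    {"ts": 4, "host": "WS-01", "type": "process", "detail": r'cmd.exe /c del "C:\Users\a\Downloads\setup.exe"'},
    {"ts": 1, "host": "WS-02", "type": "process", "detail": r"powershell.exe -Command Get-Service"},
    {"ts": 2, "host": "WS-02", "type": "network", "detail": "GET https://update.example.com/chrome.msi"},
]

if __name__ == "__main__":
    for host, tids in find_chains(SAMPLE_EVENTS).items():
        print(f"{host}: infostealer chain observed -> {tids}")
```

Real telemetry would need the same rules expressed against your EDR's field names, and the order check is what keeps ordinary PowerShell or browser-update traffic from firing on its own.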
REFERENCES:
The following report contains further technical details:
https://www.microsoft.com/en-us/security/blog/2026/06/24/stealc-and-amadey-breaking-down-infostealers-and-the-cybercrime-services-that-deliver-them/