CRITICAL: StealC Historical Bot Infections Special Report

LAST UPDATED: 2026-06-24

DEFAULT SEVERITY LEVEL: CRITICAL

The data in this Special Report is being shared as an output of the continuing international Law Enforcement cyber crime disruption effort called Operation Endgame, which had a third season of action announced on November 13th 2025, and continued with further disruption announced on June 18th 2026 and June 24th 2026. This Special Report dated 2026-06-24 contains data likely stolen by the StealC information stealer malware during the period between 4th July 2025 and 16th June 2026. You can read more about the StealC disruption operation in our blog post about this Special Report.

Shadowserver Special Reports are unlike all of our other standard free daily network reports. They do not cover a specific daily 24-hour time period.

Instead, we send out Special Reports in situations where we are able to share one-time, high value datasets that we feel should be reported responsibly for maximum public benefit. Sometimes there are incidents where it would be useful to notify potential victims about events or breaches that may have impacted them outside of the previous 24-hour period, because it may take a number of days for incident responders to conduct forensic investigations before analyzed data becomes available for sharing with potential victims. Although the events included in these Special Reports will fall outside of our usual 24-hour daily reporting window, we believe that there would still be significant benefit to our constituents in receiving and, hopefully, acting on the retrospective data.

If you have missed a Special Report because you were NOT yet a subscriber at the time a report was pushed out, simply subscribe for your network now and specifically request all recent Shadowserver Special Reports – and we will regenerate them specifically for your network, at no cost.

Note that the data shared across special reports may differ on a case by case basis, hence the report formats for individual Special Reports may be different.

The data in this StealC Historical Bot Infections Special Report was provided to Shadowserver by the Operation Endgame Law Enforcement partners to disseminate to National CERTs/CSIRTs and network owners globally, to maximize remediation efforts.

Note that exact timestamps were not available for individual events, so the timestamp field is set to "2026-06-24 00:00:00". Since only the first and last seen time for an infection was recorded in the StealC database, the first and last seen dates for an infected victim system represent a date range during which an infection was likely active. However, there could have been multiple shorter infections during that time period (and therefore periods without an active infection). Please note the comments below about the first and last seen times being based on the time reported by local system clocks, not a central server clock, and therefore being potentially subject to inaccuracy.

This special report has severity level CRITICAL set on all events. Severity levels are described here.

Filename prefix: 2026-06-24-special. Note: this is accessible in the API using 2026-06-24 as the search date.

Fields

  • timestamp
    The timestamp has been set to "2026-06-24 00:00:00", to represent when this one-off data set was distributed.
  • ip
    IP address of the affected device. In this case, the last IP address an infected victim bot was using at the last seen time (note that the bot may have changed IP addresses over time, but only the last seen IP address is available).
  • port
    TCP or UDP port identified (unused)
  • protocol
    Protocol associated with the malicious activity (unused)
  • asn
    Autonomous System Number of the affected device
  • geo
    Country of the affected device
  • region
    Region of the affected device
  • city
    City of the affected device
  • hostname
    Hostname of the affected device (may be from reverse DNS)
  • naics
    North American Industry Classification System Code
  • sector
    Sector of the IP in question
  • tag
    Additional tags for more insight
  • infection
    Description of the malware/infection
  • public_source
    Source of the data
  • status
    Status of the affected IP, for example, "infected" (was historically infected with the StealC malware)
  • detail
    URL to obtain more detail
  • account
    The Microsoft Windows user name of the infected user on the infected victim system
  • method
    Request method (unused)
  • severity
    Severity level
  • hostname_source
    Hostname source
  • first_seen_time
    The time an infected victim bot was first seen by the StealC backend. Note: first_seen_time is based on the time reported by the infected client when the StealC malware was first executed and credentials were stolen on the victim computer. That date was stored by StealC in a file containing system information (called system_info.txt) and is based on the local time reported by the victim's computer at that time, not a centralized server clock. Some infected devices may have had broken or inaccurate local system clocks, so the first_seen_time value provided can only be as accurate as the local computer system clock. We believe this data was likely stolen from infected victim systems during the period between 4th July 2025 and 16th June 2026.
  • last_seen_time
    The time an infected victim bot was last seen by the StealC backend (note that there could have been multiple infections, but only the last seen time is available). Note: last_seen_time is based on the time reported by the infected client when the StealC malware was last executed and/or credentials were stolen on the victim computer. That date was stored by StealC in a file containing system information (called system_info.txt) and is based on the local time reported by the victim's computer at that time, not a centralized server clock. Some infected devices may have had broken or inaccurate local system clocks, so the last_seen_time value provided can only be as accurate as the local computer system clock. We believe this data was likely stolen from infected victim systems during the period between 4th July 2025 and 16th June 2026.
  • potential_exposure_time
    The number of seconds between first and last seen times for this bot (note comments above about the potential inaccuracy of the first_seen_time and last_seen_time values due to the data being based on the locally reported system clock time)
  • machine_name
    The machine name of the infected victim system
  • url
    The URL captured by the StealC information stealing malware
  • login
    The login user name or other identifying credential captured by the StealC information stealing malware
  • password
    The password captured by the StealC information stealing malware, redacted with ****s for most characters (to allow local verification)
  • password_sha1
    The SHA1 hash of the password captured by the StealC information stealing malware, redacted as the first half of the hash only (to allow local verification)
  • password_ntlm
    The Windows NTLM hash of the password captured by the StealC information stealing malware, redacted as the first half of the hash only (to allow local verification)
  • estimated_server_first_seen_time
    The estimated time an infected victim bot was first seen by the StealC backend. Note: as per the comments on first_seen_time above, this time was not recorded on the server using its own clock, but has been added here as an estimate based on other data artifacts available from the server.
  • estimated_server_last_seen_time
    The estimated time an infected victim bot was last seen by the StealC backend. Note: as per the comments on last_seen_time above, this time was not recorded on the server using its own clock, but has been added here as an estimate based on other data artifacts available from the server.

Sample

"timestamp","ip","port","protocol","asn","geo","region","city","hostname","naics","sector","tag","infection","public_source","status","detail","account","method","severity","hostname_source","first_seen_time","last_seen_time","potential_exposure_time","machine_name","url","login","password","password_sha1","password_ntlm","estimated_server_first_seen_time","estimated_server_last_seen_time"
"2026-06-24 00:00:00",192.168.0.1,,,64512,ZZ,Region,City,node01.example.com,0,,,StealC,operation-endgame,infected,https://operation-endgame.com/,user,,critical,ptr,"2025-12-19 07:42:30","2026-01-06 12:27:51",1572321,node01,android://192.168.0.1/,1001,******1,b24a6b087668cdb7,eed992949c9e1243,"2025-12-19 07:42:30","2026-01-06 12:27:51"
"2026-06-24 00:00:01",192.168.0.2,,,64512,ZZ,Region,City,node02.example.com,0,,,StealC,operation-endgame,infected,https://operation-endgame.com/,user,,critical,ptr,"2025-12-19 07:42:30","2026-01-06 12:27:51",1572321,node02,android://192.168.0.2/,1002,******2,935bd1b8fe8de932,857530059b27f18e,"2025-12-19 07:42:30","2026-01-06 12:27:51"
"2026-06-24 00:00:02",192.168.0.3,,,64512,ZZ,Region,City,node03.example.com,0,,,StealC,operation-endgame,infected,https://operation-endgame.com/,user,,critical,ptr,"2025-12-19 07:42:30","2026-01-06 12:27:51",1572321,node03,https://192.168.0.3/,1003,******3,935bd1b8fe8de932,857530059b27f18e,"2025-12-19 07:42:30","2026-01-06 12:27:51"
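The following Python is an added example (it is not Shadowserver's code and not part of the report) showing how a recipient can process rows in the format of the Sample above: it recomputes potential_exposure_time from first_seen_time and last_seen_time, flags rows whose victim-reported clocks cannot be right (the caveat in the field descriptions), and performs the local verification that the redacted password, password_sha1 and password_ntlm fields are designed for, by hashing a candidate password the affected user is known to use and comparing it against the truncated hashes. The two CSV rows, the candidate password, REPORT_DATE and all function names are constructed for this example; the NTLM hash is MD4 over the UTF-16LE encoding of the password, implemented inline because hashlib's md4 is often unavailable on modern OpenSSL builds, and the prefix comparison uses whatever hash prefix length the report supplies.

```python
import csv
import hashlib
import io
import struct
from datetime import datetime

# Report date used for the clock sanity check (assumption: the report's own date).
REPORT_DATE = datetime(2026, 6, 24)
TS_FMT = "%Y-%m-%d %H:%M:%S"

# Constructed rows shaped like the Sample section; not real victim data.
# Row 1 hashes the candidate password "password"; row 2 has first/last seen
# times after the report date, as a broken local clock would produce.
SAMPLE_CSV = '''"timestamp","ip","port","protocol","asn","geo","region","city","hostname","naics","sector","tag","infection","public_source","status","detail","account","method","severity","hostname_source","first_seen_time","last_seen_time","potential_exposure_time","machine_name","url","login","password","password_sha1","password_ntlm","estimated_server_first_seen_time","estimated_server_last_seen_time"
"2026-06-24 00:00:00",192.168.0.1,,,64512,ZZ,Region,City,node01.example.com,0,,,StealC,operation-endgame,infected,https://operation-endgame.com/,user,,critical,ptr,"2025-12-19 07:42:30","2026-01-06 12:27:51",1572321,node01,https://192.168.0.1/,1001,*******d,5baa61e4c9b93f3f0682,8846f7eaee8fb117,"2025-12-19 07:42:30","2026-01-06 12:27:51"
"2026-06-24 00:00:00",192.168.0.2,,,64512,ZZ,Region,City,node02.example.com,0,,,StealC,operation-endgame,infected,https://operation-endgame.com/,user,,critical,ptr,"2026-07-01 09:00:00","2026-07-02 09:00:00",86400,node02,https://192.168.0.2/,1002,******2,935bd1b8fe8de932,857530059b27f18e,"2026-07-01 09:00:00","2026-07-02 09:00:00"
'''


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320), needed for NTLM; inline so no OpenSSL legacy provider is required."""
    mask = 0xFFFFFFFF
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & mask
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)  # bit length, little-endian
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    rounds = (
        (F, 0x00000000, list(range(16)), (3, 7, 11, 19)),
        (G, 0x5A827999, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
        (H, 0x6ED9EBA1, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, const, ks, shifts in rounds:
            for i, k in enumerate(ks):
                a = rotl((a + fn(b, c, d) + X[k] + const) & mask, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate registers so each step updates the next one
        a, b, c, d = (a + aa) & mask, (b + bb) & mask, (c + cc) & mask, (d + dd) & mask
    return struct.pack("<4I", a, b, c, d)


def ntlm_hex(password: str) -> str:
    """Windows NTLM hash: MD4 over the UTF-16LE password."""
    return md4(password.encode("utf-16-le")).hex()


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def matches_mask(candidate: str, mask: str) -> bool:
    """True if the candidate fits the ****-redacted password: same length, same unmasked characters."""
    return len(candidate) == len(mask) and all(m == "*" or m == c for m, c in zip(mask, candidate))


def verify_credential(row: dict, candidate: str) -> bool:
    """Local verification: candidate must fit the mask and both truncated hash prefixes."""
    return (matches_mask(candidate, row["password"])
            and sha1_hex(candidate).startswith(row["password_sha1"].lower())
            and ntlm_hex(candidate).startswith(row["password_ntlm"].lower()))


def exposure_seconds(row: dict) -> int:
    """Seconds between first_seen_time and last_seen_time, as potential_exposure_time is defined."""
    first = datetime.strptime(row["first_seen_time"], TS_FMT)
    last = datetime.strptime(row["last_seen_time"], TS_FMT)
    return int((last - first).total_seconds())


def clock_warnings(row: dict) -> list:
    """Flag rows whose victim-reported local clocks produce impossible values."""
    warnings = []
    first = datetime.strptime(row["first_seen_time"], TS_FMT)
    last = datetime.strptime(row["last_seen_time"], TS_FMT)
    if last < first:
        warnings.append("last_seen_time precedes first_seen_time")
    if last > REPORT_DATE:
        warnings.append("last_seen_time is after the report date")
    if exposure_seconds(row) != int(row["potential_exposure_time"]):
        warnings.append("potential_exposure_time does not equal last minus first")
    return warnings


def load_rows(text: str) -> list:
    return list(csv.DictReader(io.StringIO(text)))


if __name__ == "__main__":
    for row in load_rows(SAMPLE_CSV):
        print(row["ip"], row["machine_name"], exposure_seconds(row), clock_warnings(row) or "clock ok",
              "candidate matches" if verify_credential(row, "password") else "candidate does not match")
```

Rows carrying a clock warning should still be treated as infected hosts; the warning only says that the first/last seen window cannot be trusted for timeline reconstruction, so the estimated_server_* fields are the better bound for those.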
