1 malware family

Plymouth

Also known asPlymouth

Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial

OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Where they target

Geographies tied to known operations.

🇺🇸 United States
🇵🇱 Poland
🇮🇹 Italy

MITRE ATT&CK

Tradecraft

32 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

7 of 15 tactics36 techniques×N= number of intelligence reports citing this technique

MITRE ATT&CK

TA0002

Execution

4 techniques

T1059

Command and Scripting Interpreter

T1059.003

Windows Command Shell

T1106

Native API

T1129

Shared Modules

T1204

User Execution

TA0005

Stealth

4 techniques

T1027×2

Obfuscated Files or Information

T1027.007×2

Dynamic API Resolution

T1070

Indicator Removal

T1070.004

File Deletion

T1140

Deobfuscate/Decode Files or Information

T1622

Debugger Evasion

TA0006

Credential Access

3 techniques

T1539×3

Steal Web Session Cookie

T1552

Unsecured Credentials

T1552.001

Credentials In Files

T1555×2

Credentials from Password Stores

T1555.003

Credentials from Web Browsers

TA0007

Discovery

8 techniques

T1012

Query Registry

T1016

System Network Configuration Discovery

T1057

Process Discovery

T1082

System Information Discovery

T1083

File and Directory Discovery

T1518

Software Discovery

T1614

System Location Discovery

T1614.001

System Language Discovery

T1622

Debugger Evasion

TA0009

Collection

4 techniques

T1005×2

Data from Local System

T1113×3

Screen Capture

T1119

Automated Collection

T1560

Archive Collected Data

TA0011

Command and Control

3 techniques

T1071

Application Layer Protocol

T1071.001×2

Web Protocols

T1105×2

Ingress Tool Transfer

T1132

Data Encoding

T1132.001

Standard Encoding

TA0010

Exfiltration

2 techniques

T1020

Automated Exfiltration

T1041

Exfiltration Over C2 Channel

ARSENAL

Associated malware families

1 malware family attributed to this actor across reporting.

FamilyContextEvidenceLast seen

StealCStealC, on the other hand, has leveraged various initial access vectors ranging from malware loaders (including Amadey) and ClickFix lures, and is equipped to extract sensitive information, such as screenshots, credentials, session cookies, autofill entries, credit card data, browsing history, and extension data. ... It also acts as a secondary loader, capable of downloading and executing EXE, MSI, or PowerShell payloads based on commands from an external server.1Jun 24, 2026

IOCS

Observables

136 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.

136 IOCsView more in app

uri

89 total

••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••+81

ip.v4

37 total

••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••+29

Domains

5 total

••••••.com•••••••.ru••••••••.com•••••••••.net••••••••••.com

hash.sha256

5 total

••••••••••••••••••••••••••••••••••••••••••••••••••

IOC values are gated. View more in Mallory for domains, IPs, hashes, and other artifacts, or pipe them straight into your SIEM.

ACTIVITY FEED

Recent activity

1 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

1 SOURCESView more in app

the hacker newsNews

Jun 24, 2026

Amadey and StealC Malware Network Disrupted, 27M Stolen Credentials Recovered

Sells and maintains the StealC malware-as-a-service infostealer, which steals credentials, cookies, payment data, and other sensitive information and can also act as a secondary loader.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.

Start free trial

Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping32

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal1

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables136

Domains, IPs, and hashes tied to this actor, refreshed continuously.