Microsoft has adopted a new approach to tackling cybercrime by targeting the broader cyberattack supply chain rather than focusing solely on individual services. In a recent blog post, Microsoft revealed how it disrupted two widely used cybercrime tools, Amadey and StealC, after AI-assisted analysis helped uncover that both relied on similar underlying infrastructure.
The operation targeted what Microsoft described as the cybercrime “assembly line,” where coordinated tools are used to facilitate ransomware attacks, financial fraud, and disruptions to public services. Amadey and StealC are often deployed together as part of these attack chains.
Microsoft’s findings show that Amadey is typically used to gain access to compromised devices, while StealC is designed to steal passwords and other sensitive information. Together, they form a critical link in the cybercrime ecosystem. Working alongside Europol and industry partners, Microsoft said it was able to target both tools simultaneously.
As part of the operation, Microsoft identified more than 140,000 infected computers worldwide, highlighting the widespread use of these cybercrime tools.
How This Crackdown Differs From Previous Operations
This time, Microsoft made expanded use of AI-driven analysis throughout the investigation. Although Amadey and StealC were developed by separate cybercriminal groups, investigators found that they relied on shared infrastructure. To better understand how the tools operated and interacted, Microsoft used AI technologies, including Copilot, as part of the investigation.
Microsoft said AI tools, including Copilot, helped investigators analyze malware more efficiently by allowing them to query complex code in plain English, significantly reducing the time needed to uncover hidden data and identify links between cybercrime operations.
These insights enabled Microsoft’s legal team to treat the Amadey and StealC malware networks as part of a single criminal conspiracy, leading to broader legal action under RICO. As part of the operation, Microsoft’s Digital Crimes Unit disrupted more than 200 command-and-control servers, reflecting a new strategy of targeting interconnected cybercrime ecosystems rather than individual tools.
Insights From The Investigation
Microsoft highlighted that cybercrime is no longer a series of isolated attacks but a coordinated ecosystem. According to the company, specialized tools now handle different stages of an attack chain—one tool gains access to a device, another steals credentials, while others sell or exploit that access for fraud, ransomware, espionage, and other malicious activities. Different threat actors may be involved at each stage of the process.
Microsoft said that by targeting multiple points in the cybercrime chain simultaneously, it can reduce the likelihood that a single compromise escalates into widespread harm. “Fewer attacks succeed, and fewer people feel the impact when they do,” the company noted.
The disruption is part of Microsoft’s broader effort to continuously track emerging cybercrime infrastructure and prevent attackers from quickly rebuilding their operations. The company plans to incorporate insights from the investigation into its automated disruption programs, which help accelerate the takedown of malicious domains and services. According to Microsoft, the goal extends beyond dismantling a single operation—it aims to make cyberattacks harder to launch, scale, and recover from by combining AI-driven analysis, legal action, and industry partnerships.