Operation Endgame Dismantles Notorious StealC & Amadey Global Malware Networks | #cybercrime | #infosec


International law enforcement agencies, working alongside Microsoft and leading cybersecurity firms, have dealt another significant blow to the global cybercrime ecosystem after dismantling the infrastructure supporting the StealC infostealer and Amadey malware operations.

The coordinated action marks the latest phase of Operation Endgame, one of the largest international campaigns ever launched against the digital infrastructure that enables ransomware attacks, credential theft, financial fraud and large-scale cybercrime.

Authorities announced that hundreds of servers and malicious domains linked to the two malware-as-a-service (MaaS) operations have been disrupted, while millions of euros' worth of cryptocurrency connected to the criminal networks have been frozen. Investigators also revealed that tens of millions of stolen login credentials have been recovered, highlighting the enormous scale of the criminal ecosystem that has evolved around information-stealing malware.

Major international operation targets cybercrime infrastructure

The latest action follows an earlier Operation Endgame success announced on 18 June, when investigators dismantled infrastructure connected to the SocGholish malware framework. During that operation, authorities disabled more than 100 servers and domains while cleaning nearly 15,000 compromised websites that had been weaponized to infect unsuspecting visitors.

Building on that success, investigators shifted their attention to StealC and Amadey—two malware families that have become increasingly intertwined within the modern cybercrime supply chain.

According to Europol, the coordinated operation resulted in action against 326 servers and 142 malicious domains, significantly disrupting the infrastructure used to distribute and manage both malware families. Authorities also identified and froze more than €41 million ($47 million) in cryptocurrency believed to be linked to the criminal enterprise, representing one of the largest financial seizures associated with malware infrastructure in recent years.

The operation involved law enforcement agencies from the Netherlands, Germany, Canada and the United States, working alongside Europol, Eurojust and several private cybersecurity companies, demonstrating the increasingly close cooperation between governments and industry in combating transnational cybercrime.


Microsoft launches legal offensive against malware operators

Alongside the technical takedown, Microsoft’s Digital Crimes Unit initiated legal proceedings in the United States targeting individuals allegedly involved in operating and supporting the StealC and Amadey malware ecosystem.

Rather than focusing solely on the malware developers themselves, Microsoft’s lawsuit extends to affiliates and infrastructure providers accused of enabling the broader criminal operation.

Steven Masada, Assistant General Counsel with Microsoft’s Digital Crimes Unit, said investigators discovered that although Amadey and StealC originated from separate criminal groups, they frequently relied on overlapping infrastructure.

Using artificial intelligence-assisted analysis, Microsoft’s investigators were able to map relationships between command-and-control servers, malware campaigns and affiliate activity that would have previously required months of manual investigation.

Those findings enabled Microsoft's legal team to bring the case under the U.S. Racketeer Influenced and Corrupt Organizations (RICO) Act, treating multiple operators as participants in a single coordinated criminal conspiracy rather than as isolated actors. According to the company, this broader legal strategy reflects the increasingly interconnected nature of today's cybercrime economy.

More than 140,000 infected devices identified

Microsoft’s telemetry illustrates just how widespread the threat had become.

During only the first two weeks of May 2026, security researchers observed more than 140,000 computers worldwide infected with either Amadey or StealC.

The company also identified over 18,000 compromised computers directly under the control of the criminal infrastructure targeted during the operation. Microsoft says it has now severed communications between those infected devices and the attackers while working with internet service providers and telecommunications companies to notify affected users and reduce further infections.



Understanding how Amadey and StealC work together

Although both malware families are sold separately as Malware-as-a-Service offerings on underground cybercrime forums, they frequently appear together during attacks.

Amadey, first observed in 2018, functions primarily as a loader and botnet platform. Once installed on a victim’s computer, it establishes persistence, communicates with remote command servers and downloads additional malware chosen by its operators. Because of its modular architecture, cybercriminals can easily customize infections depending on their objectives.

StealC, introduced in early 2023, focuses on harvesting valuable information from compromised systems. The malware targets browser passwords, cookies, authentication tokens, cryptocurrency wallets, autofill information, browser extensions, password managers and numerous desktop applications.

Security researchers often describe the pairing as an efficient cybercrime production line. Amadey provides the initial access, while StealC monetizes that access by stealing credentials and financial data that can later be sold on underground marketplaces or used to facilitate ransomware attacks, business email compromise, cryptocurrency theft and account takeover campaigns.

Researchers exploited flaw in StealC infrastructure

Private-sector researchers played a critical role in enabling the operation.

Proofpoint and IBM X-Force disclosed that they had identified a vulnerability within StealC’s command-and-control administration panel. Rather than immediately disclosing the weakness publicly, researchers coordinated with law enforcement to exploit it during the disruption campaign.

By leveraging the vulnerability, investigators extracted malware configurations containing command-and-control URLs, campaign identifiers, affiliate information, encryption keys and unique bot identifiers. These details allowed investigators to map relationships between infrastructure operated by different criminal affiliates and identify previously unknown components of the malware ecosystem.

Researchers also developed a custom StealC bot emulator capable of safely reproducing the malware’s network communications. This allowed analysts to observe the payloads distributed through infected systems without exposing real victims to additional malware.

Their analysis revealed that StealC rarely operated in isolation. In some campaigns, victims received only a single secondary payload, such as another credential stealer or a remote access trojan. More commonly, however, StealC delivered additional loader malware that subsequently downloaded ransomware or other sophisticated malware families.

One documented infection chain observed by researchers involved StealC deploying XTinyLoader, which ultimately installed a LockBit Black ransomware payload—demonstrating how information stealers frequently serve as an entry point for much larger ransomware attacks.

Microsoft's threat analysts also published an analysis of both MaaS operations and shared indicators of compromise (IoCs) associated with Amadey and StealC infections.

Millions of stolen credentials recovered

Perhaps one of the most significant outcomes of the operation involves the enormous cache of stolen credentials recovered during the investigation.

Europol says investigators have traced nearly 27 million compromised login credentials connected to the criminal infrastructure disrupted during the latest phase of Operation Endgame.

Those credentials include usernames and passwords stolen from infected individuals and organizations across multiple countries. Such information often becomes a valuable commodity on cybercrime marketplaces, where access brokers sell compromised accounts to ransomware groups, financial fraud operations and nation-state threat actors.

Following last week’s SocGholish disruption, many compromised credentials were transferred to the Have I Been Pwned notification service, allowing victims to determine whether their information had been exposed. Officials have not yet confirmed whether credentials recovered during the StealC and Amadey operation will also be incorporated into the service.
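The page mentions only Have I Been Pwned's breach notification service, which tells a victim whether their e-mail address appears in a recovered dataset. The same service also publishes the Pwned Passwords corpus behind a k-anonymity range API, and the example below, added here and not part of the original article or of any Operation Endgame tooling, shows how a client checks a password against that corpus without ever sending the password or its full hash: it transmits only the first five hex characters of the SHA-1 and compares the returned suffixes locally. The endpoint URL, response format and `Add-Padding` header are HIBP's documented API; the range response embedded in the block is constructed data with invented counts, not a real response.

```python
"""Check a password against HIBP Pwned Passwords with the k-anonymity range API.

The client never sends the password or its full hash. It sends the first 5 hex
characters of SHA-1(password); the service answers with every hash suffix it knows
for that prefix and how often each was seen; the comparison happens locally.
Range endpoint (documented by HIBP): GET https://api.pwnedpasswords.com/range/<prefix>
Response lines have the form <35-hex-char suffix>:<count>.
"""
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"

# CONSTRUCTED offline stand-in for a range response; the counts are invented and this
# is not real HIBP data. The second line is the genuine SHA-1 suffix of "password"
# (SHA-1 = 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8) so that one lookup hits.
CONSTRUCTED_RANGE_5BAA6 = """\
0123456789ABCDEF0123456789ABCDEF012:0
1E4C9B93F3F0682250B6CF8331B7EE68FD8:9000000
FEDCBA9876543210FEDCBA9876543210FED:3
"""


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split uppercase hex SHA-1(password) into the 5-char prefix that is sent to the
    service and the 35-char suffix that is only ever compared locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse '<suffix>:<count>' lines into a dict. Entries with count 0 are padding
    the service adds when the client sends 'Add-Padding: true'; drop them."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if not sep:
            continue
        n = int(count)
        if n > 0:
            counts[suffix.upper()] = n
    return counts


def fetch_range(prefix: str) -> str:
    """Live lookup. Only the 5-char prefix leaves the machine; padding hides the true
    number of suffixes in the range from anyone watching the connection."""
    req = urllib.request.Request(
        PWNED_RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "range-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def offline_fetch(prefix: str) -> str:
    """Stand-in for fetch_range that serves the constructed data above (example only)."""
    return CONSTRUCTED_RANGE_5BAA6 if prefix == "5BAA6" else ""


def pwned_count(password: str, fetch: Callable[[str], str] = fetch_range) -> int:
    """How many times the password appears in the corpus (0 = no known exposure).
    `fetch` is injectable so the same logic runs offline against a stored response."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch(prefix)).get(suffix, 0)


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(f"{pw!r}: seen {pwned_count(pw, fetch=offline_fetch)} times (constructed data)")
```

Two caveats a practitioner should keep in mind. A count of zero means the password is not in the corpus, not that it is safe; and a credential lifted by an infostealer is compromised regardless of its strength, so the right response to an exposure notice is rotation plus revocation of existing sessions, not merely a stronger replacement.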

Why infostealers have become a priority

Information-stealing malware is considered among the most dangerous threats facing organizations because it often represents the first stage of a much larger attack.

Rather than immediately deploying ransomware, criminals frequently begin by harvesting usernames, passwords, browser cookies and session tokens. These stolen credentials are then sold through underground marketplaces to other criminal groups specializing in ransomware deployment, financial fraud or corporate espionage.
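The practical consequence of cookie and session-token theft is that an attacker can resume a victim's authenticated session without the password or a second factor, so credential-centric controls never fire. The example below, added here and not drawn from the article or from any vendor's detection content, shows one cheap server-side signal for that replay: the same session identifier arriving from a different IP address or user agent shortly after legitimate use. The log format and field names (`sess=`, `ip=`, `ua=`, `path=`) are this example's own, and the sample log is constructed.

```python
"""Spot a session cookie being replayed from a second device.

A stolen browser cookie lets an attacker ride an authenticated session without the
password or a second factor. One inexpensive server-side signal is the same session
identifier arriving from a different IP address or user agent shortly after the
legitimate client used it. The log format here is this example's own and SAMPLE_LOG
is constructed; it is not real telemetry.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Tuple

# Constructed sample: a1f3 is used by its owner, then two minutes later by a different
# IP and browser that goes straight for mail-forwarding settings; b772 is benign.
SAMPLE_LOG = """\
2026-05-03T09:00:01Z sess=a1f3 ip=203.0.113.10 ua=Firefox/125 path=/mail
2026-05-03T09:04:12Z sess=a1f3 ip=203.0.113.10 ua=Firefox/125 path=/mail/inbox
2026-05-03T09:06:40Z sess=a1f3 ip=198.51.100.7 ua=Chrome/124 path=/settings/forwarding
2026-05-03T09:07:05Z sess=b772 ip=192.0.2.44 ua=Safari/17 path=/mail
2026-05-03T11:30:00Z sess=b772 ip=192.0.2.44 ua=Safari/17 path=/mail/inbox
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    session: str
    ip: str
    ua: str
    path: str


def parse_line(line: str) -> Event:
    """Parse one '<timestamp> key=value ...' line (this example's own format)."""
    ts_text, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
    return Event(ts, kv["sess"], kv["ip"], kv["ua"], kv["path"])


def find_session_replays(
    events: Iterable[Event], window: timedelta = timedelta(minutes=30)
) -> List[Tuple[str, Event, Event]]:
    """Return (session, first_event, suspicious_event) for every use of a session id
    from a client fingerprint (ip, ua) other than the one that first presented it,
    when that use follows the previous request within `window`. The first sighting
    of a session fixes its expected fingerprint."""
    by_session: Dict[str, List[Event]] = defaultdict(list)
    for ev in events:
        by_session[ev.session].append(ev)

    alerts: List[Tuple[str, Event, Event]] = []
    for session, evs in by_session.items():
        evs.sort(key=lambda e: e.ts)
        baseline = evs[0]
        prev = baseline
        for ev in evs[1:]:
            fingerprint_changed = (ev.ip, ev.ua) != (baseline.ip, baseline.ua)
            if fingerprint_changed and ev.ts - prev.ts <= window:
                alerts.append((session, baseline, ev))
            prev = ev
    return alerts


def scan_log(text: str, window_minutes: float = 30) -> List[Tuple[str, Event, Event]]:
    """Parse a whole log and run the replay check over it."""
    events = [parse_line(line) for line in text.splitlines() if line.strip()]
    return find_session_replays(events, timedelta(minutes=window_minutes))


if __name__ == "__main__":
    for session, first, replay in scan_log(SAMPLE_LOG):
        print(
            f"{session}: first seen from {first.ip} ({first.ua}); "
            f"replayed at {replay.ts:%H:%M:%S} from {replay.ip} ({replay.ua}) -> {replay.path}"
        )
```

Source IP alone is a noisy signal (mobile carriers, CGNAT and VPN egress all change addresses mid-session), which is why the check pairs it with the user agent and a short window. Treat a hit as grounds to revoke the session server-side and force re-authentication: resetting the password does nothing to a cookie that was already stolen unless existing sessions are invalidated with it.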

This criminal specialization has created what researchers describe as a cybercrime “assembly line,” where different groups focus exclusively on malware development, initial access, credential theft, infrastructure hosting or ransomware deployment.

By targeting the infrastructure that supports these services instead of only individual malware strains, Operation Endgame aims to disrupt the broader ecosystem that enables cybercrime at industrial scale. Europol described the latest phase as a strategic shift away from dismantling isolated threats toward breaking the complete infection chain used by modern cybercriminal organizations.

Operation Endgame continues to expand

Since launching in 2024, Operation Endgame has evolved into one of the most ambitious international cybercrime initiatives ever undertaken.

Previous phases have targeted malware families including TrickBot, Bumblebee, Smokeloader, SystemBC, IcedID, Rhadamanthys, VenomRAT and other malware loaders that underpin ransomware operations worldwide. Earlier operations resulted in the seizure of more than 1,000 servers, thousands of domains and multiple arrests across Europe and North America.

The latest disruption of StealC and Amadey further demonstrates how law enforcement agencies are increasingly combining technical expertise, legal action, financial investigations and private-sector intelligence to dismantle cybercrime infrastructure before ransomware attacks can occur.

While the operators behind these malware families may attempt to rebuild their infrastructure, officials say coordinated international operations significantly increase the cost and complexity of doing so, forcing criminal groups to replace servers, domains, cryptocurrency wallets and trusted affiliate networks.

As cybercriminal organizations continue to industrialize their operations, officials believe sustained public-private collaboration will remain essential to disrupting the global malware ecosystem before attacks reach their intended victims.
