
Police Take Down StealC & Amadey Malware Networks

Originally published on: June 25, 2026
Summary

– Operation Endgame disrupted infrastructure for StealC and Amadey malware, taking down 326 servers and 142 domains, and freezing over 41 million euros in crypto assets.
– StealC and Amadey work together: Amadey gains device access, while StealC steals passwords and sensitive data, linked to over 140,000 infected computers worldwide.
– Microsoft used RICO laws to charge multiple enablers across both malware families as part of a single conspiracy, severing control of over 18,000 victim computers.
– Proofpoint and IBM X-Force exploited a vulnerability in StealC’s C2 panel to aid the disruption, extracted configurations from StealC samples, and built a bot emulator to retrieve and track follow-on payloads, including LockBit Black ransomware.
– Nearly 27 million stolen login credentials were tracked in the operation, with previous SocGholish credentials added to the Have I Been Pwned database.

Operation Endgame, the sweeping international law enforcement initiative targeting ransomware and cybercrime infrastructure, has struck again. This time, the operation has dismantled the networks behind StealC and Amadey, two malware families that have been working in tandem to compromise devices and steal sensitive data.

Though developed by separate criminal groups, these threats have operated in coordination. Law enforcement agencies, alongside private sector partners like Microsoft and Proofpoint, have taken coordinated action to cripple the infrastructure supporting both malware strains.

Infrastructure dismantled, millions in crypto seized

On 18 June 2026, authorities from the Netherlands, Canada, the United States, and Germany, backed by Europol and Eurojust, announced the takedown of the infrastructure behind the SocGholish malware framework. That operation resulted in the seizure of 106 servers and domains, and the remediation of nearly 15,000 compromised websites.

Now, a follow-up action has targeted StealC and Amadey. Europol confirmed that 326 servers and 142 domains were actioned by law enforcement and private sector partners, severely disrupting the malware’s distribution network. In addition, authorities have identified and frozen over 41 million euros (roughly 47 million US dollars) in related crypto assets.

Microsoft’s Digital Crimes Unit also filed a lawsuit against multiple alleged enablers involved in both StealC and Amadey, and took down associated infrastructure. These individuals include operators of the malware-as-a-service platforms and their affiliates.

Microsoft targets operators and affiliates

Steven Masada, Assistant General Counsel with Microsoft’s Digital Crimes Unit, explained the relationship between the two threats: “Amadey and StealC are often used alongside each other. Amadey helps attackers gain access to devices, while StealC steals passwords and sensitive information.”

Data collected by Microsoft in the first two weeks of May 2026 linked Amadey and StealC to over 140,000 infected computers worldwide. Using AI, investigators discovered that despite being developed by different cybercriminals, both threats relied on the same infrastructure.

“Those insights allowed the legal team to treat both malware families as part of a single conspiracy. Instead of going after each tool separately, as we have done in the past, we used the Racketeer Influenced and Corrupt Organizations Act (RICO) to charge multiple complicit enablers involved across the operation,” Masada added.

He also revealed that Microsoft identified over 18,000 victim computers, has severed criminal control of those devices, and is now helping telecoms protect affected customers.

How researchers cracked StealC

Researchers from Proofpoint and IBM X-Force have detailed their role in the operation. They identified a vulnerability in the StealC C2 panel, which was exploited to aid the disruption effort. By extracting configurations from numerous StealC samples, they obtained URLs used for C2 communication, campaign and affiliate IDs, unique client and bot IDs, and encryption keys.

These configurations allowed them to track StealC operations and affiliate groups. They also built a StealC bot emulator, which simulated normal infection activity and enabled them to retrieve and analyze additional malicious payloads delivered by the infostealer-cum-dropper.

“In some cases, the StealC client was delivered only one payload, such as another stealer or a remote access trojan (RAT). In many cases, however, the StealC client received another loader malware, which subsequently downloaded the final payload,” the researchers noted.

In one instance, StealC downloaded XTinyLoader, which then delivered a LockBit Black ransomware payload. Microsoft’s threat analysts have also detailed the two malware-as-a-service operations and shared indicators of compromise for both Amadey and StealC.

Compromised credentials

Europol reports that nearly 27 million stolen login credentials have been tracked down as part of this operation. Following the SocGholish infrastructure disruption, compromised credentials were added to the Have I Been Pwned database, allowing users to check if their information was exposed. It remains unclear whether the latest batch of stolen credentials will be added as well.
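The Have I Been Pwned check mentioned above does not require sending a password or credential anywhere in the clear. As an added example that is not part of the Help Net Security report or of Have I Been Pwned's own code, the block below shows the k-anonymity lookup used by the public Pwned Passwords range API: only the first five hex characters of the password's SHA-1 hash are sent, and the match is made locally against the suffixes the service returns. The API URL and the `Add-Padding` header are the documented public interface; the `SAMPLE_RESPONSE` text is constructed for offline use, with only its first suffix being the real SHA-1 tail of the string `password` (the counts are made up).

```python
"""Check a password against a Pwned Passwords range response (k-anonymity).

Only the 5-character SHA-1 prefix leaves the machine; the full hash is never
transmitted, and matching of the 35-character suffix happens locally.
"""
import hashlib
import urllib.request

PWNED_RANGE_API = "https://api.pwnedpasswords.com/range/"

# Constructed sample of what a range lookup returns: one "<suffix>:<count>"
# entry per line, CRLF-terminated. The first suffix is the genuine SHA-1 tail
# of "password"; the count and the remaining suffixes are invented, and the
# ":0" line imitates the padding entries the API adds when Add-Padding is set.
SAMPLE_RESPONSE = (
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
    "1E57A4E9C1A0D6C3B2F1E0D9C8B7A6F5E4D:2\r\n"
    "1F0A1B2C3D4E5F60718293A4B5C6D7E8F90:17\r\n"
    "2A2B2C2D2E2F303132333435363738393A3:0\r\n"
)


def hash_split(password: str) -> tuple[str, str]:
    """Return (prefix, suffix): first 5 and remaining 35 hex chars of SHA-1."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def range_url(prefix: str) -> str:
    """Build the range URL; refuse anything that is not a 5-char hex prefix."""
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix.upper()):
        raise ValueError("prefix must be exactly 5 hex characters")
    return PWNED_RANGE_API + prefix.upper()


def parse_range_response(text: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict, dropping padding (count 0)."""
    counts: dict[str, int] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        n = int(count)
        if n > 0:  # count 0 entries are padding, not real breach hits
            counts[suffix.upper()] = n
    return counts


def breach_count(password: str, response_text: str) -> int:
    """Number of times the password appeared in breaches, per the given
    range response (which must be the response for this password's prefix)."""
    _prefix, suffix = hash_split(password)
    return parse_range_response(response_text).get(suffix, 0)


def fetch_range(prefix: str, timeout: float = 10.0) -> str:
    """Live lookup of one prefix. Add-Padding asks the API to pad the result
    so response size does not leak how many suffixes a prefix really has."""
    req = urllib.request.Request(
        range_url(prefix),
        headers={"Add-Padding": "true", "User-Agent": "pwned-range-example"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def check_password_online(password: str) -> int:
    """Hash locally, send only the prefix, match the suffix locally."""
    prefix, _suffix = hash_split(password)
    return breach_count(password, fetch_range(prefix))


if __name__ == "__main__":
    # Offline demonstration against the constructed sample response.
    print("password seen", breach_count("password", SAMPLE_RESPONSE), "times")
```

The same pattern applies to an organisation checking its own users: hash the candidate password client-side, query one prefix, and never log or transmit the full hash. The padding header matters when the check runs over a network an observer can measure, since unpadded responses differ in length per prefix.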

(Source: Help Net Security)
