
Operation Endgame disrupts Amadey and StealC malware operations

Originally published on: June 25, 2026
Summary

– Operation Endgame, a law enforcement effort involving Microsoft and Europol, disrupted 326 servers and 142 domains tied to the Amadey and StealC malware operations.
– The operation recovered approximately 27 million stolen credentials and identified over €41 million in cryptocurrency linked to criminal activity.
– Amadey is a malware botnet used for initial network breaches, while StealC steals credentials and sensitive data for sale or ransomware deployment.
– Coordinated action included agencies from Canada, Denmark, Germany, the Netherlands, the UK, and the US, with private partners like ESET, Proofpoint, and IBM X-Force.
– Despite the infrastructure takedown, threat actors may rebuild their operations unless arrests are made in the future.

A coordinated international law enforcement effort has successfully dismantled key infrastructure supporting the Amadey and StealC malware operations, marking a significant blow to the cybercriminal ecosystem. The action, part of the broader Operation Endgame, brought together Microsoft, Europol, and a coalition of global partners to target the tools and services that enable ransomware attacks and data theft.

The operation involved authorities and private-sector allies from multiple nations, who worked to identify and neutralize servers, domains, and other assets tied to these malicious families. According to Europol, the takedown affected 326 servers and 142 domains. Investigators also traced and recovered over €41 million ($47 million) in cryptocurrency linked to criminal activity, and secured roughly 27 million stolen credentials taken from more than 385,000 compromised systems.

“By taking down these tools simultaneously, the collaboration between law enforcement and private parties has increased friction for cybercriminals, making it harder for attacks to succeed, spread, or recover,” Europol stated.

The sweep also targeted SocGholish (FakeUpdates), a malware loader that tricks website visitors into downloading malicious payloads through fake browser update prompts.

Agencies from Canada, Denmark, Germany, the Netherlands, the United Kingdom, and the United States participated, with Europol and Eurojust coordinating the international response. Private-sector contributors included Microsoft, ESET, Proofpoint, IBM X-Force, Bitsight, Infoblox, Orange Cyberdefense, Shadowserver, Have I Been Pwned, and Spamhaus.

Europol explained that Operation Endgame is focused on dismantling the infrastructure threat actors use for initial access, credential theft, and ultimately ransomware deployment or financial fraud. Both Amadey and StealC are sold through malware-as-a-service models, where affiliates pay for builders, management panels, support, and infrastructure.

Amadey is a botnet malware that provides initial footholds on victim devices, allowing attackers to deploy additional payloads. StealC specializes in harvesting credentials, cryptocurrency wallets, and other sensitive data, which can be sold or weaponized in ransomware campaigns. Recently, StealC has been observed in ClickFix attacks, including fake instructional videos on TikTok and FileFix schemes.

In a civil action filed in the U.S., Microsoft’s Digital Crimes Unit identified over 200 malicious command-and-control domains and IP addresses linked to these malware families. The company collaborated with partners to shut down the infrastructure through court orders, domain seizures, and provider notifications. Stolen credentials from StealC are commonly sold on underground forums and through initial-access brokers (IABs), who then enable other criminals to breach networks and deploy ransomware, Microsoft noted.

During the first two weeks of May 2026 alone, the two malware families were linked to more than 140,000 infected devices, according to Microsoft.

Other partners detailed their contributions. ESET reported that its efforts disrupted roughly 50 domains and nearly 200 active command-and-control servers used by the operations. Proofpoint and IBM X-Force provided intelligence and malware analysis, while Bitsight helped map server infrastructure and related command-and-control assets.

This disruption is the latest phase of Operation Endgame, which has previously targeted other malware families including DanaBot, Bumblebee, Rhadamanthys, VenomRAT, Elysium, and SmokeLoader. However, law enforcement officials acknowledge that unless arrests are made, threat actors often rebuild their infrastructure and resume operations.

(Source: BleepingComputer)
