Amadey, StealC malware operations disrupted in Operation Endgame action
Microsoft, Europol, and international partners have disrupted infrastructure used by the Amadey and StealC malware operations as part of Operation Endgame, which targets cybercriminal services and ransomware gangs.
The law enforcement action involved authorities and private partners from multiple countries, who assisted in identifying and taking down, seizing, blocking, or sinkholing infrastructure tied to the malware families.
According to Europol, the operation resulted in the disruption of 326 servers and 142 domains, Investigators also identified more than β¬41 million ($47 million) in cryptocurrency linked to criminal activity and recovered approximately 27 million credentials stolen from over 385k compromised systems.
"By taking down these tools simultaneously, the collaboration between law enforcement and private parties has increased friction for cybercriminals, making it harder for attacks to succeed, spread, or recover," announced Europol.
The coordinated action also targeted SocGholish (FakeUpdates), a malware loader that infects visitors via compromised websites that serve fake browser update prompts.
Operation Endgame included law enforcement agencies from Canada, Denmark, Germany, the Netherlands, the United Kingdom, and the United States, with Europol and Eurojust coordinating the effort. Private-sector support was provided by Microsoft, ESET, Proofpoint, IBM X-Force, Bitsight, Infoblox, Orange Cyberdefense, Shadowserver, Have I Been Pwned, Spamhaus, and others.
According to Europol, the operation focused on disrupting cybercrime infrastructure that threat actors utilize to gain initial access to systems, steal credentials, and ultimately deploy ransomware or conduct financial fraud.
Amadey and StealC are sold to cybercriminals through malware-as-a-service operations, where affiliates pay for access to malware builders, management panels, support, and infrastructure.
Criminals use Amadey to gain an initial foothold on victim devices to deploy additional malware. StealC is used to steal credentials, cryptocurrency wallets, and other sensitive information that can later be sold or leveraged in ransomware attacks.
Amadey is a malware botnet used by both ransomware gangs and state-sponsored hacking groups to breach networks. More recently, StealC has been widely used in a variety of ClickFix attacks, such as fake instructional videos on TikTok and FileFix attacks.
In a civil action filed by Microsoft in the US, Microsoft's Digital Crimes Unit said it identified more than 200 malicious command-and-control domains and IP addresses associated with Amadey and StealC and worked with partners to shut down the infrastructure through court orders, domain seizures, registrations, and provider notifications.
According to Microsoft's complaint, stolen credentials harvested through StealC are commonly sold on underground marketplaces and through initial-access brokers (IABs).
These credentials are then used by other threat actors to breach networks, steal data, and deploy ransomware.
The company said the two malware families were linked to more than 140,000 infected devices during the first two weeks of May 2026 alone.
Other private partners released reports on their involvement in the disruption.
Security vendor ESET said it assisted the operation by identifying and disrupting the infrastructure used by both malware families. The company reported that the action affected roughly 50 domains used by the operations and nearly 200 active command-and-control servers.
Proofpoint and IBM X-Force also contributed intelligence and malware analysis supporting the disruption.
Bitsight said it assisted the operation by identifying and analyzing infrastructure associated with both malware families, helping investigators map servers and related command-and-control infrastructure used by the threat actors.
The disruption is the latest phase of Operation Endgame, which previously disrupted other malware families, such as DanaBot, Bumblebee, Rhadamanthys, VenomRAT, Elysium, and SmokeLoader.
Unfortunately, unless arrests are made in the operations, the threat actors commonly rebuild infrastructure to launch new attacks.
Test every layer before attackers do
Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen.
The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection.
Get the whitepapersource: BleepingComputer
