
Law enforcement hits StealC and Amadey malware networks

Jun 25, 2026 | Twila Rosenbaum

Operation Endgame, the largest international law enforcement operation aimed at disrupting ransomware and cybercrime infrastructure across the world, has claimed its latest targets: StealC and Amadey. These two malware families, while developed by separate criminal groups, have been working in tandem to compromise devices and harvest sensitive data. Law enforcement and private sector partners, including Microsoft and Proofpoint, coordinated action against the infrastructure delivering both threats.

Infrastructure dismantled, millions in crypto seized

On 18 June 2026, law enforcement agencies from the Netherlands, Canada, the United States, and Germany, supported by Europol and Eurojust, announced the successful disruption of the infrastructure behind the SocGholish malware framework. Worldwide, 106 servers and domains were taken down and nearly 15,000 compromised websites were remediated. Today, a follow-up action targeting StealC and Amadey was announced.

“During this action, 326 servers and 142 domains were actioned by law enforcement and the private sector partners, severely crippling the malware’s distribution network,” Europol stated. Law enforcement has also managed to identify and freeze over 41 million euros (approximately 47 million US dollars) in related crypto assets. Additionally, Microsoft’s Digital Crimes Unit filed a lawsuit against multiple alleged enablers involved in StealC and Amadey and took down associated infrastructure. These individuals include Amadey and StealC malware-as-a-service operators, as well as affiliates.

Microsoft targets operators and affiliates

“Amadey and StealC are often used alongside each other: Amadey helps attackers gain access to devices, while StealC steals passwords and sensitive information,” noted Steven Masada, Assistant General Counsel with Microsoft’s Digital Crimes Unit. According to data collected by the company in the first two weeks of May 2026, Amadey and StealC were linked to 140,000+ infected computers worldwide. With the help of AI, investigators were able to discover that even though the two threats were developed by separate cybercriminals, they relied on the same infrastructure.

“Those insights allowed the legal team to treat both malware families as part of a single conspiracy. Instead of going after each tool separately, as we have done in the past, we used [the Racketeer Influenced and Corrupt Organizations Act (RICO)] to charge multiple complicit enablers involved across the operation,” Masada added. He also shared that Microsoft pinpointed over 18,000 victim computers, has severed criminal control of those devices, and is helping telecoms protect affected customers.

How researchers cracked StealC

Proofpoint and IBM X-Force researchers revealed today their part in the operation. They identified a vulnerability in the StealC C2 panel, which was exploited to help with the disruption operation, and they extracted configurations from many StealC samples. These configurations contained URLs used to connect to and communicate with the C2 panel, campaign and affiliate IDs, unique client/bot IDs, and C2 communication encryption keys, and were used to track StealC operations and affiliate groups.

They also built a StealC bot emulator, which allowed them to simulate the network activity that occurs in a normal StealC infection, and retrieve and analyze the additional malicious payloads that criminals delivered via this infostealer-cum-dropper. “In some cases, the StealC client was delivered only one payload, such as another stealer or a remote access trojan (RAT). In many cases, however, the StealC client received another loader malware, which subsequently downloaded the final payload,” the researchers shared. In one case, StealC downloaded XTinyLoader, which then downloaded a LockBit Black ransomware payload.

Microsoft’s threat analysts also detailed the two malware-as-a-service operations and shared indicators of compromise pointing to Amadey and StealC infections.

Compromised credentials

According to Europol, nearly 27 million stolen login credentials have been tracked down as part of this operation. Following the SocGholish infrastructure disruption, the compromised credentials were added to the Have I Been Pwned database, allowing users to check whether theirs are among them. It’s currently unclear whether the same will happen with the latest batch.

Operation Endgame represents a significant escalation in law enforcement’s ability to disrupt cybercrime at scale. The collaboration between agencies from multiple countries, combined with private sector expertise from companies like Microsoft and Proofpoint, demonstrates a unified front against malware-as-a-service ecosystems. Using AI to link separate malware families and charge them as a single conspiracy is a novel legal approach that could set a precedent for future cases.

The StealC and Amadey malware have been active for several years. Amadey is a loader malware that initially appeared in 2018, often sold as a service on underground forums. It is designed to deliver secondary payloads, such as information stealers or ransomware. StealC, on the other hand, emerged around 2022 and is an infostealer that targets browser credentials, cryptocurrency wallets, and other sensitive data. The combination of a loader and a stealer allows attackers to establish a foothold on a compromised system and then extract valuable information.

The takedown of 326 servers and 142 domains effectively cripples the distribution network for these threats. However, cybercriminals often adapt quickly, and authorities emphasize that ongoing vigilance is required. The freezing of €41 million in crypto assets is a major financial blow to the operators, but it also highlights the profitability of these criminal enterprises. To put this into perspective, the stolen credentials tracked down – nearly 27 million – represent a treasure trove for identity theft, credential stuffing attacks, and further cybercrime.

Microsoft’s use of the RICO Act is particularly noteworthy. Traditionally used against organized crime, RICO allows prosecutors to charge individuals involved in a conspiracy rather than just the direct perpetrators. This legal strategy could be applied to other malware operations where developers, distributors, and affiliates act as separate but coordinated groups. The involvement of Microsoft’s Digital Crimes Unit also underscores the growing role of technology companies in law enforcement efforts.

Proofpoint and IBM X-Force’s research into the StealC C2 panel vulnerability provided a critical technical edge. By extracting configurations and building a bot emulator, they were able to map out the entire operation, identify affiliates, and understand the payload distribution chain. This intelligence allowed law enforcement to take targeted actions against servers and domains. The emulator also enabled researchers to observe real-time communications and anticipate the criminals’ next moves.

The impact on victims is significant. With over 18,000 victim computers identified by Microsoft alone, many individuals and organizations may not be aware that they have been compromised. Microsoft’s efforts to help telecoms protect affected customers will involve notifying internet service providers, blocking malicious domains, and providing cleanup tools. However, users are advised to run full antivirus scans, change all passwords, and enable multi-factor authentication on their accounts.

The disruption of SocGholish in June 2026 was followed by the addition of compromised credentials to Have I Been Pwned. If the same is done for this batch, it could alert millions of users to change their passwords. The scale of credential theft – 27 million – is a stark reminder of the importance of using unique passwords for different services and employing a password manager.

The cybercrime landscape is constantly evolving, and operations like Endgame are essential to staying ahead. But the fight is far from over. Even as these networks are dismantled, new ones may emerge, or existing criminals may shift to different tools. The collaboration between law enforcement and private sector partners must continue, and the public must remain educated about the risks and best practices for cybersecurity.


Source: Help Net Security News

