Operation Endgame, the largest international law enforcement operation aimed at disrupting ransomware and cybercrime infrastructure across the world, has claimed its latest targets: StealC and Amadey.
The notice on disrupted websites (Source: Microsoft)
While developed by separate criminal groups, those two malware families work in tandem to compromise devices and harvest sensitive data. Law enforcement and private sector partners, including Microsoft and Proofpoint, coordinated action against the infrastructure delivering both threats.
Infrastructure dismantled, millions in crypto seized
On 18 June 2026, law enforcement agencies from the Netherlands, Canada, the United States, and Germany, supported by Europol and Eurojust, announced the successful disruption of the infrastructure behind the SocGholish malware framework. Worldwide, 106 servers and domains were taken down and nearly 15,000 compromised websites were remediated.
Today, a follow-up action targeting StealC and Amadey was announced.
“During this action, 326 servers and 142 domains were actioned by law enforcement and the private sector partners, severely crippling the malware’s distribution network,” Europol stated.
Law enforcement has also managed to identify and freeze over 41 million euros (approximately 47 million US dollars) in related crypto assets.
Additionally, Microsoft’s Digital Crimes Unit filed a lawsuit against multiple alleged enablers involved in StealC and Amadey and took down associated infrastructure.
These individuals include Amadey and StealC malware-as-a-service operators, as well as affiliates.
Microsoft targets operators and affiliates
“Amadey and StealC are often used alongside each other: Amadey helps attackers gain access to devices, while StealC steals passwords and sensitive information,” noted Steven Masada, Assistant General Counsel with Microsoft’s Digital Crimes Unit.
According to data collected by the company in the first two weeks of May 2026, Amadey and StealC were linked to 140,000+ infected computers worldwide.
With the help of AI, investigators were able to discover that even though the two threats were developed by separate cybercriminals, they relied on the same infrastructure.
“Those insights allowed the legal team to treat both malware families as part of a single conspiracy. Instead of going after each tool separately, as we have done in the past, we used [the Racketeer Influenced and Corrupt Organizations Act (RICO)] to charge multiple complicit enablers involved across the operation,” Masada added.
He also shared that Microsoft pinpointed over 18,000 victim computers, has severed criminal control of those devices, and is helping telecoms protect affected customers.
How researchers cracked StealC
Proofpoint and IBM X-Force researchers revealed today their part in the operation.
They identified a vulnerability in the StealC C2 panel, which was exploited to help with the disruption operation, and they extracted configurations from many StealC samples.
These configurations contained URLs used to connect to and communicate with the C2 panel, campaign and affiliate IDs, unique client/bot IDs, and C2 communication encryption keys, and were used to track StealC operations and affiliate groups.
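Extracted C2 configurations become useful for tracking only once they are normalised and pivoted: samples that point at the same host can be grouped, affiliate IDs can be followed across samples, and hosts reached by more than one malware family stand out (the kind of shared-infrastructure overlap the article says investigators found between StealC and Amadey). The following Python is an added illustration of that pivot analysis; it is not code from Proofpoint, IBM X-Force or Microsoft, and the record layout (`family`, `sample`, `c2_url`, `affiliate_id`, `bot_id`) and all values in it are constructed placeholders, not real indicators.

```python
"""Pivot analysis over extracted infostealer configurations.

Added example (not from the original article): normalise C2 URLs to hosts,
then correlate hosts across samples to find infrastructure shared between
malware families and to follow affiliate IDs per host.
"""
from collections import defaultdict
from urllib.parse import urlparse

# Constructed records standing in for configs extracted from samples.
# Field names are assumptions; hosts use the reserved .invalid TLD and
# sample/affiliate/bot identifiers are placeholders, not real IoCs.
SAMPLE_CONFIGS = [
    {"family": "StealC", "sample": "SAMPLE_A", "affiliate_id": "aff-101",
     "bot_id": "bot-0001", "c2_url": "http://c2-one.invalid/api/gate.php"},
    {"family": "StealC", "sample": "SAMPLE_B", "affiliate_id": "aff-101",
     "bot_id": "bot-0002", "c2_url": "http://c2-one.invalid:8080/api/gate.php"},
    {"family": "StealC", "sample": "SAMPLE_C", "affiliate_id": "aff-202",
     "bot_id": "bot-0003", "c2_url": "https://C2-Two.invalid/panel/"},
    {"family": "Amadey", "sample": "SAMPLE_D", "affiliate_id": None,
     "bot_id": "bot-0004", "c2_url": "http://c2-one.invalid/load.php"},
    {"family": "Amadey", "sample": "SAMPLE_E", "affiliate_id": None,
     "bot_id": "bot-0005", "c2_url": "http://c2-three.invalid/load.php"},
]


def c2_host(url):
    """Normalise a C2 URL to a lowercase hostname (scheme, port and path dropped).

    Two configs that differ only in port or path still point at the same server,
    so the host is the right pivot key.
    """
    host = urlparse(url).hostname
    if host is None:
        raise ValueError(f"no host in C2 URL: {url!r}")
    return host.lower()


def index_by_host(configs):
    """Inverted index: host -> families, affiliate IDs and samples seen using it."""
    index = defaultdict(lambda: {"families": set(), "affiliates": set(), "samples": set()})
    for cfg in configs:
        entry = index[c2_host(cfg["c2_url"])]
        entry["families"].add(cfg["family"])
        if cfg["affiliate_id"]:
            entry["affiliates"].add(cfg["affiliate_id"])
        entry["samples"].add(cfg["sample"])
    return dict(index)


def shared_infrastructure(configs):
    """Hosts contacted by samples of more than one malware family."""
    return sorted(h for h, e in index_by_host(configs).items() if len(e["families"]) > 1)


def affiliate_hosts(configs):
    """affiliate_id -> sorted C2 hosts, to follow an affiliate across samples."""
    hosts = defaultdict(set)
    for cfg in configs:
        if cfg["affiliate_id"]:
            hosts[cfg["affiliate_id"]].add(c2_host(cfg["c2_url"]))
    return {aff: sorted(h) for aff, h in hosts.items()}


def blocklist(configs):
    """Deduplicated, sorted host list suitable for DNS or proxy blocking."""
    return sorted(index_by_host(configs))


if __name__ == "__main__":
    print("shared across families:", shared_infrastructure(SAMPLE_CONFIGS))
    print("hosts per affiliate:", affiliate_hosts(SAMPLE_CONFIGS))
    print("blocklist:", blocklist(SAMPLE_CONFIGS))
```

On the constructed data, `c2-one.invalid` is reached by both a StealC and an Amadey sample, which is exactly the signal an analyst would chase before treating two families as one operation; the per-affiliate view is what lets separate affiliate groups be tracked even when they share a panel.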
They also built a StealC bot emulator, which allowed them to simulate the network activity that occurs in a normal StealC infection, and retrieve and analyze the additional malicious payloads that criminals delivered via this infostealer-cum-dropper.
“In some cases, the StealC client was delivered only one payload, such as another stealer or a remote access trojan (RAT). In many cases, however, the StealC client received another loader malware, which subsequently downloaded the final payload,” the researchers shared.
In one case, StealC downloaded XTinyLoader, which then downloaded a LockBit Black ransomware payload.
Microsoft’s threat analysts also detailed the two malware-as-a-service operations and shared indicators of compromise pointing to Amadey and StealC infections.
Compromised credentials
According to Europol, nearly 27 million stolen login credentials have been tracked down as part of this operation.
Following the SocGholish infrastructure disruption, the compromised credentials were added to the Have I Been Pwned database, allowing users to check whether theirs are among them.
It’s currently unclear whether the same will happen with the latest batch.