Amadey and StealC malware operations disrupted in Operation Endgame action

Microsoft, Europol, and international partners disrupted the infrastructure used by the Amadey and StealC malware as part of Operation Endgame, targeting cybercrime services and ransomware gangs.
The enforcement action involved authorities and private partners from many countries, who helped identify infrastructure tied to the malware families and dismantle, intercept, block, or sinkhole it.
According to Europol, the operation resulted in the disruption of 326 servers and 142 domains. Investigators also identified more than 41 million euros ($47 million) in cryptocurrency linked to criminal activity and found about 27 million stolen credentials from more than 385,000 compromised systems.
“By bringing down these tools at the same time, cooperation between law enforcement and private organizations has increased the tension of computer hackers, making it difficult for attacks to succeed, spread, or recover,” declared Europol.
The coordinated action also targeted SocGholish (FakeUpdates), a malware downloader that infects visitors to compromised websites through fake browser update prompts.
Operation Endgame involved law enforcement agencies from Canada, Denmark, Germany, the Netherlands, the United Kingdom, and the United States, with Europol and Eurojust coordinating the effort. Private sector support was provided by Microsoft, ESET, Proofpoint, IBM X-Force, Bitsight, Infoblox, Orange Cyberdefense, Shadowserver, Have I Been Pwned, Spamhaus, and others.
According to Europol, the program focuses on disrupting the cybercrime infrastructure that threat actors use to gain initial access to systems, steal information, and ultimately deploy ransomware or commit financial fraud.
Amadey and StealC are sold to cybercriminals on a malware-as-a-service basis, where affiliates pay the malware developers for access to the malware, management panels, support, and infrastructure.
Criminals use Amadey to gain access to victims' devices and deploy additional malware. StealC is used to steal credentials, cryptocurrency wallets, and other sensitive information that can later be sold or used in ransomware attacks.
Amadey is a malware botnet used by both ransomware criminals and state-sponsored hacking groups to breach networks. Recently, StealC has been widely distributed in various ClickFix attacks, including fake TikTok tutorial videos, and in FileFix attacks.
In a legal action filed by Microsoft in the US, Microsoft's Digital Crimes Unit said it identified more than 200 malicious command-and-control domains and IP addresses related to Amadey and StealC and worked with partners to shut down the infrastructure through court orders, domain seizures, registrations, and provider notifications.
According to Microsoft's complaint, information stolen by StealC is often sold on underground markets and through initial access brokers (IABs).
These credentials are then used by other malicious actors to breach networks, steal data, and deploy ransomware.
The company said the two malware families were linked to more than 140,000 infected devices in the first two weeks of May 2026 alone.
Some private partners have released reports of their involvement in the disruption.
Security vendor ESET said it assisted the operation by identifying and disrupting the infrastructure used by the two malware families. The company reported that the action affected approximately 50 operational domains and 200 active command-and-control servers.
Proofpoint and IBM X-Force also contributed intelligence and malware analysis to support disruption.
Bitsight said it helped the operation by identifying and analyzing the infrastructure associated with both malware families, helping investigators map servers and related command and control infrastructure used by threat actors.
The disruption is the latest phase of Operation Endgame, which has disrupted other malware families, such as DanaBot, Bumblebee, Rhadamanthys, VenomRAT, Elysium, and SmokeLoader.
Unfortunately, unless the operators themselves are arrested, threat actors often rebuild their infrastructure and launch new attacks.
