Operation Endgame Disrupts Amadey And StealC Malware Network, Recovers 27 Million Stolen Credentials

A major international law enforcement operation known as Operation Endgame has disrupted the criminal infrastructure behind the Amadey and StealC malware ecosystem, resulting in the recovery of 27 million stolen login credentials and the dismantling of hundreds of malicious servers and domains. The operation was conducted with support from private sector partners including Bitdefender, Bitsight, ESET, and Microsoft.

According to Europol, the coordinated effort focused on disrupting the infrastructure used by cybercriminals to launch ransomware attacks, financial fraud campaigns, and operations targeting critical infrastructure. The action followed a separate operation involving authorities from the Netherlands, Canada, Germany, and the United States that recently disrupted infrastructure linked to SocGholish and cleaned nearly 15,000 compromised WordPress websites. During the two-week operation, authorities identified, flagged, and restricted more than 47 million dollars in cryptocurrency assets connected to criminal activity. Investigators also dismantled 326 servers and 142 domains associated with malware distribution networks. Bitdefender Chief Security Strategist Alex Cosoi said the operation demonstrated the impact of coordinated collaboration between public and private organizations in targeting large-scale cybercrime infrastructure and sent a clear message to the operators behind malware ecosystems.

Amadey and StealC are both marketed under a malware-as-a-service model, allowing affiliates either to deploy additional malware or to steal sensitive information from infected systems. Amadey, which has been active since October 2018 and is attributed to a threat actor known as InCrease, operates as a modular C++-based backdoor capable of fingerprinting systems, downloading files, executing commands, capturing screenshots, opening proxy sessions, collecting credentials and clipboard data, enabling remote desktop access, and performing a range of other administrative actions. The service was sold for approximately 600 dollars per license, with additional fees charged for rebuilding new versions. Researchers said the latest known version is 5.87. Data from Mitsui Bussan Secure Directions showed that the number of active Amadey command-and-control servers increased significantly from 2023 onward, indicating broader adoption of the malware. The number of malware payloads distributed through Amadey rose from 66 in 2019 to a peak of 11,635 in 2025, while 1,837 payloads have already been distributed through the loader during 2026.

StealC, first observed in January 2023 and sold through subscription plans by a threat actor known as plymouth, is designed to steal screenshots, credentials, session cookies, autofill data, credit card information, browsing history, browser extension data, and files matching specific naming patterns. It targets Chromium-based browsers as well as applications including Discord, FileZilla, Foxmail, Microsoft Outlook, Steam, and Telegram. StealC can also download and execute additional payloads such as EXE, MSI, and PowerShell files based on commands received from external servers. One notable characteristic is its ability to detect system language settings and terminate itself when running on systems configured for Russia, Ukraine, Belarus, Kazakhstan, or Uzbekistan. Researchers also discovered vulnerabilities in StealC’s web-based control panel, including issues identified by CyberArk, IBM X-Force, and Proofpoint, some of which exposed details about affiliates and potentially allowed unauthorized access to other operators’ data before patches were released.

Microsoft said the Amadey and StealC ecosystems shared infrastructure and were connected to more than 140,000 infected computers worldwide during the first two weeks of May 2026. The company identified over 18,000 victim systems and severed criminal control over those devices. In total, Microsoft flagged 200 malicious command-and-control domains and IP addresses, all of which were shut down through court orders, domain seizures, new registrations, and notifications to hosting providers. ESET researchers said Amadey and StealC operated through self-hosted administration panels deployed by affiliates on their own infrastructure, with Amadey using a pay-per-rebuild model while StealC offered unlimited build generation as part of its subscription. Investigators identified 53 unique clusters within the Amadey ecosystem, with the largest botnet distributing malware families including Lumma Stealer, Vidar Stealer, PureCrypter, Agent Tesla, Rhadamanthys Stealer, RedLine Stealer, SmokeLoader, XWorm, and AsyncRAT. Operation Endgame, which ran between June 15 and June 19, 2026, involved judicial authorities and law enforcement agencies from Belgium, Canada, Denmark, France, Germany, the Netherlands, the United Kingdom, and the United States. Eurojust stated that the operation specifically targeted the initial-access malware used by cybercriminals to infiltrate systems and steal sensitive data, with the goal of disrupting the broader cybercrime-as-a-service ecosystem at its source.
