Operation Endgame Dismantles StealC and Amadey Infrastructure
Microsoft and Europol seize 66 domains and 296 servers supporting StealC and Amadey malware, recovering 25.6 million stolen credentials in coordinated takedown.
Law enforcement and private industry struck a major blow against the infostealer ecosystem on June 24, seizing infrastructure that powered two of the most prolific credential-theft operations active today.
TL;DR
- What happened: Microsoft's Digital Crimes Unit and Europol dismantled StealC and Amadey command-and-control infrastructure
- Scale: 66 domains, 296 servers seized; 25.6 million unique credentials recovered from 385,000+ compromised systems
- Why it matters: Both malware families fed the ransomware supply chain by providing initial access to corporate networks
What Are StealC and Amadey?
Amadey has operated as a malware-as-a-service platform since at least 2018, functioning primarily as a delivery mechanism for downstream payloads including infostealers, remote access trojans, cryptominers, and ransomware. StealC, a more recent entrant, operates as a dedicated infostealer targeting browser credentials, cryptocurrency wallets, email clients, and FTP applications.
The two often work in tandem. Amadey handles initial infection and persistence while StealC executes the data theft. Both terminate execution on systems with Russian, Ukrainian, Belarusian, Kazakh, or Uzbek locale settings—a common indicator of Eastern European criminal operations.
The Takedown Operation
Microsoft's Digital Crimes Unit coordinated with Europol and multiple cybersecurity vendors to execute the disruption. The operation targeted the backbone of both malware families through court orders, domain seizures, and provider notifications.
According to telemetry collected in the first two weeks of May 2026, the infrastructure supported approximately 140,000 actively infected computers worldwide. The 25.6 million credentials recovered represent data exfiltrated from over 385,000 compromised systems—primarily unmanaged personal devices whose owners reused passwords across consumer and enterprise accounts.
This action builds on the earlier Operation Endgame takedown targeting SocGholish, demonstrating a sustained campaign against the malware-as-a-service ecosystem.
Technical Capabilities
StealC harvests data from a wide range of applications:
- Chrome, Firefox, Edge, and other Chromium-based browsers
- Cryptocurrency wallet extensions and desktop clients
- Outlook, Foxmail, and other email clients
- WinSCP and FTP applications
- Steam gaming platform data
The malware includes screenshot capture, secondary payload delivery, and self-deletion features to cover its tracks post-exfiltration.
Amadey provides the foundation:
- File download and execution
- Command execution through cmd.exe and PowerShell
- Plugin system for modular capability expansion
- Hidden administrator account creation
- Scheduled task persistence
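The scheduled-task persistence listed above is one of the few Amadey behaviours a defender can audit directly from a host. The following is an added example, not code from the article or from Microsoft or Europol: it parses the CSV that `schtasks /query /fo CSV /v` emits on Windows and flags tasks whose "Task To Run" command points into a directory an ordinary user can write to (AppData, Temp, ProgramData, Public, Downloads), which is where commodity loaders typically drop their payloads. The sample CSV is constructed for the demo and uses only a subset of the real columns; the repeated header line mimics a quirk of verbose `schtasks` output, which repeats the header for each task folder.

```python
"""Audit Windows scheduled tasks for commands running from user-writable paths.

Added example, not part of the original article. Input is the CSV produced by
`schtasks /query /fo CSV /v`; the sample below is constructed and carries only
a subset of the real columns ("TaskName", "Task To Run", "Run As User", ...).
"""
import csv
import io
import re

# Directories a non-admin user can write to. A task whose command lives under
# one of these deserves review; legitimate system tasks run from system32 etc.
USER_WRITABLE = re.compile(
    r"\\(appdata|temp|programdata|public|downloads)\\",
    re.IGNORECASE,
)

# Constructed sample of verbose schtasks CSV output (subset of columns).
# The second header line reproduces the per-folder header repeat seen in
# real `schtasks /query /fo CSV /v` output.
SAMPLE_CSV = r'''"HostName","TaskName","Status","Author","Task To Run","Run As User"
"WS01","\Microsoft\Windows\Defrag\ScheduledDefrag","Ready","Microsoft Corporation","%windir%\system32\defrag.exe -c -h -o -$","SYSTEM"
"WS01","\Updater","Ready","WS01\alice","C:\Users\alice\AppData\Local\Temp\updater.exe","alice"
"HostName","TaskName","Status","Author","Task To Run","Run As User"
"WS01","\Microsoft\Windows\Maintenance\WinSAT","Ready","Microsoft Corporation","%windir%\system32\winsat.exe","SYSTEM"
"WS01","\svc","Ready","WS01\alice","C:\ProgramData\svc\svc.exe /silent","SYSTEM"
'''


def parse_schtasks_csv(text):
    """Return one dict per task, keyed by the CSV header.

    Verbose schtasks output repeats the header line for every task folder;
    DictReader would turn those repeats into rows, so they are dropped here.
    """
    reader = csv.DictReader(io.StringIO(text))
    return [row for row in reader if row.get("TaskName") != "TaskName"]


def suspicious_tasks(rows):
    """Return tasks whose command path sits under a user-writable directory."""
    flagged = []
    for row in rows:
        command = row.get("Task To Run", "") or ""
        match = USER_WRITABLE.search(command)
        if match:
            flagged.append({
                "TaskName": row.get("TaskName", ""),
                "Task To Run": command,
                "Run As User": row.get("Run As User", ""),
                "reason": f"runs from user-writable directory '{match.group(1)}'",
            })
    return flagged


def main():
    # On a real host: schtasks /query /fo CSV /v > tasks.csv, then read that file.
    rows = parse_schtasks_csv(SAMPLE_CSV)
    for task in suspicious_tasks(rows):
        print(f'{task["TaskName"]}: "{task["Task To Run"]}" '
              f'as {task["Run As User"]} ({task["reason"]})')


if __name__ == "__main__":
    main()
```

On a live host, replace `SAMPLE_CSV` with the contents of `schtasks /query /fo CSV /v > tasks.csv`. The path rule is a triage heuristic rather than a verdict: a task running as SYSTEM from a path its own author can overwrite (the `\svc` row above) is the pattern worth escalating first.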
The Ransomware Connection
Stolen credentials rarely stay in the hands of the initial thief. The data flows through a well-established supply chain: packaged into logs, sold on dark web markets for $10-100 per set, validated by intermediaries, and ultimately monetized as enterprise access.
The time from initial theft to corporate breach can be as short as 48-72 hours, though some credentials remain dormant for months before activation. Organizations dealing with supply chain compromises and credential theft campaigns should audit for any accounts that may have been exposed through these networks.
Recommended Mitigations
- Audit exposed credentials - Check employee accounts against breach notification services
- Enforce MFA - Require multi-factor authentication on all corporate accounts
- Implement password managers - Reduce password reuse across personal and enterprise accounts
- Monitor for IOCs - Microsoft and participating vendors have published indicators of compromise
- Segment unmanaged devices - Restrict access from personal devices to sensitive systems
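The first mitigation, checking accounts against a breach notification service, can be done without ever transmitting the password itself. The following is an added example, not code from the article, Microsoft, or Have I Been Pwned: it implements the k-anonymity range lookup of the Pwned Passwords API (`https://api.pwnedpasswords.com/range/<first five hex digits of the SHA-1>`), sends only that 5-character prefix, and matches the remaining 35 characters locally against the returned list. The range response used in `main()` is constructed so the example runs offline; the hit count in it is invented for the demo and is not the real figure for that password. `fetch_range()` shows the live call.

```python
"""Check a password against Pwned Passwords using the k-anonymity range API.

Added example, not part of the original article. Only the first five hex
digits of the SHA-1 leave the machine; the suffix comparison happens locally.
"""
import hashlib
import urllib.request

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_upper_hex(password):
    """Upper-case hex SHA-1 of the password, as the Pwned Passwords API expects."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(hex_digest):
    """Split into (prefix, suffix): the 5-char prefix is sent, the suffix stays local."""
    return hex_digest[:5], hex_digest[5:]


def parse_range_response(text):
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; blank lines are skipped."""
    counts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def fetch_range(prefix):
    """Live lookup over the network; returns the raw response body for a prefix.

    Add-Padding asks the service to pad the response with zero-count entries so
    response size does not leak which range was queried; zero counts never
    produce a false hit because exposure_count() treats 0 as not found.
    """
    req = urllib.request.Request(
        PWNED_RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "credential-audit-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def exposure_count(password, range_lookup=fetch_range):
    """Number of times the password appears in the corpus (0 when absent)."""
    prefix, suffix = split_hash(sha1_upper_hex(password))
    counts = parse_range_response(range_lookup(prefix))
    return counts.get(suffix, 0)


# Constructed offline stand-in for the range response of prefix 5BAA6
# (SHA-1("password") = 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8). The suffixes
# and the hit counts are made up for this demo.
SAMPLE_RANGE_5BAA6 = """\
1E2FF2E0B3C8DC0E3C1D4B8FE2A5E7F9B0C:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234567
1E7D1A3D4B5C6D7E8F9A0B1C2D3E4F5A6B7:0
"""


def sample_lookup(prefix):
    """Offline replacement for fetch_range() used by main() and the tests."""
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""


def main():
    # Swap sample_lookup for the default fetch_range to query the live service.
    for pw in ("password", "correct horse battery staple"):
        hits = exposure_count(pw, sample_lookup)
        verdict = f"seen {hits} times, rotate it" if hits else "not in sample corpus"
        print(f"{pw!r}: {verdict}")


if __name__ == "__main__":
    main()
```

Use `exposure_count(pw)` with the default lookup for a real check; it is suited to screening a password at reset time or to auditing a list of hashes already held in a password-policy pipeline. Because the comparison is on the local suffix, a compromised or logging proxy between the client and the service learns only that some password hashing to one of roughly 2^20 prefixes was checked.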
Why This Matters
The infostealer-to-ransomware pipeline remains one of the most reliable revenue streams for cybercriminals. Every credential stolen from a personal laptop becomes a potential entry point for a corporate breach. This takedown disrupts that supply chain, but the underlying economic incentives remain unchanged.
Organizations looking to strengthen their defenses against credential-based attacks should review our online safety tips for practical guidance on reducing exposure.
Frequently Asked Questions
Were my credentials part of the seizure? Microsoft has not announced whether affected users will be notified. Monitor breach notification services like Have I Been Pwned for updates.
Does this mean StealC and Amadey are gone? Takedowns disrupt but rarely eliminate malware operations. Operators typically rebuild infrastructure within weeks to months. The goal is to impose costs and slow operations, not achieve permanent elimination.