Microsoft’s StealC and Amadey Takedown Hits the Credential-Theft Supply Chain

Microsoft, Europol, and security partners disrupted infrastructure used by StealC and Amadey, two malware-as-a-service tools tied to credential theft, ransomware access, and financial fraud. The operation matters because it targeted the supply chain behind intrusions, not just one malware family.
[Image: laptop with a padlock graphic representing credential theft and enterprise data risk. Credit: Blogtrepreneur, CC BY 2.0, via Wikimedia Commons.]

Microsoft, Europol, and a group of law-enforcement and cybersecurity partners have disrupted infrastructure used by StealC and Amadey, two malware-as-a-service tools that sit close to the front of many credential-theft and ransomware pipelines.

The June 24 action, part of Operation Endgame, took aim at a practical cybercrime pairing: Amadey gets attackers onto devices and can deliver follow-on payloads, while StealC harvests passwords, session cookies, browser data, cryptocurrency wallets, and other sensitive information. Europol-linked reporting put the disruption at 326 servers and 142 domains, with more than 27 million stolen credentials recovered from over 385,000 compromised systems and more than 41 million euros in criminal cryptocurrency assets identified.

Microsoft’s Digital Crimes Unit framed the case as a shift from chasing separate malware families to attacking the shared supply chain that lets criminal crews rent tools, steal access, and pass that access to fraud operators, ransomware groups, and brokers. In the first two weeks of May alone, Microsoft linked Amadey and StealC to more than 140,000 infected computers worldwide.

Why StealC and Amadey are useful together

StealC is an infostealer sold as a service. Operators use it to collect credentials, cookies, autofill data, cryptocurrency-wallet material, browser-extension data, email-client information, and files chosen by the affiliate running the campaign. Microsoft notes that these logs can include corporate VPN credentials, single sign-on tokens, cloud accounts, and session cookies, which can let attackers look like legitimate users instead of noisy intruders.

Amadey plays a different role. It is a modular loader and botnet that can establish a foothold, deliver other malware, and add modules for data exfiltration or remote access. ESET, which contributed technical analysis to the disruption, described Amadey as a loader whose affiliates could use clipboard monitoring, credential theft, and VNC-based remote access modules. In campaigns where Amadey drops StealC, the workflow becomes straightforward: compromise the device, steal usable access, then sell or reuse the results.

That division of labor is why the takedown is more important than a one-family malware story. A stolen password is not always the end product. It can become an initial-access listing, a session-cookie bypass against multifactor authentication, a ransomware foothold, a cloud-account takeover, or a fraud path into payment and identity systems.

Microsoft says its investigators used AI-assisted malware analysis, including Copilot, to link infrastructure across StealC and Amadey. The security blog describes tooling that analyzed disassembled malware code, extracted configuration values, decrypted strings, and confirmed command-and-control activity. The related Microsoft legal post says those findings helped the company treat the two families as part of one connected operation rather than two isolated targets.

That mattered legally as well as technically. Microsoft says it used the Racketeer Influenced and Corrupt Organizations Act, the U.S. law commonly known as RICO, to charge multiple alleged enablers across the operation. The company says its Digital Crimes Unit identified more than 200 malicious command-and-control domains and IP addresses and moved against them through court orders, domain seizures, registrations, and provider notifications.

The claim is not that AI alone took down a malware network. The notable change is that AI sped up the work of mapping a shared criminal infrastructure, while courts, registrars, hosting providers, Europol, national police agencies, and private security firms supplied the authorities and operational reach needed to disrupt it.

What was disrupted

The operation covered more than StealC and Amadey. Operation Endgame also targeted SocGholish, also known as FakeUpdates, a malware framework that has long relied on compromised websites and fake browser-update prompts. BleepingComputer reported that the broader effort involved agencies from Canada, Denmark, Germany, the Netherlands, the United Kingdom, and the United States, with Europol and Eurojust coordinating and private-sector support from Microsoft, ESET, Proofpoint, IBM X-Force, Bitsight, Infoblox, Orange Cyberdefense, Shadowserver, Have I Been Pwned, Spamhaus, and others.

Bitsight’s research team described its role as mapping command-and-control infrastructure, extracting malware configurations, emulating malware against live C2 servers, sinkholing domains, and using infection telemetry to understand how the families were operating. ESET contributed known C2 servers, encryption keys, campaign identifiers, build identifiers, affiliate-level insights, and other technical details gathered from long-term tracking.

That breadth matters because malware-as-a-service crews rarely operate like one static company with one server and one customer list. Affiliates run campaigns, rotate infrastructure, rebuild panels, and buy or rent new tooling when old paths are burned. A useful disruption therefore has to create friction across infrastructure, intelligence, legal pressure, victim notification, credential remediation, and follow-up tracking.

What defenders should do now

A takedown reduces active criminal control over parts of the infrastructure, but it does not automatically make every stolen credential safe again. Security teams should treat the operation as a prompt to review credential exposure, not as a reason to relax.

  • Reset passwords and revoke sessions for accounts tied to exposed devices, suspicious sign-ins, or known infostealer infections.
  • Review identity logs for impossible travel, unusual device fingerprints, new OAuth grants, unfamiliar user agents, and successful logins from residential proxy ranges.
  • Rotate high-value secrets that may have touched unmanaged endpoints, including VPN credentials, cloud access keys, developer tokens, browser-stored passwords, and service-account material.
  • Harden conditional access so session-cookie theft is harder to convert into persistent enterprise access.
  • Audit employee guidance around fake software downloads, cracked tools, browser-update prompts, ClickFix-style paste-and-run instructions, and game-cheat installers.
  • Check endpoint telemetry for loader activity, suspicious script execution, unexpected remote-access tools, unusual browser-data access, and cleanup behavior that may follow an infostealer run.
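
The identity-log review in the list above can be approximated with a small triage script. The following is an added example, not code from Microsoft, Europol or any partner in the operation; the sign-in events and the 900 km/h travel ceiling are constructed assumptions, and the script flags a successful login that implies impossible travel or arrives from a user agent never seen for that account, which is what a replayed session cookie or a stolen password used from an attacker's host tends to look like.

```python
"""Flag sign-ins consistent with infostealer-driven account abuse:
impossible travel between successive logins, or a user agent never seen
before for that account. Events below are constructed, not real telemetry."""
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sample events: (user, UTC time, lat, lon, user agent, success)
EVENTS = [
    ("alice", "2025-06-24T08:00:00", 47.61, -122.33, "Edge/125 Windows", True),
    ("alice", "2025-06-24T08:40:00", 52.52, 13.40, "Chrome/124 Linux", True),
    ("bob", "2025-06-24T09:00:00", 40.71, -74.01, "Edge/125 Windows", True),
    ("bob", "2025-06-24T17:00:00", 40.71, -74.01, "Edge/125 Windows", True),
    ("bob", "2025-06-24T17:05:00", 52.52, 13.40, "curl/8.0", False),  # failed
]
MAX_KMH = 900.0  # assumption: fastest plausible travel (commercial flight)


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    r_lat1, r_lat2 = radians(lat1), radians(lat2)
    dlat = r_lat2 - r_lat1
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(r_lat1) * cos(r_lat2) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def flag_sessions(events, max_kmh=MAX_KMH):
    """Return (user, time, reason) for suspicious successful sign-ins.

    Failed logins are skipped: they may be noise, and a stolen session
    cookie does not produce a failure at all. Events are processed in
    time order so each login is compared with the previous success."""
    flags = []
    last = {}  # user -> (datetime, lat, lon, set of user agents seen)
    for user, ts, lat, lon, ua, ok in sorted(events, key=lambda e: e[1]):
        if not ok:
            continue
        t = datetime.fromisoformat(ts)
        if user in last:
            prev_t, plat, plon, agents = last[user]
            hours = (t - prev_t).total_seconds() / 3600
            km = haversine_km(plat, plon, lat, lon)
            # km > speed * hours also catches two locations at the same instant
            if km > max_kmh * hours:
                flags.append((user, ts, "impossible travel"))
            if ua not in agents:
                flags.append((user, ts, "new user agent"))
            agents.add(ua)
            last[user] = (t, lat, lon, agents)
        else:
            last[user] = (t, lat, lon, {ua})
    return flags
```

In the sample data only alice's second login is flagged, on both counts; in practice the hits should feed a password reset and session revocation for that account, which is the first item in the list above.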

The personal-device angle deserves particular attention. Microsoft warned that infostealer infections can begin on unmanaged home PCs and later become enterprise incidents when corporate credentials, VPN access, SSO tokens, or cookies are reused from that device. That is one reason credential theft can bypass the neat boundary between consumer security and corporate security.

Why the disruption may not be permanent

Operation Endgame has repeatedly shown that coordinated takedowns can remove real capacity from cybercrime ecosystems. It has also shown the limits of one-time disruption. Where arrests, asset seizures, sinkholing, and victim notification line up, criminals lose more than servers. Where infrastructure is merely blocked, affiliates may rebuild on new hosts, buy new malware, or move to other loaders and stealers.

That does not make the StealC and Amadey action symbolic. It means its value should be measured in time, cost, intelligence, and friction. Every seized server, blocked domain, recovered credential set, and shared indicator can reduce the number of attacks that become successful intrusions. For defenders, the urgent lesson is simpler: infostealer logs are now part of the enterprise attack surface, and they need to be handled with the same seriousness as a perimeter exploit or a stolen admin password.

Sources: Microsoft Security, Microsoft On the Issues, Europol, Bitsight, ESET, and BleepingComputer.
