Microsoft-led Operation Disrupts StealC Infostealer and Amadey Loader Infrastructure
Microsoft, Europol, law enforcement agencies, and multiple private-sector partners carried out a coordinated disruption of the StealC infostealer and Amadey loader ecosystems, using court orders and related legal actions to target both malware operations at once. The operation struck a broad criminal infrastructure spanning more than 200 command-and-control domains and IP addresses, with partner reporting citing 66 domains and 296 servers tied to the two services. Microsoft said the malware families were linked to more than 140,000 infected computers in a single week in May, while partner investigators reported the seizure of 25.6 million unique credentials stolen from more than 385,000 compromised systems.
Investigators said StealC, active since 2023 as a malware-as-a-service infostealer, was used to steal browser data, credentials, email and messaging data, VPN and cloud access, and cryptocurrency wallet information, while Amadey, active since 2018, functioned as a modular loader and backdoor that frequently delivered StealC and other payloads. Researchers also identified a vulnerability in the StealC command-and-control panel that helped support search-and-seizure actions, and they used configuration extraction and a custom emulator to map affiliate activity and delivery chains. The two malware families were described as part of a broader cybercrime ecosystem tied to credential theft, access brokering, and downstream attacks including ransomware, with observed links to payloads such as AsyncRAT, RedLine, Vidar, XMRig, and in one case LockBit Black.

How this story unfolded
20 events from the most recent confirmed update back to the earliest known activity.
Shadowserver issues StealC historical bot infection report
Shadowserver published a one-off StealC Historical Bot Infection Special Report based on Dutch NHTCU data, covering infections from 2025-07-04 to 2026-06-16. The report documented tens of millions of StealC theft events affecting victims across 231 countries or territories.
StealC developers patch C2 panel vulnerability
Hackread reported that the developers of StealC patched the directory traversal vulnerability in the malware’s command-and-control panel in February 2026. The flaw had been used during investigative and disruption activity tied to Operation Endgame.
Operation Endgame secures 18,000 computers and flags $47M in crypto
As part of the June 2026 disruption of the Amadey and StealC ecosystem, authorities said they identified and secured 18,000 compromised computers and flagged more than $47 million in cryptocurrency assets. This expanded the publicly disclosed impact of the operation beyond infrastructure takedowns and credential seizures.
Operation Endgame disrupts StealC and Amadey infrastructure
In June 2026, Microsoft, Europol, law enforcement, and industry partners carried out a coordinated disruption targeting the StealC and Amadey ecosystem. The action targeted more than 200 command-and-control servers, including 66 domains and 296 servers, using court orders, seizures, registrations, and provider notifications.
More than 140,000 systems linked to Amadey and StealC in early May
Microsoft said Amadey and StealC were associated with more than 140,000 infected computers worldwide in the first week of May alone, underscoring the scale of the malware ecosystem.
StealC infostealer begins operating
Sources described StealC as a malware-as-a-service infostealer active since 2023, with one reference specifying January 2023. It steals credentials and other sensitive data and is also used in broader malware delivery chains.
Amadey malware-as-a-service loader becomes active
Microsoft described Amadey as a malware-as-a-service loader that has been active since 2018 and is commonly used in cybercrime operations, including attacks on Ukraine.
ESET maps 53 Amadey and 73 StealC affiliate clusters
In its June 24, 2026 Operation Endgame write-up, ESET said it identified 53 Amadey clusters and 73 StealC clusters from three years of tracking. The disclosure highlighted that both malware-as-a-service ecosystems were fragmented, with affiliates operating their own command-and-control infrastructure rather than relying on centrally managed servers.
IBM and Proofpoint build StealC emulator to map payload delivery
IBM X-Force and Proofpoint said they built a StealC emulator to extract configurations, identify infrastructure, and collect secondary payloads from StealC infections. Their analysis showed StealC was used not only for credential theft but also to deliver malware including AsyncRAT, RedLine, Vidar, XTinyLoader, and in one case LockBit Black ransomware.
Microsoft publishes technical analysis and IOCs for StealC and Amadey
Microsoft released technical analysis, detection guidance, mitigations, and indicators of compromise for StealC and Amadey, including hashes and command-and-control URLs.
Europol links SocGholish malware to Evil Corp
In the June 24, 2026 reporting on Operation Endgame, Europol linked the SocGholish malware operation to the Russian cybercrime group Evil Corp. This added an attribution detail to the broader disruption of SocGholish, Amadey, and StealC infrastructure.
SocGholish credentials added to Have I Been Pwned
Europol said login credentials obtained through the earlier SocGholish disruption were added to the Have I Been Pwned breach-notification database. This represented a follow-on victim notification step within the broader Operation Endgame effort.
Operation Endgame remediates 14,971 SocGholish-infected websites
Europol said the June 2026 Operation Endgame action also heavily impacted SocGholish-linked infrastructure, including remediation of 14,971 infected websites. This expanded the publicly disclosed scope of the disruption beyond Amadey and StealC to include SocGholish malware distribution infrastructure.
Microsoft names five defendants in StealC-Amadey RICO suit
Microsoft said its civil racketeering case names five defendants allegedly involved in a single malware-as-a-service enterprise spanning the StealC and Amadey operations. The filing accompanied the broader June 2026 disruption effort targeting shared infrastructure used by both malware families.
Microsoft announces coordinated StealC and Amadey disruption
On June 24, 2026, Microsoft’s Digital Crimes Unit announced a coordinated disruption with Europol and industry partners targeting the domains and command-and-control infrastructure supporting StealC and Amadey. Microsoft said it identified more than 200 malicious domains and IP addresses and moved to shut them down.
Microsoft expands infected-device count to first two weeks of May
Microsoft said Amadey and StealC were linked to more than 140,000 infected devices worldwide during the first two weeks of May 2026. This broadened the previously disclosed time window for the scale of infections associated with the malware ecosystem.
Operation Endgame international initiative launches
Sources state that Operation Endgame was launched in 2024 as an international effort to dismantle criminal cyber services. This provides origin context for the later June 2026 actions against the Amadey and StealC ecosystems.
Authorities seize 25.6 million stolen credentials
As part of the June 2026 Operation Endgame action, authorities seized more than 25.6 million unique credentials stolen from over 385,000 compromised systems tied to the StealC ecosystem.
Researchers identify vulnerability in StealC C2 panel
Proofpoint and IBM X-Force said researchers found a vulnerability in the StealC command-and-control panel, which enabled law enforcement to support search-and-seizure actions against StealC servers.
Operation Endgame runs from June 15 to 19
Authorities said the coordinated Operation Endgame action targeting the Amadey and StealC malware ecosystems was carried out from June 15 to 19, 2026. The operation involved international law enforcement and private-sector partners as part of the broader disruption campaign.
Sources
StealC Historical Bot Infection Special Report | The Shadowserver Foundation (shadowserver.org)
One-two punch delivered in global operation disrupts cybercrime "assembly line" | Ars Technica (arstechnica.com)
Operation Endgame Disrupts StealC, Amadey and SocGholish Malware Networks (hackread.com)
Europol Disrupts StealC and Amadey Malware Infrastructure in Operation Endgame (securityaffairs.com)
Microsoft uses AI to link two malware operations in racketeering suit (theregister.com)
Infostealers StealC and Amadey Disrupted in Police Crackdown (bankinfosecurity.com)
Amadey's Rise and Fall: What Six and a Half Years of C2 Observation Reveal | Engineers' Blog | Mitsui Bussan Secure Directions, Inc. (mbsd.jp)
StealC You Later: Proofpoint and IBM X-Force Support Operation Endgame Disruptions | Proofpoint US (proofpoint.com)