
Law Enforcement Disrupts Amadey Malware Network, Recovers 27M Stolen Credentials


27 million stolen login credentials have been recovered as part of a coordinated international law-enforcement and private-sector operation that dismantled core infrastructure used to distribute the Amadey loader and the StealC stealer, officials and participating vendors said.

Operation Endgame: who acted and when

The disruption took place between June 15 and 19, 2026, as part of Operation Endgame and involved judicial authorities and law enforcement from Belgium, Canada, Denmark, France, Germany, the Netherlands, the U.K., and the U.S., Eurojust said. The action was carried out in partnership with private firms including Bitdefender, Bitsight, ESET, and Microsoft. Europol described the aim as to “disrupt the 'assembly lines' cybercriminals use to launch ransomware, financial fraud, and attacks on critical infrastructure.”

Scale: servers, domains, credentials, and cryptocurrency

Authorities said the takedown dismantled 326 servers and 142 domains associated with the malware distribution network. Investigators recovered as many as 27 million stolen login credentials. Cryptocurrency assets of criminal origin valued at more than $47 million were identified, flagged, and restricted from use during the two-week operation.

Microsoft, infection counts, and technical takedowns

Microsoft reported that Amadey and StealC were linked to more than 140,000 infected computers globally in the first two weeks of May 2026. The company said it had identified over 18,000 victim computers and severed criminal control of those devices. Microsoft also flagged 200 malicious Amadey and StealC command-and-control domains and IP addresses; those addresses have since been shut down via a combination of court orders, domain seizures, registrations, and provider notifications.

How Amadey and StealC functioned in the malware-as-a-service ecosystem

Both Amadey and StealC are offered under a malware-as-a-service (MaaS) model that enables affiliates to deploy secondary payloads and harvest sensitive data. Amadey, a modular C++ backdoor active since October 2018 and advertised by a threat actor known as InCrease, was sold for $600 for a single license with an extra $50 charged per rebuild; its latest version at the time of the disruption was 5.87. Amadey’s supported commands include fingerprinting the machine, downloading files, executing commands via cmd.exe, taking screenshots, spawning a SOCKS proxy, opening a VNC or reverse proxy session, capturing clipboard contents and credentials, and enabling RDP. Mitsui Bussan Secure Directions reported that daily active Amadey C2 servers ranged roughly between 2 and 18 until around September 2022, rose to between 5 and 30 through late 2023, and then declined in 2024 after a brief dormant period. The number of malware samples distributed via Amadey scaled from 66 in 2019 to a peak of 11,635 in 2025; since the start of 2026, 1,837 payloads had been distributed through the loader.

StealC first surfaced in January 2023 and was marketed by an actor using the moniker “plymouth,” at $300 per month or $1,000 for six months. As of June 2026 its latest version was 2.2.1. The stealer harvested credentials, session cookies, autofill entries, credit card data, browsing history, extension data, screenshots, and application data from desktop programs such as Discord, FileZilla, Foxmail, Microsoft Outlook, Steam, and Telegram. It also could act as a secondary loader, downloading and executing EXE, MSI, or PowerShell payloads. The highest infection concentrations reported for StealC were in the U.S., Poland, and Italy.

Affiliate models, control-panel flaws, and abuse of distribution channels

ESET researchers Jakub Tomanek and Tomáš Procházka explained that affiliates receive a self-hosted administration panel that they must deploy on their own servers. “Amadey used a pay-per-rebuild model. Affiliates purchased a license and then paid an additional fee each time they needed to generate a new build,” they said. “StealC took a more affiliate-friendly approach, offering unlimited build generation as part of its subscription. This lowered the operational cost of rotating C&C infrastructure and made it easier for affiliates to generate new samples as needed.”

Earlier in 2026, CyberArk disclosed a cross-site scripting (XSS) vulnerability in StealC’s web-based control panel that exposed aspects of the MaaS operation, including one customer named YouTubeTA who used Google’s video platform to distribute the stealer by advertising cracked software. IBM X-Force and Proofpoint also found multiple flaws in the StealC C2 panel, including a directory traversal bug that allowed an attacker to upload a web shell. The issue was patched by StealC developers in February 2026, but security firms warned it was likely exploited by an affiliate to steal data from other affiliates before the fix.

Bitsight summarized the ecosystem succinctly: “Loaders and stealers are the two halves of the commodity malware pipeline. A loader gets the first foothold and rents it out; a stealer leverages that foothold to collect credentials, cookies, and wallets, to then be sold on underground forums (including Telegram).” Amadey has been distributed via compromised WordPress sites and phishing campaigns and has also been propagated through other loaders such as Emmenhtal and SmokeLoader; SocGholish and Amadey both operate as loaders for next-stage malware.

What this means for technologists, policymakers, and end users

  • Technologists and security teams: expect disrupted C2 infrastructure but continued churn — ESET’s description of self-hosted panels and StealC’s unlimited build model suggest affiliates can rapidly redeploy if left unchecked, so teams should continue tracking indicators and patching exposed control panels.
  • Policymakers and regulators: the operation demonstrates cross-border legal action and domain seizures can restrict criminal assets and infrastructure; Eurojust framed the approach as striking “at the heart of the entire 'cybercrime-as-a-service' ecosystem.”
  • End users and enterprises: the sheer volume of recovered credentials (27 million) and the breadth of application data targeted by StealC underline the need to assume compromise of reused credentials and browser-stored secrets and to prioritize remediation and credential rotation where infections were detected.
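As an added defender-side example (not code from the article or from any of the vendors it cites), the following Python script shows the workflow the first and third bullets describe: match published C2 domain and IP indicators against proxy logs to find infected hosts, then turn those hits into a credential-rotation list for the accounts that logged on to them. Every indicator, log line, network range and host-to-user mapping below is a constructed placeholder (`.invalid` domains and the 203.0.113.0/24 documentation range), and the function names are assumptions of this example, not anything from the article.

```python
"""Constructed example: correlate C2 indicators with proxy logs, then derive
a credential-rotation list for accounts seen on the infected hosts.
Indicators, log lines and host-user data are placeholders, not real IoCs."""
import ipaddress
import re
from collections import defaultdict

# Constructed indicator set (placeholders standing in for a vendor/LE feed).
C2_DOMAINS = {"c2-example-one.invalid", "loader-panel.invalid"}
C2_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]  # documentation range

# Constructed proxy log: timestamp, client host, requested URL, HTTP status.
PROXY_LOG = """\
2026-06-16T08:01:12Z ws-1041 http://cdn.example.org/updates 200
2026-06-16T08:02:45Z ws-1041 http://api.c2-example-one.invalid/gate.php 200
2026-06-16T08:03:01Z ws-2210 http://203.0.113.57:8080/index.php 404
2026-06-16T08:03:20Z ws-3305 http://mail.example.org/owa 200
2026-06-16T08:04:59Z ws-2210 https://LOADER-PANEL.INVALID/panel 200
malformed line without the expected fields
"""

# Constructed host -> accounts mapping, as a logon audit would provide it.
HOST_USERS = {
    "ws-1041": ["alice@example.org"],
    "ws-2210": ["bob@example.org", "svc-backup@example.org"],
    "ws-3305": ["carol@example.org"],
}

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d{3})$")
# scheme://[user@]host[:port]/... ; bracketed IPv6 literals are accepted too
HOST_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://(?:[^@/]*@)?(\[[^\]]+\]|[^:/]+)")


def extract_host(url):
    """Return the lowercased host part of a URL, or None if unparseable."""
    m = HOST_RE.match(url)
    return m.group(1).strip("[]").lower() if m else None


def matches_domain(host):
    """True if host equals, or is a subdomain of, a listed C2 domain.
    Walking label suffixes avoids substring false positives such as
    'notc2-example-one.invalid'."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in C2_DOMAINS for i in range(len(labels)))


def matches_ip(host):
    """True if host is an IP literal inside a listed C2 network."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(addr in net for net in C2_NETWORKS)


def find_c2_hits(log_text):
    """Scan proxy log lines; malformed lines are skipped, not fatal."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, client, url, _status = m.groups()
        host = extract_host(url)
        if host and (matches_domain(host) or matches_ip(host)):
            hits.append({"time": ts, "client": client, "indicator": host})
    return hits


def rotation_list(hits, host_users):
    """Map each infected host to the accounts that used it; those accounts
    (and any place their passwords were reused) need rotation."""
    infected = {h["client"] for h in hits}
    accounts = defaultdict(set)
    for host in sorted(infected):
        for user in host_users.get(host, []):
            accounts[user].add(host)
    return {user: sorted(hosts) for user, hosts in accounts.items()}


if __name__ == "__main__":
    found = find_c2_hits(PROXY_LOG)
    for h in found:
        print(f"{h['time']} {h['client']} -> C2 indicator {h['indicator']}")
    for user, hosts in rotation_list(found, HOST_USERS).items():
        print(f"rotate credentials: {user} (seen on {', '.join(hosts)})")
```

In practice the indicator set would be the domains and addresses published by the vendors or law-enforcement partners, and the host-to-account mapping would come from directory logon auditing; the point of the suffix walk in `matches_domain` is that a subdomain of a seized C2 domain still matches while a longer unrelated name does not, and the per-line parse failure is logged past rather than aborting the run.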

Europol framed the result as a disruption of criminal assembly lines; Bitdefender’s Alex Cosoi added that the takedown “sends a clear message to those behind malware ecosystems: no matter how sophisticated the tools or how distributed the network, coordinated international action will find them.” The operation removed large pieces of infrastructure and restricted illicit funds, but the published details about affiliate-friendly subscription models, self-hosted panels, and previously available control-panel flaws make clear the ecosystem that enabled these campaigns remains a resilient and technically adaptable one.

https://thehackernews.com/2026/06/amadey-and-stealc-malware-network.html