"What’s new is how we’re combining AI analysis with an expanded use of that law," said Steven Masada, assistant general counsel for Microsoft’s Digital Crimes Unit.
Microsoft’s RICO strategy: treating two malware families as one conspiracy
Microsoft used the Racketeer Influenced and Corrupt Organizations Act (RICO) in an atypical way, folding two separate malware operations—Amadey and StealC—into a single civil racketeering case because the two malware families relied on the same infrastructure. Court documents quoted by Microsoft state: “Defendants comprise a group of cybercriminals operating a Malware as a Service enterprise that leverages malicious software commonly known as the Amadey Malware Suite and StealC Malware Suite (the ‘MaaS Enterprise’).” The filings add: “Through the MaaS Enterprise, Defendants and their accomplices have victimized hundreds of thousands of innocent computer users, including many users of Microsoft's software and services.”
AI analysis accelerated linkage and legal action
Microsoft said its investigators used Copilot and other AI tools to speed analysis of both the malware samples and the network infrastructure. The company described asking the tools “questions in plain English instead of manually combing through complex code,” which “helped surface key details, uncover hidden data, and test findings in a fraction of the time, turning what would have taken hours or days into minutes and enabling the team to spot connections faster.” That rapid analysis yielded the crucial detail that both Amadey and StealC used the same command-and-control infrastructure—an element central to treating them as a single conspiracy under RICO and bringing civil claims against five defendants.
How Amadey and StealC operated and were interdependent
Microsoft’s account lays out distinct roles for the two toolsets. StealC is a credential stealer that “collects multiple browser credentials and cookies, cryptocurrency wallets, chats from messaging apps, and other sensitive data, and exfiltrates the stolen goods to a C2 server.” It also functions as a secondary loader, enabling criminals who rent StealC to download additional malware onto compromised devices. Amadey, by contrast, is described as a malware-as-a-service used to deliver StealC and other stealers, as well as remote access trojans, cryptominers, and ransomware. Microsoft reported that in the first two weeks of May, Amadey and StealC were linked to more than 140,000 infected computers globally.
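As an added illustration of the infrastructure-linkage step the article describes (this is not Microsoft's or any partner's code), the following pivots constructed sample telemetry on shared C2 endpoints and groups together families that touch the same infrastructure; apart from the family names, every endpoint and sample label below is a constructed placeholder.

```python
"""Link malware families by shared C2 infrastructure (added example, not Microsoft's
tooling). Samples are constructed with reserved example addresses/domains, not real IoCs.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sample telemetry: (family, sample label, C2 endpoints observed).
SAMPLES: List[Tuple[str, str, List[str]]] = [
    ("Amadey", "amadey-sample-1", ["198.51.100.10:80", "panel.example.net"]),
    ("Amadey", "amadey-sample-2", ["198.51.100.10:80"]),
    ("StealC", "stealc-sample-1", ["panel.example.net", "203.0.113.7:443"]),
    ("OtherLoader", "other-sample-1", ["192.0.2.44:8080"]),
]


def index_infrastructure(samples) -> Dict[str, Set[str]]:
    """Map each C2 endpoint to the set of families observed using it."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for family, _label, endpoints in samples:
        for endpoint in endpoints:
            seen[endpoint].add(family)
    return dict(seen)


def shared_infrastructure(samples) -> Dict[str, Set[str]]:
    """Endpoints used by more than one family: the linkage evidence."""
    return {ep: fams for ep, fams in index_infrastructure(samples).items()
            if len(fams) > 1}


def cluster_families(samples) -> List[Set[str]]:
    """Group families into connected components over shared endpoints (union-find)."""
    parent: Dict[str, str] = {}

    def find(x: str) -> str:
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for fams in index_infrastructure(samples).values():
        ordered = sorted(fams)
        for other in ordered[1:]:
            parent[find(other)] = find(ordered[0])
    groups: Dict[str, Set[str]] = defaultdict(set)
    for family, _label, _endpoints in samples:
        groups[find(family)].add(family)
    return sorted(groups.values(), key=sorted)
```

On the constructed data, `panel.example.net` is the only endpoint seen from both Amadey and StealC samples, so those two families fall into one cluster while the unrelated loader stays separate.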
Disruption outcomes and allied partners
The combined action led to the takedown, suspension, and blocking of more than 200 domains and command-and-control servers that constituted the backbone of the StealC and Amadey infrastructure. Multiple security firms and international law enforcement partners participated in dismantling the alleged operations. Microsoft named ESET, BitSight, Mitsui Bussan Secure Directions (MBSD), IBM X-Force, and Proofpoint as contributors to the effort. Combined with an earlier Europol-led disruption of SocGholish announced the prior week, the coalition flagged and restricted cryptocurrency assets valued at more than $47 million and recovered about 27 million stolen credentials.
What this means for technologists, policymakers, and affected users
- Technologists and security teams: Expect to see defenders use AI tools to speed triage and infrastructure linkage—Microsoft credits Copilot and other AI for turning hours or days of work into minutes and surfacing the shared infrastructure that enabled a RICO claim.
- Policymakers and regulators: The use of RICO to treat multiple malware families as a single enterprise—based on shared infrastructure—shows one pathway for civil legal disruption beyond targeting single tools or servers.
- Affected enterprises and consumers: The operation led to blocking of over 200 domains and servers and the recovery of millions of credentials, but Microsoft’s filings assert the MaaS Enterprise had already victimized “hundreds of thousands” of users, highlighting the scale of exposure before disruption.
Microsoft’s effort represents a novel fusion of legal theory and machine-assisted technical analysis: AI-enabled linkage of infrastructure, then statutory leverage through RICO to pursue civil claims against five defendants. The operation produced measurable takedowns and asset restrictions, and it exposed how a malware-as-a-service ecosystem can multiply harm by combining loaders and stealers. The central open question the facts leave on the table is whether treating separate malware families as a single RICO enterprise—on the basis of shared infrastructure—will hold up as a model in subsequent legal proceedings.
Source: The Register — Microsoft uses AI to link two malware operations in racketeering suit