Microsoft Disrupts Dual Cybercrime Tools in Novel Court Takedown

More than 140,000 infected computers around the globe in the first week of May alone — a single metric that underpinned an unusually broad legal and technical response against two linked pieces of criminal software, Microsoft said on Tuesday.

The dual takedown: Amadey and StealC disrupted together

In what Microsoft described as a novel maneuver, industry and law enforcement conducted a court-authorized disruption operation that targeted two widely used criminal tools at once: Amadey, a botnet and loader, and StealC, an infostealer. Microsoft said the companies and agencies “simultaneously went after Amadey, a botnet that can serve as a malware delivery system, and StealC, an infostealer,” because cybercriminals often use them in conjunction and they “rely on the same infrastructure.”

Partners applied the Racketeer Influenced and Corrupt Organizations (RICO) Act to disrupt more than 200 command-and-control servers tied to the operation, a legal route Microsoft and collaborators said helped treat the multiple components as parts of a single criminal conspiracy.

How Microsoft used AI and legal strategy

Microsoft said insights from its artificial intelligence product Copilot “allowed the legal team to treat both malware families as part of a single criminal conspiracy.” The company also framed the action as an extension of its regular practice: Microsoft “regularly leads court-authorized disruption operations,” but in this case industry and law enforcement partnerships combined with AI “to expand data collection and identify connections beyond what one company could normally do.”

Steven Masada, assistant general counsel for Microsoft’s Digital Crimes Unit, summarized the change in approach: “When multiple parts of an operation are disrupted together, attacks are harder to launch, scale, and recover from,” he said. “The result: fewer disrupted services, fewer opportunities for cybercriminals to profit, and more friction when they try to rebuild. It’s no longer enough to go after threats one by one. We need to interrupt how the attacks are put together.”

International operational partners: Europol, national police, and private defenders

Microsoft did not act alone. The company had been tracking Amadey alongside ESET, BitSight, Lumen and Mitsui Bussan Secure Directions. Separately, Europol had been investigating StealC with law enforcement partners including Germany’s Federal Criminal Police Office and the Dutch and Danish National Police, as well as IBM X-Force and Proofpoint. Those parallel efforts were folded together into the single court-authorized disruption.

The coordinated approach drew technical intelligence from multiple private security firms and law enforcement agencies in different countries, then used U.S. legal mechanisms to take down command-and-control infrastructure.

Modular malware-as-a-service: why Amadey and StealC are a natural pair

Microsoft’s reporting emphasized that the two tools fit into a modern cybercrime assembly line. “StealC is an infostealer that collects sensitive data from browsers, cryptocurrency wallets, messaging applications, email clients, and gaming platforms,” the company wrote. “It is a malware-as-a-service (MaaS) offering that threat actors use to generate customized payloads and manage stolen data through a centralized web panel.”

“Meanwhile, Amadey is a MaaS loader that threat actors use to deliver StealC and other malware,” Microsoft added. The company described such offerings as “Modular, pay-as-you-go models” that let operators take a single initial infection and “quickly escalate into multiple other threats.”

Microsoft also noted timelines and actor associations: StealC “has ranked among the top infostealers for years since its emergence in 2023 and sells in underground forums as a malware-as-a-service. It’s typically used by Russia-linked groups.” Amadey “dates back to 2018, and is also commonly employed by Russian groups, including in attacks on Ukraine.” Microsoft said the two tools’ interaction demonstrates the “assembly line-like structure of modern cybercrime,” and that even without direct coordination between actors, “their tools are designed to work together.”

What this means for technologists, policymakers, and affected enterprises

  • Technologists and security teams: Expect disruptions that target shared infrastructure rather than single binaries. The joint action against Amadey and StealC underscores the value of mapping cross-tool command-and-control relationships and coordinating telemetry across vendors and jurisdictions.
  • Policymakers and regulators: The use of the RICO Act to target more than 200 command-and-control servers sets a legal precedent for treating multiple malware families as a unified criminal enterprise, and shows how domestic legal tools can be applied to international technical infrastructure when multiple partners pool evidence.
  • Affected enterprises and procurement leaders: Microsoft’s account that Amadey and StealC were linked to more than 140,000 infected machines in a single week is a reminder that modular MaaS offerings can scale quickly; organizations will want to prioritize detection and remediation that accounts for chained delivery and data-exfiltration tools working in concert.
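The first bullet above recommends mapping command-and-control relationships across tools and pooling telemetry across vendors; the article's own point is that overlaps "beyond what one company could normally do" only appear once feeds are combined. The script below is an added illustration of that correlation step and is not code from Microsoft, the article, or any of the named partners. Every vendor name, family label, host and IP in it is a constructed placeholder (not a real indicator from this operation); it normalizes mixed-form indicators (URLs, host:port, bare hosts, IPs) to a host key, then reports infrastructure seen with both a loader family and a stealer family, and shows that a single vendor's slice of the same feed finds nothing.

```python
"""Correlate multi-vendor telemetry to find C2 infrastructure shared by two malware families.

Added example, not from the original article or any vendor. All vendors, family
labels, hosts and IPs below are constructed placeholders, not real indicators.
"""
from collections import defaultdict
from ipaddress import ip_address
from urllib.parse import urlsplit

# Constructed feed: (vendor, family, indicator). Indicators arrive in the mixed
# forms real feeds produce: full URLs, host:port, bare hosts, IPs, odd casing.
SAMPLE_TELEMETRY = [
    ("vendorA", "loader",  "http://c2-one.example/panel/gate.php"),
    ("vendorA", "loader",  "198.51.100.10:8080"),
    ("vendorA", "loader",  "loader-only.example:443"),
    ("vendorB", "stealer", "c2-one.example"),
    ("vendorB", "stealer", "https://198.51.100.10/api"),
    ("vendorB", "loader",  "C2-ONE.EXAMPLE."),      # mixed case, trailing dot
    ("vendorC", "stealer", "stealer-only.example"),
]


def normalize(indicator):
    """Reduce a URL, host:port, bare host or IP to one canonical host key."""
    s = indicator.strip()
    if "://" in s:
        host = urlsplit(s).hostname or ""
    elif s.count(":") == 1:            # a single colon means host:port (IPv4 or name)
        host = s.rsplit(":", 1)[0]
    else:
        host = s
    host = host.lower().rstrip(".")
    try:
        return str(ip_address(host))   # canonical text form for IPs
    except ValueError:
        return host


def index_by_host(records):
    """Group records by normalized host, collecting the families and vendors that saw it."""
    by_host = defaultdict(lambda: {"families": set(), "vendors": set()})
    for vendor, family, indicator in records:
        key = normalize(indicator)
        if not key:
            continue
        by_host[key]["families"].add(family)
        by_host[key]["vendors"].add(vendor)
    return by_host


def shared_infrastructure(records, family_a, family_b):
    """Hosts observed with BOTH families -> {host: {"families": [...], "vendors": [...]}}."""
    result = {}
    for host, info in index_by_host(records).items():
        if {family_a, family_b} <= info["families"]:
            result[host] = {
                "families": sorted(info["families"]),
                "vendors": sorted(info["vendors"]),
            }
    return dict(sorted(result.items()))


def single_vendor_view(records, vendor, family_a, family_b):
    """What one vendor alone would find: the same correlation over only its own records."""
    own = [r for r in records if r[0] == vendor]
    return shared_infrastructure(own, family_a, family_b)


if __name__ == "__main__":
    pooled = shared_infrastructure(SAMPLE_TELEMETRY, "loader", "stealer")
    print("pooled feeds, shared C2 hosts:", pooled)
    print("vendorA alone:", single_vendor_view(SAMPLE_TELEMETRY, "vendorA", "loader", "stealer"))
```

With the constructed feed, the pooled view links two hosts to both families, while vendorA alone (which only labels loader traffic) links none, which is the gap the article describes cross-vendor collaboration closing. On real data the host key would be joined with registration, hosting and certificate pivots before anyone treats an overlap as one operator's infrastructure; a shared host alone can also be a bulletproof-hosting reseller serving unrelated customers.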

The operation is notable not simply for its technical results — more than 200 command-and-control servers disrupted — but for its shift in method. By aligning private-sector telemetry, multinational law enforcement investigations, and AI-assisted legal analysis, partners sought to interrupt the way attacks are assembled rather than dismantling one component at a time. As Microsoft put it through its counsel: “It’s no longer enough to go after threats one by one. We need to interrupt how the attacks are put together.”

Original story at CyberScoop