Microsoft-Led Operation Disrupts Amadey, StealC Malware Networks

Law enforcement officials from various agencies gather in a briefing room for a collaborative operation.

"By taking down these tools simultaneously, the collaboration between law enforcement and private parties has increased friction for cybercriminals, making it harder for attacks to succeed, spread, or recover," announced Europol.

Operation Endgame: multilateral action coordinated by Europol and Eurojust

Operation Endgame brought together law enforcement agencies from Canada, Denmark, Germany, the Netherlands, the United Kingdom, and the United States, with Europol and Eurojust coordinating the effort. Private-sector partners provided technical support and intelligence: Microsoft, ESET, Proofpoint, IBM X-Force, Bitsight, Infoblox, Orange Cyberdefense, Shadowserver, Have I Been Pwned, Spamhaus, and others. The stated focus of the operation was disrupting the infrastructure cybercriminals use to gain initial access, steal credentials, and ultimately deploy ransomware or conduct financial fraud.

Scale of the disruption: servers, domains, credentials, and cryptocurrency

Europol reported the coordinated action disrupted 326 servers and 142 domains tied to the targeted malware operations. Investigators identified more than €41 million (reported as $47 million) in cryptocurrency linked to criminal activity, and recovered approximately 27 million credentials stolen from over 385,000 compromised systems. Microsoft said its Digital Crimes Unit identified more than 200 malicious command-and-control domains and IP addresses associated with the Amadey and StealC families and worked to shut down that infrastructure through court orders, domain seizures, registrations, and provider notifications.

Amadey, StealC, and SocGholish: complementary malicious capabilities

The action targeted three distinct but complementary threats. According to the reporting, Amadey is a malware botnet used by both ransomware gangs and state-sponsored hacking groups to breach networks and gain an initial foothold on victim devices so that additional malware can be deployed. StealC is a credential- and wallet-stealing tool used to harvest credentials, cryptocurrency wallets, and other sensitive information that can be sold or leveraged in follow-on ransomware attacks. The coordinated action also targeted SocGholish (also known as FakeUpdates), a malware loader that infects visitors via compromised websites that serve fake browser update prompts.

Microsoft’s complaint tied Amadey and StealC to more than 140,000 infected devices during the first two weeks of May 2026 alone. The report also notes that StealC is commonly sold through malware-as-a-service operations and that credentials harvested through StealC are commonly resold on underground marketplaces and through initial-access brokers (IABs). The source material adds that StealC has been widely used in ClickFix-style attacks (for example, via fake instructional videos on TikTok) and in FileFix attacks.

Private-sector contributions and technical findings

Multiple security vendors contributed intelligence and analysis. ESET reported it helped identify and disrupt infrastructure for both malware families, affecting roughly 50 domains and nearly 200 active command-and-control servers. Proofpoint and IBM X-Force contributed intelligence and malware analysis; Bitsight assisted by mapping servers and related command-and-control infrastructure. Microsoft’s civil action and coordination with partners used legal and operational measures—court orders, domain seizures, registrations, and provider notifications—to take down infrastructure.

The disruption is described as the latest phase of Operation Endgame, which previously targeted other malware families including DanaBot, Bumblebee, Rhadamanthys, VenomRAT, Elysium, and SmokeLoader.

What this means for security teams, enterprises, and threat actors

  • Security teams and technologists: The seizures removed hundreds of servers and domains, but defenders should note the operational reality acknowledged in the reporting—that unless arrests are made, threat actors commonly rebuild infrastructure. The source also cites a detection-related metric from related material: security teams log 54% of successful attacks and alert on just 14%, illustrating how detection gaps let threats move unseen.
  • Affected enterprises and procurement leaders: Stolen credentials and harvested wallets remain a lucrative resale item on underground markets and through initial-access brokers, per Microsoft’s complaint. Organizations that rely on credential hygiene and monitoring will find the recovered dataset (27 million credentials from over 385k systems) and domain disruptions useful for containment, but the underlying trade in credentials persists.
  • Threat actors and crime services: The coordinated takedown increased operational friction by simultaneously removing builders, panels, and infrastructure used to sell and operate Amadey and StealC. Still, the reporting warns that disruption without arrests often permits rapid reconstruction of service chains and hosting.
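One concrete way a security team can turn a seized-domain list into containment work is to replay historical DNS query logs against it: hosts that resolved those domains before the takedown are candidates for isolation and credential reset. The script below is an added example, not code from the article, Microsoft, Europol, or any partner named above; the indicator domains and the log lines are constructed placeholders, since the actual seized-domain list is not reproduced on the page. It matches at label boundaries so that a subdomain of an indicator counts as a hit while a lookalike name that merely ends with the same characters does not.

```python
"""Replay DNS query logs against a seized-domain list to find hosts needing containment."""
from __future__ import annotations

from collections import defaultdict
from typing import Iterable, Iterator

# Constructed placeholder indicators (hypothetical names, not the real seized domains).
SEIZED_DOMAINS: set[str] = {
    "c2-placeholder-one.example",
    "panel-placeholder-two.example",
}

# Constructed DNS query log lines in "timestamp client_ip qname qtype" form (not real telemetry).
# The third client queried a lookalike name that must NOT match; the last line is malformed.
SAMPLE_DNS_LOG = """\
2026-05-03T08:12:41Z 10.20.1.15 c2-placeholder-one.example A
2026-05-03T08:12:44Z 10.20.1.15 update.c2-placeholder-one.example A
2026-05-03T08:13:02Z 10.20.1.22 www.legit-site.example A
2026-05-03T08:13:30Z 10.20.1.31 notc2-placeholder-one.example A
2026-05-03T08:14:10Z 10.20.1.22 panel-placeholder-two.example AAAA
malformed line
"""


def normalize(name: str) -> str:
    """Lower-case a DNS name and strip any trailing root dot so comparisons are stable."""
    return name.rstrip(".").lower()


def matching_indicator(qname: str, indicators: Iterable[str]) -> str | None:
    """Return the indicator that qname equals or is a subdomain of, else None.

    The "." prefix in the suffix test enforces a label boundary, so
    "notc2-placeholder-one.example" does not match "c2-placeholder-one.example".
    """
    q = normalize(qname)
    for ioc in indicators:
        ioc_n = normalize(ioc)
        if q == ioc_n or q.endswith("." + ioc_n):
            return ioc_n
    return None


def parse_dns_log(text: str) -> Iterator[tuple[str, str, str]]:
    """Yield (timestamp, client_ip, qname) from the constructed log format, skipping bad lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:  # timestamp, client, qname, qtype are all required
            continue
        yield parts[0], parts[1], parts[2]


def find_affected_hosts(log_text: str, indicators: Iterable[str]) -> dict[str, list[tuple[str, str, str]]]:
    """Map each client IP to the (timestamp, qname, indicator) hits it produced."""
    indicator_set = {normalize(i) for i in indicators}
    hits: dict[str, list[tuple[str, str, str]]] = defaultdict(list)
    for ts, client, qname in parse_dns_log(log_text):
        ioc = matching_indicator(qname, indicator_set)
        if ioc is not None:
            hits[client].append((ts, qname, ioc))
    return dict(hits)


if __name__ == "__main__":
    # Usage: feed real DNS logs in the same field order and the real seized-domain list.
    for client, events in sorted(find_affected_hosts(SAMPLE_DNS_LOG, SEIZED_DOMAINS).items()):
        print(f"{client}: {len(events)} hit(s)")
        for ts, qname, ioc in events:
            print(f"  {ts}  {qname}  (matches {ioc})")
```

Because seized domains typically resolve to sinkholes after a takedown, a hit in logs dated before the action is the useful signal; a post-takedown query mostly tells you the implant is still trying to beacon, which is itself a reason to isolate the host and rotate any credentials it held.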

The action removed substantial infrastructure, disrupted large credential theft operations, and recovered significant crypto proceeds—but it stopped short of an enforcement outcome that the reporting says is critical to preventing rebuilds. As Europol framed it, the move raises the cost of operations for cybercriminals; the unanswered practical question left by the action is whether subsequent investigations will produce arrests that prevent those costs from being shrugged off and the services from reappearing.

Original story: https://www.bleepingcomputer.com/news/security/amadey-stealc-malware-operations-disrupted-in-operation-endgame-action/