TechEchelon

Operation Endgame Disrupts Amadey and StealC Malware Networks, Seizing 326 Servers and 142 Domains

Microsoft, Europol, and international partners disrupted the Amadey and StealC malware operations under Operation Endgame, seizing 326 servers, 142 domains, and identifying over $47 million in linked cryptocurrency.

Sara Montes de Oca
JUN 24, 2026 · 11:01 AM ET · 2 MIN READ

Microsoft, Europol, and a coalition of international law enforcement agencies and private-sector partners have dismantled infrastructure supporting the Amadey and StealC malware operations, the latest phase of a sustained campaign against cybercriminal services known as Operation Endgame.

The action resulted in the disruption of 326 servers and 142 domains, according to Europol. Investigators also identified more than €41 million ($47 million) in cryptocurrency linked to criminal activity and recovered approximately 27 million credentials stolen from more than 385,000 compromised systems.

Microsoft's Digital Crimes Unit said it identified more than 200 malicious command-and-control domains and IP addresses associated with the two malware families and worked with partners to shut down infrastructure through court orders, domain seizures, registrations, and provider notifications, according to a civil complaint the company filed in the United States.

The company said the two malware families were linked to more than 140,000 infected devices during the first two weeks of May 2026 alone.

Amadey and StealC are sold through malware-as-a-service operations, where affiliates pay for access to builders, management panels, support, and infrastructure. Criminals use Amadey to establish an initial foothold on victim devices before deploying additional malware. StealC is designed to harvest credentials, cryptocurrency wallets, and other sensitive data, which are then sold on underground marketplaces or used to facilitate ransomware deployments.

Amadey has been employed by both ransomware gangs and state-sponsored hacking groups. StealC has more recently appeared in a range of ClickFix-style attacks, including schemes that use fake instructional videos on TikTok.

Security vendor ESET said it assisted the operation by identifying and disrupting infrastructure tied to both malware families, reporting that the action affected roughly 50 domains and nearly 200 active command-and-control servers. Proofpoint and IBM X-Force contributed intelligence and malware analysis. Bitsight said it helped investigators map servers and related infrastructure used by the threat actors.

The operation also targeted SocGholish, also known as FakeUpdates, a malware loader that infects visitors through compromised websites serving fake browser update prompts.

"By taking down these tools simultaneously, the collaboration between law enforcement and private parties has increased friction for cybercriminals, making it harder for attacks to succeed, spread, or recover," Europol announced.

Law enforcement participants included agencies from Canada, Denmark, Germany, the Netherlands, the United Kingdom, and the United States, with Europol and Eurojust coordinating the effort. Private-sector support came from Microsoft, ESET, Proofpoint, IBM X-Force, Bitsight, Infoblox, Orange Cyberdefense, Shadowserver, Have I Been Pwned, Spamhaus, and others.

This disruption follows earlier Operation Endgame phases that targeted other malware families, including DanaBot, Bumblebee, Rhadamanthys, VenomRAT, Elysium, and SmokeLoader.

Analysts note a persistent challenge with such operations: without arrests, threat actors typically rebuild infrastructure and resume activity. How quickly Amadey and StealC operators reconstitute their networks—and whether the coordinated takedown generates leads that produce criminal charges—will be a key indicator of the action's long-term impact.

━ ABOUT THE REPORTER
Sara Montes de Oca

Sara Montes de Oca is the Editor in Chief of TechEchelon. Previously a correspondent and producer in Washington, D.C., covering business, finance, and politics.
