
Operation Endgame Dismantles Amadey and StealC Networks
Law enforcement and private-sector partners have struck another major blow against the criminal infrastructure feeding ransomware and fraud attacks worldwide. The latest Operation Endgame phase targeted two widely deployed malware families, Amadey and StealC, seizing hundreds of servers, blocking domains, and recovering tens of millions of dollars in criminal cryptocurrency.
Europol coordinated the action alongside agencies from Canada, Denmark, Germany, the Netherlands, the United Kingdom, and the United States. Microsoft, ESET, Proofpoint, IBM X-Force, Bitsight, Infoblox, and several other private partners supported the effort.
A Campaign Built on Two Malware Families
Amadey and StealC are sold to cybercriminals through malware-as-a-service models. Affiliates pay for access to builders, control panels, and infrastructure, with no need to develop their own tools. Microsoft found that operators of both families relied on shared infrastructure, a discovery that shaped how the legal case was built.
Amadey functions as a loader. It gains a foothold on a victim's device and pulls down additional malware from there. Ransomware gangs have used it to breach corporate networks, and state-sponsored groups have deployed it in espionage campaigns. StealC is an infostealer. It harvests credentials, cryptocurrency wallets, browser cookies, and session tokens, then sends the data back to operators. Criminal buyers sell the stolen material on underground markets or pass it to initial access brokers, who resell network entry to ransomware groups.
Together, the two tools form the early stages of an attack chain that routinely ends in data extortion or ransomware deployment.
What Operation Endgame Disrupted
The June 24 action resulted in 326 servers and 142 domains seized, blocked, or sinkholed. Investigators recovered approximately 27 million credentials from over 385,000 compromised systems and identified more than €41 million (around $47 million) in cryptocurrency tied to criminal activity.
Microsoft's Digital Crimes Unit identified over 200 malicious command-and-control domains and IP addresses linked to the two malware families. It secured court orders for domain seizures and worked with providers to cut off infrastructure directly. AI-assisted analysis revealed that Amadey and StealC affiliates shared the same infrastructure. That finding allowed prosecutors to treat both operations as a single conspiracy and bring charges under RICO statutes.
ESET reported that the action hit approximately 50 domains and nearly 200 active command-and-control servers. Researchers mapped 53 distinct Amadey affiliate clusters and 73 separate StealC clusters. The numbers reflect how both malware families rely on decentralized infrastructure run by individual criminal customers, not a single shared backend.
Proofpoint and IBM X-Force also disclosed their role in the disruption. In early 2026, the two firms found a vulnerability in StealC's command-and-control panel. The flaw stemmed from improper filename handling, which created a directory traversal condition that could expose a webshell on StealC servers. Researchers developed an exploit, tested it, and used it during active disruption of live StealC infrastructure. The developers patched the vulnerability in February, though researchers noted that additional security issues remained in the panel code.
Part of a Sustained Campaign
Operation Endgame launched its first major phase in 2024 and has run continuously since. The June 24 Amadey and StealC action came six days after a separate phase targeting SocGholish, the fake-browser-update malware framework linked to the Russian cybercrime group Evil Corp. That operation cleaned malware from nearly 15,000 compromised WordPress sites and took 106 servers and domains offline.
Operation Endgame has now disrupted infrastructure tied to DanaBot, Bumblebee, Rhadamanthys, VenomRAT, Elysium, SmokeLoader, SocGholish, Amadey, and StealC. Each action has focused on the tools criminals use to gain initial access, the layer that sits upstream of ransomware deployment and large-scale data theft.
Europol described the approach plainly: by taking down multiple tools at once, the joint effort raises friction across the entire attack chain. It becomes harder for criminals to infect new systems, harvest credentials, and rebuild after disruptions.
The Limits of Infrastructure Takedowns
The scale of this action is significant. Amadey and StealC were linked to more than 140,000 infected devices in the first two weeks of May 2026 alone. But law enforcement has consistently noted the difficulty of keeping disrupted operations offline without arrests.
Both malware families are sold as services. The developers stay at a distance from the affiliate customers who run individual campaigns. When infrastructure falls without operator arrests, criminal groups often rebuild on new servers and resume operations within weeks. Prior Operation Endgame targets, including DanaBot and Bumblebee, returned after initial disruptions.
The June 24 announcement confirmed no arrests in the Amadey or StealC actions. That matters. Seizures raise costs and slow operators down. Arrests are what keep operations from returning.
What This Means for Businesses and Users
The 27 million recovered credentials represent real exposure. Credentials stolen by StealC move through underground markets and fuel account takeovers, fraud, and follow-on breaches. Anyone with online accounts could find their login details circulating in those markets.
Businesses face a sharper risk. Amadey opens doors inside corporate networks, and the access it creates has repeatedly ended up in the hands of ransomware operators. Employees who encounter fake browser update prompts, click phishing links, or download compromised software can hand attackers a route in.
Operation Endgame continues to build pressure on the malware-as-a-service ecosystem. The operators it targets have shown they can adapt, but every disruption forces a rebuild, and every rebuild costs time, money, and exposure. The question is not whether these operations will try to return. It is how much harder coordinated international action has made it.