Amadey, StealC malware operations disrupted in Operation Endgame action
Microsoft, Europol, and international partners disrupted the infrastructure used by the Amadey and StealC malware operations as part of Operation Endgame. These malware families are sold as malware-as-a-service and are used to gain initial access to victim devices, steal credentials, and facilitate ransomware and financial fraud. The operation resulted in the takedown of hundreds of servers and domains, recovery of stolen credentials, and seizure of cryptocurrency linked to criminal activity. Amadey is used by ransomware gangs and state-sponsored groups, while StealC steals credentials and cryptocurrency wallets. The disruption increases friction for cybercriminals but threat actors may rebuild infrastructure unless arrests are made. No specific software versions are affected as this is a malware campaign disruption rather than a software vulnerability.
AI Analysis
Technical Summary
Operation Endgame, coordinated by Microsoft, Europol, and international law enforcement and private partners, targeted the infrastructure supporting the Amadey and StealC malware operations. These malware families operate as malware-as-a-service, enabling affiliates to deploy malware for credential theft, ransomware deployment, and financial fraud. The operation disrupted 326 servers and 142 domains, seized over €41 million in cryptocurrency, and recovered approximately 27 million stolen credentials. Amadey is a botnet used by ransomware and state-sponsored groups, while StealC is used for credential and wallet theft, often leveraged in ransomware attacks. The coordinated takedown involved court orders, domain seizures, and provider notifications. Despite the disruption, threat actors may rebuild infrastructure if arrests are not made. This action is part of a broader campaign against cybercrime infrastructure.
Potential Impact
Taking down the infrastructure behind Amadey and StealC cuts affiliates off from the command-and-control servers, panels, and domains they rely on for initial access, credential theft, and ransomware deployment, and the seizure of cryptocurrency and stolen credentials removes part of the operation's proceeds and inventory. It does not clean infected hosts: machines that were already compromised remain compromised, only orphaned from their controllers, and the operators may rebuild their infrastructure unless arrests follow. The realistic effect is a short-term reduction in the scale and success of attacks that depend on these families, not their elimination.
Mitigation Recommendations
This disruption was achieved through coordinated law-enforcement and private-sector action (court orders, domain seizures, server takedowns, and hosting-provider notifications); there is no patch to apply because no software vulnerability is involved. Defensive work therefore falls on organizations: sweep DNS, proxy, and endpoint telemetry for indicators of compromise associated with Amadey and StealC published by security vendors and law enforcement, and treat any host still attempting to reach seized domains as an infection to contain and reimage rather than as noise. Because the operation recovered roughly 27 million stolen credentials, assume that credentials present on any affected host (browser-saved passwords, session cookies, cryptocurrency wallet data) are exposed: reset them, revoke active sessions and tokens, and require multi-factor authentication. Keep blocklists and detection content current as new infrastructure appears, since the operators may rebuild; the operation increases friction for attackers but does not eliminate the threat.
Technical Details
- Article Source: https://www.bleepingcomputer.com/news/security/amadey-stealc-malware-operations-disrupted-in-operation-endgame-action/ (fetched 2026-06-24T14:39:28Z, 905 words)
Threat ID: 6a3bec20eed863c81ef9a469
Added to database: 06/24/2026, 14:39:28 UTC
Last enriched: 06/24/2026, 14:39:53 UTC
Last updated: 06/24/2026, 16:10:02 UTC