Microsoft and Allies Smash Shared Infrastructure of Amadey and StealC Malware
Microsoft, law enforcement, and cybersecurity partners disrupted the shared command-and-control infrastructure used by the Amadey malware loader and the StealC infostealer. The operation, part of Operation Endgame, targeted hundreds of domains and servers, seizing over 25 million stolen credentials and identifying thousands of compromised systems. A vulnerability in the StealC C&C panel was exploited during the takedown to upload a web shell, aiding the disruption. This coordinated effort aimed to dismantle the cybercrime supply chain enabling large-scale attacks and data theft.
AI Analysis
Technical Summary
Amadey is a malware-as-a-service loader active since 2018 that facilitates system access for threat actors to deploy secondary payloads. StealC, active since 2023, is an infostealer used to harvest credentials, cryptocurrency wallets, cookies, and other sensitive data. Both malware families share the same command-and-control infrastructure, which was targeted and disrupted by a coalition including Microsoft, Europol, and cybersecurity firms. The takedown leveraged AI analysis, legal actions, and exploitation of a vulnerability in the StealC C&C panel to upload a web shell, enabling control over the infrastructure. The operation resulted in the seizure of millions of stolen credentials, identification and securing of thousands of compromised computers, and flagging of crypto assets worth over $47 million. This marks a strategic shift from targeting individual threats to dismantling the entire cybercrime assembly line.
Potential Impact
The disruption of the shared infrastructure significantly impedes the operation of Amadey and StealC malware campaigns, reducing the ability of cybercriminals to gain access to systems and steal sensitive information. The seizure of over 25 million credentials and identification of 18,000 compromised systems limits ongoing and future attacks. The vulnerability in the StealC C&C panel, while exploited for takedown, was also used maliciously by affiliates to steal data from each other, indicating potential insider threats within the malware ecosystem. The operation also restricts the use of crypto assets valued at over $47 million linked to these campaigns.
Mitigation Recommendations
This threat has been actively mitigated through a coordinated takedown operation involving law enforcement and cybersecurity companies. The shared command-and-control infrastructure used by Amadey and StealC has been disrupted, and compromised systems have been identified and secured. No additional immediate action is required from defenders specifically for this infrastructure disruption. Organizations should continue to apply standard security practices to prevent infection by these malware families and monitor for any resurgence or new variants.
Microsoft and Allies Smash Shared Infrastructure of Amadey and StealC Malware
Description
Microsoft, law enforcement, and cybersecurity partners disrupted the shared command-and-control infrastructure used by the Amadey malware loader and the StealC infostealer. The operation, part of Operation Endgame, targeted hundreds of domains and servers, seizing over 25 million stolen credentials and identifying thousands of compromised systems. A vulnerability in the StealC C&C panel was exploited during the takedown to upload a web shell, aiding the disruption. This coordinated effort aimed to dismantle the cybercrime supply chain enabling large-scale attacks and data theft.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Amadey is a malware-as-a-service loader active since 2018 that facilitates system access for threat actors to deploy secondary payloads. StealC, active since 2023, is an infostealer used to harvest credentials, cryptocurrency wallets, cookies, and other sensitive data. Both malware families share the same command-and-control infrastructure, which was targeted and disrupted by a coalition including Microsoft, Europol, and cybersecurity firms. The takedown leveraged AI analysis, legal actions, and exploitation of a vulnerability in the StealC C&C panel to upload a web shell, enabling control over the infrastructure. The operation resulted in the seizure of millions of stolen credentials, identification and securing of thousands of compromised computers, and flagging of crypto assets worth over $47 million. This marks a strategic shift from targeting individual threats to dismantling the entire cybercrime assembly line.
Potential Impact
The disruption of the shared infrastructure significantly impedes the operation of Amadey and StealC malware campaigns, reducing the ability of cybercriminals to gain access to systems and steal sensitive information. The seizure of over 25 million credentials and identification of 18,000 compromised systems limits ongoing and future attacks. The vulnerability in the StealC C&C panel, while exploited for takedown, was also used maliciously by affiliates to steal data from each other, indicating potential insider threats within the malware ecosystem. The operation also restricts the use of crypto assets valued at over $47 million linked to these campaigns.
Mitigation Recommendations
This threat has been actively mitigated through a coordinated takedown operation involving law enforcement and cybersecurity companies. The shared command-and-control infrastructure used by Amadey and StealC has been disrupted, and compromised systems have been identified and secured. No additional immediate action is required from defenders specifically for this infrastructure disruption. Organizations should continue to apply standard security practices to prevent infection by these malware families and monitor for any resurgence or new variants.
Technical Details
- Article Source
- {"url":"https://www.securityweek.com/microsoft-and-allies-smash-shared-infrastructure-of-amadey-and-stealc-malware/","fetched":true,"fetchedAt":"2026-06-24T15:09:16.583Z","wordCount":1107}
Threat ID: 6a3bf31ceed863c81e02d1d9
Added to database: 06/24/2026, 15:09:16 UTC
Last enriched: 06/24/2026, 15:09:23 UTC
Last updated: 06/24/2026, 16:05:45 UTC
Views: 8
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.