Operation Endgame disrupts Amadey and Stealc
ESET Research contributed to a global disruption operation targeting the Amadey botnet and Stealc infostealer, both malware-as-a-service offerings. The operation, coordinated by Microsoft Digital Crimes Unit, BitSight, Lumen, and MBSD, impacted approximately 50 domains and nearly 200 active IP-based command and control servers. ESET provided technical analyses, statistical information, C&C server lists, encryption keys, campaign identifiers, and affiliate-level insights gathered from three years of tracking. Both malware families operate through affiliate networks where operators deploy their own infrastructure, making disruption efforts particularly challenging. Amadey primarily functions as a modular loader distributing additional payloads, while Stealc focuses on credential theft from browsers, crypto wallets, and applications. The largest Amadey botnet cluster accounted for 34% of all samples and distributed an average of 14 payloads per victim, operating a pay-per-install model that monetized compromi...
AI Analysis
Technical Summary
This threat concerns a global law enforcement and security industry operation named Operation Endgame, which disrupted the infrastructure of two malware-as-a-service families: Amadey and Stealc. Amadey functions primarily as a modular loader distributing additional malicious payloads, while Stealc is an infostealer targeting credentials from browsers, crypto wallets, and applications. The operation, coordinated by Microsoft Digital Crimes Unit, BitSight, Lumen, MBSD, and supported by ESET Research, took down approximately 50 domains and nearly 200 IP-based command and control servers. The malware operates through affiliate networks where operators deploy their own infrastructure, making takedown efforts challenging. The largest Amadey cluster accounted for 34% of samples and distributed an average of 14 payloads per victim, monetizing infections via a pay-per-install model. The disruption was enabled by extensive intelligence, including encryption keys, campaign identifiers, and affiliate insights collected over three years. No CVE or patch applies, as this is a malware campaign disruption rather than a software vulnerability.
Potential Impact
The disruption of Amadey and Stealc botnets reduces the operational capacity of these malware-as-a-service platforms, limiting their ability to distribute payloads and steal credentials. This directly impacts cybercriminal operations relying on these services, potentially reducing infections and data theft. However, due to the affiliate-based infrastructure, complete eradication is challenging and residual threats may persist. There are no known exploits in the wild related to this disruption, and no direct impact on specific software versions.
Mitigation Recommendations
This is a law enforcement and industry-led disruption operation targeting malware infrastructure rather than a software vulnerability requiring patching. No direct patch or fix is applicable. Organizations should continue to apply standard endpoint protection and credential security best practices. Monitoring for indicators of compromise such as the listed IP addresses, domains, and hashes can help detect residual infections. The vendor advisory does not indicate any required action beyond awareness of the disruption.
Indicators of Compromise
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.welivesecurity.com/en/eset-research/eset-takes-part-operation-endgame-disrupt-amadey-stealc/
- Adversary: null
- Pulse Id: 6a3c278cadbc5a0ba0a18ce3
- Threat Score: null
Threat ID: 6a3d46404853345fc11c395a
Added to database: 06/25/2026, 15:16:16 UTC
Last enriched: 06/25/2026, 15:31:27 UTC
Last updated: 06/26/2026, 01:24:20 UTC