Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1794+ Articles
149+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. News
  3. Amadey and StealC Malware Operations Disrupted in Operation Endgame Action
Amadey and StealC Malware Operations Disrupted in Operation Endgame Action
NEWS

Amadey and StealC Malware Operations Disrupted in Operation Endgame Action

Microsoft, Europol, and international law enforcement partners have dismantled infrastructure supporting the Amadey malware loader and StealC infostealer...

Dylan H.

News Desk

June 24, 2026
6 min read

Microsoft, Europol, and a coalition of international law enforcement partners have disrupted the operational infrastructure behind the Amadey malware loader and StealC infostealer as part of the latest action under Operation Endgame — the long-running coordinated initiative targeting cybercriminal services that enable ransomware and data theft operations.

The takedown follows Operation Endgame's inaugural action in May 2024, which seized servers and arrested individuals linked to several major malware dropper operations. This latest wave represents a continued strategic focus on dismantling the infrastructure layer — loaders, stealers, and bulletproof hosting — that enables ransomware affiliates to operate.

What Is Amadey?

Amadey is a widely-deployed malware loader that functions as an initial-access and payload-delivery vehicle for cybercriminals. First observed in 2018, Amadey operates as a Malware-as-a-Service (MaaS) platform, rented to affiliates who use it to:

  • Deploy second-stage malware on compromised systems
  • Establish botnet command-and-control (C2) infrastructure
  • Deliver ransomware, infostealers, and remote access trojans
  • Perform reconnaissance on infected hosts

Amadey has been consistently observed in the attack chains of multiple ransomware groups, serving as the first foothold before operators pivot to more destructive payloads. Its persistence in the threat landscape since 2018 — through multiple law enforcement actions and takedowns of related operations — underscores its value to the cybercriminal ecosystem.

Amadey Capabilities

CapabilityDescription
Payload deliveryDownloads and executes secondary malware from C2
PersistenceRegistry-based persistence on Windows systems
ReconnaissanceSystem fingerprinting, AV product enumeration
Credential harvestingBrowser credential extraction
Plugin systemModular architecture for extended functionality
Anti-analysisSandbox detection and evasion

What Is StealC?

StealC is a modern infostealer marketed on cybercrime forums since 2023. Built in C++ and sold as a subscription MaaS product, StealC targets:

  • Browser credentials and session cookies (Chrome, Firefox, Edge, and others)
  • Cryptocurrency wallet files and seeds
  • VPN client credentials
  • FTP client credentials
  • Messenger application data (Telegram, Discord)
  • System information and screenshots

StealC gained rapid adoption following the decline of other popular infostealers like Raccoon (disrupted in 2022) and Mars Stealer. Its lightweight architecture and active development cycle made it a preferred tool for cybercriminal affiliates seeking to harvest credentials for resale or for use in ransomware initial access operations.

StealC in the Ransomware Ecosystem

The connection between infostealers like StealC and ransomware operations is well-established:

  1. Credential theft — StealC harvests VPN credentials, RDP passwords, and corporate account logins
  2. Credential resale — stolen credentials are sold on underground markets or used directly
  3. Initial access — ransomware affiliates or initial access brokers (IABs) purchase and use these credentials
  4. Ransomware deployment — established access enables ransomware deployment and data exfiltration

Disrupting the infostealer layer cuts off a significant supply of initial access vectors for ransomware groups.

Operation Endgame Context

Operation Endgame was first publicly announced in May 2024 as a coordinated international law enforcement effort targeting the cybercriminal services ecosystem — specifically the "enabler" infrastructure that ransomware groups depend on:

PhaseDateTargets
Phase 1May 2024IcedID, SystemBC, Pikabot, Smokeloader, Bumblebee, Trickbot
Phase 22025Follow-on arrests, asset seizures
Phase 3June 2026Amadey, StealC infrastructure

The operational model targets the supply chain of cybercrime rather than pursuing individual ransomware groups directly — a strategy designed to degrade the efficiency of the entire ransomware ecosystem by removing shared infrastructure.

Participating agencies and organizations in the current action include:

  • Europol (coordination and intelligence)
  • Microsoft's Digital Crimes Unit (DCU) (threat intelligence, civil legal actions)
  • Law enforcement agencies from multiple European Union member states
  • US federal law enforcement partners

What Was Seized

While complete details of the takedown action remain partially classified pending ongoing criminal proceedings, confirmed actions include:

  • Server seizures across multiple hosting jurisdictions
  • Domain takedowns of C2 infrastructure
  • Criminal referrals filed against identified operators
  • Infrastructure disruption preventing current botnet clients from receiving commands

Amadey's C2 servers used a distributed architecture across multiple countries, requiring coordinated simultaneous action to prevent operators from migrating to backup infrastructure.

Impact on Threat Landscape

Short-Term

In the immediate aftermath of a C2 takedown:

  • Active Amadey bots lose command connectivity and become dormant
  • StealC operators lose access to data collection infrastructure
  • Affiliates renting these platforms face temporary service disruption

Long-Term Uncertainty

Law enforcement agencies acknowledge that complete eradication of these malware families is unlikely from a single takedown. Historical precedent — including the Emotet takedown (2021), Raccoon Stealer arrest (2022), and LockBit disruption (2024) — shows that successor operations often emerge within months.

However, each major disruption:

  • Forces operators to rebuild infrastructure at significant cost
  • Degrades trust in the platform among renting affiliates
  • Introduces uncertainty that reduces short-term attack volume
  • Generates intelligence for future law enforcement actions

Detection and Response Guidance

Organizations should treat this takedown as an opportunity to audit for existing Amadey and StealC infections:

Indicators of Compromise (IoCs)

# Common Amadey persistence locations (Windows)
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
C:\Users\<user>\AppData\Roaming\<random-name>\
C:\ProgramData\<random-name>\
 
# StealC process indicators
# Looks for short-lived processes spawned by browser processes
# Check for unusual network connections from browser directories
 
# Network: Look for connections to .top, .xyz, .ru domains
# from non-browser processes

Recommended Actions

  1. Run AV/EDR scans — updated signatures should detect Amadey and StealC variants
  2. Review credential exposure — if StealC was present on employee devices, rotate all corporate credentials including VPN, email, and SaaS platform logins
  3. Check for persistence — review startup entries, scheduled tasks, and Run keys for unfamiliar entries
  4. Monitor for lateral movement — if Amadey was used as a loader, secondary payloads may already be present on the network

Broader Significance

The Amadey/StealC disruption under Operation Endgame is significant for several reasons:

Microsoft's role: The inclusion of Microsoft's Digital Crimes Unit alongside Europol reflects the growing integration of private sector threat intelligence into law enforcement operations. Microsoft's visibility into threat actor infrastructure through its cloud services provides actionable intelligence that accelerates takedown timelines.

Sustained pressure strategy: Operation Endgame's phased approach — targeting new malware operations in each phase — signals a long-term commitment to degrading the cybercriminal infrastructure layer rather than one-off headline actions.

Ecosystem disruption: By simultaneously targeting a loader (Amadey) and an infostealer (StealC), this action hits two critical points in the ransomware attack chain: initial access delivery and credential harvesting.

Sources

  • BleepingComputer — Amadey, StealC malware operations disrupted in Operation Endgame action

Related Coverage

  • Operation Poweroff Seizes 53 DDoS Domains, Exposes 3 Million Criminal Accounts
  • European Commission Investigating Breach After Amazon Cloud Account Hack
  • Europol Disrupts Audia6 Crypto Laundering Service Used by Ransomware Gangs
#Ransomware#Malware#Microsoft#Europol#Cybercrime#Law Enforcement#Operation Endgame

Related Articles

In a First, a Court Takedown Goes After Two Cybercrime Tools at Once

Microsoft and Europol dismantled both StealC and Amadey simultaneously in a single RICO filing — the first time a court-authorized takedown has targeted...

4 min read

Malicious Edge Extension "Edgecution" Abuses Native Messaging to Deploy Ransomware Backdoor

Zscaler researchers exposed 'Edgecution', a rogue Microsoft Edge extension that exploits Chrome's Native Messaging protocol to escape the browser sandbox...

4 min read

Amadey and StealC Malware Networks Disrupted, 27 Million Stolen Credentials Recovered

A coordinated law enforcement operation backed by Bitdefender, Bitsight, ESET, and Microsoft has dismantled the infrastructure powering Amadey and StealC,...

4 min read
Back to all News