Microsoft, Europol, and a coalition of international law enforcement partners have disrupted the operational infrastructure behind the Amadey malware loader and StealC infostealer as part of the latest action under Operation Endgame — the long-running coordinated initiative targeting cybercriminal services that enable ransomware and data theft operations.
The takedown follows Operation Endgame's inaugural action in May 2024, which seized servers and arrested individuals linked to several major malware dropper operations. This latest wave represents a continued strategic focus on dismantling the infrastructure layer — loaders, stealers, and bulletproof hosting — that enables ransomware affiliates to operate.
What Is Amadey?
Amadey is a widely-deployed malware loader that functions as an initial-access and payload-delivery vehicle for cybercriminals. First observed in 2018, Amadey operates as a Malware-as-a-Service (MaaS) platform, rented to affiliates who use it to:
- Deploy second-stage malware on compromised systems
- Establish botnet command-and-control (C2) infrastructure
- Deliver ransomware, infostealers, and remote access trojans
- Perform reconnaissance on infected hosts
Amadey has been consistently observed in the attack chains of multiple ransomware groups, serving as the first foothold before operators pivot to more destructive payloads. Its persistence in the threat landscape since 2018 — through multiple law enforcement actions and takedowns of related operations — underscores its value to the cybercriminal ecosystem.
Amadey Capabilities
| Capability | Description |
|---|---|
| Payload delivery | Downloads and executes secondary malware from C2 |
| Persistence | Registry-based persistence on Windows systems |
| Reconnaissance | System fingerprinting, AV product enumeration |
| Credential harvesting | Browser credential extraction |
| Plugin system | Modular architecture for extended functionality |
| Anti-analysis | Sandbox detection and evasion |
What Is StealC?
StealC is a modern infostealer marketed on cybercrime forums since 2023. Built in C++ and sold as a subscription MaaS product, StealC targets:
- Browser credentials and session cookies (Chrome, Firefox, Edge, and others)
- Cryptocurrency wallet files and seeds
- VPN client credentials
- FTP client credentials
- Messenger application data (Telegram, Discord)
- System information and screenshots
StealC gained rapid adoption following the decline of other popular infostealers like Raccoon (disrupted in 2022) and Mars Stealer. Its lightweight architecture and active development cycle made it a preferred tool for cybercriminal affiliates seeking to harvest credentials for resale or for use in ransomware initial access operations.
StealC in the Ransomware Ecosystem
The connection between infostealers like StealC and ransomware operations is well-established:
- Credential theft — StealC harvests VPN credentials, RDP passwords, and corporate account logins
- Credential resale — stolen credentials are sold on underground markets or used directly
- Initial access — ransomware affiliates or initial access brokers (IABs) purchase and use these credentials
- Ransomware deployment — established access enables ransomware deployment and data exfiltration
Disrupting the infostealer layer cuts off a significant supply of initial access vectors for ransomware groups.
Operation Endgame Context
Operation Endgame was first publicly announced in May 2024 as a coordinated international law enforcement effort targeting the cybercriminal services ecosystem — specifically the "enabler" infrastructure that ransomware groups depend on:
| Phase | Date | Targets |
|---|---|---|
| Phase 1 | May 2024 | IcedID, SystemBC, Pikabot, Smokeloader, Bumblebee, Trickbot |
| Phase 2 | 2025 | Follow-on arrests, asset seizures |
| Phase 3 | June 2026 | Amadey, StealC infrastructure |
The operational model targets the supply chain of cybercrime rather than pursuing individual ransomware groups directly — a strategy designed to degrade the efficiency of the entire ransomware ecosystem by removing shared infrastructure.
Participating agencies and organizations in the current action include:
- Europol (coordination and intelligence)
- Microsoft's Digital Crimes Unit (DCU) (threat intelligence, civil legal actions)
- Law enforcement agencies from multiple European Union member states
- US federal law enforcement partners
What Was Seized
While complete details of the takedown action remain partially classified pending ongoing criminal proceedings, confirmed actions include:
- Server seizures across multiple hosting jurisdictions
- Domain takedowns of C2 infrastructure
- Criminal referrals filed against identified operators
- Infrastructure disruption preventing current botnet clients from receiving commands
Amadey's C2 servers used a distributed architecture across multiple countries, requiring coordinated simultaneous action to prevent operators from migrating to backup infrastructure.
Impact on Threat Landscape
Short-Term
In the immediate aftermath of a C2 takedown:
- Active Amadey bots lose command connectivity and become dormant
- StealC operators lose access to data collection infrastructure
- Affiliates renting these platforms face temporary service disruption
Long-Term Uncertainty
Law enforcement agencies acknowledge that complete eradication of these malware families is unlikely from a single takedown. Historical precedent — including the Emotet takedown (2021), Raccoon Stealer arrest (2022), and LockBit disruption (2024) — shows that successor operations often emerge within months.
However, each major disruption:
- Forces operators to rebuild infrastructure at significant cost
- Degrades trust in the platform among renting affiliates
- Introduces uncertainty that reduces short-term attack volume
- Generates intelligence for future law enforcement actions
Detection and Response Guidance
Organizations should treat this takedown as an opportunity to audit for existing Amadey and StealC infections:
Indicators of Compromise (IoCs)
# Common Amadey persistence locations (Windows)
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
C:\Users\<user>\AppData\Roaming\<random-name>\
C:\ProgramData\<random-name>\
# StealC process indicators
# Looks for short-lived processes spawned by browser processes
# Check for unusual network connections from browser directories
# Network: Look for connections to .top, .xyz, .ru domains
# from non-browser processesRecommended Actions
- Run AV/EDR scans — updated signatures should detect Amadey and StealC variants
- Review credential exposure — if StealC was present on employee devices, rotate all corporate credentials including VPN, email, and SaaS platform logins
- Check for persistence — review startup entries, scheduled tasks, and Run keys for unfamiliar entries
- Monitor for lateral movement — if Amadey was used as a loader, secondary payloads may already be present on the network
Broader Significance
The Amadey/StealC disruption under Operation Endgame is significant for several reasons:
Microsoft's role: The inclusion of Microsoft's Digital Crimes Unit alongside Europol reflects the growing integration of private sector threat intelligence into law enforcement operations. Microsoft's visibility into threat actor infrastructure through its cloud services provides actionable intelligence that accelerates takedown timelines.
Sustained pressure strategy: Operation Endgame's phased approach — targeting new malware operations in each phase — signals a long-term commitment to degrading the cybercriminal infrastructure layer rather than one-off headline actions.
Ecosystem disruption: By simultaneously targeting a loader (Amadey) and an infostealer (StealC), this action hits two critical points in the ransomware attack chain: initial access delivery and credential harvesting.