Three CaaS Operations Simultaneously Dismantled
In one of the most coordinated cybercrime infrastructure takedowns of 2026, Microsoft's Digital Crimes Unit and Europol announced the simultaneous disruption of three distinct Cybercrime-as-a-Service (CaaS) operations: SocGholish, Amadey, and StealC. The operation targeted over 300 servers spanning multiple jurisdictions and represents a deliberate shift in law enforcement strategy — going after the full criminal supply chain rather than individual threat actors.
Microsoft described the approach as targeting the "assembly lines" that cybercriminals use to build, deploy, and monetize attacks at scale.
The Three Targets
SocGholish (FakeUpdates)
SocGholish is a JavaScript-based malware delivery framework that has operated for years as a dropper-for-hire. It works by injecting malicious JavaScript into compromised websites, presenting visitors with convincing fake browser update prompts. When users click the fake update, they download a malicious JavaScript payload that establishes a foothold and typically drops secondary malware — including ransomware, remote access trojans, and infostealers.
SocGholish has been linked to multiple initial access broker operations and has served as the entry point for Evil Corp and other major ransomware groups.
Amadey
Amadey is a lightweight malware loader that has been sold on underground forums since 2018. It functions primarily as a botnet builder and payload dropper, enabling threat actors to deploy additional malware on infected machines with minimal effort. Amadey is commonly used to:
- Download and execute secondary payloads (ransomware, infostealers, RATs)
- Harvest basic system information and browser credentials
- Maintain persistent access to compromised endpoints
Its low price point and ease of use made it a staple of entry-level cybercriminal operations.
StealC
StealC is a newer infostealer (first observed in 2023) that targets browser credentials, cryptocurrency wallets, and application data. It is distributed as a Malware-as-a-Service and competes in the same market as RedLine and Raccoon Stealer. StealC's infrastructure is used to aggregate stolen credentials and data from thousands of infected machines into centralized panels accessible to paying customers.
The "Supply Chain" Strategy
What makes this operation notable is Microsoft's explicit framing around supply chain disruption. Rather than arresting a single actor or seizing one C2 server, the joint action targeted the interconnected infrastructure that enables many different criminal groups to operate simultaneously:
| Layer | Target |
|---|---|
| Initial Access | SocGholish fake update lures |
| Loader / Dropper | Amadey botnet infrastructure |
| Credential Theft | StealC infostealer panels |
| Coordination | 300+ seized servers across jurisdictions |
By hitting all three layers in a single coordinated action, investigators aim to disrupt the "assembly line" that criminals use to convert compromised websites → infected machines → stolen credentials → monetization.
Private Sector Collaboration
Europol confirmed that the operation involved a significant private sector component, with security companies including Bitdefender, Bitsight, and ESET contributing threat intelligence. This public-private partnership model has become increasingly common in major takedowns — private companies provide the technical telemetry and malware analysis while law enforcement executes the server seizures and coordinates cross-border legal action.
Significance
This action comes at a time when the CaaS ecosystem has become the dominant force behind ransomware attacks, data breaches, and financial fraud. By treating cybercrime as a supply chain problem — with raw materials (malware tools), manufacturing (loader services), and distribution (credential markets) — law enforcement is adopting a model more similar to how physical drug trafficking networks are disrupted.
Whether the disruption proves durable depends on how quickly the criminal ecosystem rebuilds. Past takedowns of similar operations (Emotet, Raccoon, Genesis Market) showed that while infrastructure seizures cause significant short-term disruption, successor services often emerge within months.
Security teams should treat this as an opportunity to re-audit endpoint telemetry for any signs of historical Amadey or StealC infections, as post-takedown credential dumps sometimes surface on underground markets.