Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1794+ Articles
149+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. News
  3. Microsoft and Europol Dismantle Three Cybercrime-as-a-Service Operations
Microsoft and Europol Dismantle Three Cybercrime-as-a-Service Operations
NEWS

Microsoft and Europol Dismantle Three Cybercrime-as-a-Service Operations

Microsoft and Europol jointly targeted the full CaaS supply chain, seizing 300+ servers and disrupting SocGholish, Amadey, and StealC malware infrastructure.

Dylan H.

News Desk

June 24, 2026
4 min read

Three CaaS Operations Simultaneously Dismantled

In one of the most coordinated cybercrime infrastructure takedowns of 2026, Microsoft's Digital Crimes Unit and Europol announced the simultaneous disruption of three distinct Cybercrime-as-a-Service (CaaS) operations: SocGholish, Amadey, and StealC. The operation targeted over 300 servers spanning multiple jurisdictions and represents a deliberate shift in law enforcement strategy — going after the full criminal supply chain rather than individual threat actors.

Microsoft described the approach as targeting the "assembly lines" that cybercriminals use to build, deploy, and monetize attacks at scale.


The Three Targets

SocGholish (FakeUpdates)

SocGholish is a JavaScript-based malware delivery framework that has operated for years as a dropper-for-hire. It works by injecting malicious JavaScript into compromised websites, presenting visitors with convincing fake browser update prompts. When users click the fake update, they download a malicious JavaScript payload that establishes a foothold and typically drops secondary malware — including ransomware, remote access trojans, and infostealers.

SocGholish has been linked to multiple initial access broker operations and has served as the entry point for Evil Corp and other major ransomware groups.

Amadey

Amadey is a lightweight malware loader that has been sold on underground forums since 2018. It functions primarily as a botnet builder and payload dropper, enabling threat actors to deploy additional malware on infected machines with minimal effort. Amadey is commonly used to:

  • Download and execute secondary payloads (ransomware, infostealers, RATs)
  • Harvest basic system information and browser credentials
  • Maintain persistent access to compromised endpoints

Its low price point and ease of use made it a staple of entry-level cybercriminal operations.

StealC

StealC is a newer infostealer (first observed in 2023) that targets browser credentials, cryptocurrency wallets, and application data. It is distributed as a Malware-as-a-Service and competes in the same market as RedLine and Raccoon Stealer. StealC's infrastructure is used to aggregate stolen credentials and data from thousands of infected machines into centralized panels accessible to paying customers.


The "Supply Chain" Strategy

What makes this operation notable is Microsoft's explicit framing around supply chain disruption. Rather than arresting a single actor or seizing one C2 server, the joint action targeted the interconnected infrastructure that enables many different criminal groups to operate simultaneously:

LayerTarget
Initial AccessSocGholish fake update lures
Loader / DropperAmadey botnet infrastructure
Credential TheftStealC infostealer panels
Coordination300+ seized servers across jurisdictions

By hitting all three layers in a single coordinated action, investigators aim to disrupt the "assembly line" that criminals use to convert compromised websites → infected machines → stolen credentials → monetization.


Private Sector Collaboration

Europol confirmed that the operation involved a significant private sector component, with security companies including Bitdefender, Bitsight, and ESET contributing threat intelligence. This public-private partnership model has become increasingly common in major takedowns — private companies provide the technical telemetry and malware analysis while law enforcement executes the server seizures and coordinates cross-border legal action.


Significance

This action comes at a time when the CaaS ecosystem has become the dominant force behind ransomware attacks, data breaches, and financial fraud. By treating cybercrime as a supply chain problem — with raw materials (malware tools), manufacturing (loader services), and distribution (credential markets) — law enforcement is adopting a model more similar to how physical drug trafficking networks are disrupted.

Whether the disruption proves durable depends on how quickly the criminal ecosystem rebuilds. Past takedowns of similar operations (Emotet, Raccoon, Genesis Market) showed that while infrastructure seizures cause significant short-term disruption, successor services often emerge within months.

Security teams should treat this as an opportunity to re-audit endpoint telemetry for any signs of historical Amadey or StealC infections, as post-takedown credential dumps sometimes surface on underground markets.

#Malware#Supply Chain#Microsoft#Europol#SocGholish#Amadey#StealC#Law Enforcement#Cybercrime-as-a-Service

Related Articles

Amadey and StealC Malware Networks Disrupted, 27 Million Stolen Credentials Recovered

A coordinated law enforcement operation backed by Bitdefender, Bitsight, ESET, and Microsoft has dismantled the infrastructure powering Amadey and StealC,...

4 min read

In a First, a Court Takedown Goes After Two Cybercrime Tools at Once

Microsoft and Europol dismantled both StealC and Amadey simultaneously in a single RICO filing — the first time a court-authorized takedown has targeted...

4 min read

Three 'Cybercrime-as-a-Service' Operations Undercut by Microsoft and Law Enforcement

A two-week joint operation by Microsoft and Europol dismantled three major malware-as-a-service platforms — StealC, Amadey, and SocGholish — seizing 326...

2 min read
Back to all News