A coordinated two-week operation involving Microsoft's Digital Crimes Unit and Europol has dealt a significant blow to three interconnected malware-as-a-service ecosystems, targeting the shared infrastructure underpinning StealC, Amadey, and SocGholish — tools responsible for hundreds of thousands of infections across the globe.
Operation Overview
Announced on June 24, 2026, the joint law enforcement action resulted in:
- 326 servers dismantled
- 142 domains taken offline
- 14,971 compromised websites (primarily retailers, used to distribute SocGholish)
- 18,000 victim computers identified and notified during the operation
- 27 million stolen login credentials recovered
- €41 million (~$47M USD) in cryptocurrency seized
The Malware Triad
StealC is an infostealer designed to harvest passwords, browser cookies, and session tokens from infected machines, enabling follow-on account takeover and fraud.
Amadey functions as a dropper — a malware loader used to establish initial access on a victim machine and stage further payloads, including ransomware and remote access tools.
SocGholish (also attributed to Evil Corp, a Russian cybercrime group) is a JavaScript-based malware framework delivered through compromised legitimate websites using fake browser update lures. In May 2026 alone, it infected over 140,000 computers worldwide.
Microsoft's AI-Driven Approach
What made this operation notable was Microsoft's use of artificial intelligence to identify a critical tactical insight: Amadey and StealC shared identical backend command-and-control infrastructure. By targeting both simultaneously — rather than sequentially — the operation achieved compounding disruption, collapsing what Microsoft described as a full criminal "supply chain" that fueled ransomware deployment, financial fraud, and attacks on critical infrastructure.
This approach marks a shift in how tech companies partner with law enforcement: moving from reactive response to proactive supply-chain-level disruption.
No Arrests Reported
Despite the scale of the seizures, no arrests were announced as part of this operation. The perpetrators behind Evil Corp and affiliated SocGholish infrastructure remain at large, highlighting the ongoing challenge of achieving accountability for cybercriminals operating from jurisdictions that are uncooperative with Western law enforcement.
Takeaway
Operations like this demonstrate that the most effective disruptions target shared criminal infrastructure — the servers, domains, and tooling that multiple threat actors depend on — rather than chasing individual malware samples. For defenders, it underscores the importance of monitoring for SocGholish-style fake update lures on corporate endpoints and auditing for StealC/Amadey indicators of compromise across email and credential stores.