Operation Endgame Strikes Again: Amadey and StealC Malware Operations Dismantled
In one of the most significant coordinated cybersecurity actions of the year, Microsoft, Europol, and a coalition of international law enforcement and technology partners have successfully disrupted the infrastructure powering two notorious malware families — Amadey and StealC. This latest move is part of the ongoing Operation Endgame, a sweeping global initiative specifically designed to dismantle cybercriminal services and the ransomware ecosystems that depend on them. The takedown sends a clear message to threat actors worldwide: the infrastructure they rely on is no longer beyond reach.
What Is Operation Endgame?
Operation Endgame is a large-scale, multi-agency law enforcement and private sector initiative that targets the foundational infrastructure enabling ransomware attacks, data theft, and other forms of cybercrime. Rather than focusing solely on individual hackers or ransomware groups, the operation takes a strategic approach by going after the upstream services — loaders, stealers, botnets, and bulletproof hosting providers — that cybercriminals use to deploy their payloads and monetize their attacks.
The operation has already seen numerous successful actions since its launch, with earlier phases disrupting major malware loaders and dropper services. The inclusion of Amadey and StealC in this latest phase demonstrates how broad and adaptive the operation's scope has become, targeting not just large ransomware syndicates but also the commodity malware market that feeds them.
Understanding Amadey: A Persistent Loader Threat
Amadey is a modular malware loader that has been active in the cybercriminal underground for several years. It is primarily sold as a Malware-as-a-Service (MaaS) offering, meaning that virtually anyone with the financial means can purchase access to it and deploy it against targets of their choosing. Once Amadey infects a victim's machine, it serves as a staging ground for additional payloads, including ransomware, remote access trojans (RATs), and information stealers.
What makes Amadey particularly dangerous is its versatility. It is capable of fingerprinting infected systems, collecting basic system information, and downloading and executing secondary malware with high reliability. Threat actors have used Amadey extensively to deliver ransomware strains and other destructive tools into enterprise environments, making it a critical link in the cybercriminal supply chain.
- Amadey operates as a Malware-as-a-Service (MaaS) platform available on dark web forums.
- It is used to deploy secondary payloads including ransomware and RATs.
- The loader has been active for several years and has been linked to multiple ransomware campaigns.
- Its modular design allows operators to customize attack capabilities on demand.
Understanding StealC: A Credential-Harvesting Powerhouse
StealC is an information stealer that emerged more recently but quickly gained traction among cybercriminals due to its effectiveness and low barrier to entry. Like Amadey, it is offered as a subscription-based service on underground markets. StealC is engineered to extract sensitive data from compromised systems, including browser-stored passwords, session cookies, cryptocurrency wallet credentials, email client data, and files of interest stored locally on the victim's device.
The data harvested by StealC is typically sold on dark web markets or used directly by the operators to conduct follow-on fraud, business email compromise (BEC), or account takeover attacks. In many observed campaigns, StealC and Amadey have been deployed together — Amadey loading StealC as a secondary payload — creating a highly effective one-two punch for cybercriminal operations.
- StealC targets browser credentials, cookies, cryptocurrency wallets, and local files.
- It is sold on underground forums as a subscription service.
- Harvested data is frequently sold on dark web marketplaces or leveraged for further fraud.
- It is commonly deployed as a secondary payload alongside Amadey infections.
How the Disruption Was Carried Out
The joint action by Microsoft, Europol, and their international partners involved the identification and takedown of command-and-control (C2) servers, hosting infrastructure, and distribution networks used by both Amadey and StealC operators. By severing these critical communication channels, law enforcement effectively cut off the malware operators' ability to issue commands to infected machines, retrieve stolen data, or push new payloads to victims.
Microsoft's Digital Crimes Unit (DCU) played a central role in the technical analysis and legal coordination required to execute the infrastructure takedowns. Europol served as the operational hub, coordinating across national law enforcement agencies from multiple countries to ensure simultaneous action against assets spread across different jurisdictions — a complexity that has historically made such operations difficult to execute effectively.
Why Targeting Malware Infrastructure Matters
Traditional cybercrime enforcement often focuses on arresting individual operators, which — while impactful — rarely destroys the underlying criminal ecosystem. Infrastructure-focused operations like Operation Endgame address the root of the problem by making it significantly harder and more expensive for cybercriminals to rebuild and resume operations. When C2 infrastructure is seized or disrupted, active botnets are neutralized, stolen data pipelines are broken, and the criminal return on investment collapses.
This approach also creates lasting deterrence. When cybercriminals see that even well-established MaaS platforms are not immune to disruption, it raises the perceived risk of operating such services and may discourage new entrants from investing in similar criminal infrastructure.
What Organizations Should Do Now
While this operation is a major win for defenders, organizations should not treat it as a reason to lower their guard. Malware ecosystems are resilient, and new variants or successor services often emerge in the wake of disruptions. Security teams are encouraged to review endpoint detection capabilities, ensure up-to-date threat intelligence feeds include Amadey and StealC indicators of compromise (IoCs), and conduct fresh audits of credential exposure across their environments.
Patching systems promptly, enforcing multi-factor authentication, and investing in behavior-based endpoint detection and response (EDR) solutions remain the most reliable defenses against loader and stealer malware, regardless of which specific variant is in circulation.
Conclusion
The disruption of Amadey and StealC infrastructure as part of Operation Endgame represents a meaningful and strategically important step forward in the global fight against cybercrime. By targeting the criminal supply chain rather than just its end products, international partners are reshaping how cyber law enforcement operates. As Operation Endgame continues to evolve, it stands as a powerful reminder that coordinated action between public institutions and private technology companies can make a real difference in protecting businesses and individuals from the growing threat of malware-enabled cybercrime.