Amadey: Amadey and StealC Malware Network Disrupted, 27M Stolen Credentials Recovered

Global Law Enforcement Takedown Disrupts Amadey and StealC Malware Operations

A coordinated international law enforcement operation, supported by private cybersecurity firms including Bitdefender, Bitsight, ESET, and Microsoft, has dismantled the infrastructure behind the Amadey and StealC malware families. The effort, part of Operation Endgame, targeted cybercriminal "assembly lines" used to deploy ransomware, financial fraud, and attacks on critical infrastructure.

Conducted between June 15 and 19, 2026, the operation involved authorities from Belgium, Canada, Denmark, France, Germany, the Netherlands, the U.K., and the U.S. Key outcomes included:

  • Seizure of 326 servers and 142 domains linked to malware distribution.
  • Recovery of 27 million stolen login credentials.
  • Restriction of over $47 million in cryptocurrency assets tied to criminal activity.
  • Disruption of 15,000 infected WordPress sites used to spread SocGholish malware.

Amadey: A Persistent Malware Loader

Active since October 2018, Amadey operates as a malware-as-a-service (MaaS) loader, sold for $600 per license with an additional $50 per rebuild. Its capabilities include:

  • Executing commands, downloading payloads, and stealing credentials.
  • Deploying secondary malware like Lumma Stealer, Vidar Stealer, and RedLine Stealer.
  • Peaking in activity in 2025, with 11,635 samples distributed, up from just 66 in 2019.

Amadey’s command-and-control (C2) servers saw a surge in 2023, averaging 5–30 active servers daily, before declining in 2024. The malware avoids execution in Russia, Ukraine, and Belarus by checking system locales.

StealC: A Versatile Information Stealer

First detected in January 2023, StealC is a C++-based stealer sold for $300/month (or $1,000 for six months). It targets:

  • Browser data (credentials, cookies, autofill entries).
  • Desktop apps (Discord, Telegram, Steam, Outlook).
  • Files matching specific naming patterns.

Like Amadey, StealC terminates if running in Russia, Ukraine, Belarus, Kazakhstan, or Uzbekistan. A cross-site scripting (XSS) vulnerability in its control panel was patched in February 2026 after being exploited to steal data from affiliates.

Shared Infrastructure and Global Impact

Microsoft reported that Amadey and StealC shared infrastructure, infecting over 140,000 computers worldwide in early May 2026. The company seized control of 18,000 victim devices and shut down 200 malicious C2 domains and IPs.

The operation highlights the growing collaboration between public and private sectors to dismantle cybercrime ecosystems, particularly those enabling ransomware and credential theft at scale.

Source: https://thehackernews.com/2026/06/amadey-and-stealc-malware-network.html

ESET cybersecurity rating report: https://www.rankiteo.com/company/eset

"id": "ESE1782332741",
"linkid": "eset",
"type": "Ransomware",
"date": "6/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'customers_affected': '140,000 computers worldwide',
                        'industry': 'cybercrime',
                        'location': 'global',
                        'name': 'Amadey Malware',
                        'type': 'malware'},
                       {'customers_affected': '140,000 computers worldwide',
                        'industry': 'cybercrime',
                        'location': 'global',
                        'name': 'StealC Malware',
                        'type': 'malware'}],
 'attack_vector': ['malware-as-a-service (MaaS)',
                   'compromised WordPress sites',
                   'cross-site scripting (XSS)'],
 'data_breach': {'data_exfiltration': True,
                 'number_of_records_exposed': '27 million',
                 'personally_identifiable_information': True,
                 'sensitivity_of_data': 'high',
                 'type_of_data_compromised': ['login credentials',
                                              'browser data',
                                              'autofill entries',
                                              'desktop app data']},
 'date_detected': '2026-06-15',
 'date_publicly_disclosed': '2026-06-19',
 'description': 'A coordinated international law enforcement operation, '
                'supported by private cybersecurity firms including '
                'Bitdefender, Bitsight, ESET, and Microsoft, has dismantled '
                'the infrastructure behind the Amadey and StealC malware '
                "families. The effort targeted cybercriminal 'assembly lines' "
                'used to deploy ransomware, financial fraud, and attacks on '
                'critical infrastructure.',
 'impact': {'data_compromised': '27 million stolen login credentials',
            'financial_loss': '$47 million in cryptocurrency assets restricted',
            'identity_theft_risk': 'high',
            'operational_impact': 'disruption of malware distribution '
                                  'infrastructure',
            'systems_affected': '140,000 computers worldwide, 15,000 infected '
                                'WordPress sites'},
 'investigation_status': 'ongoing',
 'lessons_learned': 'The operation highlights the growing collaboration '
                    'between public and private sectors to dismantle '
                    'cybercrime ecosystems, particularly those enabling '
                    'ransomware and credential theft at scale.',
 'motivation': ['financial gain', 'data exfiltration', 'ransomware deployment'],
 'post_incident_analysis': {'corrective_actions': ['seizure of infrastructure',
                                                   'disruption of malware '
                                                   'distribution networks',
                                                   'patching of XSS '
                                                   'vulnerability'],
                            'root_causes': ['malware-as-a-service (MaaS) model',
                                            'compromised WordPress sites',
                                            'XSS vulnerability in StealC '
                                            'control panel']},
 'ransomware': {'data_exfiltration': True},
 'references': [{'source': 'Operation Endgame'}, {'source': 'Microsoft'}],
 'response': {'containment_measures': ['seizure of 326 servers and 142 domains',
                                       'restriction of $47 million in '
                                       'cryptocurrency assets',
                                       'shutdown of 200 malicious C2 domains '
                                       'and IPs'],
              'law_enforcement_notified': True,
              'recovery_measures': ['seizure of 18,000 victim devices'],
              'remediation_measures': ['recovery of 27 million stolen login '
                                       'credentials',
                                       'disruption of 15,000 infected '
                                       'WordPress sites'],
              'third_party_assistance': ['Bitdefender',
                                         'Bitsight',
                                         'ESET',
                                         'Microsoft']},
 'title': 'Global Law Enforcement Takedown Disrupts Amadey and StealC Malware '
          'Operations',
 'type': ['malware', 'ransomware', 'credential theft'],
 'vulnerability_exploited': ['XSS vulnerability in StealC control panel',
                             'compromised WordPress sites']}