What happened
Microsoft, Europol, and international partners disrupted infrastructure used by the Amadey and StealC malware operations as part of Operation Endgame.
The coordinated law enforcement action targeted cybercriminal services used to gain initial access, steal credentials, support financial fraud, and enable ransomware attacks.
Authorities and private-sector partners from multiple countries helped identify, take down, seize, block, or sinkhole infrastructure tied to the malware families. The operation disrupted 326 servers and 142 domains.
Investigators also identified more than €41 million, or roughly $47 million, in cryptocurrency linked to criminal activity. They recovered approximately 27 million stolen credentials from more than 385,000 compromised systems.
The action also targeted SocGholish, also known as FakeUpdates, a malware loader that compromises visitors through hacked websites serving fake browser update prompts.
Operation Endgame included law enforcement agencies from Canada, Denmark, Germany, the Netherlands, the United Kingdom, and the United States, with Europol and Eurojust coordinating the effort.
Private-sector support came from Microsoft, ESET, Proofpoint, IBM X-Force, Bitsight, Infoblox, Orange Cyberdefense, Shadowserver, Have I Been Pwned, Spamhaus, and other partners.
Amadey and StealC are sold through malware-as-a-service operations. Affiliates pay for access to malware builders, management panels, support, and infrastructure.
Amadey is used to gain an initial foothold on victim systems and deploy additional malware. StealC is used to steal credentials, cryptocurrency wallets, and other sensitive information that can be sold or used in ransomware attacks.
Microsoft’s Digital Crimes Unit said it identified more than 200 malicious command-and-control domains and IP addresses associated with Amadey and StealC. The company worked with partners to shut down that infrastructure through court orders, domain seizures and registrations, and notifications to hosting providers.
Microsoft said the two malware families were linked to more than 140,000 infected devices during the first two weeks of May 2026 alone.
ESET said the action affected roughly 50 domains and nearly 200 active command-and-control servers. Other partners, including Proofpoint, IBM X-Force, and Bitsight, contributed intelligence, malware analysis, and infrastructure mapping.
Who is affected
Organizations and individuals infected by Amadey, StealC, or SocGholish are directly affected.
The roughly 27 million credentials recovered from more than 385,000 compromised systems indicate the scale of exposure tied to these operations, and any of those systems could sit inside a corporate network or belong to an employee who reuses passwords across work and personal accounts.
Enterprises may be affected if stolen credentials from employees, contractors, customers, or administrators were harvested and later sold through underground markets or initial access brokers.
Organizations targeted by ransomware groups should also treat this operation as relevant because Amadey and StealC support the earlier stages of the attack chain, including initial access, credential theft, and follow-on compromise.
Why CISOs should care
This action shows how malware-as-a-service operations support the broader ransomware and cybercrime ecosystem. Amadey and StealC are not just isolated malware families. They provide access, credentials, and infrastructure that other criminals can use to breach networks and escalate attacks.
For CISOs, the credential recovery figure is the most important detail. Stolen credentials can remain useful long after a malware infection is removed, especially if passwords are reused, tokens remain active, or accounts lack strong authentication. Infostealers such as StealC also harvest browser session cookies, and a replayed session cookie gives an attacker an already-authenticated session without triggering a password prompt or MFA challenge, so an MFA-protected account is not automatically safe after an infection.
The disruption also shows the value of coordinated public-private action. Law enforcement agencies and security companies combined infrastructure takedowns, domain seizures, sinkholing, intelligence sharing, and malware analysis to increase friction for criminal operators.
However, CISOs should not treat disruption as eradication. Without arrests or full dismantling of criminal networks, threat actors can rebuild infrastructure and resume campaigns under the same or new malware brands.
3 practical actions
- Check whether recovered credentials affect your organization: The operation recovered approximately 27 million stolen credentials. CISOs should monitor Have I Been Pwned (including its domain search for verified corporate domains), credential exposure feeds, identity threat intelligence, and dark web alerts for employee, contractor, and customer account exposure, and should check that no active account is still using a password known to appear in a breach corpus.
- Hunt for Amadey, StealC, and SocGholish activity: These malware families are used for initial access, credential theft, and follow-on malware deployment. Security teams should review endpoint detections, proxy logs, DNS activity, browser-update lures delivered as script downloads from otherwise legitimate websites, suspicious downloads, and the command-and-control indicators published by the partners involved in the operation.
- Rotate credentials and invalidate active sessions after infostealer exposure: StealC is used to steal credentials, cryptocurrency wallets, browser cookies, and other sensitive data. Because stolen session cookies can be replayed without the password or an MFA prompt, resetting the password alone is not enough. Organizations should reset affected passwords, revoke refresh tokens and sign out all sessions, review MFA enrollment and re-register any device the malware could have cloned, inspect accounts for suspicious access, and re-image the infected host rather than only removing the stealer binary.
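The first action above, checking whether known passwords are in circulation, is usually done against the Pwned Passwords range API that Have I Been Pwned operates. The example below is added here to show how that k-anonymity check works; it is not code from the article, from Microsoft, or from Have I Been Pwned. The API format is the public one (GET `https://api.pwnedpasswords.com/range/<first 5 hex chars of the SHA-1>`, one `SUFFIX:COUNT` line per match), but the response body, the hit count and the sample account list are constructed so the demo runs offline, and the `fetch_range` parameter is an assumption introduced so a live fetcher and the offline stub are interchangeable.

```python
"""Pwned Passwords k-anonymity range check, with an offline stub for demonstration.

Only the first 5 hex characters of the SHA-1 leave the network; the remaining 35
characters are compared locally against the returned range, so neither the password
nor its full hash is ever sent to the service.
"""
import hashlib
import urllib.request
from typing import Callable

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_upper(password: str) -> str:
    """Uppercase hex SHA-1 of the password, the encoding the range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(digest: str) -> tuple[str, str]:
    """Split a 40-char SHA-1 into the 5-char query prefix and 35-char local suffix."""
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines. Padding lines with count 0 are kept, so a lookup
    that lands on one still reports 'not seen'."""
    table: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        table[suffix.upper()] = int(count)
    return table


def live_fetch_range(prefix: str) -> str:
    """Real network fetcher (not used by the offline demo). Add-Padding asks the
    service to pad the response so its size does not leak which prefix was queried."""
    req = urllib.request.Request(RANGE_URL + prefix, headers={"Add-Padding": "true"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Number of times the password appears in the corpus, 0 if never seen."""
    prefix, suffix = split_hash(sha1_upper(password))
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def check_accounts(accounts: dict[str, str], fetch_range: Callable[[str], str]) -> list[str]:
    """Return the account names whose current password is in the corpus."""
    return [name for name, pw in accounts.items() if breach_count(pw, fetch_range) > 0]


# Constructed offline stand-in for the API: only the range for prefix 5BAA6 is
# populated, and the counts are made up for the demo. The first suffix is the
# real SHA-1 tail of the string "password"; the zero-count line imitates padding.
CONSTRUCTED_RANGES = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:123456\n"
        "00000000000000000000000000000000000:0\n"
        "1F4C9B93F3F0682250B6CF8331B7EE68FD9:7\n"
    ),
}


def fake_fetch_range(prefix: str) -> str:
    """Offline stub with the same signature as live_fetch_range."""
    return CONSTRUCTED_RANGES.get(prefix, "")


# Constructed sample directory; the second password has no entry in the stub.
SAMPLE_ACCOUNTS = {
    "alice@example.com": "password",
    "bob@example.com": "Tr0ub4dor&3-unique-to-this-demo",
}

if __name__ == "__main__":
    for name in check_accounts(SAMPLE_ACCOUNTS, fake_fetch_range):
        print(f"{name}: password seen {breach_count(SAMPLE_ACCOUNTS[name], fake_fetch_range)} times")
```

Swap `fake_fetch_range` for `live_fetch_range` to run it for real. Note the split between the two checks a CISO actually needs: the range API tells you whether a password value is in circulation, while finding out whether specific employee e-mail addresses or your domain appear in a stealer log is a separate Have I Been Pwned service that requires domain verification or an API key and is not covered by this snippet.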
John Kevin Hao is a news and feature writer covering cybersecurity, technology, and business targeted for professional audiences.