Microsoft, Europol, and Cybersecurity Giants Dismantle Amadey and StealC Malware Infrastructure in Historic Operation + Video

Introduction

The global fight against cybercrime has entered another decisive chapter as Microsoft, international law enforcement agencies, and leading cybersecurity firms successfully coordinated one of the most significant malware disruption campaigns of recent years. Rather than targeting a single criminal gang, investigators focused on dismantling the shared infrastructure that powered multiple cybercriminal operations simultaneously. The coordinated effort represents a strategic evolution in cyber defense, demonstrating how intelligence sharing, artificial intelligence, legal intervention, and technical exploitation can collectively weaken the ecosystem that enables malware campaigns to flourish worldwide.

The latest phase of Operation Endgame has not only disrupted two notorious malware families but has also exposed the interconnected nature of today’s cybercrime economy. By attacking the infrastructure behind both Amadey and StealC, authorities managed to interrupt the operational chain used by countless threat actors across the globe.

Operation Endgame Expands Its Reach

Operation Endgame has become one of the largest international campaigns ever launched against cybercriminal infrastructure. Previous operations focused on dismantling botnets, malware servers, and ransomware infrastructure. This latest action goes a step further by targeting what investigators describe as the cybercrime assembly line.

Instead of merely shutting down one malware family, authorities attacked the ecosystem responsible for delivering malware, stealing information, and enabling additional cyberattacks. Hundreds of domains and command-and-control servers were identified and neutralized during the coordinated operation.

The collaboration involved Microsoft, Europol, ESET, IBM X-Force, Proofpoint, Bitsight, Mitsui Bussan Secure Directions (MBSD), and multiple international law enforcement agencies working together under a unified strategy.

Understanding Amadey Malware

Amadey first appeared in 2018 as a Malware-as-a-Service (MaaS) platform that enables cybercriminals to compromise systems with minimal technical expertise.

Unlike ransomware, which encrypts files as soon as it runs, Amadey primarily acts as a loader. Once installed, it gives attackers persistent access to the infected device and a channel for deploying additional payloads chosen to suit their objectives.

Threat actors frequently use Amadey as the first stage of an attack because of that flexibility: once a machine is infected, they can push ransomware, banking trojans, credential stealers, cryptocurrency miners, or remote access tools without needing a fresh initial compromise.

Its commercial availability within underground cybercrime markets made Amadey one of the most popular malware loaders over the past several years.

StealC Became the Perfect Partner

Introduced during 2023, StealC rapidly became one of the fastest-growing information-stealing malware families operating on underground forums.

Unlike Amadey, StealC specializes in harvesting valuable information from compromised computers. It targets:

Login credentials

Browser cookies

Cryptocurrency wallets

Password databases

Session tokens

Autofill information

Financial data

The combination proved extremely effective.

Amadey infected systems while StealC extracted everything valuable from victims, creating an efficient cybercriminal workflow capable of supporting phishing campaigns, ransomware operations, financial fraud, and identity theft.

Artificial Intelligence Helped Reveal Shared Infrastructure

One of the most interesting aspects of the investigation was Microsoft’s use of artificial intelligence to analyze malware infrastructure.

AI-assisted analysis identified similarities between the command-and-control infrastructure used by both malware families. Investigators discovered that many servers, domains, and management systems overlapped significantly.

This intelligence dramatically accelerated attribution efforts and enabled investigators to prioritize infrastructure for legal seizure and technical disruption.

Artificial intelligence continues to reshape cybersecurity by processing enormous datasets far faster than traditional manual investigations, allowing defenders to identify hidden operational relationships that would otherwise remain undetected.
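To make the infrastructure-overlap idea concrete, here is an added Python example. It is not Microsoft's, Europol's or any partner's tooling, and the telemetry it runs over is constructed: the family labels are the two from this article, but every domain, IP address (documentation ranges) and AS number is a placeholder. The script indexes which families use which hosting indicators, scores the pairwise overlap with Jaccard similarity, lists the nodes shared across families and ranks IPs for seizure by how many families and domains depend on them, which is the kind of prioritisation the article describes.

```python
"""Correlate C2 indicators across malware families (added example; constructed data)."""
from collections import defaultdict

# Constructed telemetry, not real observations: (family, domain, resolved_ip, asn)
OBSERVATIONS = [
    ("amadey", "loader-one.example",   "203.0.113.10", "AS64500"),
    ("amadey", "loader-two.example",   "203.0.113.11", "AS64500"),
    ("amadey", "loader-three.example", "198.51.100.7", "AS64501"),
    ("stealc", "panel-one.example",    "203.0.113.10", "AS64500"),
    ("stealc", "panel-two.example",    "203.0.113.44", "AS64500"),
    ("stealc", "panel-three.example",  "192.0.2.99",   "AS64502"),
]

# Field positions inside one observation record
DOMAIN, IP, ASN = 1, 2, 3


def indicators_by_family(observations, field):
    """Set of one indicator type (DOMAIN, IP or ASN) per family."""
    out = defaultdict(set)
    for rec in observations:
        out[rec[0]].add(rec[field])
    return dict(out)


def jaccard(a, b):
    """Overlap of two indicator sets; 0.0 when both are empty."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def family_similarity(observations, field):
    """Pairwise Jaccard similarity between every pair of families for one indicator type."""
    sets = indicators_by_family(observations, field)
    names = sorted(sets)
    return {
        (x, y): jaccard(sets[x], sets[y])
        for i, x in enumerate(names)
        for y in names[i + 1:]
    }


def shared_nodes(observations, field):
    """Indicators of one type used by more than one family -> sorted list of families."""
    users = defaultdict(set)
    for rec in observations:
        users[rec[field]].add(rec[0])
    return {ind: sorted(f) for ind, f in users.items() if len(f) > 1}


def seizure_priority(observations):
    """Rank IPs for takedown: most families first, then most dependent domains."""
    fams, doms = defaultdict(set), defaultdict(set)
    for family, domain, ip, _asn in observations:
        fams[ip].add(family)
        doms[ip].add(domain)
    ranked = sorted(fams, key=lambda ip: (len(fams[ip]), len(doms[ip]), ip), reverse=True)
    return [(ip, len(fams[ip]), sorted(doms[ip])) for ip in ranked]


if __name__ == "__main__":
    print("shared IPs :", shared_nodes(OBSERVATIONS, IP))
    print("shared ASNs:", shared_nodes(OBSERVATIONS, ASN))
    print("IP overlap :", family_similarity(OBSERVATIONS, IP))
    print("ASN overlap:", family_similarity(OBSERVATIONS, ASN))
    for ip, n_families, domains in seizure_priority(OBSERVATIONS):
        print(f"{ip:15} families={n_families} domains={domains}")
```

On the constructed data the two families share one IP and one AS, so the IP-level similarity is 0.2 and the AS-level similarity is 0.33 while the domain sets do not overlap at all; that pattern (distinct domains, common hosting) is exactly what domain-only analysis misses and why pivoting on resolved addresses and AS numbers matters. Real telemetry adds more pivot fields (TLS certificate fingerprints, panel HTTP fingerprints, registrant data), and the same indexing works for each of them.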

Exploiting the StealC Control Panel

Researchers discovered an unexpected vulnerability inside the StealC command-and-control management panel.

The flaw allowed a web shell to be uploaded directly onto criminal infrastructure.

Investigators did not use the flaw to attack the panels. Acting under legal authority, they used it to gather intelligence that supported the takedown.

Ironically, evidence also indicated that one StealC affiliate had already abused the same vulnerability to steal operational data from rival affiliates, illustrating how little trust exists within cybercriminal communities.

Massive Results From the International Operation

The coordinated action produced impressive operational results.

Authorities seized more than 25 million stolen credentials collected from over 385,000 compromised computers.

Investigators also identified approximately 18,000 infected systems that were subsequently secured, reducing the number of devices available for future criminal abuse.

Additionally, cryptocurrency assets valued at more than $47 million were identified and flagged, limiting criminals’ ability to profit from stolen digital assets.

These figures demonstrate both the enormous scale of credential theft worldwide and the growing effectiveness of coordinated international cyber operations.

A Shift in Cybercrime Strategy

Europol described the operation as a strategic shift rather than another routine malware takedown.

Historically, cybersecurity operations focused on individual malware families or isolated criminal groups.

This campaign instead targeted the infrastructure supporting multiple independent threat actors simultaneously.

Disrupting shared infrastructure increases operational costs for cybercriminals, forces attackers to rebuild their networks, interrupts malware delivery chains, and weakens the broader cybercrime ecosystem.

Such strategies are becoming increasingly important as cybercriminal groups continue sharing services through Malware-as-a-Service business models.

Why Shared Infrastructure Matters

Modern cybercrime increasingly resembles legitimate cloud businesses.

Different criminal groups frequently rent servers from the same operators, purchase malware subscriptions from identical developers, and exchange stolen credentials through common marketplaces.

Disrupting these shared services creates ripple effects that extend far beyond a single malware family.

One successful infrastructure seizure can simultaneously interrupt hundreds or even thousands of criminal operations.

This broader approach delivers far greater long-term impact than pursuing individual hackers one by one.

The Broader Trend in Global Cyber Defense

The operation follows recent coordinated actions against major malware ecosystems, including the disruption of the SocGholish botnet.

Law enforcement agencies are increasingly working alongside private cybersecurity companies because neither side possesses all necessary capabilities independently.

Technology companies contribute threat intelligence, malware research, artificial intelligence, and infrastructure visibility.

Governments provide legal authority, international cooperation, criminal investigations, and judicial enforcement.

Together, these partnerships are transforming global cyber defense into a far more proactive model than ever before.

Deep Analysis (Linux Commands): Investigating Malware Infrastructure Like Security Researchers

Cybersecurity professionals often investigate malware indicators using Linux-based forensic tools before conducting deeper analysis. Below are examples of commands commonly used during malware investigations in controlled environments.

# Infrastructure lookups. whois/dig/host/nslookup are passive; curl and wget
# contact the suspect host, so run them only from an isolated analysis box.
whois suspicious-domain.com
dig suspicious-domain.com
dig +short suspicious-domain.com A
host suspicious-domain.com
nslookup suspicious-domain.com
curl -sI --max-time 10 http://suspicious-domain.com
wget --spider --timeout=10 http://suspicious-domain.com

# Network state and capture on the analysis host (root needed for process names and packet capture)
sudo netstat -tulnp
sudo ss -plant
sudo lsof -i
sudo tcpdump -i eth0 -nn -w capture.pcap
sudo tshark -i eth0

# Static triage of a sample (never execute it on the analysis host)
file malware_sample.bin
sha256sum malware_sample.bin
md5sum malware_sample.bin
strings -n 6 malware_sample.bin
readelf -a malware_sample.bin        # ELF binaries only
objdump -x malware_sample.bin
xxd malware_sample.bin | head -n 32
hexdump -C malware_sample.bin | head -n 32
exiftool malware_sample.bin
clamscan malware_sample.bin
yara rules.yar malware_sample.bin    # rules file comes first, then the target

# Host forensics: logins, processes, persistence, network configuration
journalctl --since "24 hours ago"
last
lastlog
ps aux
pstree -p
top
htop
find / -perm -4000 -type f 2>/dev/null          # setuid binaries
find /tmp /var/tmp -type f -mtime -7 2>/dev/null  # recent drops in world-writable dirs
crontab -l
ls -la /etc/cron.* /etc/systemd/system
systemctl list-units --type=service
sudo iptables -L -n -v
ip addr
ip route
hostnamectl
uname -a
cat /etc/os-release
history

These commands illustrate the foundational techniques analysts use when examining suspicious infrastructure, validating malware samples, monitoring network traffic, identifying persistence mechanisms, and collecting forensic evidence during incident response.
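The commands above are what an analyst types by hand; the Python below is an added example (not from the original page) that automates the sample-validation part of that list: hashing, magic-byte type detection, a strings-style extraction and simple IOC carving. The byte string it runs over is a constructed stand-in (an ELF magic header plus a few embedded strings), not a real sample, and the domain and address inside it are placeholders.

```python
"""Offline static triage of a sample (added example; constructed input)."""
import hashlib
import re
import string

# Constructed stand-in for a sample: ELF magic, padding, then a few embedded
# strings of the kind a loader or stealer might carry. Not real malware.
SAMPLE = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 41
    + b"http://c2-panel.example/gate.php\x00"
    + b"198.51.100.23\x00"
    + b"/tmp/.x/update\x00"
    + b"ab\x00"              # too short to be reported as a string
    + b"\xff\xfe\x01\x02"
)

# Leading magic bytes -> coarse file type (what `file` would print)
MAGIC = {
    b"\x7fELF": "ELF",
    b"MZ": "PE/DOS",
    b"PK\x03\x04": "ZIP (possibly JAR/APK/DOCX)",
    b"\x1f\x8b": "gzip",
    b"%PDF": "PDF",
}

URL_RE = re.compile(rb"https?://[\w.-]+(?:/[\w./%?=&-]*)?")
IPV4_RE = re.compile(rb"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Printable ASCII as `strings` sees it: letters, digits, punctuation and space
PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")


def hashes(data):
    """The same digests sha256sum/md5sum produce, for sharing and lookup."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def file_type(data):
    """Classify by leading magic bytes; never trust the file extension."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return "unknown"


def strings(data, min_len=4):
    """Equivalent of `strings -n MIN_LEN`: runs of printable ASCII bytes."""
    out, run = [], bytearray()
    for b in data:
        if b in PRINTABLE:
            run.append(b)
            continue
        if len(run) >= min_len:
            out.append(run.decode("ascii"))
        run = bytearray()
    if len(run) >= min_len:
        out.append(run.decode("ascii"))
    return out


def extract_iocs(data):
    """Carve URLs and syntactically valid IPv4 addresses out of raw bytes."""
    urls = sorted({m.decode() for m in URL_RE.findall(data)})
    ips = sorted({
        m.decode() for m in IPV4_RE.findall(data)
        if all(int(octet) <= 255 for octet in m.split(b"."))
    })
    return {"urls": urls, "ipv4": ips}


def triage(data):
    """One report per sample: type, size, hashes, strings and candidate IOCs."""
    return {
        "type": file_type(data),
        "size": len(data),
        "hashes": hashes(data),
        "strings": strings(data),
        "iocs": extract_iocs(data),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key:8}: {value}")
```

Carved URLs and addresses are candidates, not confirmed C2: check them against the passive lookups from the command list before treating them as indicators, since samples routinely embed decoys, vendor update servers and documentation ranges.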

What Undercode Say:

The dismantling of Amadey and StealC infrastructure highlights a growing maturity in global cyber defense. Rather than chasing individual malware campaigns, defenders are now focusing on disrupting the economic foundations that support cybercrime.

This strategy mirrors how authorities combat organized crime in the physical world by targeting logistics instead of only arresting individual participants.

The integration of artificial intelligence into malware attribution significantly reduced the complexity of correlating infrastructure shared across multiple campaigns.

The discovery of overlapping command-and-control servers demonstrates how modern malware developers increasingly reuse infrastructure to reduce operational costs.

Such reuse becomes a weakness once investigators identify common operational patterns.

The exploited vulnerability inside the StealC control panel is another reminder that criminal software frequently lacks the rigorous security engineering found in legitimate enterprise software.

Ironically, cybercriminals often become victims of their own insecure development practices.

Credential theft remains one of the largest underground industries.

Twenty-five million stolen credentials illustrate how password reuse and weak endpoint protection continue fueling cybercrime.

The identification of 18,000 compromised devices represents a significant reduction in future attack potential.

Each secured endpoint removes another launching platform for ransomware, phishing, or credential theft.

International cooperation continues to evolve faster than many criminal organizations anticipated.

Microsoft’s infrastructure visibility combined with Europol’s legal authority created an effective partnership that neither organization could achieve independently.

The operation also demonstrates how private-sector telemetry has become indispensable to modern law enforcement.

Future cyber operations will likely rely even more heavily on machine learning models capable of identifying relationships across billions of infrastructure indicators.

Cybercrime has evolved into a service economy where malware developers, initial access brokers, credential sellers, hosting providers, and ransomware affiliates collaborate.

Targeting this ecosystem produces broader disruption than targeting isolated malware families.

Operations like Endgame increase operational costs for criminals, forcing infrastructure rebuilds and reducing attacker efficiency.

Although cybercrime will not disappear, repeated infrastructure disruption weakens criminal profitability over time.

Organizations should not assume these takedowns eliminate all threats.

Variants, successor malware, and rebuilt infrastructure will inevitably emerge.

Continuous monitoring, endpoint detection, zero-trust architecture, phishing awareness, and timely patch management remain essential defensive measures.

Ultimately, this operation reflects a broader transformation in cybersecurity from reactive incident response toward proactive ecosystem disruption.

✅ Microsoft collaborated with Europol, law enforcement agencies, and major cybersecurity companies to disrupt infrastructure used by Amadey and StealC.

✅ Amadey functions primarily as a malware loader, while StealC specializes in credential and information theft, making their combined use highly effective for cybercriminal operations.

✅ Investigators identified over 25 million stolen credentials, secured approximately 18,000 compromised systems, and traced cryptocurrency assets exceeding $47 million during the operation.

Prediction

(+1) International operations similar to Operation Endgame will increasingly target shared cybercrime infrastructure instead of focusing solely on individual malware families, leading to more disruptive long-term results.

(-1) Cybercriminal groups will likely adapt by decentralizing their command-and-control infrastructure, improving operational security, and developing replacement malware ecosystems to restore their capabilities despite continued law enforcement pressure.

References:

Reported By: www.securityweek.com