Europol-Led Operation Endgame Takes Down StealC and Amadey Infostealers


The infrastructure of two infamous information stealer malware strains (infostealers), StealC and Amadey, has been disrupted by an international law enforcement takedown.

The action against the two strains formed the latest part of Operation Endgame, an ongoing global police investigation to combat ransomware and cybercrime worldwide.

It specifically involved Germany’s Federal Criminal Police Office and was coordinated by Europol, which provided intelligence and technical analysis support via its European Cybercrime Centre (EC3) and had strategic oversight through the Joint Cybercrime Action Taskforce (J-CAT), with additional legal support by Eurojust.

It also involved several industry partners, including BitSight, ESET, IBM X-Force, Lumen, Microsoft, Mitsui Bussan Secure Directions and Proofpoint.  

Takedown banner shown when a user tries to access domains linked to the StealC and Amadey infostealers. Source: Microsoft

This new episode comes just a few days after the Dutch police announced the takedown of the SocGholish botnet – also as part of Operation Endgame – which was widely used by ransomware groups such as Evil Corp.

Amadey and StealC Explained

Operation Endgame seized around 50 domains and nearly 200 active IP-based command-and-control (C2) servers associated with Amadey and StealC.

Both are infostealers with a dropper function that have been widely used by cybercriminals.

StealC was primarily designed to extract sensitive information such as passwords, stored access data and digital identities from compromised computers and to make them available for subsequent illicit use, especially data trading and fraudulent use.

While Amadey had similar features, it primarily served as the first link in a larger attack chain. It was equipped with the capability of introducing additional malware into compromised systems.

“Together, they form a critical link in the cybercrime supply chain,” noted Europol.

How Amadey and StealC are typically used together. Source: Microsoft

According to insight collected by Microsoft, in the first two weeks of May 2026 Amadey and StealC were linked to over 140 000 infected computers worldwide.

Breaking the Infostealer Supply Chain With AI

In a blog explaining the takedown, Microsoft said it disrupted the Amadey and StealC infostealers by executing a simultaneous, court-authorized takedown.

During this operation, the tech giant’s Digital Crimes Unit (DCU) disrupted more than 200 command-and-control (C2) servers. The team also identified over 18,000 victim computers, severed criminal control of those devices and began working with telecommunications providers to help protect affected customers globally.

To achieve this, Microsoft utilized AI, including Copilot, to analyze the malware. Instead of manually combing through complex code, investigators asked questions in plain English.

According to the blog, this approach helped "surface key details, uncover hidden data, and test findings in a fraction of the time".

The AI turned tasks that normally took hours or days into minutes, enabling investigators to quickly realize that although Amadey and StealC were developed by separate cybercriminals, they relied on the same infrastructure.

These AI-driven insights ultimately "allowed the legal team to treat both malware families as part of a single conspiracy".

For this takedown, Microsoft explained that it focused on "targeting the cyber-attack supply chain, not just individual services."

Historically, Microsoft has used civil legal actions and the US Racketeer Influenced and Corrupt Organizations Act (RICO) to target organized crime, but this action was unique because they combined "AI analysis with an expanded use of that law."

Instead of tackling each malware tool separately, they used RICO to "charge multiple complicit enablers involved across the operation" under one single conspiracy.

Steven Masada, assistant general counsel at Microsoft's DCU, explained, "When multiple parts of an operation are disrupted together, attacks are harder to launch, scale and recover from".

He further noted that "it's no longer enough to go after threats one by one" and concluded that defenders "need to interrupt how the attacks are put together".

In separate blogs, ESET, BitSight and Mitsui Bussan Secure Directions said they contributed to this effort by providing technical analyses, statistical information, known C2 servers, encryption keys, campaign and build identifiers, and other threat intelligence.

Proofpoint and IBM X-Force threat researchers also developed a StealC emulator to identify and track operations, infrastructure and payloads.

€41m of Criminal Crypto Assets Frozen

In a public statement on June 24, Europol said the main goal of the takedown of SocGholish, StealC and Amadey was “to disrupt the ‘assembly lines’ cybercriminals use to launch ransomware, financial fraud and attacks on critical infrastructure.”

The Hague-based European law enforcement agency said beyond the takedowns, this new chapter of Operation Endgame resulted in €41m ($46.5m) of crypto assets of criminal origin identified and frozen and 27 million stolen login credentials recovered.

Officers and their private sector partners also took down 326 servers and seized 142 domains, “severely crippling the malware’s distribution network,” Europol noted.

Aside from Germany and the Netherlands, Operation Endgame has involved many other countries, such as Canada, Denmark, the UK and the US.

Additional partners of the wider operation also include the Shadowserver Foundation, Registrar of Last Resort (RoLR), Infoblox, NorthWave, Orange Cyberdefense, Bitdefender, Have I Been Pwned and Spamhaus.

Image credits: PixelBiss / Menno van der Haven / Shutterstock.com
