VYPR
Advisory · Published Jun 24, 2026 · 6 sources

Microsoft-Led Takedown Disrupts StealC and Amadey Malware Infrastructure, Seizes Over 200 C2 Domains

Microsoft's Digital Crimes Unit, in coordination with Europol and industry partners, has disrupted the infrastructure behind the StealC infostealer and Amadey loader, taking down over 200 command-and-control domains and IPs.

Microsoft's Digital Crimes Unit (DCU), working alongside Europol and industry partners, announced on June 24, 2026, a coordinated disruption action against the StealC infostealer and Amadey malware loader, resulting in the takedown, suspension, and blocking of over 200 malicious command-and-control (C2) domains and IPs. The operation targeted the backbone of these malware-as-a-service (MaaS) offerings, which have enabled widespread credential theft and enterprise intrusions.

StealC is a sophisticated infostealer-as-a-service that harvests credentials, cookies, session tokens, and cryptocurrency wallet data from browsers, messaging apps, email clients, and gaming platforms. It operates through a centralized web panel that allows threat actors to generate customized payloads and manage stolen data. Amadey, meanwhile, functions as a loader-as-a-service, delivering StealC and other malware payloads onto compromised systems. Together, they represent a modular, pay-as-you-go cybercrime model that enables attackers to escalate a single initial infection into multiple downstream threats.

The takedown was the result of months of technical analysis by Microsoft's DCU, which engineered custom tools, including ones built with Microsoft Copilot, to analyze StealC and Amadey binaries efficiently. The team created a prompt agent for comprehensive function analysis, used prompt engineering to generate Python scripts for string decryption and configuration extraction, analyzed disassembled malware code to identify hardcoded C2 servers, and wrote software with Copilot's assistance to confirm C2 activity. This technical work enabled the identification of over 200 malicious domains and IPs, which were then shut down through a mix of court orders, domain seizures, registrations, and provider notifications.

Infostealers like StealC play a central role in the modern cybercrime ecosystem by enabling a division of labor: initial operators deploy the malware at scale, access brokers validate and monetize stolen credentials, and ransomware gangs purchase that access to launch devastating attacks. A single infostealer infection on an employee's personal device can yield corporate VPN credentials, single sign-on tokens, and session cookies that allow attackers to bypass multifactor authentication. The stolen data flows through an underground economy that feeds ransomware operations and other cybercrimes.

The disruption of StealC and Amadey infrastructure is a significant blow to the cybercrime supply chain, but experts warn that similar MaaS offerings will quickly fill the void. Microsoft's DCU continues to monitor the threat landscape and work with law enforcement and industry partners to disrupt these operations. The company recommends that organizations implement strong identity protection measures, credential hygiene practices, and rapid incident response capabilities to defend against infostealer-enabled intrusions.

This takedown underscores the growing importance of disrupting the infrastructure that underpins the cybercrime economy. By targeting the C2 servers and domains that enable malware operations, law enforcement and industry partners can degrade the capabilities of threat actors and protect potential victims. However, the persistence of infostealer threats highlights the need for continued vigilance and proactive defense measures across the cybersecurity community.

The CyberScoop report adds that the takedown was authorized under the Racketeer Influenced and Corrupt Organizations (RICO) Act, marking the first time a court order has simultaneously targeted two distinct malware families as part of a single criminal conspiracy. Microsoft credited its Copilot AI with analyzing infrastructure overlaps between Amadey and StealC, enabling the legal team to treat them as one operation. The joint effort involved Europol, Germany's Federal Criminal Police Office, Dutch and Danish police, and private partners including ESET, Bitsight, Lumen, IBM X-Force, and Proofpoint.

Law enforcement agencies from the Netherlands, Canada, the United States, and Germany, working with Europol and Eurojust, announced a follow-up action that disrupted 326 servers and 142 domains tied to StealC and Amadey, and froze over €41 million (roughly $47 million) in cryptocurrency. Researchers at Proofpoint and IBM X-Force revealed they exploited a vulnerability in the StealC C2 panel to extract configurations and built a bot emulator that traced downstream payload delivery, including cases where StealC ultimately dropped LockBit Black ransomware. Nearly 27 million stolen login credentials were identified, though it's not yet clear if they will be added to Have I Been Pwned as with the prior SocGholish operation.

The takedown, part of Operation Endgame, leveraged AI to uncover shared C2 infrastructure and exploited a vulnerability in the StealC control panel to upload a web shell for data collection. More than 25 million unique credentials stolen from over 385,000 systems were seized, and crypto assets valued at over $47 million were identified and flagged.

The latest phase of Operation Endgame expanded the disruption to include 326 servers and 142 domains, with Europol reporting the recovery of approximately 27 million credentials stolen from over 385,000 compromised systems and the identification of more than €41 million ($47 million) in cryptocurrency linked to criminal activity. The coordinated action also targeted SocGholish (FakeUpdates), a malware loader that infects visitors via compromised websites serving fake browser update prompts, and involved law enforcement agencies from Canada, Denmark, Germany, the Netherlands, the United Kingdom, and the United States, with private-sector support from ESET, Proofpoint, IBM X-Force, Bitsight, and others.

Europol's Operation Endgame announcement provides additional operational details, specifying that approximately 50 domains and nearly 200 active IP-based servers were seized in the coordinated action against StealC and Amadey infrastructure. While the earlier Microsoft-led disclosure focused on the takedown of over 200 command-and-control domains and IPs, the Europol statement emphasizes the cross-border law enforcement coordination and notes that authorities have not yet disclosed specific arrest counts, though the disruption removes a significant portion of the botnet's command-and-control capacity.

Synthesized by Vypr AI