Europol-Led Operation Endgame Disrupts Amadey and StealC Malware Networks
Operation Endgame, the largest international cybercrime disruption campaign, has taken down infrastructure for Amadey and StealC malware, recovering millions of stolen credentials and freezing millions in criminal assets.
Law enforcement agencies from multiple countries, working with private sector partners including Bitdefender, ESET, Microsoft, and Proofpoint, disrupted the criminal infrastructure behind the Amadey and StealC malware families last week. The operation, part of the ongoing Operation Endgame campaign, targeted the shared assembly lines these malware groups use to launch ransomware and financial fraud.
Over a two-week period, authorities dismantled 326 servers and 142 domains associated with the two malware strains. They also recovered 27 million stolen login credentials and flagged more than $47 million in cryptocurrency assets of criminal origin, according to Europol.
Malware as a Service Under Pressure
Both Amadey and StealC operate under a malware-as-a-service model, charging customers monthly or per-build fees to distribute the tools. Amadey, a C++-based modular loader active since October 2018, is sold by a threat actor known as InCrease at $600 per license with a $50 rebuild fee. StealC, a credential and data stealer that first appeared in January 2023, costs $300 per month or $1,000 for six months and is sold by a threat actor using the moniker plymouth.
- Amadey version 5.87 supports commands for fingerprinting machines, downloading payloads, running cmd.exe commands, taking screenshots, spawning SOCKS proxies, opening VNC or reverse proxy sessions, and capturing clipboard contents and credentials.
- StealC version 2.2.1 targets Chromium browsers, Discord, FileZilla, Foxmail, Microsoft Outlook, Steam, Telegram, and files with specific naming patterns. It can also act as a secondary loader for EXE, MSI, or PowerShell payloads.
- Both malware families include language checks that cause them to terminate or skip certain functions on systems configured for Russian, Ukrainian, Belarusian, or Kazakh locales.
Growing Scale and Infection Volumes
Amadey infections have surged dramatically since its emergence in 2018. Cybersecurity firm Mitsui Bussan Secure Directions recorded 66 samples distributed via Amadey in 2019, rising to 260 in 2020, 1,231 in 2021, 3,500 in 2022, 8,360 in 2023, and 7,619 in 2024. In 2025, the number peaked at 11,635 samples. Since the start of 2026, 1,837 payloads have been distributed through the loader. Active command-and-control servers for Amadey ranged between 5 and 30 daily from January 2023 through early December 2023, after an earlier period of 2 to 18 per day until September 2022.
StealC infections have concentrated most heavily in the United States, Poland, and Italy. The malware is often distributed via loaders like Amadey itself, as well as through ClickFix lures and YouTube videos advertising cracked versions of Adobe Photoshop and After Effects. In January 2026, CyberArk disclosed a cross-site scripting vulnerability in StealC's web-based control panel that exposed details about one customer named YouTubeTA.
Alex Cosoi, chief security strategist at Bitdefender, said the operation sends a clear message that coordinated international action will find those behind malware ecosystems regardless of sophistication or distribution.
Fact check
- Law enforcement dismantled 326 servers and 142 domains as part of the operation.
- 27 million stolen login credentials were recovered during the operation.
- Amadey has been active since October 2018 and is sold for $600 per license.
- StealC first surfaced in January 2023 and is sold for $300 per month.
- The operation involved partners including Bitdefender, ESET, Microsoft, and Proofpoint.
Source reporting (4)
- The Hacker News · Amadey and StealC Malware Network Disrupted, 27M Stolen Credentials Recovered
- Infosecurity Magazine · Europol-Led Operation Endgame Takes Down StealC and Amadey Infostealers
- Help Net Security · Law enforcement hits StealC and Amadey malware networks
- SecurityWeek · Microsoft and Allies Smash Shared Infrastructure of Amadey and StealC Malware