Amadey and StealC Malware Network Dismantled, 27M Credentials Recovered

A collaborative effort between law enforcement agencies and private sector companies, including Bitdefender, Bitsight, ESET, and Microsoft, has successfully dismantled the infrastructure supporting the Amadey and StealC malware networks. This operation aimed to disrupt the mechanisms cybercriminals employ to execute ransomware attacks, financial fraud, and assaults on critical infrastructure.

In a related development, authorities from the Netherlands, Canada, Germany, and the U.S. recently took down malicious infrastructure linked to SocGholish, cleaning up nearly 15,000 infected WordPress websites. This underscores a broader initiative to combat cyber threats at their source.

During the two-week operation targeting Amadey and StealC, over $47 million in illicit cryptocurrency assets were identified and restricted. Additionally, approximately 27 million stolen login credentials were recovered, and the malware distribution network was significantly disrupted by dismantling 326 servers and 142 domains.

Amadey and StealC are known to operate under a malware-as-a-service (MaaS) model, enabling cybercriminals to deploy additional payloads or exfiltrate sensitive information from compromised systems. Both function as loaders, introducing subsequent malware stages. Amadey, active since October 2018, is a C++-based modular backdoor advertised by a threat actor known as InCrease. It is priced at $600 per license, with each rebuild costing an additional $50, and its latest version is 5.87. Amadey’s capabilities include system fingerprinting, downloading and executing files, running commands via “cmd.exe,” taking screenshots, spawning SOCKS proxies, initiating VNC or reverse proxy sessions, capturing clipboard contents and credentials, and enabling RDP.

Data from Mitsui Bussan Secure Directions indicates that the daily number of active Amadey command-and-control (C2) servers fluctuated between 2 and 18 until September 2022. From January 2023 to early December 2023, this figure increased to between 5 and 30, suggesting a rise in Amadey’s usage. In 2024, after a brief dormant period, the daily count peaked at 17 before gradually declining.

The number of malware samples distributed via Amadey escalated from 66 in 2019 to 11,635 in 2025, reflecting its growing utilization. Since the beginning of 2026, 1,837 payloads have been distributed through Amadey.

StealC has employed various initial access vectors, including malware loaders like Amadey and ClickFix lures, to extract sensitive information such as screen captures, credentials, and clipboard data from infected systems.

This takedown highlights the effectiveness of coordinated international action in disrupting sophisticated cybercriminal operations. It serves as a stark reminder to cybercriminals that no matter the complexity or distribution of their networks, collaborative efforts between public and private sectors can and will dismantle their operations.