In a significant coordinated effort, Europol and law enforcement agencies from multiple countries have successfully disrupted the infrastructure supporting the StealC and Amadey malware, both integral components of the cybercrime-as-a-service ecosystem. This operation, part of the broader Operation Endgame, targeted the networks facilitating ransomware deployment, credential theft, and large-scale financial fraud.
The two-week operation saw collaboration between authorities from Canada, Denmark, Germany, the Netherlands, the United Kingdom, and the United States, alongside Europol, Eurojust, and private sector partners such as Microsoft, Proofpoint, IBM X-Force, Bitdefender, and Shadowserver. The concerted effort aimed to dismantle the criminal ‘assembly lines’ that enable cyberattacks to scale globally.
Key Outcomes of the Operation
- 326 servers and 142 domains were taken down, crippling malware distribution networks.
- Approximately €41 million (around $47 million) in cryptocurrency assets of criminal origin were identified and frozen.
- 27 million stolen login credentials were recovered.
- 14,971 infected websites were remediated, including those belonging to small businesses, restaurants, and auto repair shops.
StealC: A Notorious Infostealer
StealC, classified as an infostealer with dropper functionality, was a primary target of this operation. Distributed through multiple attack vectors, StealC was engineered to silently extract passwords, stored access credentials, session tokens, and digital identities from compromised systems, feeding stolen data directly into underground marketplaces for fraud and resale.
Working in tandem with Amadey, a dropper/loader primarily spread through phishing campaigns, the two malware families formed a critical link in the cybercrime supply chain. Amadey establishes initial access on a victim’s device, while StealC executes credential harvesting in the background. According to Microsoft’s threat intelligence, in just the first two weeks of May 2026, Amadey and StealC were collectively linked to over 140,000 infected computers worldwide.
SocGholish and the Evil Corp Connection
SocGholish, another malware targeted in this operation, is a dropper/loader distributed through fake browser update pop-ups on compromised WordPress sites. This malware is attributed to Evil Corp, the Russian cybercriminal group previously responsible for Zeus and Dridex, and associated with numerous ransomware and money-laundering operations.
Dutch Police have already patched vulnerabilities on infected sites and notified affected owners. WordPress administrators are urged to immediately change login credentials, enable multi-factor authentication, remove unknown admin accounts, and keep their platforms updated. To avoid SocGholish infection, users should never act on browser pop-up update prompts and should only apply updates through official system settings or verified app stores.
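As an added defensive example, not part of the original report, the following Python script audits a WordPress page's rendered HTML for script tags loaded from hosts outside an allowlist and for inline script text resembling a fake browser-update lure of the kind SocGholish uses; the allowlist, hostnames, lure phrases and sample HTML are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts this site is expected to load scripts from (constructed allowlist).
ALLOWED_SCRIPT_HOSTS = {"example-shop.test", "cdn.example-shop.test"}

# Phrases typical of fake browser-update lures (constructed heuristic, not a signature).
LURE_PATTERNS = re.compile(
    r"(browser|chrome|firefox)\s+(is\s+)?(out\s+of\s+date|update\s+required)"
    r"|update\s+your\s+browser", re.I)

class ScriptAuditor(HTMLParser):
    """Collects external script sources and inline script bodies from a page."""
    def __init__(self):
        super().__init__()
        self.external, self.inline, self._in_script = [], [], False
    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True          # inline body follows in handle_data
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        if self._in_script:
            self.inline.append(data)

def audit_page(html, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Return (kind, detail) findings: unexpected script hosts and lure-like inline scripts."""
    parser = ScriptAuditor()
    parser.feed(html)
    findings = []
    for src in parser.external:
        host = urlparse(src).netloc.lower()
        if host and host not in allowed_hosts:   # relative (first-party) src has no host
            findings.append(("unexpected-script-host", host))
    for body in parser.inline:
        if LURE_PATTERNS.search(body):
            findings.append(("fake-update-lure-text", body.strip()[:60]))
    return findings

# Constructed sample: a legitimate theme script, an injected third-party loader, and a lure.
SAMPLE_HTML = """<html><head>
<script src="https://cdn.example-shop.test/theme.js"></script>
<script src="https://injected-cdn.invalid/loader.js"></script>
</head><body>
<script>var msg = "Your browser is out of date. Update required.";</script>
</body></html>"""

if __name__ == "__main__":
    for kind, detail in audit_page(SAMPLE_HTML):
        print(kind, detail)
```

Run it against the HTML your site actually serves to visitors (not the admin editor view), since injected loaders are often added to theme or plugin files rather than post content.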
Operation Endgame represents a strategic evolution in law enforcement’s approach to cybercrime, moving beyond individual threat actors to dismantle the broader infrastructure enabling attacks at scale. Europol’s European Cybercrime Centre (EC3) provided analytical support, crypto tracing, and victim notifications via platforms like HaveIBeenPwned, Spamhaus, and Shadowserver.
This operation underscores the importance of international collaboration in combating cyber threats. By targeting the infrastructure that supports widespread malware distribution, authorities have dealt a significant blow to cybercriminal operations. However, the persistence of such threats highlights the need for continuous vigilance and proactive measures by both organizations and individuals to safeguard against evolving cyber risks.