Authorities Disrupt Stealer Malware StealC and Amadey Infrastructure in Global Operation
By Guru Baran
June 24, 2026
Europol and law enforcement partners across multiple countries have dealt a significant blow to the cybercriminal ecosystems powering StealC, Amadey, and SocGholish malware, three widely deployed tools in the modern “cybercrime-as-a-service” supply chain.
Announced as part of Operation Endgame, the coordinated action dismantled key infrastructure enabling ransomware deployment, credential theft, and large-scale financial fraud.
Spanning two weeks of coordinated action, the operation involved law enforcement agencies from Canada, Denmark, Germany, the Netherlands, the United Kingdom, and the United States, alongside Europol, Eurojust, and private sector partners including Microsoft, Proofpoint, IBM X-Force, Bitdefender, and Shadowserver.
The combined effort targeted the criminal “assembly lines” that allow cyberattacks to scale globally.
Key outcomes of the operation include:
326 servers and 142 domains were taken down, crippling malware distribution networks.
EUR 41 million (≈ USD 47 million) in crypto assets of criminal origin identified and frozen.
27 million stolen login credentials recovered.
14,971 infected websites remediated, including small businesses, restaurants, and auto repair shops.
Password-Stealing Malware StealC
StealC, classified as an infostealer with dropper functionality, was a primary target of this operation. Distributed through multiple attack vectors, StealC was engineered to silently extract passwords, stored access credentials, session tokens, and digital identities from compromised systems, feeding stolen data directly into underground marketplaces for fraud and resale.
Working in tandem with Amadey, a dropper/loader primarily spread through phishing campaigns, the two malware families formed a critical link in the cybercrime supply chain.
Amadey establishes initial access on a victim’s device, while StealC executes credential harvesting in the background. According to Microsoft’s threat intelligence, in just the first two weeks of May 2026, Amadey and StealC were collectively linked to over 140,000 infected computers worldwide.
SocGholish and the Evil Corp Connection
SocGholish, a dropper/loader distributed through fake browser update pop-ups on compromised WordPress sites, rounded out the trio of neutralized malware.
The malware is attributed to Evil Corp, the Russian cybercriminal group previously responsible for Zeus and Dridex, and associated with numerous ransomware and money-laundering operations.
Dutch Police have already patched vulnerabilities on infected sites and notified affected owners. WordPress administrators are urged to immediately change login credentials, enable multi-factor authentication, remove unknown admin accounts, and keep their platforms updated.
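One way to carry out the "remove unknown admin accounts" step, as an added example that is not part of the original article: it parses the JSON printed by WP-CLI's `wp user list --role=administrator --format=json` and flags administrators that are missing from an allowlist or were registered inside a review window. The sample output, the allowlist and the cutoff date are constructed assumptions.

```python
import json
from datetime import datetime

# Constructed sample of the output of:
#   wp user list --role=administrator \
#     --fields=ID,user_login,user_email,user_registered --format=json
SAMPLE_WP_CLI_JSON = """[
 {"ID": 1, "user_login": "siteowner", "user_email": "owner@example.com",
  "user_registered": "2021-03-02 09:14:55"},
 {"ID": 7, "user_login": "webdev", "user_email": "dev@example.com",
  "user_registered": "2023-11-20 16:02:10"},
 {"ID": 42, "user_login": "wp_update_svc", "user_email": "svc@example.net",
  "user_registered": "2026-05-09 03:41:27"}
]"""

# Assumption: the site owner keeps a list of the administrators they expect.
KNOWN_ADMINS = {"siteowner", "webdev"}


def audit_admins(wp_cli_json, known_admins, review_since):
    """Return (login, reasons) for every administrator that needs review."""
    cutoff = datetime.strptime(review_since, "%Y-%m-%d")
    known = {name.lower() for name in known_admins}
    findings = []
    for user in json.loads(wp_cli_json):
        login = user["user_login"]
        # WordPress stores user_registered as "YYYY-MM-DD HH:MM:SS".
        registered = datetime.strptime(user["user_registered"],
                                       "%Y-%m-%d %H:%M:%S")
        reasons = []
        if login.lower() not in known:
            reasons.append("not on allowlist")
        if registered >= cutoff:
            reasons.append("registered on or after " + review_since)
        if reasons:
            findings.append((login, reasons))
    return findings


if __name__ == "__main__":
    # The cutoff is an operator-chosen review window (constructed here).
    for login, reasons in audit_admins(SAMPLE_WP_CLI_JSON, KNOWN_ADMINS,
                                       "2026-05-01"):
        print(f"REVIEW {login}: {', '.join(reasons)}")
```

Flagged accounts are candidates for manual review, not automatic deletion; an allowlisted account registered inside the window is still reported so that a recreated or renamed account does not pass unnoticed.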
To avoid SocGholish infection, users should never act on browser pop-up update prompts and should only apply updates through official system settings or verified app stores.
Operation Endgame represents a strategic evolution in law enforcement’s approach to cybercrime, moving beyond individual threat actors to dismantle the broader infrastructure enabling attacks at scale.
Europol’s European Cybercrime Center (EC3) provided analytical support, crypto tracing, and victim notifications via platforms like HaveIBeenPwned, Spamhaus, and Shadowserver. The Joint Cybercrime Action Taskforce (J-CAT) aligned national investigations under a unified framework.
Victim notifications are being distributed through HaveIBeenPwned, DIVD, Spamhaus, CheckjeHack, NoMoreLeaks, Shadowserver, and NL-NCSC.
Operation Endgame remains the largest international operation ever undertaken against ransomware enablers, with more than 30 public and private partners actively supporting ongoing actions.