Threat Summary
Category: Global Cybercrime Disruption
Affected Infrastructure: StealC, Amadey, and SocGholish Malware Ecosystems
Primary Risk: Credential Theft, Initial Network Compromise, Ransomware Deployment, Financial Fraud
Operation Status: International Law Enforcement Action Completed
Target Environment: Enterprises, Government Networks, Critical Infrastructure, WordPress Websites, General Internet Users
Operational Impact: Hundreds of Servers and Domains Seized, Millions of Stolen Credentials Recovered, Criminal Infrastructure Severely Disrupted
Threat Surface: Malware-as-a-Service (MaaS), Initial Access Brokers, Infostealer Infrastructure, Fake Browser Update Campaigns
A coordinated international cyber operation has significantly disrupted three major malware ecosystems widely used to enable ransomware attacks, financial fraud, credential theft, and large-scale network intrusions.
The operation, conducted as part of Operation Endgame, brought together law enforcement agencies, Microsoft, Europol, and multiple cybersecurity partners to dismantle infrastructure supporting the StealC, Amadey, and SocGholish malware operations. According to Europol, authorities disrupted 326 servers, seized 142 domains, identified cryptocurrency assets valued at approximately €41 million ($47 million) believed to be connected to criminal activity, and recovered approximately 27 million stolen login credentials.
Unlike many previous takedown operations that focused on individual malware families, investigators targeted the shared infrastructure supporting multiple criminal services simultaneously. Microsoft described the effort as an attack on the cybercrime “assembly line,” disrupting the underlying infrastructure that allows multiple threat actors to deploy malware, conduct ransomware operations, steal credentials, and carry out financial fraud at scale.
Malware Breakdown
StealC
StealC is a malware-as-a-service information stealer designed to harvest:
- Usernames and passwords
- Browser cookies
- Session tokens
- Cryptocurrency wallet information
- Other sensitive credentials
The stolen information is commonly sold on criminal marketplaces or used to facilitate additional intrusions.
Amadey
Amadey primarily functions as a malware loader and initial access platform.
Once a victim system is compromised, Amadey enables attackers to deploy additional malware payloads, making it a common first-stage infection used before ransomware, credential theft, or other malicious activity.
Microsoft researchers determined that although StealC and Amadey were developed by different criminal groups, both relied on shared command-and-control infrastructure, allowing investigators to disrupt both ecosystems simultaneously.
SocGholish
SocGholish is commonly distributed through compromised websites that present visitors with fraudulent browser update prompts.
Victims who install the fake updates unknowingly download malware that provides attackers with initial access into enterprise networks. Europol reported that investigators identified 14,971 compromised websites distributing the malware, many belonging to legitimate businesses and retailers. Authorities also linked SocGholish to the Russian cybercrime organization Evil Corp, a group previously associated with ransomware and large-scale money laundering activity.
Infrastructure Impact
Authorities reported the operation resulted in:
- 326 servers disrupted
- 142 domains seized or disabled
- Approximately €41 million ($47 million) in suspected criminal cryptocurrency identified
- Approximately 27 million stolen login credentials recovered
- Approximately 18,000 compromised victim computers identified
- Nearly 15,000 compromised websites remediated during related enforcement activity targeting SocGholish infrastructure
Microsoft also reported that Amadey and StealC were linked to more than 140,000 infected computers worldwide during the first two weeks of May 2026, demonstrating the scale of the malware ecosystem prior to the disruption.
Threat Activity
Cybercrime-as-a-service operations have transformed modern cybercrime by allowing threat actors to rent malware, infrastructure, and supporting services instead of developing their own capabilities.
StealC and Amadey have frequently been used together during multi-stage attacks. Amadey establishes initial access into victim environments, while StealC harvests credentials and other sensitive information that can later be leveraged for ransomware deployment, account compromise, financial fraud, or additional intrusion activity.
By disrupting shared infrastructure rather than individual malware families, investigators increased the operational cost required for cybercriminals to rebuild their infrastructure and resume large-scale operations.
Defensive Guidance
Organizations should:
- Reset passwords for potentially exposed accounts
- Enforce multi-factor authentication across enterprise environments
- Monitor authentication logs for suspicious activity
- Review systems for indicators of compromise
- Patch internet-facing systems promptly
- Monitor outbound communications to suspicious infrastructure
- Educate users about fake browser update campaigns
- Ensure endpoint detection and response platforms remain fully updated
- Audit privileged accounts for unauthorized access
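Two of the steps above, monitoring authentication logs and treating recovered-credential exposure as a live risk, can be turned into simple detections. The following is an added example (not code from the page, Europol, Microsoft, or the TRJ summary) that parses a constructed authentication log in an assumed `user=… src=… result=…` format and flags two patterns worth triaging after an infostealer leak: a burst of failures followed by a success from the same source (credential replay), and a successful login from a source address the account has never used before. The log lines, the `KNOWN_SOURCES` baseline, and the field names are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample authentication log (not real data). The line format is an
# assumption for this example: ISO timestamp, user, source IP, result (OK/FAIL).
SAMPLE_LOG = """\
2026-05-20T09:58:01Z user=alice src=198.51.100.10 result=OK
2026-05-20T10:01:02Z user=bob src=203.0.113.5 result=FAIL
2026-05-20T10:01:03Z user=bob src=203.0.113.5 result=FAIL
2026-05-20T10:01:04Z user=bob src=203.0.113.5 result=FAIL
2026-05-20T10:01:05Z user=bob src=203.0.113.5 result=FAIL
2026-05-20T10:01:06Z user=bob src=203.0.113.5 result=FAIL
2026-05-20T10:01:09Z user=bob src=203.0.113.5 result=OK
2026-05-20T10:05:00Z user=carol src=192.0.2.77 result=OK
2026-05-20T11:00:00Z user=alice src=198.51.100.10 result=OK
"""

# Constructed baseline of source addresses each account normally logs in from.
KNOWN_SOURCES = {"alice": {"198.51.100.10"}, "bob": {"10.0.0.8"}}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_log(text):
    """Parse log text into a list of event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def find_failure_then_success(events, threshold=5):
    """Flag (user, src) pairs where at least `threshold` consecutive failures
    immediately precede a successful login from the same source."""
    streak = defaultdict(int)
    hits = []
    for e in events:
        key = (e["user"], e["src"])
        if e["result"] == "FAIL":
            streak[key] += 1
            continue
        if streak[key] >= threshold:
            hits.append({"user": e["user"], "src": e["src"],
                         "failures": streak[key], "ts": e["ts"]})
        streak[key] = 0
    return hits


def find_new_source_logins(events, known):
    """Flag successful logins from a source IP not in the account's known set.
    `known` maps user -> set of source IPs; unknown users start with an empty set."""
    seen = {u: set(s) for u, s in known.items()}
    hits = []
    for e in events:
        if e["result"] != "OK":
            continue
        sources = seen.setdefault(e["user"], set())
        if e["src"] not in sources:
            hits.append({"user": e["user"], "src": e["src"], "ts": e["ts"]})
            sources.add(e["src"])  # report each new source once
    return hits


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for h in find_failure_then_success(evs):
        print("credential replay?", h)
    for h in find_new_source_logins(evs, KNOWN_SOURCES):
        print("new source login", h)
```

Both functions return structured findings rather than printing, so the same logic can feed a SIEM rule or a password-reset queue; a real deployment would read the baseline from historical logins rather than a hard-coded dictionary.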
Organizations operating WordPress websites should also verify that plugins, themes, and core installations remain fully updated and inspect systems for unauthorized modifications or malicious scripts.
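Inspecting a WordPress installation for injected scripts of the kind used to serve fake browser update prompts can be partly automated. The following is an added example (not code from the page or from any of the organizations it names) that scans page or theme content for `<script>` tags, reports external script sources whose host is not on an allowlist, and reports inline scripts using common obfuscation idioms. The sample footer, the allowlist, and the hostnames are constructed for the example (documentation/example domains, not indicators from the operation).

```python
import re
from pathlib import Path
from urllib.parse import urlparse

# Constructed sample of a theme footer after an unauthorized modification.
# Hostnames are example names; the base64 string is a placeholder payload.
SAMPLE_FOOTER = """\
<footer>
  <script src="https://www.example-shop.com/wp-includes/js/jquery/jquery.min.js"></script>
  <script src="https://cdn.jsdelivr.net/npm/some-lib@1/dist/lib.min.js"></script>
  <script src="https://update-check.example.net/loader.js"></script>
  <script>eval(atob("UExBQ0VIT0xERVI="));</script>
  <script>console.log("site ready");</script>
</footer>
"""

# Constructed allowlist: the site's own host plus the CDNs it legitimately uses.
ALLOWED_SCRIPT_HOSTS = {"www.example-shop.com", "cdn.jsdelivr.net"}

SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.IGNORECASE | re.DOTALL)
SRC_RE = re.compile(r"""src\s*=\s*["']([^"']+)["']""", re.IGNORECASE)
# Inline idioms that legitimate theme code rarely needs but injected loaders often use.
SUSPICIOUS_INLINE = [
    re.compile(r"eval\s*\(\s*atob\s*\("),
    re.compile(r"String\.fromCharCode\s*\("),
    re.compile(r"document\.write\s*\(\s*unescape\s*\("),
]


def audit_scripts(html, allowed_hosts):
    """Return a list of findings for the given HTML/PHP text.
    kind is 'external_src' (script host not allowlisted) or 'obfuscated_inline'."""
    findings = []
    for m in SCRIPT_RE.finditer(html):
        attrs, body = m.group(1), m.group(2)
        src = SRC_RE.search(attrs)
        if src:
            host = urlparse(src.group(1)).hostname
            if host not in allowed_hosts:
                findings.append({"kind": "external_src", "detail": src.group(1)})
            continue
        for pat in SUSPICIOUS_INLINE:
            if pat.search(body):
                findings.append({"kind": "obfuscated_inline", "detail": pat.pattern})
                break
    return findings


def audit_directory(root, allowed_hosts, suffixes=(".php", ".html", ".js")):
    """Walk a WordPress tree and audit every file with a matching suffix.
    Returns {relative_path: findings} for files that produced findings."""
    root = Path(root)
    report = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            text = path.read_text(encoding="utf-8", errors="replace")
            found = audit_scripts(text, allowed_hosts)
            if found:
                report[str(path.relative_to(root))] = found
    return report


if __name__ == "__main__":
    for f in audit_scripts(SAMPLE_FOOTER, ALLOWED_SCRIPT_HOSTS):
        print(f["kind"], f["detail"])
```

The allowlist approach deliberately reports anything unfamiliar rather than trying to recognize known-bad hosts, so the first run produces a baseline of legitimate third-party sources to approve; pairing it with a file-hash comparison against a clean copy of the theme and plugins catches modifications that do not involve a `<script>` tag at all.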
Forecast — 30 Days
- Continued international follow-on investigations targeting malware operators and affiliates
- Additional domain seizures and infrastructure disruptions
- Increased attempts by threat actors to rebuild command-and-control infrastructure
- Elevated monitoring for replacement malware services entering the cybercrime marketplace
- Continued law enforcement collaboration targeting malware-as-a-service ecosystems
- Increased enterprise password resets and credential hygiene efforts following the recovery of millions of stolen credentials
TRJ Verdict
Operation Endgame represents one of the more significant coordinated disruptions of cybercrime infrastructure in recent years because investigators focused on the ecosystem supporting multiple malware families rather than a single threat. By simultaneously targeting StealC, Amadey, and SocGholish infrastructure, law enforcement and private-sector partners disrupted services relied upon by numerous cybercriminal groups.
Although operations of this scale can temporarily slow criminal activity, history suggests that threat actors will attempt to rebuild infrastructure, establish new command-and-control networks, and migrate to alternative hosting providers. Organizations should view this operation as an opportunity to strengthen credential security, verify system integrity, and prepare for evolving malware campaigns rather than assuming the threat has been eliminated.