Global Cyber Strike Dismantles Amadey and StealC Malware Networks
A significant international law enforcement operation, bolstered by private sector cybersecurity firms, has successfully disrupted the infrastructure supporting the **Amadey** and **StealC** malware families. This coordinated effort aims to dismantle the 'assembly lines' cybercriminals use for ransomware, financial fraud, and attacks on critical infrastructure, leading to the recovery of millions of stolen credentials and the restriction of over $47 million in illicit cryptocurrency.
In a major victory against cybercrime, a multi-national law enforcement initiative, in collaboration with private sector partners including **Bitdefender**, **Bitsight**, **ESET**, and **Microsoft**, has targeted and dismantled the criminal infrastructure behind the **Amadey** and **StealC** malware.
This operation follows closely on the heels of another successful disruption by authorities from the Netherlands, Canada, Germany, and the U.S., which targeted malicious infrastructure linked to **SocGholish** and cleaned nearly 15,000 compromised WordPress websites.
Over a two-week period, the coordinated action led to the identification and restriction of cryptocurrency assets valued at over $47 million. Additionally, approximately 27 million stolen login credentials were recovered, and the malware distribution network was severely hampered by the dismantling of 326 servers and 142 domains.
"This takedown is a powerful demonstration of what public and private sector collaboration can achieve in dismantling the infrastructure that enables cybercrime at scale," stated Alex Cosoi, Chief Security Strategist at **Bitdefender**. "It also sends a clear message to those behind malware ecosystems: no matter how sophisticated the tools or how distributed the network, coordinated international action will find them."
**Amadey** and **StealC** are both widely advertised under a malware-as-a-service (MaaS) model, providing cybercriminals with tools to deliver additional payloads or exfiltrate sensitive data from infected systems.
### Amadey: A Persistent Loader
**Amadey** functions primarily as a loader, facilitating the introduction of subsequent malware stages. It has been propagated through various means, including compromised WordPress sites and phishing campaigns. Other loaders like **Emmenhtal** and **SmokeLoader** have also been observed distributing **Amadey**.
Active since October 2018, this C++-based modular backdoor is advertised by a threat actor known as **InCrease**. The service was priced at $600 for a single license, with an additional $50 for each rebuild. The latest known version is 5.87. Its capabilities include:
* Machine fingerprinting
* Downloading files, DLLs, MSI, or PowerShell scripts
* Executing commands via `cmd.exe`
* Taking screenshots
* Spawning a SOCKS proxy
* Opening VNC or reverse proxy sessions
* Capturing clipboard contents and credentials
* Enabling RDP
Data from **Mitsui Bussan Secure Directions** indicates a significant increase in active **Amadey** command-and-control (C2) servers from January 2023 to early December 2023, suggesting widespread adoption. The number of malware samples distributed via **Amadey** peaked at 11,635 in 2025.

### StealC: A Potent Infostealer
**StealC** first emerged in January 2023, sold by a threat actor using the moniker "plymouth" for $300 per month or $1,000 for six months. It has been actively maintained, with the latest version being 2.2.1 as of June 2026. High infection concentrations have been observed in the U.S., Poland, and Italy.
This infostealer leverages various initial access vectors, including malware loaders (such as **Amadey**) and **ClickFix** lures. Its extensive capabilities allow it to extract sensitive information, including:
* Screenshots
* Credentials
* Session cookies
* Autofill entries
* Credit card data
* Browsing history
* Extension data
Beyond Chromium browsers, **StealC** targets desktop applications like **Discord**, **FileZilla**, **Foxmail**, **Microsoft Outlook**, **Steam**, and **Telegram**. It also functions as a secondary loader, capable of downloading and executing EXE, MSI, or PowerShell payloads.
Both **Amadey** and **StealC** include checks to avoid certain functionalities when running on systems with Russian, Ukrainian, or Belarusian locales, a common tactic among some Eastern European threat actors.

### Vulnerabilities in Criminal Infrastructure
Interestingly, vulnerabilities have been identified within the criminal infrastructure itself. In January, **CyberArk** disclosed a cross-site scripting (XSS) vulnerability in the web-based control panel used by **StealC** operators. The flaw offered a window into the MaaS operation, revealing one customer, **YouTubeTA**, who used Google's video-sharing platform to distribute the stealer via cracked software.
**IBM X-Force** and **Proofpoint** also reported multiple security flaws in the **StealC** C2 panel, including a directory traversal bug that could enable the upload of web shells. While the **StealC** developers patched this issue in February 2026, it was likely exploited by affiliates to steal data from other affiliates prior to the fix.
ESET researchers Jakub Tomanek and Tomáš Procházka noted that in both the **Amadey** and **StealC** ecosystems, affiliates receive a self-hosted administration panel. **Amadey** utilized a pay-per-rebuild model, requiring affiliates to pay an additional fee for each new build generated, for example, when rotating to new infrastructure.