Global Cyber Strike Disrupts Amadey and StealC Malware Networks in Major Operation Endgame Push
A coordinated international effort, spearheaded by **Microsoft**, **Europol**, and various law enforcement and private sector partners, has significantly disrupted the infrastructure supporting the **Amadey** and **StealC** malware operations. This latest phase of 'Operation Endgame' targeted cybercriminal services, leading to the takedown of hundreds of servers and domains, and the recovery of millions of stolen credentials.
International law enforcement agencies, in conjunction with private sector cybersecurity firms, have launched a major offensive against two pervasive malware families: **Amadey** and **StealC**. This latest phase of 'Operation Endgame' aims to dismantle the foundational infrastructure used by cybercriminals for initial system access, credential theft, and ultimately, ransomware deployment or financial fraud.
### Operation Endgame: A Coordinated Takedown
The operation saw the disruption of 326 servers and 142 domains. Investigators also identified over €41 million ($47 million) in cryptocurrency linked to criminal activity and recovered approximately 27 million credentials from more than 385,000 compromised systems.
"By taking down these tools simultaneously, the collaboration between law enforcement and private parties has increased friction for cybercriminals, making it harder for attacks to succeed, spread, or recover," **Europol** announced.
This coordinated action also targeted **SocGholish (FakeUpdates)**, a malware loader known for infecting users via compromised websites presenting fake browser update prompts.
### Key Players in the Disruption
The effort involved law enforcement agencies from Canada, Denmark, Germany, the Netherlands, the United Kingdom, and the United States, with coordination from **Europol** and **Eurojust**. Crucial private-sector support was provided by **Microsoft**, **ESET**, **Proofpoint**, **IBM X-Force**, **Bitsight**, **Infoblox**, **Orange Cyberdefense**, **Shadowserver**, **Have I Been Pwned**, and **Spamhaus**, among others.
### Understanding Amadey and StealC
**Amadey** and **StealC** are prominent malware-as-a-service offerings, where affiliates pay for access to malware builders, management panels, and supporting infrastructure.
* **Amadey**: Primarily used to gain initial access to victim devices, it serves as a botnet for deploying additional malware. It has been leveraged by both ransomware gangs and state-sponsored hacking groups.
* **StealC**: An information stealer, it targets credentials, cryptocurrency wallets, and other sensitive data. This stolen information is then sold on underground marketplaces or used in subsequent ransomware attacks. Recently, **StealC** has been heavily featured in **ClickFix** attacks, including fake instructional videos on TikTok and **FileFix** attacks using steganography.
### Microsoft's Civil Action and Industry Contributions
**Microsoft's Digital Crimes Unit** filed a civil action in the US, identifying over 200 malicious command-and-control domains and IP addresses linked to **Amadey** and **StealC**. Through court orders, domain seizures, and provider notifications, **Microsoft** and its partners worked to dismantle this infrastructure.
According to **Microsoft's** complaint, credentials harvested by **StealC** are frequently sold on underground markets and by initial-access brokers (IABs), enabling further network breaches and ransomware deployments. The company noted that these two malware families infected more than 140,000 devices in the first two weeks of May 2026 alone.
Other private partners have detailed their involvement:
* **ESET**: Assisted by identifying and disrupting infrastructure for both malware families, affecting approximately 50 domains and nearly 200 active command-and-control servers.
* **Proofpoint** and **IBM X-Force**: Contributed critical intelligence and malware analysis.
* **Bitsight**: Aided in mapping servers and command-and-control infrastructure associated with the malware families.
### The Ongoing Battle
This disruption marks another significant victory for 'Operation Endgame,' which has previously targeted malware families such as **DanaBot**, **Bumblebee**, **Rhadamanthys**, **VenomRAT**, **Elysium**, and **SmokeLoader**.
However, the nature of cybercrime means that without arrests, threat actors often rebuild their infrastructure to launch new attacks, underscoring the continuous cat-and-mouse game between law enforcement and cybercriminals. Ongoing vigilance and proactive security measures remain paramount for IT security professionals and privacy-conscious users alike.