
Europol and Microsoft have seized control of the command‑and‑control servers behind the StealC infostealer and the Amadey malware‑as‑a‑service platform, according to Microsoft’s announcement, disrupting a major source of credential theft. The operation follows months of joint investigation into the malware’s distribution networks.
StealC operates as a subscription‑based infostealer that harvests usernames, passwords, session cookies and other stored data from browsers and applications on infected machines. It is sold to cybercriminals who use the stolen data to gain unauthorized access to online accounts.
Amadey serves as a loader and distribution mechanism, often delivered via phishing emails or compromised websites, to install StealC and other payloads onto victim systems. Its modular design allows attackers to chain multiple malware stages before the final infostealer runs.
The seized infrastructure had been used in numerous campaigns targeting both consumers and corporate employees, letting attackers harvest valid credentials that could be reused for further intrusions. No specific CVEs were associated with these families, but their activity was observed in the wild for several months.
Organisations should enforce strong password policies, enable multi‑factor authentication wherever possible and monitor login attempts for unusual patterns. Regular credential rotation and the use of password managers can also limit the usefulness of stolen data.
Deploying up‑to‑date anti‑malware solutions, limiting the execution of unknown scripts and educating users about phishing risks will reduce the chance of initial infection. Continued cooperation between industry and law enforcement remains essential to dismantle similar services in the future.