
Microsoft, Europol and several cybersecurity firms have disrupted the infrastructure used by the Amadey loader and the StealC infostealer as part of Operation Endgame, according to a Microsoft notice. The action resulted in the seizure of millions of stolen credentials and the flagging of crypto assets worth tens of millions of dollars.
Amadey has been offered as malware‑as‑a‑service since 2018, providing threat actors with remote access to compromised machines. StealC, which emerged in 2023, functions as an infostealer‑as‑a‑service that harvests usernames, passwords and session tokens from infected hosts, according to a SecurityWeek report. Together they form a loader‑stealer chain that has been widely used in cybercrime operations.
The disruption involved exploiting a vulnerability in the StealC command‑and‑control panel, which allowed authorities to seize over 25 million stolen credentials. Roughly 18,000 compromised computers were identified during the operation, and crypto assets valued at more than $47 million were flagged for restriction, as detailed in a Microsoft blog post. No CVEs were publicly linked to the takedown itself.
Officials described the takedown as striking at a cybercrime assembly line that bundles distribution and data‑theft services. The operation combined artificial‑intelligence analysis with legal coordination across multiple jurisdictions. No specific threat actors were named in the public notices.
Defenders should enforce strong credential hygiene, require multi‑factor authentication on all privileged accounts and monitor authentication logs for anomalous logins that could indicate abuse of stolen credentials, as recommended by Microsoft. Keeping endpoint protection up to date helps detect known behaviours associated with Amadey and StealC. Regular password rotation further reduces the value of any harvested data.
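As an added illustration of the log-monitoring advice above (this is example code, not part of the Microsoft notice or of any vendor tooling), the script below applies two simple heuristics that fit the stolen-credential scenario to a batch of authentication events: a successful login for an account from a source address that has never succeeded for that account before, and a success that follows a burst of failures for the same account within a short window. The log line format and the sample lines are constructed for the example; a real deployment would parse the organisation's own identity-provider or VPN logs and tune the thresholds.

```python
"""Flag anomalous logins that may indicate use of harvested credentials.

Heuristics (both are assumptions chosen for this example):
  1. success from a source address never before seen succeeding for that user;
  2. success preceded by >= FAIL_THRESHOLD failures for that user within WINDOW.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample log lines in a hypothetical key=value format.
SAMPLE_LOG = """\
2024-05-01T08:00:00Z user=alice src=203.0.113.5 result=success
2024-05-01T08:05:00Z user=alice src=203.0.113.5 result=success
2024-05-01T09:00:00Z user=bob src=198.51.100.7 result=success
2024-05-01T11:30:00Z user=alice src=192.0.2.44 result=success
2024-05-01T12:00:00Z user=bob src=192.0.2.99 result=failure
2024-05-01T12:00:10Z user=bob src=192.0.2.99 result=failure
2024-05-01T12:00:20Z user=bob src=192.0.2.99 result=failure
2024-05-01T12:00:30Z user=bob src=192.0.2.99 result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>success|failure)$"
)


def parse(log_text):
    """Parse log lines into dicts, skipping lines that do not match, sorted by time."""
    events = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": ts, "user": m["user"], "src": m["src"], "result": m["result"]})
    events.sort(key=lambda e: e["ts"])
    return events


def detect_anomalies(events, fail_threshold=3, window=timedelta(minutes=5)):
    """Return a list of (timestamp, user, src, reason) alerts."""
    known_sources = defaultdict(set)      # user -> sources that previously succeeded
    recent_failures = defaultdict(deque)  # user -> timestamps of failures inside the window
    alerts = []
    for e in events:
        user, src, ts = e["user"], e["src"], e["ts"]
        fails = recent_failures[user]
        # Drop failures that have aged out of the sliding window.
        while fails and ts - fails[0] > window:
            fails.popleft()
        if e["result"] == "failure":
            fails.append(ts)
            continue
        # A success after a burst of failures looks like credential stuffing that hit.
        if len(fails) >= fail_threshold:
            alerts.append((ts, user, src, "success after %d failures within %s" % (len(fails), window)))
            fails.clear()
        # A success from a source this user has never used before is a new-device signal.
        if user in known_sources and src not in known_sources[user]:
            alerts.append((ts, user, src, "success from previously unseen source"))
        known_sources[user].add(src)
    return alerts


if __name__ == "__main__":
    for ts, user, src, reason in detect_anomalies(parse(SAMPLE_LOG)):
        print("%s %-6s %-14s %s" % (ts.isoformat(), user, src, reason))
```

On the sample data the script raises three alerts: alice succeeding from a new address at 11:30, and bob's 12:00:30 success both following three failures and coming from an address not previously seen for that account. The first-seen baseline in this example is built only from the batch being analysed; in practice it should be seeded from historical successful logins so that long-standing devices are not flagged on the first run.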
Sharing indicators of compromise with trusted peers and subscribing to reputable threat‑intel feeds can help block any remaining infrastructure. Reviewing the full list of seized domains and IP addresses in the Microsoft Digital Crimes Unit notice aids in updating blocklists. Organisations are urged to incorporate these indicators into their security monitoring tools promptly.