$41M in Crypto Assets Blocked, 27M Login Credentials Recovered (euroinfosec) • June 24, 2026
Police in a multi-national crackdown disrupted infrastructure powering the malware-as-a-service offerings Amadey and StealC.
Law enforcement agencies announced Wednesday that coordinated, public-private efforts over the past two weeks have resulted in the takedown of 326 servers and seizure of 142 domains tied to the popular malware-as-a-service offerings Amadey and StealC. Researchers said more than 140,000 PCs globally were infected with one of those strains of malware, just in the first two weeks of May.
The disruptions are the latest to take place under the banner of Operation Endgame, an international law enforcement and judicial effort launched in 2024 to disrupt criminal services and their providers. Police cooperating through the initiative days ago also disrupted the initial access service SocGholish, resulting in the seizure of 76 domains and 30 servers operated by the notorious Russian-speaking cybercrime syndicate Evil Corp (see: Cybercrime Initial Access Service SocGholish Disrupted).
For Amadey, StealC and SocGholish, "the neutralized malware variants were offered as a service - 'cybercrime-as-a-service' - with other cybercriminals using them as a tool for the initial infection of targeted systems," said Europol, the EU's law enforcement intelligence agency.
Cybercriminals often use these services together to support the entire lifecycle of any given cyberattack. "Specialized tools handle each step: one gains access, another steals credentials and others sell or exploit that access for fraud, ransomware, espionage or other nefarious purposes. Different actors may be involved at each stage, but together they turn access into profit, quickly and at scale," said Steven Masada, assistant general counsel with Microsoft's Digital Crimes Unit.
The primary purpose of information-stealing malware such as the popular StealC, which debuted in 2023, is to steal credentials, including corporate logins, cryptocurrency wallet passwords and sensitive data stored in browsers. Initial access brokers often subscribe to infostealer services and resell harvested credentials directly to cybercrime and nation-state clients, or through highly automated "cloud of logs" marketplaces (see: Infostealers Run Wild).
Microsoft said it's been tracking Amadey due to Windows customers being infected, in coordination with cybersecurity firms Eset, BitSight, Lumen and Mitsui Bussan Secure Directions. Separately, Europol's European Cybercrime Centre, together with German and Dutch law enforcement agencies, probed StealC as part of Operation Endgame, with help from IBM X-Force and Proofpoint.
On the legal front, Microsoft facilitated the seizure of infrastructure used by Amadey and StealC, as it has done with previous criminal services. Microsoft presented evidence Amadey and StealC shared a common attack infrastructure and should be treated as a single conspiracy despite coming from separate developers. That allows multiple cybercriminals to be charged at once under America's Racketeer Influenced and Corrupt Organizations Act, Microsoft's Masada said.
The court approved, allowing Microsoft's Digital Crimes Unit to disrupt over 200 malicious command-and-control domains and IP addresses tied to the malware, and "to shut them down through a mix of court orders, domain seizures, registrations and provider notifications," he said.
To further disrupt StealC, law enforcement agencies exploited a vulnerability in the Linux-based C2 control panel used by subscribers to generate unique copies of the malware, said Proofpoint.
Collaborating with IBM X-Force, Proofpoint researchers found the vulnerability in the StealC C2 panels and shared it with law enforcement agencies, who built an exploit "to search and seize StealC servers," Proofpoint said.
StealC was one of the most-used infostealers, but its operators' business acumen apparently didn't translate into code quality. Proofpoint said the codebase for the C2 panel "appears to have been coded on top of older codebases of other infostealers and indicates a much less skilled developer in comparison to other malware," and as new flaws continued to be discovered, subscribers on cybercrime forums regularly questioned whether it was fit for purpose.
Proofpoint said one vulnerability it found resulted from the control panel failing to remove forward slashes from filenames obtained from a victim's system, which could be exploited to write an arbitrary file to any path on the attacker's server.
While Proofpoint didn't state if this was the precise flaw exploited by law enforcement, it did note that "evidence uncovered during the investigation also suggests that the same vulnerability may have also been exploited by an affiliate to steal data from other affiliates."
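The filename-handling flaw described above, as an added example that is not Proofpoint's finding or StealC's actual code: a server-side handler that joins a client-supplied filename straight onto its storage directory, beside a hardened version that reduces the name to a single path component and verifies the result stays inside that directory. The upload directory and sample filenames are constructed for illustration.

```python
import os
import re

# Directory where a panel stores files received from remote clients (constructed).
UPLOAD_DIR = "/srv/panel/uploads"


def unsafe_store_path(upload_dir: str, client_filename: str) -> str:
    """The flawed pattern: the client-supplied name is joined onto the
    upload directory without removing path separators. A name containing
    '..' segments resolves outside upload_dir, and os.path.join discards
    upload_dir entirely when the name is absolute."""
    return os.path.normpath(os.path.join(upload_dir, client_filename))


def safe_filename(client_filename: str) -> str:
    """Reduce an untrusted filename to one path component.

    Splits on both '/' and '\\' (clients may be Windows hosts) and keeps
    only the last piece, then rejects empty or dot names and anything
    outside a conservative character allowlist. Raises ValueError rather
    than guessing a replacement name."""
    leaf = re.split(r"[\\/]", client_filename)[-1]
    if leaf in ("", ".", ".."):
        raise ValueError(f"unacceptable filename: {client_filename!r}")
    if not re.fullmatch(r"[A-Za-z0-9._-]{1,128}", leaf):
        raise ValueError(f"unacceptable filename: {client_filename!r}")
    return leaf


def safe_store_path(upload_dir: str, client_filename: str) -> str:
    """Hardened version: sanitise the name, then confirm the resolved path
    is still under upload_dir as a second, independent check."""
    root = os.path.realpath(upload_dir)
    candidate = os.path.realpath(os.path.join(root, safe_filename(client_filename)))
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError("resolved path escapes the upload directory")
    return candidate
```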
Infostealers Stay Popular
The disruption of StealC arrives amid an ongoing flurry of infostealer infections, with many different offerings available to criminals. Among the more than 30 active infostealer services currently on offer, the most prevalent in 2025 was Lumma, followed by Acreed, Rhadamanthys, Vidar and StealC, reported threat intelligence firm Flashpoint.
Infostealers infected over 11 million devices last year. As of this month, 3.3 billion stolen credentials are circulating across underground cybercrime markets, Flashpoint said.
One challenge for defenders is that when infostealers are used to steal credentials, the initial attack may not come to light until attackers use the stolen credentials to breach a network.
"Because the initial infection usually happens outside managed endpoints, defenders might see the breach only after valid credentials are abused, underscoring the importance of identity protection, credential hygiene and rapid response," Microsoft said.