Operation Endgame dismantled the networks of Amadey and StealC: 326 servers taken down and 27 million credentials recovered
In recent days, a new phase of Operation Endgame has dismantled the infrastructure of two of the most widespread malware-as-a-service platforms, the loader Amadey and the infostealer StealC. The tally reports 326 servers and 142 domains taken down, about 27 million stolen credentials recovered, and around 47 million dollars in criminally sourced cryptocurrencies blocked. The action took place between June 15 and June 19 and involved Europol, Eurojust, and the authorities of Canada, Denmark, Germany, the Netherlands, the United Kingdom, and the United States, supported by a large coalition of private partners.
The distinguishing element of this operation is how Amadey and StealC were targeted together. Microsoft, through its Digital Crimes Unit, reported having analyzed the binaries of the two families using artificial intelligence, including Copilot, and discovered that despite being developed by distinct groups, they shared the same infrastructure. As the company explains, investigators could interrogate the code by asking natural language questions instead of manually sifting through it. Based on this, Microsoft claims to have applied the RICO statute, the U.S. law against organized crime, for the first time to treat the two operations as a single conspiracy and hit their infrastructures with a single legal action.
Two cogs in the same chain

Amadey and StealC play complementary roles in the cybercrime market. The former is a loader designed to gain initial access to systems and deliver additional payloads; the latter is an infostealer that extracts credentials, session cookies, cryptocurrency wallets, and browser data. In the first two weeks of May, the two families were linked to over 140,000 infected computers worldwide, while the recovered credentials come from more than 385,000 compromised systems. Amadey has been in circulation since October 2018: it is sold by an actor known as InCrease for $600 per license, with an additional $50 for each rebuild, and is now at version 5.87. StealC appeared in January 2023, offered by an actor known as plymouth for $300 a month or $1,000 for six months, with unlimited build generation, and is currently at version 2.2.1. Both families check the locale of the targeted system: StealC self-terminates if it detects Russian, Ukrainian, Belarusian, Kazakh, or Uzbek settings, while Amadey skips certain features on the same hosts. The highest concentrations of StealC infections have been detected in the United States, Poland, and Italy.
The work of private partners

On the technical front, ESET hit about fifty domains and nearly 200 active command and control servers of the two families. IBM X-Force and Proofpoint developed an emulator of StealC to track its operations and infrastructure, identifying vulnerabilities in the malware's command and control panel, including a directory traversal that allowed the upload of a web shell; law enforcement then used these exploits during the operation. Microsoft's Digital Crimes Unit took down over 200 domains and IP addresses used as C2 and identified more than 18,000 victim computers, removing criminal control over the devices. A more extensive technical analysis is available in a dedicated Microsoft report.
The scope of the problem goes beyond profit-driven crime. Microsoft reports having observed the Russian actor Secret Blizzard leveraging Amadey infections to distribute tailored malware against targets in Ukraine, indicating how these services also fuel state-sponsored operations. The declared goal of Europol was, after all, to strike the assembly lines used by cybercriminals to launch ransomware, financial fraud, and attacks on critical infrastructure. Amadey and StealC thus join the list of families already targeted by Operation Endgame, which in the past has dismantled others such as DanaBot, Bumblebee, Rhadamanthys, VenomRAT, Elysium, and SmokeLoader.
In May 2024, a first phase of Operation Endgame had crippled one of the largest botnets used for malware distribution.