Microsoft, law enforcement, and several cybersecurity companies have collaborated to take down infrastructure shared by two widely used malware families: Amadey and StealC.
The action, part of the long-running Operation Endgame, involved the use of AI, legal action, and the exploitation of a vulnerability in a malware control panel, and resulted in hundreds of domains and servers being targeted for takedown.
While many cybercrime operations have been disrupted in recent years as part of Operation Endgame, this one stands out because law enforcement and companies targeted what they described as the “cybercrime assembly line”.
Making the rounds since 2018, Amadey is a malware-as-a-service loader that gives threat actors access to systems, enabling them to deliver secondary payloads. StealC is an infostealer that has been around since 2023, helping cybercriminals obtain credentials, cryptocurrency wallets, cookies, and other valuable data.
Amadey and StealC have often been used together — the former has enabled hackers to gain access to systems, while the latter has been used to steal information from the breached systems.
AI-powered analysis of the two malware families revealed that they use the same command-and-control (C&C) infrastructure, making it easier for Microsoft and its partners to conduct takedown activities.
“This operation marked a shift in strategy: instead of focusing solely on individual threats, Europol, law enforcement and judicial authorities, as well as private industry partners disrupted the entire chain that allows cyberattacks to scale,” said Europol.
More than 25 million unique credentials stolen from over 385,000 systems were seized, and 18,000 compromised computers were identified and secured. Europol said crypto assets valued at more than $47 million were identified and flagged to restrict their use.
Researchers also discovered a vulnerability in the StealC C&C panel that enabled uploading a web shell to the server. While this flaw was exploited to collect data in support of the takedown operation, there is evidence that a StealC affiliate also used it to steal other affiliates’ data.
Microsoft, Europol, ESET, Bitsight, IBM X-Force, Proofpoint, and Japan’s Mitsui Bussan Secure Directions (MBSD) have published blog posts describing the action taken against Amadey and StealC.
The announcement comes shortly after law enforcement and cybersecurity companies worked together to take down the SocGholish botnet.
Related: Russian Initial Access Broker Behind FortiBleed Campaign
Related: New ‘Mistic’ RAT Opens Door to Several Ransomware Families
Related: CryptoBandits Malware Doubles as a Backdoor, Abuses Tor
