Operation Endgame deals fresh blow to StealC and Amadey malware networks

Vlad CONSTANTINESCU

June 25, 2026

International law enforcement and private-sector partners have disrupted infrastructure tied to StealC, Amadey and SocGholish—malware families used to enable ransomware attacks.

Key takeaways

  • Operation Endgame targeted infrastructure behind StealC, Amadey and SocGholish.
  • Authorities and private partners actioned 326 servers and 142 domains.
  • Investigators recovered roughly 27 million stolen login credentials.
  • More than €41 million in criminal crypto assets was identified and restricted.

A coordinated strike against malware supply chains

Europol, Eurojust and law enforcement agencies from Canada, Denmark, Germany, the Netherlands, the United Kingdom and the United States have announced a new phase of Operation Endgame, this time targeting malware services that help cybercriminals scale attacks.

The action focused on the infrastructure behind SocGholish, Amadey and StealC—three malware families that often sit early in the attack chain. Rather than targeting only individual operators, the operation sought to disrupt the criminal “assembly lines” that feed credential theft, fraud and ransomware deployment.

Why StealC and Amadey matter

StealC is an infostealer built to harvest passwords, browser data, cryptocurrency wallet information and other sensitive details from infected devices. Stolen credentials can be sold, reused in account takeovers, or passed on to initial access brokers that serve ransomware groups.

Amadey plays a complementary role. It’s primarily a malware loader, giving attackers a foothold on compromised systems and allowing them to deploy additional payloads. Security researchers say both malware families have been offered through malware-as-a-service models, making them accessible to affiliates with varying levels of skill.

Disruption helps, but users remain exposed

The takedown affected hundreds of servers and domains, and the recovery of 27 million credentials shows the scale of the victim pool. However, infrastructure disruption does not automatically undo infections, reset stolen passwords, or prevent operators from rebuilding elsewhere.

Individuals should change any password that may have been exposed, enable multi-factor authentication, use a password manager such as Bitdefender SecurePass instead of reusing passwords, avoid saving credentials in the browser where possible (browser password stores are exactly what infostealers like StealC harvest), and treat fake browser-update prompts, cracked software and copy-and-run "fix" instructions as signs of an infection attempt. Businesses should prioritize endpoint visibility, phishing-resistant authentication, rapid patching, and detection for loaders, stealers and unusual credential use, such as one account authenticating from several unrelated networks in a short span.
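One concrete form of the "unusual credential use" detection mentioned above: stolen infostealer logs are typically resold and replayed by several buyers, so a single account logging in successfully from multiple distinct countries or ASNs within a short window is a strong signal that its credentials are in circulation. The following is an added example, not code from the article or from Bitdefender; the event fields and the sample login records are constructed for illustration, and the thresholds (30 minutes, three distinct sources) are assumptions to be tuned per environment.

```python
"""Flag accounts whose credentials are being used from too many places at once.

Added example, not code from the article or from Bitdefender. The event
layout (timestamp, user, source IP, country, ASN) and the sample rows are
constructed for the example; window and threshold are assumed defaults.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of successful logins: (timestamp, user, src_ip, country, asn)
SAMPLE_EVENTS = [
    ("2026-06-25T08:00:00", "alice", "203.0.113.5",  "DE", "AS3320"),
    ("2026-06-25T08:20:00", "alice", "203.0.113.5",  "DE", "AS3320"),
    ("2026-06-25T09:05:00", "bob",   "198.51.100.7", "NL", "AS1136"),
    ("2026-06-25T09:06:00", "bob",   "192.0.2.44",   "BR", "AS28573"),
    ("2026-06-25T09:09:00", "bob",   "192.0.2.200",  "VN", "AS45899"),
    ("2026-06-25T13:00:00", "bob",   "198.51.100.7", "NL", "AS1136"),
    ("2026-06-25T13:30:00", "carol", "203.0.113.90", "US", "AS7922"),
    ("2026-06-25T13:31:00", "carol", "203.0.113.91", "US", "AS7922"),
]


def parse_events(rows):
    """Turn the raw tuples into (datetime, user, ip, country, asn) records."""
    return [(datetime.fromisoformat(ts), user, ip, cc, asn)
            for ts, user, ip, cc, asn in rows]


def find_credential_replay(events, window=timedelta(minutes=30), min_sources=3):
    """Return {user: sorted list of (country, asn)} for every user whose
    successful logins came from at least `min_sources` distinct
    (country, ASN) pairs inside any `window`-long span.

    A sliding window over each user's time-ordered logins keeps the check
    linear in the number of events per user.
    """
    by_user = defaultdict(list)
    for ts, user, _ip, cc, asn in sorted(events):      # sorted by timestamp first
        by_user[user].append((ts, cc, asn))

    flagged = {}
    for user, logins in by_user.items():
        start = 0
        for end in range(len(logins)):
            # Advance the window start until every login in [start, end] fits
            while logins[end][0] - logins[start][0] > window:
                start += 1
            sources = {(cc, asn) for _ts, cc, asn in logins[start:end + 1]}
            if len(sources) >= min_sources:
                flagged[user] = sorted(sources)
                break   # one hit per user is enough to raise an alert
    return flagged


if __name__ == "__main__":
    for user, sources in find_credential_replay(parse_events(SAMPLE_EVENTS)).items():
        print(f"ALERT {user}: logins from {len(sources)} networks within 30 min: {sources}")
```

In the constructed sample only `bob` trips the rule (Dutch, Brazilian and Vietnamese networks within four minutes); `carol` changes IP but stays in one country and ASN, which is normal client churn rather than replay. The same account's later login from its usual network is not enough on its own to clear the alert, which is why the response step is a forced credential reset and session revocation rather than just watching.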

How to protect against infostealers and malware loaders

For home users, Bitdefender Ultimate Security adds multi-layered protection against malware, ransomware, scams and unsafe web activity, alongside VPN, password management and digital identity protection.

Author

Vlad's love for technology and writing created rich soil for his interest in cybersecurity to sprout into a full-on passion. Before becoming a Security Analyst, he covered tech and security topics.
