Operation Endgame: Global Crackdown Dismantles Amadey and StealC Malware Networks
June 24, 2026
Bitsight TRACE contributed C2 mappings, IoCs, and real-time infection telemetry to enable targeted disruption and ongoing tracking of new builds despite attacker retooling.
The tracking pipeline features live sample hunting, config extraction, C2 emulation, domain sinkholing, and detection development, offering campaign visibility, victim geolocation, and insight into cross-family C2 sharing across Bulletproof hosts.
The initiative aims to prevent further digital extortion by shutting down infrastructure and providing transparency for victims.
Operation Endgame disrupted the shared infrastructure of Amadey and StealC malware, taking down hundreds of domains and servers used to power both threats, in a coordinated effort by Microsoft, law enforcement, and cybersecurity firms.
Researchers from Proofpoint and IBM X-Force built a StealC bot emulator and discovered a vulnerability in StealC’s C2 panel, enabling analysis and disruption.
National agencies from Germany, Denmark, France, the Netherlands, the United Kingdom, the United States, and Canada, with Eurojust and Europol, coordinated under a cross-border framework to execute the disruption.
Emulation showed StealC clients can reveal payload URLs, enabling researchers to download real payloads and trace actor clusters across multiple C2 servers.
Industry perspectives highlight the cost structure and rapid rotation of C2 infrastructure within these ecosystems, including affiliate models.
The announcement follows recent cross-industry efforts against other malware campaigns and fits into broader cooperation against initial access brokers and related threats.
Across the operation, authorities recovered up to 27 million stolen credentials and identified or seized about $47 million in criminal-origin crypto assets.
Defenders should prioritize identity protection, credential hygiene, rapid response, and cloud-delivered antivirus with Defender features and attack-surface reduction rules.
Analysts say commodity loaders and stealers tend to retool after disruption, so new C2 infrastructure and rebuilds are expected, with Bitsight TRACE continuing to monitor and report updates.
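The defensive recommendation above (cloud-delivered antivirus, Defender features, attack-surface reduction rules) can be applied on a Windows endpoint with the Defender PowerShell cmdlets. The following is an added example written for this page, not code from any of the summarized sources; it assumes an elevated session on a host running Microsoft Defender Antivirus, and the rule GUIDs are Microsoft's published ASR rule identifiers.

```powershell
# Added example (not from the summarized sources): baseline Defender hardening
# matching the recommendation above. Run in an elevated PowerShell session.

# Cloud-delivered protection: send telemetry and safe samples, block at a high
# cloud confidence level so newly rebuilt loader/stealer samples are caught early.
Set-MpPreference -MAPSReporting Advanced
Set-MpPreference -SubmitSamplesConsent SendSafeSamples
Set-MpPreference -CloudBlockLevel High

# Attack-surface reduction rules relevant to credential theft and initial access.
# Start in AuditMode, review audit events (Event ID 1122 in the
# Microsoft-Windows-Windows Defender/Operational log), then switch to Enabled.
$asrRules = @{
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from LSASS'
    'be9ba2d9-53ea-4cdc-84e5-9b1eeee46550' = 'Block executable content from email client and webmail'
    'd4f940ab-401b-4efc-aadc-ad5f3c50688a' = 'Block all Office applications from creating child processes'
}
foreach ($id in $asrRules.Keys) {
    Write-Host ("Enabling (audit) ASR rule {0}: {1}" -f $id, $asrRules[$id])
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions AuditMode
}

# Verify the resulting configuration.
Get-MpPreference | Select-Object MAPSReporting, SubmitSamplesConsent, CloudBlockLevel,
    AttackSurfaceReductionRules_Ids, AttackSurfaceReductionRules_Actions
```

Audit mode first lets a team measure what the rules would block on real workstations before enforcing them; once the 1122 audit events show no legitimate software being flagged, rerun the `Add-MpPreference` loop with `-AttackSurfaceReductionRules_Actions Enabled`.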
Summary based on 16 sources
Sources

Ars Technica • Jun 24, 2026
One-two punch delivered in global operation disrupts cybercrime "assembly line"
The Hacker News • Jun 24, 2026
Amadey and StealC Malware Network Disrupted, 27M Stolen Credentials Recovered
Microsoft On the Issues • Jun 24, 2026
Scaling cybercrime disruption through innovation and AI