Operation Endgame Disrupts Malware Network Linked to Ransomware Gang
2026-06-24 14:35 | CRITICAL | HIGH
Executive Summary (AI-generated)
The takedown of the StealC malware infrastructure, announced on June 24 as part of Operation Endgame, is the latest step in a long-running international effort. StealC has been active since January 2023 as a malware-as-a-service tool used in cybercrime; it is designed to steal browser passwords, cookies, autofill data and credentials from applications including Telegram, Discord, Outlook, FileZilla, WinSCP, OpenVPN, ProtonVPN, and gaming platforms. Europol coordinated with private partners such as Proofpoint and IBM X-Force on an action that affected 66 domains and 296 servers linked to Amadey and StealC, and researchers identified over 25.6 million unique stolen credentials taken from compromised systems.
Technical Mitigations (AI-generated)
• Secure Command-Line Argument Handling: Handling command-line arguments securely can help prevent malware like StealC from delivering payloads to infected machines. This involves validating and sanitizing user input, using environment variables instead of hardcoded commands, and limiting the number of accepted arguments.
• Regularly Update Software and Systems: Keeping software and systems up-to-date with the latest security patches is crucial in preventing exploitation by malware like Amadey and StealC. Regular updates ensure that known vulnerabilities are patched before they can be used to gain unauthorized access or deliver payloads.
• Implement Network Segmentation: Segmenting networks into smaller, isolated areas (VLANs) can limit the spread of malware like StealC and Amadey by making it more difficult for attackers to move laterally within a network. This approach also enables better monitoring and incident response.
• Use Secure File Systems and Storage: Utilizing secure file systems and storage solutions, such as encrypted volumes or cloud-based services with robust security features (e.g., encryption at rest), can protect sensitive data from being accessed by malware like StealC and Amadey.
Technical Observables
Intelligence Metadata
Actors / Malware / CVEs / Campaigns
Campaigns: Operation Endgame; Operation Endgame Disrupts
Malware: Bumblebee, SocGholish, LockBit Black, FakeUpdates, Amadey, LockBit 3.0
Target & Sectors
Regions: DACH, NORDICS, BENELUX, NORTH_AMERICA
Sectors: healthcare
Incident Timeline
January 2023
Threat actors used malware-as-a-service (MaaS) tool StealC to disrupt Amadey, a ransomware operation.
the first two weeks of May 2026
The incident involved approximately 140,000 infected devices.
Entities:
• infrastructure: 140,000 infected devices. Source: The company said the two malware families were linked to more than 140,000 infected devices during the first two weeks of May 2026 alone.
May 2026
Threat actors used a malware called StealC to target 200 malicious domains and nearly 200 active command-and-control servers.
Entities:
• infrastructure: 200 malicious domains; infrastructure: 50 domains. Source: The company reported that the action affected roughly 50 domains used by the operations and nearly 200 active command-and-control servers.
June 18
The Dutch police took action to disrupt the Amadey, StealC malware operations and dismantle its botnet.
Entities:
• target_region: Netherlands
• tactic: Botnet
• malware: SocGholish
• general_metric: 15,000 websites
Source: Announced by the Dutch police on June 18, action was taken to remediate infections of 15,000 websites controlled by SocGholish group and to dismantle the botnet associated with the group.
24 June 2026
Threat actors used malware to target the Operation Endgame entities.
Entities:
• campaign: Operation Endgame. Source: The latest action was announced on 24 June 2026 as part of Operation Endgame, a long-running effort aimed at malware families and services that help cybercriminals steal credentials, gain access to systems, and prepare follow-up attacks.
2026/06/24
The Amadey and StealC malware operations were disrupted in Operation Endgame action.
Entities:
• organisation: Maikel Rollman; organisation: the Netherlands National High Tech Crime Unit (NHCTU). Source: “This prevents further damage to the digital systems of citizens, businesses and organizations worldwide and limits the spread of malware,” said Maikel Rollman of the Netherlands National High Tech Crime Unit (NHCTU).
• organisation: Operation Endgame; organisation: Microsoft; organisation: Europol. Source: Microsoft, Europol, and international partners have disrupted infrastructure used by the Amadey and StealC malware operations as part of Operation Endgame, which targets cybercriminal services and ransomware gangs.
• organisation: Spamhaus; organisation: The Shadowserver Foundation. Source: Private partners included Microsoft, Proofpoint, IBM X-Force, Infoblox, Bitdefender, The Shadowserver Foundation, Have I Been Pwned, Spamhaus, and others.
• organisation: Eurojust. Source: The action also received support from Europol, Eurojust and cybersecurity industry partners.
• organisation: Digital Crimes Unit; organisation: IP addresses; infrastructure: 200 malicious domains. Source: In a civil action filed by Microsoft in the US, Microsoft's Digital Crimes Unit said it identified more than 200 malicious command-and-control domains and IP addresses associated with Amadey and StealC and worked with partners to shut down the infrastructure through court orders, domain seizures, registrations, and provider notifications.
• infrastructure: 66 domains; infrastructure: 296 servers; data_breach: 25.6 million unique stolen credentials. Source: According to Proofpoint and IBM X-Force, who supported the operation by providing technical intelligence on StealC activity, infrastructure, and payload delivery, the June operation affected 66 domains and 296 servers linked to Amadey and StealC. Researchers also identified more than 25.6 million unique stolen credentials taken from over 385,000 compromised systems.
• infrastructure: 326 servers; infrastructure: 142 domains; data_breach: 27 million credentials; financial: €41 million. Source: Europol said the wider action against SocGholish (also known as FakeUpdates), Amadey, and StealC involved 326 servers and 142 domains, with about 27 million stolen login credentials recovered. According to Europol, the operation resulted in the disruption of 326 servers and 142 domains. Investigators also identified more than €41 million ($47 million) in cryptocurrency linked to criminal activity and recovered approximately 27 million credentials stolen from over 385k compromised systems.
• organisation: Hackread.com. Source: “We are extremely pleased to have supported Europol in the successful disruption of the SocGholish, StealC, and Amadey operations, and congratulate all those involved in this effort,” said Alex Cosoi, Chief Security Strategist at Bitdefender, in a comment to Hackread.com.
• organisation: Cosoi. Source: “It also sends a clear message to those behind malware ecosystems: no matter how sophisticated the tools or how distributed the network, coordinated international action will find them,” Cosoi emphasised.
• organisation: ESET; organisation: IBM. Source: Private-sector support was provided by Microsoft, ESET, Proofpoint, IBM X-Force, Bitsight, Infoblox, Orange Cyberdefense, Shadowserver, Have I Been Pwned, Spamhaus, and others.
• organisation: WordPress. Source: SocGholish hacked or used previously leaked credentials to gain access to legitimate WordPress sites.
• infrastructure: 106 servers. Source: The international law enforcement action against SocGholish has seen the takedown of 106 servers and domains associated with the malware, as well as the remediation of infections on the compromised websites.
• Proofpoint and IBM X-Force researchers observed StealC-linked activity delivering malware families, including the following:
• organisation: ClickFix; organisation: TikTok; organisation: FileFix. Source: More recently, StealC has been widely used in a variety of ClickFix attacks, such as fake instructional videos on TikTok and FileFix attacks.
• organisation: Telegram; organisation: FileZilla. Source: The malware is designed to steal browser passwords, cookies, autofill data, credit card details, tokens, crypto wallet data, and credentials from tools such as Telegram, Discord, Outlook, FileZilla, WinSCP, OpenVPN, ProtonVPN, and gaming platforms.
• organisation: VirusTotal. Source: To track the malware, Proofpoint and IBM X-Force collected StealC samples from internal sources, VirusTotal, and sharing partners.
• organisation: Infoblox Threat Intel. Source: “Their activities reach deep into public sector and commercial environments, paving the way for other cybercriminals to gain access to networks,” said Dr. Renée Burton, vice president of Infoblox Threat Intel, one of the industry partners supporting the action.
• Advice to WordPress site owners. Source: The owners of WordPress sites have also been issued with the following advice:
  - Change their login credentials
  - Enable multi-factor authentication
  - Delete any unknown additional WordPress accounts
  - Keep their WordPress site up-to-date in the future
early 2026
Threat actors used a previously unknown vulnerability in the early 2026 timeframe to target Proofpoint and IBM X-Force.
Tactical Metrics
• infrastructure: 200 malicious domains (Microsoft Digital Crimes Unit identified more than 200 malicious command-and-control domains and IP addresses; roughly 50 domains and nearly 200 active command-and-control servers were reported affected)
• infrastructure: 140,000 infected devices (during the first two weeks of May 2026 alone)
• infrastructure: 326 servers (Europol)
• infrastructure: 142 domains (Europol)
• financial: €41,000,000 in cryptocurrency linked to criminal activity (Europol; about $47 million)
• data_breach: 27,000,000 credentials (Europol; stolen from over 385k compromised systems)
• infrastructure: 50 domains (reported alongside nearly 200 active command-and-control servers)
• infrastructure: 66 domains (Proofpoint and IBM X-Force)
• infrastructure: 296 servers (Proofpoint and IBM X-Force)
• data_breach: 25,600,000 unique stolen credentials (Proofpoint and IBM X-Force; taken from over 385,000 compromised systems)
• infrastructure: 106 servers and domains taken down (SocGholish action)
Intelligence Sources
• Infosecurity-Magazine, 2026-06-19: Operation Endgame Disrupts Malware Network Linked to Major Ransomware Gang
• BleepingComputer, 2026-06-24
• HackRead, 2026-06-24
Incident Version History: CURRENT VERSION, Last Updated: 2026-06-29T06:06
Comprehensive Tactical Telemetry
Highly Correlated Entities
• 26x organisation (Identified Entity): Digital Crimes Unit
• 7x target region (Target Country): Canada
• 6x malware (Malware Payload): Amadey
• 5x timeline (Temporal Reference): the first two weeks of May 2026
• 3x infrastructure (Servers): 326
• 3x infrastructure (Domains): 142
• 2x campaign (Campaign): Operation Endgame
• 2x attribution (Attributing Entity): Eurojust
• 2x tactic (Cyber Operation Type): Ransomware
• 2x general metric: 54%
Contextual Telemetry
Context Block (12 metrics)
• source region (Origin Country): United States
• infrastructure (Malicious Domains): 200
• infrastructure (Infected Devices): 140,000
• financial (Investigators): 41,000,000
• data breach (Credentials): 27,000,000
• general metric (Lockbit): 3
• tactic (MITRE ATT&CK Technique): T1588.001 - Malware
• data breach (Unique Stolen Credentials): 25,600,000
• general metric (Compromised Systems): 385,000
• general metric (Eur): 41,000,000
• industry (Targeted Sector): Healthcare
• general metric (Websites): 15,000