Europol, Microsoft, And Industry Partners Recover 27 Million Stolen Credentials In Global Cyber Takedown

Operation Endgame seized over 300 servers, recovered 27 million stolen credentials, and froze more than EUR 41 million in criminal crypto assets.

Published on Jun 24, 2026
Written by Joel Witts

A coalition of law enforcement agencies, led by Europol, and private sector partners including Microsoft, ESET, IBM X-Force, BitSight, and Proofpoint, has disrupted three major cybercrime tools in a coordinated global operation.

The campaign targeted Amadey, a modular botnet loader; Stealc, a credential-stealing infostealer; and SocGholish, a dropper distributed through fake browser updates on compromised websites. All three operate as malware-as-a-service and can be rented by criminal affiliates who use them as the first stage of ransomware, fraud, and espionage campaigns.

Over two weeks, 326 servers and 142 domains were seized or disabled. Europol said 27 million stolen login credentials were recovered and criminal crypto assets worth more than EUR 41 million ($47 million) were frozen. Separately, Microsoft identified over 18,000 victim computers and worked with telecoms providers to protect affected customers.

The investigation revealed that Amadey and Stealc, though built by separate developers, shared infrastructure. Microsoft said it used Copilot to analyze the malware, surfacing connections between the two families.

ESET, which has tracked both families for three years, found Amadey priced at $600 per license with $50 per rebuild, while Stealc subscriptions start at $1,000 for six months. Both are sold on darknet forums with dedicated affiliate panels.

SocGholish, which is linked to Russian cybercriminal group Evil Corp, was disrupted separately. Almost 15,000 infected WordPress sites were remediated, and website owners were notified to update credentials and enable multi-factor authentication.

The operation is part of Operation Endgame, which Europol describes as the largest international action ever undertaken against ransomware enablers.

To stay secure, organizations should check published indicators of compromise from ESET and Microsoft, audit for Amadey and Stealc activity in endpoint logs, and rotate credentials on any systems where infostealer exposure is suspected.