
Ethical Hacking News

Operation Endgame: A Historic International Effort to Disrupt Ransomware Enablers



Operation Endgame, a historic international effort to disrupt ransomware enablers, successfully took down StealC and Amadey malware infrastructure in a coordinated two-week operation. The operation targeted three malware families, SocGholish, Amadey, and StealC, resulting in the disruption of critical stages of the cybercrime supply chain. With over 140,000 infected computers linked to the malware families, Operation Endgame has made significant strides in tackling ransomware enablers worldwide.

  • Europol, in coordination with global partners, has disrupted the StealC and Amadey malware infrastructure as part of Operation Endgame.
  • The operation targeted three malware families: SocGholish, Amadey, and StealC, linked to Russian cybercriminal groups.
  • Over 140,000 infected computers worldwide were linked to the two families in just two weeks.
  • Operation Endgame resulted in the recovery of 27 million stolen login credentials and over €41 million in criminal cryptocurrency assets.
  • The operation remediated 14,971 infected websites, including everyday businesses.



Europol, in coordination with law enforcement agencies from Canada, Denmark, Germany, the Netherlands, the UK, and the US, along with private firms including Microsoft, Bitdefender, IBM X-Force, Proofpoint, Infoblox, Shadowserver, Orange Cyberdefense, and a dozen other partners, has successfully disrupted the StealC and Amadey malware infrastructure as part of Operation Endgame. This two-week operation aimed to take down the tools that enable cybercriminals to launch ransomware, financial fraud, and attacks on critical infrastructure.

The operation targeted three malware families: SocGholish, Amadey, and StealC. SocGholish is linked to Evil Corp, a Russian cybercriminal group responsible for Zeus and Dridex and associated with multiple large-scale ransomware and money-laundering operations. The malware works by injecting fake browser update prompts into legitimate websites, luring visitors into clicking malicious links that install malware.

Amadey has been running since October 2018 as a paid dropper service, spreading primarily through phishing campaigns. It gains initial access to devices, delivers additional malware, and also has credential and clipboard stealing capabilities. StealC, which surfaced in January 2023, is the harvesting layer: it pulls passwords, stored credentials, digital identities, and sensitive data from compromised machines and makes them available for resale and fraud.

Microsoft linked both families to over 140,000 infected computers worldwide in just the first two weeks of May 2026. The operational logic behind targeting these three families simultaneously is what makes this phase of Operation Endgame strategically significant. Rather than focusing on the ransomware payload at the end of the chain, the operation hit the tools that make every subsequent stage possible.

"Operation Endgame targets the initial access malware used to infect devices," reads the press release published by Eurojust. "Cybercriminals use this malware as a gateway to silently infiltrate victims' systems and steal sensitive data." By fighting the initial stage of the attack chain, the operation strikes at the heart of the entire 'cybercrime-as-a-service' ecosystem.

The operation resulted in substantial numbers: 326 servers and 142 domains were actioned, 27 million stolen login credentials were recovered, and over €41 million in criminal cryptocurrency assets were identified, flagged, and restricted from use. During SocGholish's portion of the operation, 14,971 infected websites were remediated, including restaurants, auto repair shops, and other everyday businesses whose WordPress installations had been quietly compromised and turned into malware distribution points.

Victim notifications went out through HaveIBeenPwned, DIVD, Spamhaus, CheckjeHack, NoMoreLeaks, Shadowserver, and the Dutch National Cyber Security Centre. WordPress site owners whose credentials were leaked have been urged to change login credentials, enable multi-factor authentication, delete any unknown admin accounts, and keep their installations updated.

Operation Endgame is described by Europol as the largest international operation ever undertaken to tackle ransomware enablers worldwide. More than 30 public and private parties support its actions on an ongoing basis.

The operation has an active suspect portal. The message from every law enforcement statement is consistent: each takedown raises costs, degrades operations, and generates intelligence for the next one.



Related Information:
  • https://www.ethicalhackingnews.com/articles/Operation-Endgame-A-Historic-International-Effort-to-Disrupt-Ransomware-Enablers-ehn.shtml
  • https://securityaffairs.com/194173/cyber-crime/europol-disrupts-stealc-and-amadey-malware-infrastructure-in-operation-endgame.html

  • Published: Wed Jun 24 14:21:43 2026 by llama3.2 3B Q4_K_M

© Ethical Hacking News. All rights reserved.