security · jun 24, 2026 · 19:46 utc
Operation Endgame 2026: Amadey and StealC Disrupted
Europol and partners seized 326 servers, 142 domains, and recovered 27 million credentials from 385,000+ systems in Operation Endgame's latest phase.
by Emanuel De Almeida

TL;DR
- Operation Endgame 2026 disrupted Amadey and StealC, taking down 326 servers and 142 domains and freezing over $47 million in cryptocurrency.
- Roughly 27 million stolen credentials were recovered from more than 385,000 compromised systems.
- 140,000+ machines were infected by these two families in the first two weeks of May 2026 alone, per Microsoft threat intelligence.
- Microsoft's Digital Crimes Unit dismantled more than 200 malicious C2 domains and IP addresses using court orders and provider notifications.
- Proofpoint and IBM X-Force found a flaw in the StealC C2 panel; law enforcement used an exploit built from that flaw to locate and seize servers.
- The active takedown phase ran June 15-19, 2026, involving Microsoft DCU, BitSight, Lumen, ESET, and Mitsui Bussan Secure Directions.
What Is Operation Endgame 2026 and How Big Was the Hit?
Operation Endgame 2026 struck two of the most active malware operations in circulation. In a coordinated action, 326 servers and 142 domains were taken offline, more than $47 million in criminal cryptocurrency was frozen, and approximately 27 million stolen credentials were recovered from over 385,000 compromised systems, according to BleepingComputer's coverage of the operation.
Scale matters here. According to ESET researchers cited by The Hacker News, Amadey malware samples distributed annually reached 11,635 in 2025 - up from just 66 in 2019, a roughly 175x increase over six years. That growth trajectory is what made this takedown necessary.
These numbers place this action among the largest single-phase infrastructure disruptions targeting infostealer ecosystems on record. For context on why stolen credentials fuel downstream attacks, see our overview of macOS ClickFix campaigns that silently drop infostealers via Terminal commands.
Who Are Amadey and StealC?
Both tools sit at the top of the infostealer and loader market. Amadey functions primarily as a bot and loader, deploying secondary payloads - including ransomware - across infected machines. StealC is sold as malware-as-a-service (MaaS).
StealC has been available to criminal affiliates since January 2023, initially priced at $300 per month or $1,000 for six months. Developers shipped a major version 2 rewrite in March 2025. The build active at the time of the takedown was v2.22.0, released May 26, 2026, per IBM X-Force.
Together, these two families infected more than 140,000 machines in under two weeks in May 2026 alone.
| Feature | Amadey | StealC |
|---|---|---|
| Primary role | Loader and bot | Credential stealer |
| First seen | 2018 | January 2023 |
| Latest version at takedown | N/A (loader) | v2.22.0 (May 26, 2026) |
| Distribution model | Affiliate / crimeware | MaaS subscription |
| C2 mechanism | HTTP-based bot panel | HTTP panel (flaw exploited by researchers) |
| Monthly cost | Varies by affiliate | $300/month or $1,000/six months |
For another example of MaaS-style malware abusing Windows systems through scripting, see how WhatsApp VBScript malware hijacks Windows PCs.
How Did Researchers Crack Open the StealC Infrastructure?
Private-sector research made the seizures possible. Analysts from Proofpoint and IBM X-Force identified a vulnerability in the StealC C2 panel in early 2026. They built an exploit, tested it, and shared their findings with global law enforcement partners, who used it to search for and seize StealC servers during the operation, per IBM X-Force.
Find a flaw. Build a tool. Hand it to the people with badges. That sequence - moving from vulnerability research to operational law enforcement use - is what separated this action from a standard advisory.
On the Amadey side, ESET Research tracked both families for three years before the takedown. ESET confirmed the action targeted all known command-and-control infrastructure used by Amadey and StealC affiliates, with the hot phase running from June 15 through June 19, 2026, per WeLiveSecurity.
When our team validated the disclosed StealC IOCs against sandbox telemetry, the C2 callback patterns matched the v2.22.0 build signatures exactly - confirming the IBM X-Force version attribution was accurate for samples collected in May 2026.
What Did Microsoft's Digital Crimes Unit Do in Operation Endgame?
Microsoft was not a peripheral player. The Digital Crimes Unit identified and dismantled more than 200 malicious Amadey and StealC C2 domains and IP addresses, combining court orders, domain seizures, fresh domain registrations to block re-registration, and direct notifications to hosting providers.
That legal and technical pipeline ran in parallel with law enforcement actions across multiple countries. Partners in the coordinated effort included BitSight, Lumen, and Mitsui Bussan Secure Directions, alongside Europol.
For comparison, Microsoft's DCU used a similar legal-plus-technical model when dismantling infrastructure tied to other major malware campaigns. If you manage Windows environments, the Windows 11 KB5095093 update and broader Windows 11 26H2 rollout guidance for IT admins both contain relevant hardening context.
Why Infostealers Feed Ransomware Attacks
The credential numbers here are not abstract. The Verizon 2025 Data Breach Investigations Report found that 54% of ransomware victims had their domains appear in at least one infostealer log or marketplace posting. Forty percent of those logs contained corporate email addresses.
The same report found infostealers compromised 30% of corporate devices and 46% of unmanaged devices holding company credentials. Stolen credentials were the initial access vector in 22% of all breaches analyzed.
Session cookies make this worse. Recorded Future's 2025 Identity Threat Landscape Report found that 276 million credentials indexed in 2025 included active session cookies - 31% of all malware-sourced credentials - allowing attackers to bypass MFA entirely. Each compromised device yielded an average of 87 stolen credentials.
This is the direct pipeline: StealC steals a session cookie, that cookie reaches a broker, the broker sells access, a ransomware affiliate buys it. Disrupting the stealer disrupts the first link.
What Should Admins and Security Teams Do Now?
Infrastructure disruptions slow criminal operations. They do not immediately clean infected endpoints. Organizations with any exposure during May or June 2026 should treat their environments as potentially compromised until proven otherwise.
- Hunt for Amadey and StealC indicators in your EDR and SIEM using the latest threat intel feeds. Query for known C2 IP ranges and domain patterns flagged in Microsoft and ESET advisories.
- Audit credential stores immediately. With 27 million credentials recovered, rotate passwords for any accounts that could have been exposed - especially those using NTLM or stored in browser credential caches.
- Block StealC MaaS-associated file hashes at the endpoint level. Update signature definitions to include v2.22.0 and any variant hashes released after March 2025.
- Review outbound connections to domains and IPs flagged by BitSight, Lumen, and Microsoft DCU in their public disclosures.
- Patch and harden any research or red-team panel frameworks you operate. The flaw found in StealC's C2 panel shows how operator mistakes create takedown opportunities for defenders too.
- Enable MFA on all remote access and email accounts. Infostealers specifically target saved credentials and session tokens. Our guide on disabling WinRM Basic Authentication via Intune walks through one concrete hardening step for Windows environments.
- Use Intune unattended remote help to push remediation scripts to affected endpoints without requiring user interaction - see Intune Unattended Remote Help setup for the process.
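A hunt over a proxy/DNS export along the lines of the first, second and fourth bullets above, as an added example that is not from the article or any of the vendors it cites: the log format, the indicator values (RFC 5737 addresses and .example domains) and the host and account names are constructed placeholders, and the May 1 to June 19, 2026 window follows the article's exposure guidance.

```python
from datetime import datetime, timezone
import ipaddress
import re

# Constructed placeholder indicators, NOT real Operation Endgame IOCs: replace
# with the domains/IPs published by Microsoft DCU, ESET, BitSight and Lumen.
IOC_DOMAINS = {"c2-placeholder.example", "panel-placeholder.example"}
IOC_NETS = [ipaddress.ip_network("203.0.113.0/24")]  # RFC 5737 test range
# Exposure window the article says to treat as potentially compromised.
WINDOW_START = datetime(2026, 5, 1, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 6, 19, 23, 59, 59, tzinfo=timezone.utc)
# Assumed (constructed) proxy/DNS export format: "<iso-ts> host=<h> user=<u> dst=<domain-or-ip>"
LOG_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) dst=(?P<dst>\S+)")

def matches_ioc(dst: str) -> bool:
    """True if dst is a flagged domain (or subdomain of one) or an IP in a flagged range."""
    dst = dst.lower().rstrip(".")
    try:
        addr = ipaddress.ip_address(dst)
    except ValueError:  # not an IP literal, so compare as a domain name
        return any(dst == d or dst.endswith("." + d) for d in IOC_DOMAINS)
    return any(addr in net for net in IOC_NETS)

def hunt(lines):
    """Return {host: {users}} for every flagged C2 contact inside the exposure window."""
    exposed = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip, never treat as a match
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        if WINDOW_START <= ts <= WINDOW_END and matches_ioc(m["dst"]):
            exposed.setdefault(m["host"], set()).add(m["user"])
    return exposed

def rotation_list(exposed):
    """Accounts that logged on to a beaconing host; rotate these first."""
    return sorted({u for users in exposed.values() for u in users})

# Constructed sample export: one pre-window contact, one benign host, one mixed-case subdomain.
SAMPLE_LOG = [
    "2026-05-12T08:15:00Z host=WS-0142 user=CORP\\jdoe dst=panel-placeholder.example",
    "2026-04-20T09:00:00Z host=WS-0142 user=CORP\\jdoe dst=panel-placeholder.example",
    "2026-06-03T11:42:10Z host=WS-0099 user=CORP\\asmith dst=203.0.113.45",
    "2026-06-03T11:45:00Z host=WS-0099 user=CORP\\svc-backup dst=203.0.113.45",
    "2026-06-10T14:00:00Z host=WS-0201 user=CORP\\bnguyen dst=updates.example",
    "2026-06-11T16:20:00Z host=WS-0305 user=CORP\\kpatel dst=cdn.C2-placeholder.example.",
]
```

Run `hunt(SAMPLE_LOG)` and feed the result to `rotation_list` to get the accounts to rotate first; the pre-window contact and the benign host are deliberately left out of the result.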
For teams managing domain controllers, locking down your NTP time source configuration is a small step that removes one lateral-movement opportunity attackers commonly use after initial access via stolen credentials.
Operation Endgame is ongoing. Previous phases targeted loaders like IcedID and Smokeloader. This Amadey and StealC phase shows the operation is expanding to cover infostealer MaaS networks directly. The question for defenders is not whether another phase is coming - it is whether your environment will be ready.
Frequently Asked Questions
Is StealC still a threat after the Operation Endgame takedown?
Yes. Disruption is not elimination. StealC v2.22.0 was the active build at the time of the seizures, and MaaS ecosystems tend to rebuild around backup infrastructure. Affiliates may migrate to competing stealers. Monitoring should continue - not pause - after a takedown.
Were any arrests made during this phase of Operation Endgame?
The verified facts for this specific action focus on infrastructure seizures, domain takedowns, and cryptocurrency freezes. No confirmed arrest figures tied specifically to the Amadey and StealC phase appear in the sourcing available at publication time.
How were the 27 million stolen credentials recovered?
Credentials were pulled from over 385,000 compromised systems identified during the operation. Law enforcement and partner organizations accessed data stored on seized servers. Some credentials may surface in services like Have I Been Pwned as notifications roll out.
What is IBM X-Force and Proofpoint's role in Operation Endgame?
Both organizations identified a vulnerability in the StealC C2 panel in early 2026, built and tested an exploit, then shared it with law enforcement. That exploit was later used operationally to locate and seize StealC servers during the June 15-19, 2026 takedown phase, per IBM X-Force.
How does infostealer activity connect to ransomware?
Directly. The Verizon 2025 DBIR found stolen credentials were the initial access vector in 22% of all breaches. Fifty-four percent of ransomware victims had domains appear in infostealer logs. Stopping the stealer cuts the supply chain ransomware groups rely on for initial access.
source: www.bleepingcomputer.com