
Global Cyber Strike: Amadey & StealC Malware Networks Decimated, 27 Million Credentials Recovered


In a monumental display of international collaboration, law enforcement agencies and leading cybersecurity firms have delivered a significant blow to the global cybercrime ecosystem. A coordinated operation has successfully dismantled the criminal infrastructure behind the notorious Amadey and StealC malware families, leading to the recovery of an astonishing 27 million stolen login credentials and the restriction of over $47 million in illicit cryptocurrency assets.

Global Alliance Strikes Back Against Malware-as-a-Service

This extensive two-week action, spearheaded by Europol and involving partners like Bitdefender, Bitsight, ESET, and Microsoft, targeted the “assembly lines” cybercriminals utilize to orchestrate ransomware attacks, financial fraud, and assaults on critical infrastructure. The disruption follows closely on the heels of another successful operation by Dutch, Canadian, German, and U.S. authorities, which neutralized infrastructure linked to SocGholish malware and cleaned nearly 15,000 compromised WordPress sites.

“This takedown is a powerful demonstration of what public and private sector collaboration can achieve in dismantling the infrastructure that enables cybercrime at scale,” stated Alex Cosoi, Chief Security Strategist at Bitdefender. “It also sends a clear message to those behind malware ecosystems: no matter how sophisticated the tools or how distributed the network, coordinated international action will find them.”

Unpacking the Threat: Amadey and StealC

Both Amadey and StealC operate under a prevalent “malware-as-a-service” (MaaS) model, offering their malicious capabilities to a wide array of cybercriminals. This model allows customers to deploy additional payloads or exfiltrate sensitive data from compromised systems with relative ease.

Amadey: The Versatile Loader

Active since October 2018 and advertised by a threat actor known as “InCrease,” Amadey is a C++-based modular backdoor functioning primarily as a loader for subsequent malware stages. It has been widely disseminated through phishing campaigns and compromised WordPress sites, and even propagated by other loaders like Emmenhtal and SmokeLoader. A single license for Amadey reportedly cost $600, with an additional $50 per rebuild for its latest version, 5.87.

Amadey’s extensive command set includes:

  • Machine fingerprinting
  • Downloading various file types (DLLs, MSIs, PowerShell scripts)
  • Executing arbitrary commands via “cmd.exe”
  • Capturing screenshots
  • Spawning SOCKS proxy sessions
  • Opening VNC or reverse proxy sessions
  • Capturing clipboard contents and credentials
  • Enabling Remote Desktop Protocol (RDP)

Analysis by Mitsui Bussan Secure Directions revealed a significant surge in Amadey’s activity. While the number of daily active command-and-control (C2) servers hovered between 2 and 18 until late 2022, it rose to between 5 and 30 from January to December 2023, indicating widespread adoption. Although activity saw a brief decline in early 2024, the volume of malware samples distributed via Amadey escalated dramatically, reaching a peak of 11,635 in 2025 (projected), a stark increase from just 66 in 2019.

StealC: The Potent Infostealer

Emerging in January 2023 and sold by a threat actor named “plymouth” for $300 per month (or $1,000 for six months), StealC is a formidable information stealer. It leverages diverse initial access vectors, including other malware loaders like Amadey and ClickFix lures, to extract a treasure trove of sensitive data. Its capabilities include harvesting screenshots, credentials, session cookies, autofill entries, credit card data, browsing history, and extension data.

With its latest version, 2.2.1 (as of June 2026), StealC has shown high infection concentrations in the U.S., Poland, and Italy. Beyond targeting Chromium browsers, it actively pilfers data from popular desktop applications such as Discord, FileZilla, Foxmail, Microsoft Outlook, Steam, and Telegram. Notably, StealC, also written in C++, incorporates a unique defense mechanism: it queries the system’s default language and self-terminates if the locale matches countries like Russia, Ukraine, Belarus, Kazakhstan, or Uzbekistan. Amadey employs a similar check, skipping credential and clipboard stealing functionalities on Russian, Ukrainian, or Belarusian hosts.

The recent operation underscores the critical importance of sustained international cooperation between public and private sectors in the ongoing battle against sophisticated cyber threats. By dismantling these “assembly lines,” authorities are not only recovering stolen assets but also sending a powerful deterrent message to the architects of cybercrime.
