Amadey Network With StealC Malware Disrupted, 27M Stolen Credentials Found

A coordinated operation by law enforcement, in collaboration with private companies, including Bitdefender, Bitsight, ESET, and Microsoft, resulted in the dismantling of the criminal infrastructure that powers Amadey and StealC.

“The main common objective was to disrupt the ‘assembly lines’ used by cybercriminals to launch ransomware, financial fraud, and attack critical infrastructure,” Europol said in a statement.

The development comes days after authorities from the Netherlands, Canada, Germany and the US disrupted the malicious infrastructure associated with SocGholish and cleaned up nearly 15,000 infected WordPress websites.

As part of the two-week operation, cryptocurrency assets of criminal origin valued at more than $47 million were identified, tagged, and blocked from further use. In addition, up to 27 million stolen login credentials were recovered, and the malware's distribution network was disrupted by taking down 326 servers and 142 domains.

“This takedown is powerful evidence of what public-private partnerships can accomplish in dismantling the infrastructure that enables cybercrime to scale,” said Alex Cosoi, chief security strategist at Bitdefender, in a statement. “And it sends a clear message to those behind the malware ecosystem: no matter how sophisticated the tools or how distributed the network, coordinated international actions will find them.”

All three malware families are known to be marketed under the malware-as-a-service (MaaS) model, which allows customers to deliver additional payloads to, or steal sensitive information from, compromised hosts.

SocGholish and Amadey serve as loaders for next-stage malware, distributed via compromised WordPress sites and phishing campaigns, respectively. Amadey is also distributed by other loaders such as Emmenhtal and SmokeLoader.

A C++-based backdoor, Amadey has been active since October 2018 and was promoted by a threat actor known as InCrease. The service is priced at $600 per license, with an additional $50 per build. The latest version of Amadey is 5.87. Some of the supported commands are listed below –

  • Fingerprint the machine
  • Download files, DLLs, MSI packages, or PowerShell scripts
  • Run commands using "cmd.exe"
  • Take screenshots
  • Create a SOCKS proxy
  • Open a VNC session or log off
  • Capture clipboard contents and details
  • Enable RDP

According to data published by Mitsui Bussan Secure Directions, the daily number of active Amadey command-and-control (C2 or C&C) servers was between two and 18 until September 2022.

“From January 2023 to early December 2023, however, this number increased to between 5 and 30, suggesting that Amadey has begun to be widely used,” the Japanese cybersecurity company said. “In 2024, after a short period of sleeplessness, the number of days has gradually decreased from 17 and has continued to decrease until today.”

The number of malware samples distributed through Amadey is said to have increased to 11,635 in 2025, up from 66 in 2019, 260 in 2020, 1,231 in 2021, 3,500 in 2022, and 8,360 in 2023. So far this year, 1,837 payloads have been distributed via the loader.

Figure: Malware dropped by Amadey in 2025 and 2026 and by StealC in 2026

StealC, on the other hand, uses various initial access vectors, including malware loaders (among them Amadey) and ClickFix lures, and is equipped to extract sensitive information such as screenshots, credentials, session cookies, autofill data, credit card data, browsing history, and browser extension data.

The malware first appeared in the wild in January 2023 and is sold for $300 per month (or $1,000 for six months) by a threat actor using the moniker "plymouth." Like Amadey, StealC is actively maintained by its operators. As of June 2026, the latest version of the stealer is 2.2.1. The highest concentrations of infections were reported in the US, Poland, and Italy.

Besides targeting Chromium-based browsers, the malware harvests data from desktop applications such as Discord, FileZilla, Foxmail, Microsoft Outlook, Steam, and Telegram, as well as files that match certain naming patterns. It also acts as a secondary loader, capable of downloading and running EXE, MSI, or PowerShell payloads based on commands from an external server.

Written in C++, a notable feature of the stealer is its ability to query the system's default language and automatically terminate if the locale matches countries such as Russia, Ukraine, Belarus, Kazakhstan, or Uzbekistan. Amadey has similar checks that skip certain activities, such as credential and clipboard theft, when running on a Russian, Ukrainian, or Belarusian host.

Figure: An infostealer's role in the ransomware attack chain

Earlier this January, CyberArk disclosed a cross-site scripting (XSS) vulnerability in the web-based control panel used by StealC operators that made it possible to obtain information about the operation of the MaaS, including one of its clients, tracked as YouTubeTA, which relies on Google's video-sharing platform to distribute the stealer with lures advertising Adobe software such as Photoshop.

IBM X-Force and Proofpoint also noted that several security flaws were identified in the C2 panel, one of which was a directory traversal bug that made it possible to upload a web shell to a StealC C2 server. The issue was addressed by the StealC developers in February 2026, but not before it was exploited by an affiliate to steal other affiliates' data.

"In both ecosystems, the communicators get a self-hosted management panel to be deployed in their own server infrastructure," said ESET researchers Jakub Tomanek and Tomáš Procházka. "Amadey used a pay-per-build model. Affiliates bought a license and paid an additional fee each time they needed a new build, for example, when they moved to a new C&C server."

“StealC has taken an ambassador-friendly approach, offering unlimited build generation as part of its subscription. This lowers the operating costs of rotating the C&C infrastructure and makes it easier for affiliates to generate new samples as needed.”

A total of 53 different clusters have been identified within the Amadey ecosystem, with the largest cluster of botnets distributing payloads such as Lumma Stealer, Vidar Stealer, StealC, Rugmi, PureCrypter, Agent Tesla, Rhadamanthys Stealer, RedLine Stealer, SmokeLoader, and XRAT.

Microsoft revealed that Amadey and StealC not only share infrastructure, but that the two malware families were linked to more than 140,000 infected computers worldwide in the first two weeks of May 2026. The technology giant said it identified more than 18,000 victim computers and severed the criminals' control over those devices.

In total, the tech giant said it flagged 200 Amadey and StealC C2 domains and IP addresses, all of which were blocked using a combination of court orders, domain seizures, registrar actions, and provider notifications.

Figure: Daily trends in the number of active Amadey C2 servers

"Uploaders and hijackers are two parts of the asset malware pipeline," Bitsight said. "The uploader finds the first site and rents it out; the hacker takes steps to collect information, cookies, and wallets, and then sells them on underground platforms (including Telegram)."

The latest action, which took place between June 15 and 19, 2026, marks the newest chapter of Operation Endgame. It involved law enforcement and judicial authorities from Belgium, Canada, Denmark, France, Germany, the Netherlands, the UK, and the US.

“Operation Endgame targets the first malware used to infect devices,” Eurojust said. “Cybercriminals use this malware as a gateway to silently enter victims’ systems and steal sensitive data. By countering the first stage of the attack chain, this project strikes at the heart of the entire ‘cybercrime-as-a-service’ system.”
