Summary Points
- Europol and partners disrupted the command-and-control infrastructure of Amadey loader/botnet and StealC info stealer, both of which operate as modular Malware-as-a-Service targeting Windows machines globally.
- Amadey uses plain HTTP communication with hardcoded C2 servers and obfuscated configs, while StealC employs a sophisticated, encrypted JSON-over-HTTP protocol, both stealing credentials, wallets, and sensitive data across numerous browsers and applications.
- The operations’ disruption leveraged detailed threat intelligence—including C2 mapping, IoCs, and infection telemetry—highlighting the importance of public-private collaboration in dismantling cross-border cybercrime networks.
Threat, Techniques, and Targets
On June 24, 2026, Europol and the Microsoft Digital Crimes Unit led a coordinated effort to disrupt two major malware families on Windows: Amadey and StealC. Bitsight TRACE supported this operation by providing key threat intelligence, including C2 infrastructure mapping, IoCs, and infection telemetry. Amadey is a modular loader and botnet sold since 2018 on Russian forums. It acts as a remote access Trojan (RAT) and can distribute various payloads. StealC, sold since early 2023, is an information stealer that harvests credentials, cookies, wallets, and other data. Both malware families use command and control (C2) servers and infrastructure that often overlap. They are delivered via various methods such as trojanized software, malvertising, phishing, and abuse of trusted platforms. Amadey often drops StealC onto infected hosts. The malware targets include browsers, crypto wallets, messaging apps, and desktop tools, with infections spanning worldwide, especially India and other regions.
Impact, Security Implications, and Guidance
The operation successfully seized 47 domains and 182 IPs linked to Amadey and StealC C2 infrastructure. This action disrupted their command and control channels, hindering their ability to control infected devices and distribute payloads. As a result, the malware families’ activity was temporarily stopped, reducing potential data theft, credential harvesting, and follow-up intrusions. However, because these malware operations are commodity-based, operators are likely to rebuild or retool their infrastructure soon. This highlights the ongoing need for defenders to monitor for new campaigns and infrastructures. For remediation, organizations should obtain updated detection rules and IoCs directly from vendors or authorities. Continuous monitoring and sharing of threat intelligence are essential to defend against re-emergence of these threats.
Discover More Technology Insights
Dive deeper into the world of Cryptocurrency and its impact on global finance.
Discover archived knowledge and digital history on the Internet Archive.
ThreatIntel-V1
