Executive Summary
In June 2026, an international law enforcement operation, in collaboration with private sector partners including Microsoft, Bitdefender, Bitsight, and ESET, successfully dismantled the infrastructure supporting the Amadey and StealC malware networks. This coordinated effort led to the seizure of 326 servers and 142 domains, the identification and restriction of over $47 million in illicit cryptocurrency assets, and the recovery of approximately 27 million stolen login credentials. The operation targeted the 'assembly lines' used by cybercriminals to launch ransomware, financial fraud, and attacks on critical infrastructure.
This takedown underscores the growing effectiveness of public-private partnerships in combating cybercrime. By disrupting the infrastructure of malware-as-a-service operations like Amadey and StealC, authorities have significantly hindered the ability of cybercriminals to execute large-scale attacks, highlighting the importance of collaborative efforts in enhancing global cybersecurity.
Why This Matters Now
The disruption of the Amadey and StealC malware networks is critical as it directly impacts the operational capabilities of cybercriminals who rely on these services to conduct ransomware attacks and data theft. This action demonstrates the effectiveness of international cooperation in addressing the evolving threat landscape and emphasizes the need for continued vigilance and collaboration to protect sensitive information and critical infrastructure.
Attack Path Analysis
The Amadey and StealC campaigns began with malicious payloads delivered through phishing emails and compromised websites, which produced the initial infections. Once running, Amadey established persistence by writing Registry Run keys and Startup folder entries so that it survived reboots. Acting as a loader, it then fetched and executed additional payloads such as StealC, an infostealer that harvests credentials and other sensitive data stored on the local system; the follow-on payloads were dropped on the same host rather than spread by lateral movement. Command and control ran over plain HTTP, and the same channel carried tasking, new payloads and the stolen data back to the operators. The harvested credentials then fed follow-on ransomware and financial fraud. The campaign's impact included the theft of more than 25 million unique credentials and the compromise of more than 385,000 systems.
Kill Chain Progression
Initial Compromise
Description
Attackers distributed malicious payloads through phishing emails and compromised websites, leading to the initial infection of systems.
MITRE ATT&CK® Techniques (observed across the full chain, not only at initial compromise)
- Application Layer Protocol: Web Protocols (T1071.001)
- Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001)
- Data from Local System (T1005)
- Ingress Tool Transfer (T1105)
- File and Directory Discovery (T1083)
- Modify Registry (T1112)
- Obfuscated Files or Information (T1027)
- System Information Discovery (T1082)
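The persistence and command-and-control techniques listed above (T1547.001 and T1071.001) can be hunted for in endpoint and proxy telemetry. The following Python is an added example, not code from the article or from any of the vendors or agencies it names. The event records are constructed stand-ins for Sysmon-style registry-set events and web-proxy access logs; their field names, hostnames and TEST-NET addresses are assumptions for illustration, not a real product's schema.

```python
"""Hunt for loader-style persistence and HTTP check-ins in endpoint and proxy telemetry.

Added example (not from the article or any named vendor). Event fields, hostnames
and the 203.0.113.0/24 and 198.51.100.0/24 addresses are constructed assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

# T1547.001: Run / RunOnce keys are the autostart locations the article describes.
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
# A Run-key value that launches a binary from a user-writable staging directory is the
# suspicious shape; signed software under AppData\Local\<Vendor> is deliberately not matched.
STAGING_DIR_RE = re.compile(r"\\(AppData\\Local\\Temp|AppData\\Roaming|ProgramData|Users\\Public)\\", re.I)
# T1071.001: an HTTP POST straight to an IP address is the shape of a loader check-in.
BARE_IP_URL_RE = re.compile(r"^http://(\d{1,3}\.){3}\d{1,3}(:\d+)?/")

# Constructed sample telemetry.
SAMPLE_EVENTS = [
    {"type": "registry_set", "host": "WS01", "image": r"C:\Users\alice\AppData\Local\Temp\a1b2\svc.exe",
     "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\svc",
     "value": r"C:\Users\alice\AppData\Local\Temp\a1b2\svc.exe"},
    {"type": "registry_set", "host": "WS02", "image": r"C:\Program Files\Microsoft OneDrive\OneDriveSetup.exe",
     "target": r"HKU\S-1-5-21-2\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "value": r"C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},  # benign, not flagged
    {"type": "http", "host": "WS01", "method": "POST", "url": "http://203.0.113.10/index.php", "ts": "2026-06-24T10:00:00"},
    {"type": "http", "host": "WS01", "method": "POST", "url": "http://203.0.113.10/index.php", "ts": "2026-06-24T10:01:00"},
    {"type": "http", "host": "WS01", "method": "POST", "url": "http://203.0.113.10/index.php", "ts": "2026-06-24T10:02:01"},
    {"type": "http", "host": "WS01", "method": "POST", "url": "http://203.0.113.10/index.php", "ts": "2026-06-24T10:02:59"},
    {"type": "http", "host": "WS01", "method": "POST", "url": "http://203.0.113.10/index.php", "ts": "2026-06-24T10:04:00"},
    {"type": "http", "host": "WS02", "method": "POST", "url": "https://telemetry.example.net/v1/events", "ts": "2026-06-24T10:00:00"},
    {"type": "http", "host": "WS03", "method": "GET", "url": "http://203.0.113.10/a.exe", "ts": "2026-06-24T09:59:50"},
    {"type": "http", "host": "WS03", "method": "POST", "url": "http://198.51.100.5/upload.php", "ts": "2026-06-24T10:00:00"},
    {"type": "http", "host": "WS03", "method": "POST", "url": "http://198.51.100.5/upload.php", "ts": "2026-06-24T10:00:09"},
]


def find_persistence(events):
    """T1547.001: Run-key values that launch a binary from a user-writable staging directory."""
    findings = []
    for e in events:
        if e.get("type") != "registry_set":
            continue
        if RUN_KEY_RE.search(e["target"]) and STAGING_DIR_RE.search(e["value"]):
            findings.append({"technique": "T1547.001", "host": e["host"],
                             "writer": e["image"], "autostart": e["value"]})
    return findings


def find_checkins(events, min_hits=4, max_jitter=0.2):
    """T1071.001: group HTTP POSTs to bare-IP URLs per (host, url) and mark the periodic ones.

    A pair is 'periodic' when it has at least min_hits requests and the spread of the
    inter-request gaps is within max_jitter of the mean gap (a fixed-interval beacon).
    """
    by_pair = defaultdict(list)
    for e in events:
        if e.get("type") == "http" and e.get("method") == "POST" and BARE_IP_URL_RE.match(e["url"]):
            by_pair[(e["host"], e["url"])].append(datetime.fromisoformat(e["ts"]))
    findings = []
    for (host, url), times in sorted(by_pair.items()):
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = sum(gaps) / len(gaps) if gaps else 0.0
        periodic = len(times) >= min_hits and mean > 0 and (max(gaps) - min(gaps)) / mean <= max_jitter
        findings.append({"technique": "T1071.001", "host": host, "url": url,
                         "hits": len(times), "interval_s": round(mean), "periodic": periodic})
    return findings


def triage(events):
    """Run both hunts and return the findings keyed by category."""
    return {"persistence": find_persistence(events), "checkins": find_checkins(events)}


if __name__ == "__main__":
    for category, items in triage(SAMPLE_EVENTS).items():
        for finding in items:
            print(category, finding)
```

On the constructed data this flags WS01 twice (a Run key pointing into Temp, and a 60-second POST beacon to a bare IP) and lists WS03's two bare-IP POSTs without calling them periodic. Any bare-IP POST is worth a look; the periodicity test is what separates a scheduled check-in from a one-off. The staging-directory regex is the tuning knob: widening it to all of AppData\Local catches more malware but also every per-user installer.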
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Malware Protection
Control ID: Requirement 5.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 6
CISA ZTMM 2.0 – Asset Management
Control ID: 3.1
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of this malware activity, including operational, regulatory, and cloud security risks.
Financial Services
Amadey and StealC pose a severe credential-theft risk to financial institutions: harvested banking and employee credentials enable account fraud and give ransomware operators their initial foothold, so egress controls and inspection of encrypted outbound traffic are priorities.
Health Care / Life Sciences
Credential-stealing malware aimed at critical infrastructure threatens patient data and HIPAA compliance; zero trust segmentation and multicloud visibility limit how far a single infected endpoint can reach.
Government Administration
The law enforcement disruption shows that credential-harvesting operations against government infrastructure continue, with stolen credentials feeding follow-on ransomware and other targeted campaigns.
Information Technology/IT
IT organisations are directly exposed: infostealers harvest administrative and service credentials that attackers then reuse for lateral movement, so threat detection, anomaly response and hardening of container platforms such as Kubernetes are required.
Sources
- Amadey and StealC Malware Network Disrupted, 27M Stolen Credentials Recovered – https://thehackernews.com/2026/06/amadey-and-stealc-malware-network.html
- Operation Endgame: two infostealers taken down again – https://www.politie.nl/en/news/2026/june/24/11-operation-endgame-two-infostealers-taken-down-again.html
- Microsoft and Allies Smash Shared Infrastructure of Amadey and StealC Malware – https://www.securityweek.com/microsoft-and-allies-smash-shared-infrastructure-of-amadey-and-stealc-malware/
- Europol announces global cyber strike against malware networks used for ransomware and data theft – https://2eu.brussels/en/news/europol-announces-global-cyber-strike-against-malware-networks-used-for-ransomware-and-data-theft
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have significantly limited the malware's ability to move laterally and exfiltrate data by enforcing strict segmentation and controlled egress policies.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The initial infection may have been contained to the compromised workload, reducing the potential for further system infiltration.
Control: Zero Trust Segmentation
Mitigation: A compromised workload would have been confined to the segment and peers its policy explicitly allows, so the loader could not use the infected host as a springboard into the rest of the environment.
Control: East-West Traffic Security
Mitigation: East-west inspection would have restricted and logged any attempt to reach other workloads, reducing the risk of additional compromise and of staged data collection across the network.
Control: Multicloud Visibility & Control
Mitigation: The malware's command and control communications may have been detected and disrupted, limiting remote management capabilities.
Control: Egress Security & Policy Enforcement
Mitigation: The exfiltration of sensitive data would likely have been restricted, reducing the risk of data loss.
The overall impact of the attack may have been significantly reduced, limiting the number of compromised systems and stolen credentials.
Impact at a Glance
Affected Business Functions
- User Account Management
- Financial Transactions
- Email Communications
- Access to Sensitive Data
Estimated downtime: N/A
Estimated loss: N/A
27 million stolen login credentials from over 385,000 systems, including usernames, passwords, and potentially sensitive personal information.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to restrict lateral movement and limit the spread of malware within the network.
- Enforce Egress Security & Policy Enforcement to monitor and control outbound traffic, preventing unauthorized data exfiltration.
- Deploy Inline IPS (Suricata) to detect and block known exploit patterns and malicious payloads in real time.
- Utilize Threat Detection & Anomaly Response systems to identify and respond to suspicious activities promptly.
- Establish Multicloud Visibility & Control to maintain comprehensive oversight and management of security policies across all cloud environments.
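A minimal evaluator for the egress control recommended above, as an added example that is not Aviatrix code and is not drawn from the article: a default-deny allowlist keyed on destination name or CIDR plus port, with a separate denial reason for plain-HTTP connections made straight to an IP address, so the loader pattern from the attack path stands out in the deny log. The policy schema, rule names, hostnames and addresses are assumptions for illustration.

```python
"""Default-deny egress policy evaluated against constructed outbound connection attempts.

Added example, not code from the article or from Aviatrix. The policy schema,
rule names, hostnames and TEST-NET / RFC 1918 addresses are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AllowRule:
    name: str
    dst: str                 # CIDR ("10.20.0.0/16"), exact FQDN, or wildcard suffix ("*.windowsupdate.com")
    ports: frozenset         # destination ports this rule permits


@dataclass(frozen=True)
class Conn:
    src: str
    dst_ip: str
    dst_fqdn: Optional[str]  # None when the client connected straight to an IP with no DNS lookup
    dst_port: int


@dataclass(frozen=True)
class Decision:
    action: str              # "allow" or "deny"
    reason: str              # matching rule name on allow; "bare-ip" or "not-allowlisted" on deny


# Constructed allowlist; anything it does not match is denied.
POLICY = [
    AllowRule("windows-update", "*.windowsupdate.com", frozenset({80, 443})),
    AllowRule("corp-package-repo", "repo.corp.example", frozenset({443})),
    AllowRule("internal-services", "10.20.0.0/16", frozenset({443})),
]


def _matches(rule: AllowRule, conn: Conn) -> bool:
    if conn.dst_port not in rule.ports:
        return False
    if "/" in rule.dst:                              # CIDR rule: match on the address
        return ipaddress.ip_address(conn.dst_ip) in ipaddress.ip_network(rule.dst)
    if conn.dst_fqdn is None:                        # name-based rules never match a bare-IP connection
        return False
    name = conn.dst_fqdn.lower().rstrip(".")
    if rule.dst.startswith("*."):
        return name.endswith(rule.dst[1:].lower())   # "*.x.com" -> ".x.com"; lookalikes such as x.com.evil.example fail
    return name == rule.dst.lower()


def evaluate(conn: Conn, policy=POLICY) -> Decision:
    """First matching allow rule wins; otherwise deny and classify the denial."""
    for rule in policy:
        if _matches(rule, conn):
            return Decision("allow", rule.name)
    # Plain HTTP straight to an IP is the shape of a loader fetching its next stage
    # or checking in to C2, so it gets its own reason for SOC prioritisation.
    if conn.dst_fqdn is None and conn.dst_port in (80, 8080):
        return Decision("deny", "bare-ip")
    return Decision("deny", "not-allowlisted")


# Constructed connection attempts.
SAMPLE_CONNS = [
    Conn("WS01", "203.0.113.10", None, 80),                               # loader pulling a payload
    Conn("WS01", "203.0.113.44", "cdn.tracker.example", 443),             # unknown SaaS, not allowlisted
    Conn("WS02", "198.51.100.7", "download.windowsupdate.com", 443),      # legitimate update traffic
    Conn("WS02", "10.20.0.9", "repo.corp.example", 443),                  # internal repo by name
    Conn("WS03", "10.20.0.9", None, 22),                                  # internal host, port not permitted
    Conn("WS03", "203.0.113.10", "windowsupdate.com.evil.example", 443),  # lookalike name
]


def audit(conns, policy=POLICY):
    """Return (src, destination, port, Decision) for each attempt, in input order."""
    return [(c.src, c.dst_fqdn or c.dst_ip, c.dst_port, evaluate(c, policy)) for c in conns]


if __name__ == "__main__":
    for src, dst, port, decision in audit(SAMPLE_CONNS):
        print(f"{src} -> {dst}:{port} {decision.action} ({decision.reason})")
```

The two denial reasons matter operationally: "bare-ip" on port 80 from a workstation is a strong loader signal and deserves immediate triage, while "not-allowlisted" is mostly policy noise until it clusters on one host. Note the limit of a name-based allowlist: it does not stop exfiltration to a SaaS destination you have allowed, which is why the page pairs egress policy with traffic inspection and anomaly detection.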