Executive Summary
In June 2026, an international coalition led by Europol, in partnership with Microsoft and other private entities, executed Operation Endgame to dismantle the infrastructure supporting the Amadey and StealC malware operations. This coordinated effort resulted in the disruption of 326 servers and 142 domains, the identification of over €41 million in illicit cryptocurrency, and the recovery of approximately 27 million stolen credentials from more than 385,000 compromised systems. The operation targeted the cybercrime assembly line, aiming to increase friction for cybercriminals and hinder their ability to conduct attacks.
The significance of this operation lies in its comprehensive approach to disrupting malware-as-a-service platforms that facilitate initial access, credential theft, and subsequent deployment of ransomware or financial fraud. By targeting the foundational infrastructure of these malware families, law enforcement and private partners have set a precedent for future collaborative efforts to combat cybercrime at its roots.
Why This Matters Now
The disruption of Amadey and StealC operations underscores the evolving threat landscape where malware-as-a-service platforms enable widespread cyberattacks. This incident highlights the critical need for organizations to enhance their cybersecurity measures and for continued international collaboration to dismantle cybercriminal infrastructures effectively.
Attack Path Analysis
Attackers utilized Amadey malware to gain initial access to victim systems, followed by deploying StealC to escalate privileges and harvest sensitive credentials. They then moved laterally within the network to access additional systems, established command and control channels to exfiltrate data, and ultimately impacted the organization by deploying ransomware or conducting financial fraud.
Kill Chain Progression
Initial Compromise
Description
Attackers used Amadey malware to gain initial access to victim systems.
MITRE ATT&CK® Techniques
Application Layer Protocol: Web Protocols
Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Data from Local System
Ingress Tool Transfer
System Information Discovery
Modify Registry
Obfuscated Files or Information
System Owner/User Discovery
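As an added defender-side example (not code from this brief or from the organizations it cites), the PowerShell below enumerates the autostart locations covered by the Registry Run Keys / Startup Folder technique listed above, writes a CSV snapshot and warns about entries absent from a stored baseline. The Run key paths and Startup folders are the standard Windows ones; the snapshot and baseline file paths and the "command launches from a user-writable directory" heuristic are assumptions made for this example, not facts the brief states about Amadey or StealC.

```powershell
# Added example: baseline and diff the Windows autostart locations behind
# ATT&CK "Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder".
# Not from the brief; paths marked "assumed" and the heuristic are this example's own choices.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

$startupFolders = @(
    [Environment]::GetFolderPath('Startup'),        # current user's Startup folder
    [Environment]::GetFolderPath('CommonStartup')   # all-users Startup folder
)

# Directories ordinary users can write to; an autostart entry launching from one of
# these deserves a closer look (heuristic assumed for this example, not from the brief).
$userWritable = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, $env:ProgramData, $env:PUBLIC) |
    Where-Object { $_ } | ForEach-Object { $_.ToLowerInvariant() }

$entries = [System.Collections.Generic.List[object]]::new()

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        # Skip the provider metadata Get-ItemProperty attaches to every object
        if ($p.Name -in 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider') { continue }
        $entries.Add([PSCustomObject]@{
            Location = $key
            Name     = $p.Name
            Command  = [string]$p.Value
        })
    }
}

foreach ($folder in $startupFolders) {
    if (-not (Test-Path $folder)) { continue }
    Get-ChildItem -Path $folder -File -Force | ForEach-Object {
        $entries.Add([PSCustomObject]@{
            Location = $folder
            Name     = $_.Name
            Command  = $_.FullName
        })
    }
}

# Mark entries whose (expanded) command string points into a user-writable directory
foreach ($e in $entries) {
    $cmd = [Environment]::ExpandEnvironmentVariables($e.Command).ToLowerInvariant()
    $flag = $false
    foreach ($dir in $userWritable) {
        if ($cmd.Contains($dir)) { $flag = $true; break }
    }
    $e | Add-Member -NotePropertyName Suspicious -NotePropertyValue $flag
}

# Persist a snapshot and diff it against the stored baseline so a newly added
# Run value or Startup item stands out on later runs.
$snapshot = Join-Path $env:ProgramData 'autostart-snapshot.csv'   # assumed path
$baseline = Join-Path $env:ProgramData 'autostart-baseline.csv'   # assumed path
$entries | Export-Csv -Path $snapshot -NoTypeInformation

if (Test-Path $baseline) {
    $old = Import-Csv $baseline
    Compare-Object -ReferenceObject $old -DifferenceObject $entries -Property Location, Name, Command |
        Where-Object SideIndicator -eq '=>' |
        ForEach-Object { Write-Warning "New autostart entry: $($_.Location) :: $($_.Name) -> $($_.Command)" }
} else {
    Copy-Item $snapshot $baseline   # first run: treat the current state as the baseline
}

# Show the entries the heuristic flagged, regardless of whether they are new
$entries | Where-Object Suspicious | Format-Table Location, Name, Command -AutoSize
```

Run it once on a known-clean host to seed the baseline, then on a schedule; the `Compare-Object` output is what to feed into an alerting pipeline, while the "Suspicious" table is a triage aid rather than a verdict.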
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
- PCI DSS 4.0 – Malware Protection (Control ID: 6.4.3)
- NYDFS 23 NYCRR 500 – Cybersecurity Policy (Control ID: 500.03)
- DORA – ICT Risk Management Framework (Control ID: Article 5)
- CISA ZTMM 2.0 – Identity and Access Management (Control ID: 3.1)
- NIS2 Directive – Cybersecurity Risk Management Measures (Control ID: Article 21)
Sector Implications
Industry-specific impact of the incident, including operational, regulatory, and cloud security risks.
Financial Services
Amadey and StealC malware-as-a-service operations target financial credentials and cryptocurrency wallets, enabling ransomware deployment and financial fraud against banking institutions.
Health Care / Life Sciences
Healthcare organizations face credential theft and ransomware risks from disrupted malware operations, with HIPAA compliance requirements emphasizing encrypted traffic and access controls.
Information Technology/IT
IT sector infrastructure is directly targeted by command-and-control operations, requiring zero trust segmentation and multicloud visibility to prevent lateral movement and data exfiltration.
Government Administration
Government systems are vulnerable to state-sponsored groups using Amadey botnets for initial access, necessitating enhanced threat detection and secure hybrid connectivity for critical infrastructure.
Sources
- Amadey, StealC malware operations disrupted in Operation Endgame action – https://www.bleepingcomputer.com/news/security/amadey-stealc-malware-operations-disrupted-in-operation-endgame-action/
- Operation Endgame: two infostealers taken down again – https://www.politie.nl/en/news/2026/june/24/11-operation-endgame-two-infostealers-taken-down-again.html
- Microsoft and Allies Smash Shared Infrastructure of Amadey and StealC Malware – https://www.securityweek.com/microsoft-and-allies-smash-shared-infrastructure-of-amadey-and-stealc-malware/
- Operation Endgame: Coordinated Worldwide Law Enforcement Action Against Network of Cybercriminals – https://www.fbi.gov/news/press-releases/operation-endgame-coordinated-worldwide-law-enforcement-action-against-network-of-cybercriminals
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have limited the attacker's ability to escalate privileges, move laterally, and exfiltrate data by enforcing strict segmentation and identity-based access controls.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The initial compromise may have been constrained to the targeted system, reducing the potential for further exploitation.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to escalate privileges and access sensitive credentials could have been limited, reducing the risk of further system compromise.
Control: East-West Traffic Security
Mitigation: Lateral movement within the network may have been restricted, limiting the attacker's ability to access additional systems.
Control: Multicloud Visibility & Control
Mitigation: The establishment of command and control channels could have been detected and disrupted, reducing the risk of data exfiltration.
Control: Egress Security & Policy Enforcement
Mitigation: Data exfiltration attempts may have been identified and blocked, limiting the loss of sensitive information.
The overall impact of the attack could have been mitigated, reducing the potential for ransomware deployment or financial fraud.
Impact at a Glance
Affected Business Functions
- User Credential Management
- Financial Transactions
- Corporate Network Security
Estimated downtime: 7 days
Estimated loss: $47,000,000
27 million stolen login credentials from over 384,000 compromised systems
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to limit lateral movement within the network.
- Deploy Egress Security & Policy Enforcement to monitor and control outbound traffic.
- Utilize Threat Detection & Anomaly Response to identify and respond to malicious activities.
- Ensure East-West Traffic Security to prevent unauthorized internal communications.
- Apply Inline IPS (Suricata) to detect and block known exploit patterns and malicious payloads.