Authorities Disrupt Stealer Malware StealC and Amadey Infrastructure in Global Operation

Jun 24, 2026

Europol and law enforcement partners across multiple countries have dealt a significant blow to the cybercriminal ecosystems powering StealC, Amadey, and SocGholish malware, three widely deployed tools in the modern “cybercrime-as-a-service” supply chain.

Announced as part of Operation Endgame, the coordinated action dismantled key infrastructure enabling ransomware deployment, credential theft, and large-scale financial fraud.

Spanning two weeks of coordinated action, the operation involved law enforcement agencies from Canada, Denmark, Germany, the Netherlands, the United Kingdom, and the United States, alongside Europol, Eurojust, and private sector partners including Microsoft, Proofpoint, IBM X-Force, Bitdefender, and Shadowserver.

The combined effort targeted the criminal “assembly lines” that allow cyberattacks to scale globally.

Key outcomes of the operation include:

  • 326 servers and 142 domains taken down, crippling malware distribution networks.
  • EUR 41 million (≈ USD 47 million) in crypto assets of criminal origin identified and frozen.
  • 27 million stolen login credentials recovered.
  • 14,971 infected websites remediated, including those of small businesses, restaurants, and auto repair shops.

Password-Stealing Malware StealC

StealC, classified as an infostealer with dropper functionality, was a primary target of this operation. Distributed through multiple attack vectors, StealC was engineered to silently extract passwords, stored access credentials, session tokens, and digital identities from compromised systems, feeding stolen data directly into underground marketplaces for fraud and resale.

StealC worked in tandem with Amadey, a dropper/loader spread primarily through phishing campaigns; together the two malware families formed a critical link in the cybercrime supply chain.

Amadey establishes initial access on a victim’s device, while StealC executes credential harvesting in the background. According to Microsoft’s threat intelligence, in just the first two weeks of May 2026, Amadey and StealC were collectively linked to over 140,000 infected computers worldwide.

SocGholish and the Evil Corp Connection

SocGholish, a dropper/loader distributed through fake browser update pop-ups on compromised WordPress sites, rounded out the trio of neutralized malware.

The malware is attributed to Evil Corp, the Russian cybercriminal group previously responsible for Zeus and Dridex, and associated with numerous ransomware and money-laundering operations.

Dutch Police have already patched vulnerabilities on infected sites and notified affected owners. WordPress administrators are urged to immediately change login credentials, enable multi-factor authentication, remove unknown admin accounts, and keep their platforms updated.

To avoid SocGholish infection, users should never act on browser pop-up update prompts and should only apply updates through official system settings or verified app stores.

Operation Endgame represents a strategic evolution in law enforcement’s approach to cybercrime, moving beyond individual threat actors to dismantle the broader infrastructure enabling attacks at scale.

Europol’s European Cybercrime Centre (EC3) provided analytical support, cryptocurrency tracing, and victim notifications via platforms such as HaveIBeenPwned, Spamhaus, and Shadowserver. The Joint Cybercrime Action Taskforce (J-CAT) aligned national investigations under a unified framework.

Victim notifications are being distributed through HaveIBeenPwned, DIVD, Spamhaus, CheckjeHack, NoMoreLeaks, Shadowserver, and NL-NCSC.

Operation Endgame remains the largest international operation ever undertaken against ransomware enablers, with more than 30 public and private partners actively supporting ongoing actions.

Source: CybersecurityNews.com
