Europol Disrupts StealC and Amadey Malware Infrastructure in Operation Endgame

Pierluigi Paganini
June 24, 2026

Operation Endgame disrupted malware services like StealC and Amadey that enable ransomware, fraud, and attacks on critical infrastructure.

Between June 15 and 19, 2026, Europol coordinated a two-week law enforcement operation involving agencies from Canada, Denmark, Germany, the Netherlands, the UK, and the US, alongside private firms like Microsoft, Bitdefender, IBM X-Force, Proofpoint, Infoblox, Shadowserver, Orange Cyberdefense, and a dozen other private partners.

The operation targeted the infrastructure behind three malware families, SocGholish, Amadey, and StealC, that together form the opening stages of the cybercrime attack chain.

“The main common goal was to disrupt the “assembly lines” cybercriminals use to launch ransomware, financial fraud, and attacks on critical infrastructure.” reads the report published by EUROPOL. “Crypto assets of criminal origin currently valued at over EUR 41 million (USD 47 million) were identified, flagged, and thereby restricted from use. “

The numbers from the action are substantial. Law enforcement and private partners actioned 326 servers and 142 domains, recovered 27 million stolen login credentials, and identified, flagged, and restricted over €41 million in criminal cryptocurrency assets.

During the SocGholish portion of the operation, 14,971 infected websites were remediated, including restaurants, auto repair shops, and other everyday businesses whose WordPress installations had been quietly compromised and turned into malware distribution points. The Dutch Police removed vulnerabilities from infected sites and notified owners directly.

SocGholish works by injecting fake browser update prompts into legitimate websites. A visitor clicks what looks like a routine update, and the malware installs.

“This approach, which has caused countless victims, is primarily done by hacking websites built with WordPress and infecting them with malware.” continues the report.” The unauthorised access was then exploited for further crimes, such as installing ransomware for the purpose of digital extortion.”

SocGholish is linked to Evil Corp, the Russian cybercriminal group previously responsible for Zeus and Dridex, and associated with multiple large-scale ransomware and money-laundering operations.

Amadey has been running since October 2018 as a paid dropper service, spreading primarily through phishing campaigns. It gains initial access, delivers additional malware, and also has credential and clipboard stealing capabilities. StealC, which surfaced in January 2023, is the harvesting layer: it pulls passwords, stored credentials, digital identities, and sensitive data from compromised machines and makes them available for resale and fraud.

“Amadey gains initial access to devices, while StealC extracts passwords and sensitive data.” states the report. “Together, they form a critical link in the cybercrime supply chain.”

Microsoft linked both families to over 140,000 infected computers worldwide in just the first two weeks of May 2026.

The operational logic behind targeting these three families simultaneously is what makes this phase of Operation Endgame strategically significant. Rather than focusing on the ransomware payload at the end of the chain, the operation hit the tools that make every subsequent stage possible.

“Operation Endgame targets the initial access malware used to infect devices. Cybercriminals use this malware as a gateway to silently infiltrate victims’ systems and steal sensitive data.” reads the press release published by EuroJust. “By fighting the initial stage of the attack chain, the operation strikes at the heart of the entire ‘cybercrime-as-a-service’ ecosystem.”

Take out the loader, and the ransomware operator has no foothold to monetize.

Victim notifications went out through HaveIBeenPwned, DIVD, Spamhaus, CheckjeHack, NoMoreLeaks, Shadowserver, and the Dutch National Cyber Security Centre. WordPress site owners whose credentials were leaked have been urged to change login credentials, enable multi-factor authentication, delete any unknown admin accounts, and keep their installations updated. For ordinary users, the advice on SocGholish is the same it’s always been and apparently still needs repeating: genuine software updates come from official sources through system settings or app stores, not from browser pop-ups that scream for immediate action.

Operation Endgame is described by Europol as the largest international operation ever undertaken to tackle ransomware enablers worldwide. More than 30 public and private parties support its actions on an ongoing basis.

The operation has an active suspect portal. The message from every law enforcement statement is consistent: each takedown raises costs, degrades operations, and generates intelligence for the next one.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon