Operation Endgame strikes Amadey and StealC infrastructure

Operation Endgame – Microsoft, Europol, and international partners disrupted infrastructure used by the Amadey and StealC malware operations, taking down, seizing, blocking, and sinkholing servers and domains used to steal credentials and support ransomware and fraud.

A quiet piece of the internet—servers, domains, and control systems—has been hammered at the same time across multiple countries.

Microsoft, Europol, and international partners moved under Operation Endgame, which targets cybercriminal services and ransomware gangs, to disrupt infrastructure used by the Amadey and StealC malware operations. The action involved authorities and private partners from multiple countries, working together to identify and take down, seize, block, or sinkhole infrastructure tied to these malware families.

Europol says the operation disrupted 326 servers and 142 domains. Investigators also identified more than €41 million ($47 million) in cryptocurrency linked to criminal activity and recovered approximately 27 million credentials stolen from over 385k compromised systems.

“By taking down these tools simultaneously, the collaboration between law enforcement and private parties has increased friction for cybercriminals, making it harder for attacks to succeed, spread, or recover,” Europol announced.

The coordinated effort didn’t stop at Amadey and StealC. Operation Endgame also targeted SocGholish (FakeUpdates), a malware loader that infects visitors via compromised websites that serve fake browser update prompts.

Agencies from Canada, Denmark, Germany, the Netherlands, the United Kingdom, and the United States took part, with Europol and Eurojust coordinating the effort. Private-sector support came from Microsoft, ESET, Proofpoint, IBM X-Force, Bitsight, Infoblox, Orange Cyberdefense, Shadowserver, Have I Been Pwned, Spamhaus, and others.

Europol frames the focus as more than takedowns for their own sake: the operation targeted cybercrime infrastructure threat actors use for initial access to systems, credential theft, and ultimately ransomware deployment or financial fraud.

Amadey and StealC are sold through malware-as-a-service operations, where affiliates pay for malware builders, management panels, support, and infrastructure. Amadey is used to gain an initial foothold on victim devices to deploy additional malware. StealC is used to steal credentials, cryptocurrency wallets, and other sensitive information that can later be sold or leveraged in ransomware attacks.

Amadey is also described as a malware botnet used by both ransomware gangs and state-sponsored hacking groups to breach networks. More recently, StealC has been widely used in a variety of ClickFix attacks, including fake instructional videos on TikTok and FileFix attacks.

Microsoft’s civil case in the US adds another layer. In that action, Microsoft’s Digital Crimes Unit said it identified more than 200 malicious command-and-control domains and IP addresses associated with Amadey and StealC. Microsoft said it worked with partners to shut down the infrastructure through court orders, domain seizures, registrations, and provider notifications.

Microsoft’s complaint says stolen credentials harvested through StealC are commonly sold on underground marketplaces and through initial-access brokers (IABs). Those credentials are then used by other threat actors to breach networks, steal data, and deploy ransomware.

Microsoft also said the two malware families were linked to more than 140,000 infected devices during the first two weeks of May 2026 alone.

The private partners involved also released details of their contributions. ESET said it assisted the operation by identifying and disrupting the infrastructure used by both malware families, reporting that the action affected roughly 50 domains used by the operations and nearly 200 active command-and-control servers. Proofpoint and IBM X-Force contributed intelligence and malware analysis supporting the disruption.

Bitsight said it helped investigators by identifying and analyzing infrastructure associated with both malware families, mapping servers and related command-and-control infrastructure used by the threat actors.

Operation Endgame is an ongoing campaign. Europol says this latest phase follows previous disruptions of other malware families, including DanaBot, Bumblebee, Rhadamanthys, VenomRAT, Elysium, and SmokeLoader.

There’s a hard reality that comes with every cleanup like this: unless arrests follow, threat actors often rebuild infrastructure and return with new attacks. The disruption can buy time—but it doesn’t erase the playbook.

4 Comments

  1. So they “sinkholed” domains like that just makes it stop? Seems like it’ll come right back next week.

  2. I saw the headline and thought this was about a video game or something lol. But taking down 326 servers and 142 domains… how do you even measure that, like did they delete the internet?

  3. Wait it says 27 million credentials recovered, but that’s like… what, passwords that got stolen? If they have them why don’t they just contact everybody instantly instead of waiting. Feels messy.

  4. Operation Endgame sounds like a movie promo, not law enforcement. Also fake update prompts? I always click stuff by accident so now I’m paranoid. They said multiple countries, but does this mean my state got hacked or something? 41 million euros in crypto doesn’t mean anything to me, just sounds like a drop in the ocean.
