Operation Endgame Disrupts SocGholish, Amadey, and StealC Malware, Recovers 27 Million Stolen Login Credentials

Published
Written by: Lore Apostol, Cybersecurity Writer
Key Takeaways
  • Coordinated Operation: Europol and Eurojust led Operation Endgame, dismantling the infrastructure behind SocGholish, Amadey, and StealC malware.
  • Assets Seized: Over €41 million in criminal crypto assets were flagged, and 27 million stolen credentials were recovered.
  • Infrastructure Hit: Law enforcement and private partners targeted over 320 servers and 140 domains.

Key components of the SocGholish, Amadey, and StealC malware toolkits were dismantled following a major, Europol- and Eurojust-coordinated strike against cybercriminal infrastructure under Operation Endgame. Conducted over two weeks, the public-private operation targeted the "assembly lines" that criminals use to launch ransomware attacks, commit financial fraud, and target critical infrastructure.

Authorities took action against 326 servers and 142 domains, severely crippling the malware's distribution network. Investigators flagged over €41 million ($47 million) in criminal crypto assets and recovered as many as 27 million stolen login credentials.

Dismantling the Cybercrime-as-a-Service Model

The neutralized malware families were sold as a service, supplying other criminals with the tooling for initial system infection. SocGholish, a dropper/loader, delivered fake browser-update lures through compromised WordPress sites and is linked to the Russian cybercriminal group Evil Corp, previously responsible for Zeus and Dridex.
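The fake-update lure described above depends on a script being injected into pages of a legitimate site. As an added example, not code from the article or from any organisation it names, the following is a generic first-pass check a site operator can run over a saved copy of a page's HTML: it lists script sources that point off-origin and are not on an operator-supplied allowlist, and inline scripts that look obfuscated (long base64-like runs or runtime decode/eval calls). The sample HTML, the hostnames and the allowlist are constructed for the demonstration and are not indicators from the operation.

```python
"""Flag <script> tags in a page that point off-origin or look obfuscated.

Added example, not from the article or any vendor named in it. The
heuristics are generic; the sample page, hostnames and allowlist below
are constructed assumptions.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _ScriptCollector(HTMLParser):
    """Collect (src, inline_body) pairs for every <script> element."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._in_script = False
        self._src = None
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self._src = dict(attrs).get("src")
            self._buf = []

    def handle_data(self, data):
        # HTMLParser delivers <script> bodies as raw data, so this captures them.
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.scripts.append((self._src, "".join(self._buf)))
            self._in_script = False
            self._src = None


# Inline heuristics: a long base64-looking run, or a runtime decode/eval call.
_B64_RUN = re.compile(r"[A-Za-z0-9+/=]{80,}")
_DECODE = re.compile(r"\b(atob|eval|unescape|String\.fromCharCode)\s*\(")


def find_injected_scripts(html, site_host, allowed_hosts=()):
    """Return findings as a list of tuples:
    ('external', src)      for off-origin script sources not on the allowlist
    ('inline', snippet)    for inline scripts matching the obfuscation heuristics
    Relative src values (no host) are treated as same-origin."""
    parser = _ScriptCollector()
    parser.feed(html)
    ok_hosts = {site_host.lower(), *(h.lower() for h in allowed_hosts)}
    findings = []
    for src, body in parser.scripts:
        if src:
            host = urlparse(src).hostname
            if host and host.lower() not in ok_hosts:
                findings.append(("external", src))
        elif _B64_RUN.search(body) or _DECODE.search(body):
            findings.append(("inline", body.strip()[:60]))
    return findings


# Constructed sample page: a same-origin theme script, an allowlisted CDN,
# one off-origin script, and one inline blob that decodes a string at runtime.
SAMPLE_HTML = """<html><head>
<script src="/wp-content/themes/example/app.js"></script>
<script src="https://cdn.allowed-example.net/lib.js"></script>
<script src="https://static.not-our-site.example/u.js"></script>
<script>var p=atob("aHR0cHM6Ly9leGFtcGxlLmludmFsaWQvdXBkYXRl");</script>
</head><body>hello</body></html>"""

if __name__ == "__main__":
    for kind, detail in find_injected_scripts(
        SAMPLE_HTML, "example-site.invalid", allowed_hosts=["cdn.allowed-example.net"]
    ):
        print(kind, detail)
```

Run it against a page fetched with a normal browser user agent as well as a crawler one, since lure injections are sometimes served selectively; a finding is a starting point for inspection, not proof of compromise, and an allowlist kept in version control makes the external-host check meaningful over time.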

Generalized end-to-end flow common to modern infostealers, from initial lure through credential theft to downstream enterprise impact | Source: Microsoft

During the action, 14,971 infected websites were remediated. StealC, an infostealer that also functions as a dropper, harvested passwords and digital identities, while Amadey spread through phishing to deliver additional payloads.

Sample infostealer to ransomware attack chain | Source: Microsoft

According to Microsoft, Amadey and StealC were linked to over 140,000 infected computers worldwide in just the first two weeks of May 2026.

Coordinated Takedown Across Borders

The action brought together law enforcement from Canada (RCMP), Denmark, Germany (BKA), the Netherlands (NHCTU), the U.K. (NCA), and the U.S. Private partners included Microsoft, the Shadowserver Foundation, Proofpoint, IBM X-Force, Bitdefender, Spamhaus, and Have I Been Pwned (HIBP).

Europol's European Cybercrime Center (EC3) provided analytical support, attribution cross-checks, and crypto tracing throughout the operation.

The Dutch Police have already removed vulnerabilities from infected sites and urged WordPress users to:

Last month, Vidar and StealC were distributed via AI-generated videos on TikTok, and an enhanced StealC version 2.0 targeted crypto wallets, VPNs, gaming apps, and browsers.

A November report outlined that Russia-aligned RomCom used SocGholish to deploy Mythic Agent on Ukraine supporters in a campaign linked to GRU Unit 29155, and Operation Endgame also targeted Rhadamanthys, VenomRAT, and the Elysium botnet.

In July 2025, Cisco Talos reported that a MaaS operation delivered Amadey via GitHub, where it hosted the same variant of Emmenhtal used in a Ukraine-focused SmokeLoader phishing campaign, while Trellix reported six months later that Amadey was exploiting self-hosted GitLab to distribute StealC.
