Operation Endgame Strikes Again: Europol Seizes StealC, Amadey and SocGholish Infrastructure — 326 Servers Down, $47M Frozen

dark6 25 June 2026

Europol and law enforcement agencies across six countries have executed a major coordinated strike against the infrastructure powering three of the most widely deployed malware families in the cybercriminal ecosystem: StealC, Amadey, and SocGholish. The action, announced as the latest phase of Operation Endgame, has resulted in hundreds of server seizures, tens of millions in frozen cryptocurrency, and nearly 30 million recovered stolen credentials.

Scale of the Operation

The two-week coordinated campaign involved law enforcement from Canada, Denmark, Germany, the Netherlands, the United Kingdom, and the United States, alongside Europol, Eurojust, and private sector partners including Microsoft, Proofpoint, IBM X-Force, Bitdefender, and Shadowserver.

  • 326 servers and 142 domains taken down, dismantling malware distribution networks across multiple continents
  • EUR 41 million (approximately USD 47 million) in criminal cryptocurrency identified and frozen
  • 27 million stolen login credentials recovered and being distributed to victims via HaveIBeenPwned, Spamhaus, and partner notification services
  • 14,971 infected websites remediated, including small businesses and auto repair shops used as malware distribution vectors

StealC: The Credential Engine

StealC is an infostealer with dropper functionality engineered to silently extract passwords, stored credentials, session tokens, and digital identities from compromised systems, feeding stolen data into underground marketplaces. According to Microsoft threat intelligence, in just the first two weeks of May 2026, StealC and its companion Amadey were collectively linked to over 140,000 infected computers worldwide — illustrating the industrial scale now disrupted.

Amadey: The Infection Loader

Amadey operates as a dropper and loader, distributed primarily through phishing campaigns. It establishes initial access on victim devices and pulls down secondary payloads — most commonly StealC. Together, Amadey and StealC form a tightly coupled criminal supply chain: Amadey gains entry, StealC harvests credentials. Europol describes this partnership as a core component of the “cybercrime-as-a-service assembly line.”

SocGholish and the Evil Corp Link

The third malware targeted — SocGholish (also known as FakeUpdates) — spreads through a different but highly effective mechanism: compromised WordPress sites that display convincing fake browser update prompts. Visitors who comply unknowingly install the malware dropper, which downloads ransomware or other payloads.

SocGholish is attributed to Evil Corp, the Russian cybercriminal organization behind Zeus and Dridex, linked to large-scale ransomware campaigns and international money laundering. Dutch Police have already patched vulnerable WordPress sites and notified affected owners as part of this operation.

Victim Notification Channels

The 27 million recovered credentials are being distributed to affected individuals and organizations through:

  • HaveIBeenPwned
  • Spamhaus
  • DIVD (Dutch Institute for Vulnerability Disclosure)
  • CheckjeHack and NoMoreLeaks
  • Shadowserver and NL-NCSC

How to Protect Your Organization

  • Never act on browser pop-up prompts urging software updates — the primary SocGholish infection vector. Apply updates only through official OS settings or verified app stores.
  • WordPress administrators should immediately change login credentials, enable multi-factor authentication, remove unknown admin accounts, and keep all software fully updated.
  • Deploy EDR solutions capable of detecting infostealer behavior, including unexpected access to browser credential stores and session cookie databases.
  • Monitor for anomalous outbound connections to StealC and Amadey command-and-control infrastructure using threat intelligence feeds.
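The last two recommendations above (detecting unexpected reads of browser credential stores, and matching outbound connections against a threat intelligence feed) can be prototyped as a small detection pass over endpoint telemetry. The following is an added example written for this article, not code from Europol, Microsoft or any of the partners named here. The events, process names, file paths and indicator feed are all constructed placeholders (RFC 5737 documentation addresses and `.invalid` domains); a real deployment would read EDR events from the vendor's export and the feed from a curated source.

```python
"""Added example: toy detection pass over constructed EDR-style events.

Two checks, mirroring the two recommendations above:
  1. a non-browser process reading a browser credential or cookie store
  2. an outbound connection whose destination appears in an indicator feed

Every event, path and indicator below is a constructed placeholder.
"""
import ipaddress
import json
from pathlib import PureWindowsPath

# Constructed indicator feed (placeholders only, not real IoCs).
IOC_FEED = {
    "domains": {"update-check.example.invalid", "cdn-static.example.invalid"},
    "ips": {"203.0.113.7", "198.51.100.23"},
    "cidrs": [ipaddress.ip_network("203.0.113.0/28")],
}

# File names Chromium-based browsers use for saved logins, cookies and autofill.
CREDENTIAL_STORE_NAMES = {"Login Data", "Cookies", "Web Data"}
# Processes that legitimately open those files.
BROWSER_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}

# Constructed EDR-style telemetry, one JSON object per line.
SAMPLE_EVENTS = r"""
{"type":"file_read","host":"WS01","process":"chrome.exe","path":"C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"}
{"type":"file_read","host":"WS01","process":"updater.exe","path":"C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"}
{"type":"file_read","host":"WS02","process":"setup_tmp.exe","path":"C:\\Users\\bob\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\Cookies"}
{"type":"net_conn","host":"WS01","process":"chrome.exe","dest_host":"www.example.com","dest_ip":"192.0.2.10","dest_port":443}
{"type":"net_conn","host":"WS01","process":"updater.exe","dest_host":"update-check.example.invalid","dest_ip":"192.0.2.50","dest_port":80}
{"type":"net_conn","host":"WS02","process":"setup_tmp.exe","dest_ip":"198.51.100.23","dest_port":8080}
{"type":"net_conn","host":"WS02","process":"setup_tmp.exe","dest_ip":"203.0.113.9","dest_port":443}
this line is not JSON and is skipped by the loader
"""


def load_events(text):
    """Parse JSON-lines telemetry, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def check_credential_store(event):
    """Flag a non-browser process reading a browser credential/cookie store."""
    if event.get("type") != "file_read":
        return None
    file_name = PureWindowsPath(event["path"]).name
    if file_name in CREDENTIAL_STORE_NAMES and event["process"].lower() not in BROWSER_PROCESSES:
        return {"rule": "credential_store_access", "host": event["host"],
                "process": event["process"], "path": event["path"]}
    return None


def check_c2(event, feed=IOC_FEED):
    """Flag an outbound connection to a domain, IP or CIDR range in the feed."""
    if event.get("type") != "net_conn":
        return None
    base = {"rule": "c2_indicator_match", "host": event["host"], "process": event["process"]}
    host = (event.get("dest_host") or "").lower()
    if host in feed["domains"]:
        return {**base, "indicator": host}
    ip = event.get("dest_ip")
    if ip in feed["ips"]:
        return {**base, "indicator": ip}
    if ip:
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            return None  # unparseable address: leave it to other rules
        for net in feed["cidrs"]:
            if addr in net:
                return {**base, "indicator": str(net)}
    return None


def detect(text, feed=IOC_FEED):
    """Run both checks over the telemetry and return the list of alerts in order."""
    alerts = []
    for event in load_events(text):
        for alert in (check_credential_store(event), check_c2(event, feed)):
            if alert:
                alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(json.dumps(alert))
```

On the constructed sample this raises five alerts: two for the non-browser processes reading `Login Data` and `Cookies`, and three for connections matching the feed by domain, by exact IP and by CIDR range. The browser's own read of its credential store and the connection to `www.example.com` are correctly left alone, and the malformed line is skipped rather than aborting the run.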

Operation Endgame: Still Going

Operation Endgame, coordinated by Europol’s European Cybercrime Centre (EC3) and the Joint Cybercrime Action Taskforce (J-CAT), continues to evolve as the largest international operation ever conducted against ransomware-enabling infrastructure. Previous phases targeted other major malware ecosystems. Law enforcement officials indicated additional actions are forthcoming as the operation expands its scope. More than 30 public and private partners remain actively engaged.
