ESET researchers assisted in the global disruption of the Amadey botnet and Stealc infostealer, providing technical analysis, infrastructure tracking, and affiliate-level insights.
Analysis Summary
# Incident Report: Operation Endgame (Amadey & Stealc Disruption)
## Executive Summary
Operation Endgame was a coordinated global law enforcement and private sector action aimed at neutralizing the infrastructure of the Amadey botnet and Stealc infostealer. The operation successfully disrupted approximately 50 domains and nearly 200 active IP-based Command and Control (C2) servers. By dismantling the Malware-as-a-Service (MaaS) ecosystem used by various affiliates, the intervention significantly hindered the distribution of secondary payloads and the theft of sensitive user data.
## Incident Details
- **Discovery Date:** ESET tracking active for the past 3 years; specific disruption intelligence shared Q4 2025–H1 2026.
- **Incident Date:** Disruption peaked June 24, 2026.
- **Affected Organization:** Global victims (distributed across various sectors).
- **Sector:** Cross-sector (targets individuals and organizations via MaaS).
- **Geography:** Global (infrastructure located worldwide; malware typically avoids CIS countries).
## Timeline of Events
### Initial Access
- **Date/Time:** Ongoing over several years prior to disruption.
- **Vector:** Distributed through underground forums (MaaS model).
- **Details:** Affiliates deployed Amadey (modular loader) and Stealc (infostealer) via social engineering, drive-by downloads, and distribution-as-a-service.
### Lateral Movement
- **Details:** Primarily used for initial payload delivery; Amadey supports VNC and RDP plugins to facilitate remote access for manual lateral movement if desired by the operator.
### Data Exfiltration/Impact
- **Details:** Stealc automated the theft of browser credentials, cookies, cryptocurrency wallets, and browser extensions. Amadey acted as a gatekeeper, downloading further malware such as Lumma Stealer.
### Detection & Response
- **Detection:** Automated systems by ESET and partners identified C2 patterns, encryption keys, and campaign identifiers.
- **Response Actions:** A coalition including Microsoft DCU, ESET, BitSight, and Lumen collaborated with law enforcement to sinkhole domains and seize IP-based C2 infrastructure.
## Attack Methodology
- **Initial Access:** Pay-per-install (PPI) networks, cracked software, and various affiliate-driven campaigns.
- **Persistence:** Amadey uses Windows Startup folders and registry keys to maintain presence.
- **Privilege Escalation:** Not the primary focus; modular plugins used as needed.
- **Defense Evasion:** Execution blocks for CIS (Commonwealth of Independent States) countries, triggered by the victim's keyboard layout or system locale.
- **Credential Access:** Automated extraction of passwords and tokens from browsers and applications.
- **Discovery:** System language and locale discovery to verify victim location.
- **Lateral Movement:** Supported via VNC and RDP plugins (Amadey).
- **Collection:** Automated screenshot capture and file harvesting based on affiliate-defined patterns.
- **Exfiltration:** Data sent via HTTP(S) using RC4 encryption and Base64/Hex encoding.
- **Impact:** Financial loss via crypto-theft and credential compromise; deployment of secondary malware.
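As an added illustration of the encoding layering described in the Exfiltration item above (example code written for this report, not ESET's tooling or an Amadey/Stealc sample), the following analyst-side decoder strips a hex or Base64 outer layer and then RC4-decrypts a captured beacon with the key recovered from a sample. The key, field names and beacon text are constructed placeholders, not values taken from real malware.

```python
import base64
import binascii


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 keystream XOR; the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):  # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:  # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def unwrap_layer(blob: str) -> bytes:
    """Strip the outer text encoding: strict hex first, then Base64.
    Caveat: a Base64 string made only of hex digits would be mis-detected;
    an analyst who knows the sample's encoding should call one decoder."""
    text = blob.strip()
    try:
        return binascii.unhexlify(text)
    except (binascii.Error, ValueError):
        return base64.b64decode(text, validate=True)


def decode_beacon(blob: str, key: bytes) -> str:
    """Outer encoding -> RC4 -> UTF-8 text of the beacon body."""
    return rc4(key, unwrap_layer(blob)).decode("utf-8", errors="replace")


def parse_fields(body: str) -> dict:
    """Split a decoded 'k=v&k=v' beacon body into a dict for triage."""
    return dict(pair.split("=", 1) for pair in body.split("&") if "=" in pair)


def make_sample(plaintext: str, key: bytes, encoding: str) -> str:
    """Constructed test input: RC4-encrypt then hex- or Base64-encode."""
    ct = rc4(key, plaintext.encode())
    return ct.hex() if encoding == "hex" else base64.b64encode(ct).decode()


if __name__ == "__main__":
    key = b"EXAMPLE-RC4-KEY"  # placeholder, not a real sample key
    sample = make_sample("id=BUILD-PLACEHOLDER&os=10&av=none", key, "base64")
    print(parse_fields(decode_beacon(sample, key)))
```

The `parse_fields` output is what a detection pipeline would pivot on (build ID, OS, AV fields) when clustering samples by affiliate.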
## Impact Assessment
- **Financial:** High (crypto-wallet theft and resale of access on darknet markets).
- **Data Breach:** Massive volume of personal and corporate credentials stolen globally.
- **Operational:** Disruption of botnet services globally, neutralizing thousands of active infections.
- **Reputational:** High-profile disruption demonstrating cooperation between security firms and law enforcement.
## Indicators of Compromise
- **Network Indicators:** (Defanged examples)
  - `hxxp[://]example-c2-server[.]com/`
  - `192[.]168[.]1[.]1` (placeholder for the 200+ disrupted IPs)
- **File Indicators:** Processed malware samples with unique Build IDs and RC4 keys used for C2 communication.
- **Behavioral Indicators:** Outbound HTTP POST requests to specific URI paths containing system metadata and encrypted archives.
## Response Actions
- **Containment:** Sinkholing of approximately 50 domains to redirect malicious traffic.
- **Eradication:** Takedown of nearly 200 active IP-based C2 servers.
- **Recovery:** Public disclosure of intelligence to help organizations identify and purge resident infections.
## Lessons Learned
- **MaaS Complexity:** The affiliate-based model means disrupting one node does not stop the threat; targeting the administration panels and core infrastructure is essential.
- **Telemetry Value:** Automated extraction of C2 configurations from thousands of samples is vital for large-scale disruption.
- **Global Cooperation:** Success was only possible through a public-private partnership involving multiple tech firms and international law enforcement.
## Recommendations
- **Endpoint Protection:** Implement EDR solutions to detect behavior-based indicators (e.g., unexpected credential access).
- **Geo-Blocking:** Where business needs allow, restrict traffic to/from high-risk hosting regions identified in C2 tracking.
- **Credential Hygiene:** Use multi-factor authentication (MFA) to mitigate the impact of stolen credentials harvested by infostealers.