# Full Report
Microsoft, with law enforcement and industry partners, disrupted more than 200 command-and-control servers for Amadey and StealC, two tools often used in conjunction. The post "In a first, a court takedown goes after two cybercrime tools at once" appeared first on CyberScoop.
# Analysis Summary
# Incident Report: Joint Takedown of Amadey and StealC Infrastructure
## Executive Summary
In June 2026, Microsoft’s Digital Crimes Unit, in coordination with international law enforcement and industry partners, executed a court-authorized disruption of over 200 command-and-control (C2) servers. The operation targeted the Amadey botnet and StealC infostealer, two prominent Russian-linked malware-as-a-service (MaaS) tools frequently used together to scale cyberattacks. This landmark action marked the first time the RICO Act was utilized to treat two distinct malware families as a single criminal conspiracy.
## Incident Details
- **Discovery Date:** Ongoing tracking; significant data analyzed May 2026
- **Incident Date:** Takedown executed June 2026
- **Affected Organizations:** Global (over 140,000 infected computers)
- **Sector:** Cross-sector (including Financial, Crypto, Gaming, and Government)
- **Geography:** Global, with significant activity linked to Russian-based threat actors
## Timeline of Events
### Initial Access
- **Date/Time:** Tracking dates back to 2018 (Amadey) and 2023 (StealC).
- **Vector:** Malware-as-a-Service (MaaS) distribution via loaders and malicious payloads.
- **Details:** Amadey serves as the primary loader to provide initial access, which is then used to deliver secondary payloads like the StealC infostealer.
### Lateral Movement
- **Details:** Amadey functions as a modular botnet, allowing attackers to deploy additional tools and move through infected systems to maintain persistence.
### Data Exfiltration/Impact
- **Details:** StealC exfiltrates sensitive data including browser credentials, cryptocurrency wallets, messaging application data, email client information, and gaming platform credentials.
### Detection & Response
- **May 2026:** AI-driven analysis (via Microsoft Copilot) identifies connections between 140,000 infected hosts and shared infrastructure.
- **June 2026:** Microsoft, ESET, BitSight, Lumen, and Mitsui Bussan partner with Europol, IBM X-Force, and Proofpoint.
- **June 23, 2026:** Legal action taken under the RICO Act leads to the disruption of 200+ C2 servers.
## Attack Methodology
- **Initial Access:** Amadey botnet (Loader/MaaS).
- **Persistence:** Modular, pay-as-you-go delivery of additional malware to already-infected hosts.
- **Defense Evasion:** Centralized web panels used to manage stolen data while keeping the operation out of the victim's view.
- **Credential Access:** StealC infostealer targets browsers and email clients.
- **Collection:** Automated gathering of crypto-wallets and sensitive personal data.
- **Impact:** Financial theft and credential harvesting for subsequent attacks (e.g., Turla targeting Ukraine).
## Impact Assessment
- **Financial:** Extensive, though unquantified, due to crypto-wallet theft and service disruptions.
- **Data Breach:** High volume; data stolen from 140,000+ devices globally.
- **Operational:** Disruption of criminal "assembly lines" and infrastructure.
- **Reputational:** Significant public exposure of Russian-linked cybercriminal tools.
## Indicators of Compromise
- **Network Indicators:** 200+ C2 server IP addresses disrupted in the takedown (not listed individually in the source).
- **File Indicators:** Amadey payloads; StealC infostealer binaries.
- **Behavioral Indicators:** Outbound traffic to known MaaS web panels; unauthorized access to wallet/messaging configuration files.
## Response Actions
- **Containment:** Court-authorized seizure of command-and-control infrastructure.
- **Eradication:** Removal of malicious servers from the global routing table via industry partnerships.
- **Recovery:** Ongoing notifications to affected users via ISPs and security vendors.
## Lessons Learned
- **Key Takeaways:** Modern cybercrime is an "assembly line"; disrupting individual tools is insufficient if the underlying infrastructure is shared.
- **Innovation:** The use of the RICO Act and AI (Copilot) provided the legal and technical "glue" to connect disparate malware families into a single actionable conspiracy.
## Recommendations
- **Prevention:** Implement robust endpoint protection (EDR) to detect loader behavior (Amadey).
- **Hygiene:** Use multi-factor authentication (MFA) to limit the impact of credentials stolen by StealC.
- **Strategy:** Increase industry-law enforcement cooperation to target shared infrastructure rather than isolated threats.