200+ C2 servers linked to StealC and Amadey shut down
# Incident Report: Disrupting the Amadey and StealC MaaS Enterprise
## Executive Summary
In June 2026, Microsoft's Digital Crimes Unit, in coordination with international law enforcement and global security partners, executed a large-scale disruption of the **Amadey** and **StealC** Malware-as-a-Service (MaaS) operations. Using AI-assisted analysis and a novel application of the RICO Act, the coalition seized over 200 C2 servers and domains, recovered 27 million credentials, and flagged $47 million in illicit cryptocurrency. The operation targeted the shared "cyberattack supply chain" rather than isolated malware variants.
## Incident Details
- **Discovery Date:** Analysis intensified in early May 2026
- **Incident Date:** Takedown announced Wednesday, June 24, 2026
- **Affected Organization:** Global impact (hundreds of thousands of individual users)
- **Sector:** Cross-sector (General consumers, Microsoft software users)
- **Geography:** Global
## Timeline of Events
### Initial Access
- **Date/Time:** Ongoing/Continuous (Prior to June 2026)
- **Vector:** Phishing, malicious downloads, and secondary payloads.
- **Details:** Amadey acted as a primary loader/delivery mechanism for StealC and other payloads.
### Lateral Movement
- **Details:** Although the suite is primarily an information stealer, Amadey can deliver Remote Access Trojans (RATs), which facilitate movement within compromised local networks.
### Data Exfiltration/Impact
- **Details:** Exfiltration of browser credentials, cookies, cryptocurrency wallets, messaging app chats (from apps like Telegram/Discord), and sensitive files to various C2 servers.
### Detection & Response
- **May 2026:** AI analysis (Microsoft Copilot) identifies that StealC and Amadey share a unified infrastructure backbone.
- **June 10, 2026:** Legal complaint filed under the RICO Act targeting five defendants.
- **June 18-24, 2026:** Coordination with Europol (Operation Endgame) and private firms (ESET, BitSight, MBSD) to execute infrastructure takedowns.
- **June 24, 2026:** Public announcement of the shutdown of 200+ C2 servers.
## Attack Methodology
- **Initial Access:** Distributed via botnets and malicious loaders.
- **Persistence:** Amadey malware suite maintained persistence to allow for secondary payload delivery.
- **Defense Evasion:** Use of distributed Command & Control (C2) servers so that blocking any single IP address does not cut off the botnet.
- **Credential Access:** Highly specialized "stealer" modules targeting browser-saved passwords and session cookies.
- **Collection:** Automated scanning for cryptocurrency wallet files and chat history data.
- **Exfiltration:** Data sent via HTTP/HTTPS to a network of over 200 localized C2 nodes.
- **Impact:** Financial theft via crypto-wallets; credential harvesting for subsequent account takeover (ATO) attacks.
## Impact Assessment
- **Financial:** $47 million in cryptocurrency assets flagged/restricted.
- **Data Breach:** 27 million stolen credentials recovered.
- **Operational:** Over 140,000 computers confirmed infected in the first half of May 2026 alone.
- **Reputational:** High public impact as the operation dismantled a significant "Supply Chain" for cybercrime.
## Indicators of Compromise
- **Network Indicators:** 200+ C2 domains (e.g., [defanged] `example-c2[.]com`, `steal-data-node[.]net`).
- **File Indicators:** Amadey loader binaries and StealC exfiltration scripts.
- **Behavioral Indicators:** Unrecognized outbound traffic to known C2 infrastructure; unexpected creation of files in `%AppData%` or `%Temp%` folders.
## Response Actions
- **Containment:** Suspension and blocking of 200+ malicious domains by Microsoft and partners.
- **Eradication:** Physical and virtual seizure of C2 server instances.
- **Recovery:** Recovery of 27 million credentials to be returned to owners or used for credential reset notifications.
## Lessons Learned
- **AI as a Force Multiplier:** AI analysis allowed investigators to process complex code and infrastructure patterns in minutes rather than days.
- **Legal Innovation:** Applying the RICO Act (typically used for organized crime) allows for a wider "conspiracy" approach that can dismantle entire infrastructures shared by different malware strains.
- **Collaborative Defense:** Success was dependent on the "Security Ecosystem" (Private firms + Microsoft + Law Enforcement).
## Recommendations
- **Zero Trust:** Implement strict identity verification to mitigate the impact of stolen session cookies and credentials.
- **Phishing Protection:** Enhance email filtering to block the primary delivery mechanism for loaders like Amadey.
- **Endpoint Detection:** Deploy EDR solutions capable of spotting the behavioral signatures of "infostealers" (e.g., unauthorized access to browser profile folders).
- **Credential Hygiene:** Encourage hardware-based MFA (FIDO2), which resists the credential theft used by StealC; pair it with session revocation, since a stolen session cookie replays a login that has already completed.
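As an added illustration that is not part of the report, the behavioral indicators listed above (outbound traffic to known C2 infrastructure, files dropped in `%AppData%` or `%Temp%`) and the endpoint-detection recommendation (non-browser processes opening browser profile stores) can be expressed as one small triage rule over endpoint events. The event format, process names and the placeholder C2 domain are assumptions; the events are constructed.

```python
import re

# Constructed, defanged block list in the report's IoC style (placeholder, not a real indicator).
DEFANGED_C2_DOMAINS = {"c2-placeholder[.]invalid"}
# Credential/cookie stores an infostealer reads; only the browser itself should open them.
BROWSER_STORES = re.compile(
    r"\\User Data\\[^\\]+\\(Login Data|Cookies|Network\\Cookies)$"
    r"|\\Firefox\\Profiles\\[^\\]+\\(logins\.json|cookies\.sqlite)$", re.IGNORECASE)
BROWSER_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe"}
# %AppData% (Roaming) and %Temp% (Local\Temp): the drop locations the report names.
DROP_DIRS = re.compile(r"\\AppData\\(Roaming|Local\\Temp)\\", re.IGNORECASE)


def triage(events):
    # Each event is an assumed dict: 'image' (full exe path), 'event', and 'path' or 'dest'.
    c2 = {d.replace("[.]", ".").lower() for d in DEFANGED_C2_DOMAINS}  # refang for matching
    dropped = set()  # executables written under %AppData% / %Temp%
    findings = []
    for e in events:
        proc = e["image"].rsplit("\\", 1)[-1].lower()
        if e["event"] == "file_create":
            if DROP_DIRS.search(e["path"]) and e["path"].lower().endswith(".exe"):
                dropped.add(e["path"].lower())
        elif e["event"] == "file_read":
            if BROWSER_STORES.search(e["path"]) and proc not in BROWSER_PROCESSES:
                findings.append(("browser_store_access", proc, e["path"]))
        elif e["event"] == "net_connect":
            if e["dest"].lower() in c2:
                findings.append(("known_c2_contact", proc, e["dest"]))
            elif e["image"].lower() in dropped:  # dropped binary beaconing to an unlisted host
                findings.append(("dropped_binary_beacon", proc, e["dest"]))
    return findings


# Constructed sample: a downloader drops a binary into %AppData%; it reads Chrome's password
# store and calls out. The real browser reading the same store is benign and is not flagged.
UPD = r"C:\Users\alice\AppData\Roaming\svc\upd.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
LOGIN_DATA = r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"
SAMPLE_EVENTS = [
    {"image": r"C:\Users\alice\Downloads\setup.exe", "event": "file_create", "path": UPD},
    {"image": UPD, "event": "file_read", "path": LOGIN_DATA},
    {"image": CHROME, "event": "file_read", "path": LOGIN_DATA},
    {"image": UPD, "event": "net_connect", "dest": "c2-placeholder.invalid"},
    {"image": UPD, "event": "net_connect", "dest": "unknown-host.example"},
    {"image": CHROME, "event": "net_connect", "dest": "www.example.com"},
]


def run_sample():
    return triage(SAMPLE_EVENTS)
```

In a real deployment the event list would come from an EDR or Sysmon feed, and the `DEFANGED_C2_DOMAINS` set from the published indicator list rather than a placeholder.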