Amadey and StealC Malware Networks Dismantled, 27M Credentials Recovered
A coordinated international law enforcement operation, backed by private-sector partners Bitdefender, Bitsight, ESET, and Microsoft, has disrupted the infrastructure behind the Amadey and StealC malware families. Europol described the two-week action as a strike against the "assembly lines" cybercriminals use to launch ransomware, financial fraud, and attacks on critical infrastructure. Authorities identified and restricted more than $47 million in cryptocurrency tied to criminal activity, dismantled 326 servers and 142 domains, and recovered approximately 27 million stolen login credentials, marking one of the largest credential seizures of the year. Users concerned about exposure can check whether their email addresses appear in breach data using an email breach checker, rotate any passwords that may have appeared in the recovered dumps, and test their replacements with a password checker.
Amadey, a C++-based modular backdoor active since October 2018, operates as a malware-as-a-service (MaaS) offering priced at $600 per license, with an extra $50 charged per rebuild. Advertised by a threat actor known as InCrease, the loader supports commands for fingerprinting machines, downloading DLLs and PowerShell scripts, executing payloads via cmd.exe, taking screenshots, spawning SOCKS proxies, opening VNC or reverse proxy sessions, capturing clipboard contents and credentials, and enabling RDP. According to Japanese cybersecurity firm Mitsui Bussan Secure Directions, daily active Amadey command-and-control servers ranged between 2 and 18 until late 2022, climbed to between 5 and 30 through 2023, and gradually declined through 2024 after a brief dormant period. The current version of the malware is 5.87, and it has historically been distributed through phishing campaigns, compromised WordPress sites, and secondary loaders including Emmenhtal and SmokeLoader.
The takedown follows closely on the heels of a separate operation in which authorities from the Netherlands, Canada, Germany, and the United States disrupted SocGholish infrastructure and cleaned nearly 15,000 infected WordPress websites. All three families, SocGholish, Amadey, and StealC, are sold under the MaaS model, enabling customers to deliver additional payloads or exfiltrate sensitive data from compromised hosts. "This takedown is a powerful demonstration of what public and private sector collaboration can achieve in dismantling the infrastructure that enables cybercrime at scale," said Alex Cosoi, chief security strategist at Bitdefender. He added that the operation "sends a clear message to those behind malware ecosystems: no matter how sophisticated the tools or how distributed the network, coordinated international action will find them." Security teams investigating related exposure can review associated domain ownership through a WHOIS lookup to identify potentially malicious infrastructure.