Operation Endgame Disrupts StealC, Amadey and SocGholish Malware Networks


Operation Endgame disrupts StealC malware infrastructure, seizing millions of stolen credentials and targeting servers used in global cybercrime campaigns.


An international law enforcement operation has disrupted infrastructure used by StealC malware, a widely used infostealer sold to cybercriminals as a service.

The latest action was announced on 24 June 2026 as part of Operation Endgame, a long-running effort aimed at malware families and services that help cybercriminals steal credentials, gain access to systems, and prepare follow-up attacks.

StealC has been active as a malware-as-a-service (MaaS) tool since January 2023. For context, this means criminal customers can buy access to a control panel, build malware samples, infect victims, and collect stolen data through servers they manage.

The malware is designed to steal browser passwords, cookies, autofill data, credit card details, tokens, crypto wallet data, and credentials from tools such as Telegram, Discord, Outlook, FileZilla, WinSCP, OpenVPN, ProtonVPN, and gaming platforms.

According to Proofpoint and IBM X-Force, who supported the operation by providing technical intelligence on StealC activity, infrastructure, and payload delivery, the June action affected 66 domains and 296 servers linked to Amadey and StealC.

Researchers also identified more than 25.6 million unique stolen credentials taken from over 385,000 compromised systems. Europol said the wider action against SocGholish (also known as FakeUpdates), Amadey, and StealC involved 326 servers and 142 domains, with about 27 million stolen login credentials recovered.

The operation also hit criminal crypto assets. In its press release, Europol said assets worth more than EUR 41 million, about USD 47 million, were identified, flagged, and restricted from use.

Video: Operation Endgame’s video on the takedown of the StealC malware infrastructure

It is worth noting that StealC is not limited to simple password theft. The malware can also act as a loader, allowing operators to deliver other malicious files to infected machines. Proofpoint and IBM X-Force researchers observed StealC-linked activity delivering other malware families, including, in one case, a LockBit Black ransomware (aka LockBit 3.0) payload.

To track the malware, Proofpoint and IBM X-Force collected StealC samples from internal sources, VirusTotal, and sharing partners. They extracted malware configurations containing command-and-control addresses, build IDs, encryption keys, and communication settings. That data helped researchers map active operations and create detections.

The researchers also built a StealC emulator that reproduced the way an infected machine communicates with a StealC control server. By checking in like a real bot, they could collect the payload URLs that criminal operators served and study what malware was being delivered after the first infection.

A technical flaw in StealC’s own command-and-control panel also played a role. Proofpoint and IBM X-Force said they found a vulnerability in early 2026 while working with law enforcement. An exploit was later created, tested, and used during investigative and disruption activity against StealC servers.

The flaw involved how the StealC backend handled filenames reported by infected machines. Researchers said the panel failed to strip forward slashes from submitted filenames, so a crafted filename could traverse directories and place a web shell on the StealC server. The StealC developers patched the flaw in February, but researchers said the panel code had other security issues as well.
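The bug class described above, as an added example that is not the StealC panel code (Proofpoint published that only as an image) and is not known to match its language or layout: a Python upload handler that builds a filesystem path from a filename the bot reports, first with a sanitiser that strips `..` but not `/`, then hardened with an allow-list plus a root-confinement check. The directory names, function names, the exact sanitiser, and the PHP marker used as a stand-in payload are all assumptions; the only fact taken from the article is that unstripped forward slashes in a victim-supplied filename let an attacker write a web shell outside the intended upload directory.

```python
import os
import re
import tempfile
from pathlib import Path

# Constructed illustration of the flaw class in the article: a C2 panel upload
# handler that takes a filename reported by the infected host and builds a path
# from it. NOT the StealC panel source; layout and sanitiser are assumptions.


def vulnerable_store(upload_root: Path, victim_id: str, filename: str, data: bytes) -> Path:
    """Write an uploaded file under upload_root/<victim_id>/.

    Assumed weak sanitiser: strips backslashes and '..' but leaves forward
    slashes alone. In Python, os.path.join() discards every earlier component
    when a later one starts with '/', so an absolute filename escapes the root
    without needing a single '..'; a relative 'a/b' would reach sibling dirs.
    """
    cleaned = filename.replace("\\", "").replace("..", "")
    dest = Path(os.path.join(str(upload_root), victim_id, cleaned))
    dest.parent.mkdir(parents=True, exist_ok=True)
    dest.write_bytes(data)
    return dest


# One path component: letters, digits, dot, underscore, dash; no separators.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9._-]{1,128}$")


def hardened_store(upload_root: Path, victim_id: str, filename: str, data: bytes) -> Path:
    """Same operation with two independent controls.

    1. Allow-list the name and the victim id: a single component with no '/',
       '\\' or NUL, and no leading dot (rejects '.', '..' and hidden files).
    2. Confine the resolved destination to upload_root, so the write is still
       safe if control 1 is ever loosened.
    """
    if not _SAFE_NAME.match(filename) or filename.startswith("."):
        raise ValueError(f"rejected filename: {filename!r}")
    if not _SAFE_NAME.match(victim_id):
        raise ValueError(f"rejected victim id: {victim_id!r}")
    root = upload_root.resolve()
    dest = (root / victim_id / filename).resolve()
    dest.relative_to(root)  # raises ValueError if dest escaped root
    dest.parent.mkdir(parents=True, exist_ok=True)
    dest.write_bytes(data)
    return dest


def demo() -> dict:
    """Run both handlers against a traversal attempt and report what happened."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        upload_root = base / "uploads"
        web_root = base / "public"  # assumed web-served directory of the panel
        web_root.mkdir()
        # The filename field is attacker-controlled: the "bot" is the attacker.
        evil = str(web_root / "shell.php")  # absolute, has '/', has no '..'
        payload = b"<?php system($_GET['c']); ?>"  # marker stand-in for a web shell

        landed = vulnerable_store(upload_root, "victim1", evil, payload)
        escaped = upload_root.resolve() not in landed.resolve().parents

        try:
            hardened_store(upload_root, "victim1", evil, payload)
            blocked = False
        except ValueError:
            blocked = True
        normal = hardened_store(upload_root, "victim1", "passwords.txt", b"data")
        return {
            "vulnerable_wrote_outside_root": escaped,
            "vulnerable_dest": str(landed),
            "hardened_blocked": blocked,
            "hardened_kept_normal": normal.name == "passwords.txt"
            and upload_root.resolve() in normal.resolve().parents,
        }


if __name__ == "__main__":
    print(demo())
```

The point of the second control is that blacklisting characters (here `..`, in the article forward slashes) is the wrong shape of fix: every path-joining API has its own surprises, so the destination should be checked after resolution, not before.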

Image: Snippet of C2 panel code (Image credit: Proofpoint)

The operation included law enforcement agencies from Canada, Denmark, Germany, the Netherlands, the United Kingdom, and the United States, with Europol and Eurojust coordinating international cooperation. Private partners included Microsoft, Proofpoint, IBM X-Force, Infoblox, Bitdefender, The Shadowserver Foundation, Have I Been Pwned, Spamhaus, and others.

“We are extremely pleased to have supported Europol in the successful disruption of the SocGholish, StealC, and Amadey operations, and congratulate all those involved in this effort,” said Alex Cosoi, Chief Security Strategist at Bitdefender in a comment to Hackread.com.

“This takedown is a powerful demonstration of what public and private sector collaboration can achieve in dismantling the infrastructure that enables cybercrime at scale. It also sends a clear message to those behind malware ecosystems: no matter how sophisticated the tools or how distributed the network, coordinated international action will find them,” Cosoi emphasised.

Operation Endgame has now become one of the most visible international efforts against malware services used in cybercrime. The action against StealC shows how collaboration between law enforcement agencies and cybersecurity firms can turn the tables on cybercriminals.

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cybersecurity and tech world. I am also into gaming, reading and investigative journalism.