ctipilot.ch


Operation Endgame dismantles the Amadey and StealC malware-as-a-service backbone

From CTI Daily Brief — 2026-06-25 · published 2026-06-25

A Europol-coordinated law-enforcement and private-sector action on 24 June 2026 took down the shared infrastructure of Amadey and StealC — two of the dominant commodity malware-as-a-service families that form the pre-ransomware infection chain (Microsoft, 2026-06-24 · Europol, 2026-06-24). 326 servers and 142 domains were seized, ~27 million stolen credentials from 385,000+ systems were recovered, and EUR 41M in cryptocurrency was frozen (BleepingComputer, 2026-06-24).

Amadey (active since 2018) is a modular C++ loader with 29+ commands, scheduled-task persistence and payload staging. StealC is a C++ infostealer MaaS that harvests browser credentials, cookies, wallets and desktop clients and exfiltrates them over RC4-encrypted HTTP. ESET contributed RC4 keys and clustering that identified 53 Amadey and 73 StealC clusters (ESET, 2026-06-24). Proofpoint and IBM X-Force documented a directory-traversal flaw in StealC's C2 panel (its filename sanitiser failed to strip forward slashes); an exploit built on it was used by global law enforcement to map and access affiliate infrastructure (Proofpoint/IBM X-Force, 2026-06-24). This is a distinct action from the SocGholish/TA569 phase covered on 2026-06-19.

Why it matters to us: detecting Amadey delivery (ClickFix fake-CAPTCHA, SEO poisoning) and StealC exfiltration is a real ransomware pre-emption opportunity. Hunt scheduled-task creation (EID 4698) by browser/Office parents from %APPDATA% paths, and browser-process → mshta.exe/wscript.exe chains with temp-path arguments.
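The two hunts named above, written out as an added example (not code from the brief's authors or from any of the cited vendors). It runs over a handful of constructed Windows events: Security EID 4698 records whose TaskContent XML is parsed for the task's Exec action, and Sysmon-style process-creation records (ParentImage / Image / CommandLine). The event dicts, the user and file names in them, and the optional CreatorImage field on the 4698 records (a stand-in for parent attribution that a real pipeline would obtain by correlating with process-creation telemetry) are all assumptions made for this example.

```python
"""Hunt logic for the two Amadey/StealC indicators in the brief.

Added example, not from the brief. Detections:
  1. EID 4698 (scheduled task created) whose Exec action runs from %APPDATA%;
     the score rises when the creator is a browser/Office process.
  2. Process creation where a browser/Office parent spawns mshta.exe or
     wscript.exe with a temp-path argument.
All event records below are constructed; field names follow the Security /
Sysmon schema, but CreatorImage is an assumed correlation field.
"""
import re
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

BROWSER_OFFICE_PARENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe",
                          "winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}
LOLBIN_CHILDREN = {"mshta.exe", "wscript.exe"}

APPDATA_RE = re.compile(r"(%APPDATA%|\\AppData\\Roaming\\)", re.IGNORECASE)
TEMP_RE = re.compile(r"(%TEMP%|%TMP%|\\AppData\\Local\\Temp\\|\\Windows\\Temp\\)",
                     re.IGNORECASE)


def basename(path):
    """Lower-cased file name of a Windows path (tolerates forward slashes)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def task_commands(task_xml):
    """Yield (Command, Arguments) for every <Exec> action in a 4698 TaskContent blob."""
    root = ET.fromstring(task_xml)
    for exec_el in root.findall(".//t:Actions/t:Exec", TASK_NS):
        cmd = exec_el.findtext("t:Command", default="", namespaces=TASK_NS)
        args = exec_el.findtext("t:Arguments", default="", namespaces=TASK_NS)
        yield cmd, args


def hunt_appdata_tasks(events):
    """Flag 4698 events whose task action lives under %APPDATA%."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 4698:
            continue
        for cmd, args in task_commands(ev["TaskContent"]):
            if not (APPDATA_RE.search(cmd) or APPDATA_RE.search(args)):
                continue
            creator = basename(ev.get("CreatorImage", ""))  # assumed field
            hits.append({
                "TaskName": ev["TaskName"],
                "User": ev.get("SubjectUserName"),
                "Command": cmd,
                "Severity": "high" if creator in BROWSER_OFFICE_PARENTS else "medium",
            })
    return hits


def hunt_browser_to_lolbin(events):
    """Flag browser/Office -> mshta.exe/wscript.exe with a temp-path argument."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 1:
            continue
        parent, child = basename(ev["ParentImage"]), basename(ev["Image"])
        if parent in BROWSER_OFFICE_PARENTS and child in LOLBIN_CHILDREN \
                and TEMP_RE.search(ev["CommandLine"]):
            hits.append({"Parent": parent, "Child": child, "CommandLine": ev["CommandLine"]})
    return hits


def _task_xml(command, arguments=""):
    """Build a minimal TaskContent document for the constructed sample events."""
    return ('<Task version="1.2" xmlns="%s"><Actions Context="Author"><Exec>'
            '<Command>%s</Command><Arguments>%s</Arguments></Exec></Actions></Task>'
            % (TASK_NS["t"], command, arguments))


# Constructed sample telemetry: one malicious and one benign record per hunt.
SAMPLE_EVENTS = [
    {"EventID": 4698, "SubjectUserName": "jdoe", "TaskName": "\\UpdaterTask",
     "CreatorImage": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "TaskContent": _task_xml("C:\\Users\\jdoe\\AppData\\Roaming\\rundir\\svc.exe")},
    {"EventID": 4698, "SubjectUserName": "SYSTEM", "TaskName": "\\Microsoft\\Windows\\Backup",
     "CreatorImage": "C:\\Windows\\System32\\svchost.exe",
     "TaskContent": _task_xml("C:\\Program Files\\Vendor\\backup.exe", "/quiet")},
    {"EventID": 1, "ParentImage": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "Image": "C:\\Windows\\System32\\mshta.exe",
     "CommandLine": "mshta.exe C:\\Users\\jdoe\\AppData\\Local\\Temp\\verify.hta"},
    {"EventID": 1, "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\wscript.exe",
     "CommandLine": "wscript.exe C:\\Scripts\\logon.vbs"},
    {"EventID": 1, "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "Image": "C:\\Windows\\System32\\wscript.exe",
     "CommandLine": "wscript.exe //B %TEMP%\\inv.js"},
]

if __name__ == "__main__":
    for hit in hunt_appdata_tasks(SAMPLE_EVENTS) + hunt_browser_to_lolbin(SAMPLE_EVENTS):
        print(hit)
```

Against the constructed events this yields one task hit (the %APPDATA% updater created by a Chrome parent, scored high) and two process-chain hits (Chrome -> mshta.exe and WINWORD.EXE -> wscript.exe); the SYSTEM backup task and the explorer.exe-spawned logon script are not flagged. In production the same two functions would read from the SIEM export rather than SAMPLE_EVENTS, and the path regexes should be tuned to the environment's own user-profile layout.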