Operation Endgame disrupts Amadey and Stealc
Essential information
- Published: 24/06/2026 20:53
- Modified: —
- Source / Author: AlienVault
- Confidence: 100/100
- Report type(s): threat-report
- Labels / Tags: amadey botnet disruption danabot infostealer lumma stealer operation endgame stealc
- Related entities: 9 indicators, 9 observables, 24 techniques (mitre), 4 malware
Description
ESET Research contributed to a global disruption operation targeting the Amadey botnet and Stealc infostealer, both malware-as-a-service offerings. The operation, coordinated by Microsoft Digital Crimes Unit, BitSight, Lumen, and MBSD, impacted approximately 50 domains and nearly 200 active IP-based command and control servers. ESET provided technical analyses, statistical information, C&C server lists, encryption keys, campaign identifiers, and affiliate-level insights gathered from three years of tracking. Both malware families operate through affiliate networks where operators deploy their own infrastructure, making disruption efforts particularly challenging. Amadey primarily functions as a modular loader distributing additional payloads, while Stealc focuses on credential theft from browsers, crypto wallets, and applications. The largest Amadey botnet cluster accounted for 34% of all samples and distributed an average of 14 payloads per victim, operating a pay-per-install model that monetized compromi...