{
  "name": "Operation Endgame disrupts Amadey and Stealc",
  "slug": "operation-endgame-disrupts-amadey-and-stealc",
  "description": "ESET Research contributed to a global disruption operation targeting the Amadey botnet and Stealc infostealer, both malware-as-a-service offerings. The operation, coordinated by Microsoft Digital Crimes Unit, BitSight, Lumen, and MBSD, impacted approximately 50 domains and nearly 200 active IP-based command and control servers. ESET provided technical analyses, statistical information, C&C server lists, encryption keys, campaign identifiers, and affiliate-level insights gathered from three years of tracking. Both malware families operate through affiliate networks where operators deploy their own infrastructure, making disruption efforts particularly challenging. Amadey primarily functions as a modular loader distributing additional payloads, while Stealc focuses on credential theft from browsers, crypto wallets, and applications. The largest Amadey botnet cluster accounted for 34% of all samples and distributed an average of 14 payloads per victim, operating a pay-per-install model that monetized compromi... [truncated]",
  "published": "2026-06-24T18:53:00.767000+00:00",
  "created_at": "2026-06-25T15:33:41.550000+00:00",
  "modified_at": null,
  "created_at_opencti": "2026-06-25T15:33:41.550000+00:00",
  "author": "AlienVault",
  "confidence": 100,
  "report_types": [
    "threat-report"
  ],
  "labels": [
    "amadey",
    "botnet disruption",
    "danabot",
    "infostealer",
    "lumma stealer",
    "operation endgame",
    "stealc"
  ],
  "tags": [],
  "related_entities": {
    "indicators": [
      {
        "id": "8c6f3003-c203-442e-9a09-4eb701cb9953",
        "name": "62.60.226.159"
      },
      {
        "id": "e530f3b1-4a82-40c0-b479-c16edb00ebba",
        "name": "176.124.199.207"
      },
      {
        "id": "e0e5337a-c7c7-44ea-ac84-55ebbc4be60a",
        "name": "mi.overlapsnowbound.com"
      },
      {
        "id": "bcea6889-6ca4-4ea9-9ca9-3a226ef82740",
        "name": "95.85.238.4"
      },
      {
        "id": "d5a0a0a6-8a9a-4a22-ab3b-72aaeb2491c3",
        "name": "94.154.35.25"
      },
      {
        "id": "8ddbab38-4f5c-40da-9513-ae90057e1725",
        "name": "64.188.91.237"
      },
      {
        "id": "b685bc9f-5b5b-4ae6-9019-f959f14f3b74",
        "name": "193.143.1.16"
      },
      {
        "id": "7559916a-7ef1-4083-8f3a-a36f19533559",
        "name": "176.111.174.140"
      },
      {
        "id": "37ddfd32-459e-4111-82dc-b5d3fb252d6d",
        "name": "196.251.107.130"
      }
    ],
    "attack_patterns": [
      {
        "id": "7e3e3784-9547-42ca-b888-482972d14be3",
        "name": "T1528"
      },
      {
        "id": "7d7ac733-6442-416f-8669-c302dd0843b9",
        "name": "T1036"
      },
      {
        "id": "b7ba0db0-7d4f-436f-8d5f-c431d690b048",
        "name": "T1555.003"
      },
      {
        "id": "4f0fd880-1731-42a7-88ed-97bb3c1c1571",
        "name": "T1136.001"
      },
      {
        "id": "840f859f-575f-487e-8083-6ffd01a13a84",
        "name": "T1218.007"
      },
      {
        "id": "a72b6e11-a5d5-4f5a-8f0d-8861e90c34f7",
        "name": "T1555"
      },
      {
        "id": "ef72da1d-2eaa-4d94-8913-06978609cfb4",
        "name": "T1608.001"
      },
      {
        "id": "e615d5ec-8d67-4048-b21d-a5fb09925bb9",
        "name": "T1552.001"
      },
      {
        "id": "8142c537-ccb7-486e-a320-a51d2eac58db",
        "name": "T1552.002"
      },
      {
        "id": "196f2a64-c55b-47a6-8e38-beb76ba700b6",
        "name": "T1204.002"
      },
      {
        "id": "6b2e0999-c7e8-4662-94ac-19aa8520ee46",
        "name": "T1059.003"
      },
      {
        "id": "60972cf6-e90b-4600-af3c-13c468391d9c",
        "name": "T1106"
      },
      {
        "id": "effdd452-1540-48f5-9fff-347c7526f6ba",
        "name": "T1583.004"
      },
      {
        "id": "81b422de-709e-43bd-b471-2befac0c623a",
        "name": "T1218.011"
      },
      {
        "id": "3e7e47ba-d8ad-4aa8-a4fc-1167cec2e125",
        "name": "T1587.001"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "3bcbd7d0-6c9a-4d9b-8c71-ae338737bea1",
        "name": "T1480"
      },
      {
        "id": "0192fd78-09e3-4fe4-a9d3-38a7137e15fa",
        "name": "T1055.002"
      },
      {
        "id": "b7c6c1ad-f183-4128-8427-3891029c73dc",
        "name": "T1539"
      },
      {
        "id": "5999052b-e9ae-49e8-9235-d9bf975c22af",
        "name": "T1547.001"
      },
      {
        "id": "358e04b8-6f65-48b2-a24b-f101bfc6671a",
        "name": "T1195"
      },
      {
        "id": "2c3d4267-2bae-41ae-8486-5876953a1748",
        "name": "T1129"
      },
      {
        "id": "0156fcda-e385-4662-b388-086c3e16feec",
        "name": "T1140"
      },
      {
        "id": "2ccc4626-0e86-4148-a5a8-2aa270e22dbd",
        "name": "T1588.001"
      }
    ],
    "malware": [
      {
        "id": "3b14bdfd-fdea-4534-96f8-2a0bd99b3833",
        "name": "Amadey - S1025",
        "slug": "amadey-s1025"
      },
      {
        "id": "54a0b340-b33e-4644-8a5a-68eea8cca00d",
        "name": "Stealc",
        "slug": "stealc"
      },
      {
        "id": "0051da15-675b-4665-a6d1-872f64cf47ea",
        "name": "Lumma Stealer",
        "slug": "lumma-stealer"
      },
      {
        "id": "4963ee98-a131-4e18-b64b-e10b62974283",
        "name": "Danabot",
        "slug": "danabot"
      }
    ],
    "observables": [
      {
        "id": "d9fe84b2-1f31-410d-bfc5-3b997671da5c",
        "name": "mi.overlapsnowbound.com"
      },
      {
        "id": "3d0573eb-c6c5-4b0e-8e1d-0350b198b9c0",
        "name": "176.124.199.207"
      },
      {
        "id": "dd8834b9-b858-49e7-a075-2fd8472f31d1",
        "name": "62.60.226.159"
      },
      {
        "id": "002b4e52-a0bc-4a55-bf11-fc93034237e0",
        "name": "196.251.107.130"
      },
      {
        "id": "1b4e9ca3-b359-46bf-9d0b-9abb44f1051b",
        "name": "193.143.1.16"
      },
      {
        "id": "5c70af58-2ab9-4d44-b1b3-b1f01f12914f",
        "name": "64.188.91.237"
      },
      {
        "id": "b46eae1e-bf53-4012-990d-1e97b2e85873",
        "name": "176.111.174.140"
      },
      {
        "id": "48b81056-8c61-43ee-a809-ae16fb11387e",
        "name": "94.154.35.25"
      },
      {
        "id": "af7b984d-2417-463c-bf1a-0c811ad7a8bc",
        "name": "95.85.238.4"
      }
    ]
  },
  "external_refs": [
    {
      "id": "ecb6c4a6-61b9-4902-ac21-cdb5ae27c4d2",
      "standard_id": "external-reference--61b556df-29d4-596d-b38e-d33180949d4e",
      "entity_type": "External-Reference",
      "source_name": "AlienVault",
      "description": null,
      "url": "https://otx.alienvault.com/pulse/6a3c278cadbc5a0ba0a18ce3",
      "hash": null,
      "external_id": "6a3c278cadbc5a0ba0a18ce3",
      "created": "2026-06-25T15:33:35.667Z",
      "modified": "2026-06-25T15:33:35.667Z",
      "createdById": null
    },
    {
      "id": "e2e0bf76-d671-479d-8d37-1c9f0d17e086",
      "standard_id": "external-reference--6719e344-5841-5088-833b-9b89d375daf9",
      "entity_type": "External-Reference",
      "source_name": "AlienVault",
      "description": null,
      "url": "https://www.welivesecurity.com/en/eset-research/eset-takes-part-operation-endgame-disrupt-amadey-stealc/",
      "hash": null,
      "external_id": null,
      "created": "2026-06-25T15:33:35.693Z",
      "modified": "2026-06-25T15:33:35.693Z",
      "createdById": null
    }
  ]
}