Joint effort targets command-and-control networks used for data theft and malware distribution.
Key Takeaways:
Microsoft has disrupted critical infrastructure supporting the StealC and Amadey malware networks, two threats widely used by cybercriminals to steal sensitive data and facilitate ransomware attacks. The operation targets a key part of the cybercrime ecosystem that enables credential theft, malware distribution, and large-scale compromises.
In June, Microsoft teamed up with Europol and other industry partners to target over 200 command-and-control domains and IP addresses connected with both malware families. AI tools (including Microsoft Copilot) were used to analyze malware and support the investigation.
The infostealer attacks usually use social engineering techniques to target victims, including fake or “cracked” software downloads, malicious ads and search results, phishing emails, and techniques such as prompting users to run harmful commands. Attack chains often start on unmanaged devices and later impact enterprise environments. Once data is stolen, it’s quickly sold or used for further attacks, such as ransomware or account takeover.
StealC is offered as a service that allows attackers to generate customized versions of the malware and manage stolen information through an online control panel. Once it infects a device, StealC quietly collects various types of data, including browser credentials, session cookies, financial information, and even data from messaging or gaming applications. It can also perform additional actions, such as taking screenshots or downloading other malicious programs.
On the other hand, Amadey acts as a delivery system for malware like StealC. It is designed to gain initial access to a system and then install additional malicious tools as instructed by its operators. This lets attackers adapt their campaigns, deploying anything from credential stealers to ransomware. Amadey has been active for years and remains a reliable component of the malware ecosystem that helps other threats spread more efficiently.
According to Microsoft, stolen credentials are rapidly sold online, and prices vary depending on value (e.g., financial or corporate access). These credentials are then used for fraud, ransomware attacks, or unauthorized network access.

Organizations need to shift their security focus to strengthening identity and credential security. Companies should enforce strong authentication practices (such as phishing-resistant multi-factor authentication), monitor for unusual sign-in behavior, and regularly rotate or revoke exposed credentials. It’s also important to educate employees about common infection methods so they can recognize and avoid risky actions that lead to compromise.
Additionally, organizations should adopt a layered defense strategy that includes endpoint detection, network monitoring, and rapid incident response capabilities. Detecting suspicious activity early can limit damage before attackers escalate further. Enterprise admins must maintain up-to-date systems, restrict unnecessary privileges, and use threat intelligence to block known malicious infrastructure.
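As an added example, not part of the article or of Microsoft's tooling, here is one way to act on the "monitor for unusual sign-in behavior" advice against the session-cookie theft described above: a heuristic over constructed sign-in records that flags a session ID reused from a different IP address and user agent within a short window, which is what a stolen cookie replayed from another machine looks like. The log format, field names and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample sign-in events (not real telemetry). Each line is:
# timestamp,user,session_id,source_ip,user_agent
SAMPLE_LOG = """\
2025-06-10T08:00:00,alice,sess-41a7,203.0.113.10,Chrome/125 Windows
2025-06-10T08:05:00,alice,sess-41a7,203.0.113.10,Chrome/125 Windows
2025-06-10T08:09:00,alice,sess-41a7,198.51.100.77,Firefox/126 Linux
2025-06-10T09:00:00,bob,sess-9c02,192.0.2.44,Edge/125 Windows
2025-06-11T10:00:00,bob,sess-9c02,192.0.2.44,Edge/125 Windows
"""

def parse_events(text):
    """Parse the assumed CSV-style sign-in log into dictionaries."""
    events = []
    for line in text.strip().splitlines():
        ts, user, sid, ip, ua = line.split(",", 4)
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "sid": sid, "ip": ip, "ua": ua})
    return events

def find_session_reuse(events, window_minutes=30):
    """Flag a session ID whose next use comes from both a new IP and a new
    user agent within `window_minutes`. Requiring both to change reduces
    noise from ordinary IP changes (e.g. a laptop moving networks keeps
    its user agent). Window size is an assumed tuning value."""
    by_session = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_session[ev["sid"]].append(ev)
    alerts = []
    for sid, uses in by_session.items():
        for prev, cur in zip(uses, uses[1:]):
            minutes = (cur["ts"] - prev["ts"]).total_seconds() / 60
            if (cur["ip"] != prev["ip"] and cur["ua"] != prev["ua"]
                    and minutes <= window_minutes):
                alerts.append({"user": cur["user"], "session": sid,
                               "first_ip": prev["ip"], "second_ip": cur["ip"],
                               "minutes_apart": round(minutes, 1)})
    return alerts

if __name__ == "__main__":
    # Each alert is a candidate for revoking the session and rotating
    # the user's credentials, per the article's recommendations.
    for alert in find_session_reuse(parse_events(SAMPLE_LOG)):
        print(alert)
```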