Operation Endgame continues to demonstrate the effectiveness of international cooperation against cybercrime.
In June 2026, law enforcement and private-sector partners disrupted the StealC malware ecosystem by targeting its infrastructure and seizing millions of stolen credentials.
Key Takeaways of the StealC Operation
- Operation Endgame disrupted the StealC malware ecosystem by targeting 66 domains, 296 servers, and millions of stolen credentials through coordinated international action.
- StealC is a leading malware-as-a-service (MaaS) infostealer that steals credentials, cryptocurrency wallet data, browser information, and other sensitive data used in follow-on cyberattacks.
- Proofpoint and IBM X-Force supported the operation by developing a StealC emulator, tracking threat infrastructure, and providing intelligence that aided law enforcement investigations.
- Researchers uncovered a vulnerability in the StealC command-and-control (C2) panel that helped investigators access malicious infrastructure during the coordinated disruption.
- The operation highlights the importance of public-private collaboration in disrupting cybercriminal infrastructure and reducing the impact of malware-as-a-service operations.
StealC Malware Targeted in Operation Endgame
StealC has become one of the more widely used information stealers since its introduction as a malware-as-a-service (MaaS) platform in 2023.
The malware enables affiliates to generate customized payloads that collect browser credentials, cookies, cryptocurrency wallet information, VPN credentials, messaging application data, and other sensitive information from infected systems.
These stolen credentials are frequently sold or reused to facilitate ransomware deployments, account compromise, and other malicious activity.
As part of Operation Endgame in June 2026, Europol coordinated an international disruption targeting both StealC and the Amadey malware ecosystem.
The operation resulted in the seizure of 66 domains and 296 servers while recovering more than 25.6 million unique credentials stolen from over 385,000 compromised systems.
Microsoft also supported the effort through legal action against infrastructure operators connected to the malware ecosystem.
Intelligence Collection Strengthened the Investigation
Proofpoint and IBM X-Force contributed extensive threat intelligence that helped identify StealC infrastructure and operator activity.
Researchers analyzed malware samples obtained from internal telemetry, malware repositories, and intelligence-sharing partners to extract configuration data, including command-and-control (C2) servers, encryption keys, and affiliate identifiers.
To improve visibility into StealC campaigns, researchers developed an emulator capable of mimicking infected clients.
The emulator communicated directly with StealC C2 servers, allowing analysts to observe infrastructure, collect secondary payloads, and identify relationships between threat actors.
This capability also enabled researchers to better understand the malware delivery chains used by affiliates.
Vulnerability Assisted Law Enforcement
During the investigation, researchers discovered a vulnerability within the StealC C2 panel that allowed files to be written outside their intended directories through improper filename validation.
The directory traversal flaw created an opportunity for investigators to access compromised infrastructure during the coordinated disruption.
Although StealC developers patched the vulnerability in early 2026, the discovery proved valuable in supporting investigative efforts before remediation occurred.
Researchers also noted that weaknesses within the StealC codebase suggested the malware had been built upon older infostealer projects and contained several additional security flaws that concerned even its own affiliates.
StealC Delivered Multiple Malware Families
While StealC primarily functions as an information stealer, researchers observed that many operators also used it to distribute additional malware.
Analysis identified payloads including AsyncRAT, SmokeLoader, Vidar, RedLine Stealer, Amadey, XTinyLoader, and, in some cases, ransomware such as LockBit Black delivered through multi-stage infection chains.
These observations highlight how credential theft often serves as an initial access vector that enables more destructive attacks, increasing the operational impact of information-stealing malware beyond simple data theft.
Bottom Line
The disruption of StealC reinforces the importance of collaboration between cybersecurity vendors, other technology companies, and international law enforcement.
By combining technical research, threat intelligence, legal action, and coordinated infrastructure seizures, this phase of Operation Endgame disrupted a major malware ecosystem that supported credential theft and secondary attacks.
Continued public-private partnerships remain essential for reducing the effectiveness of malware-as-a-service operations and protecting organizations from evolving cyber threats.