Amadey and StealC: Malware-as-a-Service Unavailable
On June 24, 2026, demonstrating the power of public-private collaboration, Europol and the Microsoft Digital Crimes Unit, alongside our team and other global partners, executed a coordinated disruption as part of Operation Endgame, impacting two of the most prolific commodity malware families on Windows: the Amadey loader/botnet and the StealC information stealer. Amadey and StealC are prominent examples of the modern cybercrime "assembly line", where Amadey functions as the loader – the initial access point – while StealC operates as the stealer, the monetization engine that harvests credentials and data. Bitsight TRACE supported the action, contributing actionable threat intelligence, including command and control (C2) infrastructure mapping, comprehensive sets of indicators of compromise (IoC), and real-time infection telemetry, drawn from a pipeline we run against both families: hunting samples, extracting their configurations, emulating the malware against live C2 servers, and sinkholing C2 domains.
Key takeaways
- Bitsight TRACE supported a coordinated action led by Europol and the Microsoft Digital Crimes Unit, along with other public and private sector partners, contributing actionable threat intelligence to aid the disruption of Amadey and StealC C2 infrastructure.
- Amadey is a modular Malware-as-a-Service loader/botnet, sold on Russian-language forums since 2018. The main bot has a wide built-in capability set, effectively working as a remote access trojan (RAT), including the distribution of follow-up payloads, dynamically tasked by the C2.
- StealC is a Malware-as-a-Service information stealer, sold since early 2023, that steals credentials, cookies, autofill data, crypto wallets and desktop-app data, and can also download and run follow-up payloads of its own.
- By sinkholing the families' C2 domains and emulating their bots, we get first-hand visibility into both botnets: which countries they appear to impact most, what follow-up payloads they deliver, and, for StealC, exactly what it's set to steal (dozens of browsers, 100+ crypto-wallet, password-manager and authenticator browser extensions, desktop wallets and apps). We also saw the two families reusing the same C2 infrastructure in some campaigns.
- The action seized domains and IP addresses associated with the malware operations, disrupting both families' command-and-control infrastructure.
Why we were tracking Amadey and StealC
Loaders and stealers are the two halves of the commodity malware pipeline. A loader gets the first foothold and rents it out; a stealer leverages that foothold to collect credentials, cookies and wallets, which are then sold on underground forums and channels (including Telegram). The stolen data then fuels follow-on intrusions, account and payment fraud, and plenty else. We've followed both halves of that pipeline for years: PrivateLoader and the pay-per-install service it was powering, the Tofsee and Phorpiex botnets that drop follow-up payloads, and the Telegram-based infostealers that exfiltrate stolen data directly to Telegram. So Amadey and StealC were a natural focus: Amadey is one of the most common loaders still pulling all kinds of secondary payloads (Figure 1), and StealC is one of the most common stealers that loaders drop, in a market that has only consolidated as peers like Lumma have been disrupted.
Loaders are only one part of the delivery chain. Upstream, these threats rely on the same commodity-malware playbook used across many campaigns: trojanized cracked-software installers promoted through SEO-poisoned download sites, compromised YouTube and social-media accounts advertising “free” tools, malvertising, fake browser-update lures, fake-CAPTCHA and ClickFix-style lures, phishing emails that drop archives or script-based downloaders, and the abuse of trusted platforms such as GitHub or cloud-storage services to host payloads and evade filtering.
Loaders and stealers are usually linked in the same chain. Figure 1 displays our partial view of who is distributing whom. We routinely see Amadey drop StealC onto the same host, though stealers aren't all it delivers. We've also documented Amadey pushing proxy malware like Socks5Systemz and many other malware families. Amadey is in turn also delivered by other loaders, with SmokeLoader among them.
That long-running tracking is what let us contribute to the disruption. By the time the operation came together we had current config extractors, working bot emulators for both C2 protocols, detection rules, and sinkholed C2 domains, giving us first-hand infection telemetry: partial for Amadey and, more recently and with far less visibility, for StealC.
Amadey malware overview
Amadey is a modular Malware-as-a-Service loader/botnet, active since 2018 and sold on Russian-language underground forums. The main bot is a capable loader in its own right but it can also be classified as a remote access trojan (RAT) since it carries a broad built-in command set. The follow-up payloads it fetches can be malware of essentially any kind.
Amadey has been sold since 2018 by an actor who goes by “InCrease” on the Russian-language forum exploit[.]in (with a mirror on xss[.]is). The listing has stayed remarkably stable over the years: a one-time licence around $600 plus a small rebuild fee. The current v5 ad markets it as a modular loader – hVNC, stealer, clipper and reverse proxy (Figure 2).
Amadey communicates in plain HTTP (Figure 3), each build calling home to a hardcoded server on its own per-build URL. The bot does nothing until its C2 answers a liveness check the way it expects, and it only writes persistence once the server acknowledges its registration. Both are anti-sandbox gates: a sandbox that can't reach a live, cooperative C2 sees the sample register nothing and persist nothing. Past that gate, the bot fingerprints the host (OS, architecture, installed AV, username, computer name, domain, and a hardware-derived bot ID) and registers with the panel, which can then task it: download and run a follow-up payload, inject code, capture a screenshot, open a VNC or reverse-proxy session, or update and remove itself. Data theft and clipboard hijacking capabilities sit outside that core command set; they're handled by separate modules the bot downloads from the C2 on demand.
To hinder static analysis and config extraction, Amadey strings and configuration are obfuscated with a Vigenère-style cipher layered over Base64, decoded only in memory at runtime. The configuration itself (C2 server, campaign ID and the keys) is keyed per build, and that works in our favour: because every build's keys and campaign ID are distinct, recovering them lets us cluster samples into campaigns and track each one over time.
StealC malware overview
StealC is a C++ Windows information stealer sold as Malware-as-a-Service on underground forums since early 2023, generated by a builder and paired with a PHP-based C2 panel that issues per-victim configuration. It harvests credentials, cookies, autofill data and history from Chromium- and Firefox-based browsers, steals cryptocurrency wallets and desktop-application data (Telegram, Discord, Steam, Outlook), grabs operator-specified files, and can download and execute additional payloads, making it a stealer with a built-in loader. It's a descendant of Vidar that runs its own evolving protocol, and it split into two lineages in March 2025: the original v1 (x86, WinINet, multipart form bodies) and a v2 rewrite (x64, WinHTTP, JSON over HTTP).
StealC has been sold since early 2023 by the actor “plymouth”, on the Russian-language forums xss[.]is and exploit[.]in, as a subscription, currently around $280–$880 for one to six months. The v2 rewrite “plymouth” shipped in March 2025 has a new C2 panel rebuilt from scratch, with the malware pushing sensitive work server-side, advertising full server-side decryption of Chromium and Firefox data (cookies, passwords, even credit-card CVV2 on recent Chrome) and an automatic server-side MetaMask brute-forcer that messages the operator a wallet's seed phrase the moment it cracks one. The same ad enumerates the default targets we later confirmed in the extracted config: 23+ browsers, 100+ web extensions, 15+ desktop wallets, messengers and game-launcher sessions. Separately, “plymouth” put the older v1.12.2 source code up for sale in April 2025 ($3,000, capped at five buyers) and it sold out within two weeks; selling off the source like that is the usual precursor to forks and copycats turning up downstream (Figure 4).
StealC's v2 rewrite moved it to a JSON-over-HTTP protocol (plain HTTP only; the older v1 line still used HTTPS), with the message bodies encrypted under a per-build key. The flow is the one you'd expect of a panel-driven stealer: the bot checks in, identifying itself with a hardware-derived ID and its campaign tag, and the panel answers with a per-victim configuration (Figure 5). That configuration is what makes StealC flexible: per victim, it decides whether the bot grabs a screenshot and exactly what it pulls: credentials, cookies and autofill from dozens of browsers (including the path for Chrome's App-Bound Encryption, to reach cookies on Chrome 127+), 100+ crypto-wallet, password-manager and authenticator browser extensions, desktop wallets, and applications like Telegram, Discord, Steam, Outlook, FileZilla and VPN clients. With a valid session the bot can also be tasked as a loader, downloading and running further payloads.
To hinder static analysis and config extraction, StealC strings, C2 addresses and keys are stored as Base64-over-RC4 and decrypted only at runtime. The malware also resolves almost all of its Windows API calls dynamically, so its import table is nearly bare. Builds are tagged with short campaign names (some dated, some arbitrary), and at least one campaign we tracked fronted its C2 behind a domain rather than a bare IP. Figure 6 shows the number of new StealC campaigns (builds) we’ve observed in a recent period of ~30 days – around 60 – and how long they last.
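Both families hide their configuration under a Base64 layer plus a keyed cipher, and a config extractor has to peel those layers in the right order. The block below is an added illustration (not Bitsight's extractor, and not a byte-exact copy of either malware's routine): `decode_stealc_style` undoes the Base64-over-RC4 layering described for StealC, and `decode_amadey_style` undoes a Vigenère-style letter shift applied over a Base64 string, which is an assumption about the shape of Amadey's scheme. Keys and blobs are constructed samples that decode to a documentation-range URL.

```python
import base64
import string

def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA). Symmetric: the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def decode_stealc_style(blob: str, key: bytes) -> str:
    """Base64-over-RC4 as the post describes for StealC: strip Base64, then RC4."""
    return rc4(key, base64.b64decode(blob)).decode("latin-1")

def keyed_shift(text: str, key: str, decrypt: bool) -> str:
    """Vigenère-style shift over the letters of a Base64 string; digits, '+', '/'
    and '=' pass through so the result stays valid Base64. Illustrative stand-in
    for Amadey's routine (assumption), not a byte-exact reimplementation."""
    out, ki = [], 0
    for ch in text:
        if ch in string.ascii_letters:
            base = ord("A") if ch.isupper() else ord("a")
            k = ord(key[ki % len(key)].lower()) - ord("a")
            ki += 1  # the key only advances on letters, matching the encrypt side
            out.append(chr((ord(ch) - base + (-k if decrypt else k)) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)

def decode_amadey_style(blob: str, key: str) -> str:
    """Vigenère-style layer over Base64: undo the shift first, then Base64."""
    return base64.b64decode(keyed_shift(blob, key, decrypt=True)).decode("latin-1")

# Constructed sample inputs: documentation IP 203.0.113.5 and made-up keys.
AMADEY_KEY = "bot"
AMADEY_BLOB = "bVK0dRhwZsJkFz4kEkSqNm41Ex=="  # keyed_shift(b64("http://203.0.113.5/"), "bot", False)
STEALC_KEY = b"stealc-demo-key"
STEALC_BLOB = base64.b64encode(rc4(STEALC_KEY, b"http://203.0.113.5/")).decode()

if __name__ == "__main__":
    print("amadey-style C2:", decode_amadey_style(AMADEY_BLOB, AMADEY_KEY))
    print("stealc-style C2:", decode_stealc_style(STEALC_BLOB, STEALC_KEY))
```

Once a real build's key is recovered, the same two functions run over every obfuscated string in the binary; the per-build key and campaign ID they yield are what the clustering later in the post relies on.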
How Bitsight TRACE tracks these threats
Our visibility into Amadey and StealC comes from a pipeline where each stage feeds the next: we hunt live for samples, extract their configurations, and then use those configurations both to emulate the malware against live C2 servers (by implementing each family's C2 protocol) and to register C2 domains their operators left unclaimed.
- Sample hunting. We hunt continuously for new builds of both families with YARA rules, across as many sources as we can reach: public sandboxes and malware repositories (tria.ge, VirusTotal, MalwareBazaar) and our own collection. Some of those samples we pull straight off C2 servers by emulating downloader malware: the C2 server of a loader like Amadey hands us the very payloads it is distributing, which feed back into this stage.
- Config extraction. Our own config extractors then pull each sample's configuration: the encryption keys, campaign ID and C2 servers it keeps obfuscated inside the binary. This is the hinge of the pipeline: everything downstream runs on these extracted configs.
- C2 emulation. Feeding those configs into purpose-built emulators that speak each family's C2 protocol, we register as though we were an infected machine and watch what the panel actually does. This sees past the anti-sandbox checks that leave ordinary sandboxes empty-handed, and it lets us pull each victim's StealC configuration live and capture the follow-up payloads Amadey and StealC are tasked to drop.
- Domain registration. The same configs sometimes list C2 domains the operators never registered, or registered once and let lapse. We register those ourselves and let the infected machines beacon to us instead, the same sinkholing approach we've run on other botnets.
- Detection. We maintain and publish detection for both families (YARA rules to fingerprint the samples and Suricata rules to flag their C2 traffic) so we can find new samples, detect compromised systems that reach our infrastructure, and help defenders hunt them as well.
Infection telemetry and C2 infrastructure
Sinkholing the families' C2 domains gives us something static analysis can't: a direct view of where some of the victims actually are. Over a recent period of 90 days, we observed around 200 000 IPs infected with Amadey reaching our sinkhole. Their geographic distribution spanned the globe, with India having the highest concentration of victims (Figure 7). It bears stressing how partial this view is: we are observing a small fraction of Amadey’s botnets. Treat these numbers as a floor, not a census: the real footprint is much larger, and the geographic split is suggestive rather than exact.
For StealC, visibility over victims comes not from our sinkhole infrastructure but from the stealer logs StealC produces, which are traded through underground sales channels. We have conducted similar stealer-log analyses in the past, on AgentTesla and OriginLogger and on infostealer logs exfiltrated over Telegram; both are good examples of the visibility this kind of analysis yields. Figure 8 displays the geographic distribution of close to 5 000 machines from which StealC stole data, identified from a sample of logs we collected in January 2025.
Our bot emulators fill in the other half of the picture. Because they speak each family's C2 protocol, they don't just confirm a server is alive; they pull what the panel hands a fresh bot: the follow-up payloads it's tasked to deliver and the URLs serving them. We’ve followed the families' concurrent campaigns and captured those live delivery chains (Figure 1).
Beyond the distribution relationship between Amadey and StealC covered earlier, further connections between the two families are worth flagging. Figure 9 shows four examples of shared IPs between the C2 infrastructure of many botnets of both families: two in ELITETEAM/AS56873, one in Chang Way/AS59425, and one in Femo IT Solutions/AS214351, all known bulletproof-hosting providers.
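The cross-family overlap in Figure 9, the per-build campaign clustering described in the Amadey section, and the unclaimed-domain check behind our sinkholing all fall out of the same extracted configs. The block below is an added example, not Bitsight's tooling, that runs those three queries over a handful of constructed config records (placeholder hashes, documentation-range IPs, made-up campaign tags and domains).

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class ExtractedConfig:
    sha256: str    # placeholder label, not a real hash
    family: str    # "amadey" or "stealc"
    campaign: str  # Amadey campaign ID or StealC build tag
    c2: tuple      # C2 hosts exactly as stored in the config (IP or domain)

# Constructed records: the shared IP 198.51.100.7 mimics the Figure 9 situation.
CONFIGS = [
    ExtractedConfig("<sha256-a1>", "amadey", "camp01", ("203.0.113.10", "198.51.100.7")),
    ExtractedConfig("<sha256-a2>", "amadey", "camp01", ("203.0.113.10",)),
    ExtractedConfig("<sha256-a3>", "amadey", "camp02", ("loader-cdn.example",)),
    ExtractedConfig("<sha256-s1>", "stealc", "0420", ("198.51.100.7",)),
    ExtractedConfig("<sha256-s2>", "stealc", "msk", ("192.0.2.44", "stealer-api.example")),
]

def cluster_campaigns(configs):
    """Group samples by (family, campaign tag): distinct per build, so one
    cluster is one campaign that can be followed over time."""
    clusters = defaultdict(set)
    for c in configs:
        clusters[(c.family, c.campaign)].add(c.sha256)
    return dict(clusters)

def c2_by_host(configs):
    """Invert the configs into host -> {(family, campaign)} to see who shares what."""
    hosts = defaultdict(set)
    for c in configs:
        for h in c.c2:
            hosts[h].add((c.family, c.campaign))
    return dict(hosts)

def shared_across_families(configs):
    """C2 hosts that appear in configs of more than one family."""
    return sorted(h for h, users in c2_by_host(configs).items()
                  if len({fam for fam, _ in users}) > 1)

def sinkhole_candidates(configs):
    """C2 entries that are domains rather than bare IPs: only these can be
    unregistered or lapsed, so only these are worth a registration check."""
    def is_ip(h):
        try:
            ipaddress.ip_address(h)
            return True
        except ValueError:
            return False
    return sorted({h for c in configs for h in c.c2 if not is_ip(h)})

if __name__ == "__main__":
    print("campaign clusters:", cluster_campaigns(CONFIGS))
    print("shared across families:", shared_across_families(CONFIGS))
    print("domains to check for registration:", sinkhole_candidates(CONFIGS))
```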
The disruption
The operation, led by Microsoft's DCU and Europol's EC3 as part of Operation Endgame, involved a coordinated legal and technical action against the C2 infrastructure of both malware families. This disruption was anchored by a lawsuit filed in the U.S. District Court for the Southern District of Florida (Case No: 26-cv-24064-JB). By utilizing the Racketeer Influenced and Corrupt Organizations Act (RICO), the action targeted the criminal 'assembly line' as a coordinated conspiracy, rather than treating these as isolated malware tools. Seized domains now display an official notification splash page (Figure 10).
The operation acted on 47 total domains. The breakdown of servers and IPs addressed is as follows: 34 Amadey active core C2 IPs, 69 Amadey active task C2 IPs, and 79 active StealC IPs, totaling 182 C2 IPs.
Bitsight TRACE contributed actionable threat intelligence—including C2 infrastructure mapping, comprehensive indicators of compromise (IoC), and real-time infection telemetry—which proved critical in identifying the targets for this action. Disruptions like this demonstrate that public and private partners are most effective when pooling unique visibility to break the links in the cybercrime chain.
Outlook
Amadey and StealC are commodity Malware-as-a-Service operations, and commodity operators tend to retool rather than retire. We expect the emergence of new C2 infrastructure and rebuilt panels within the coming weeks, potentially under new build tags. The shared hosting we observed suggests some of that infrastructure may resurface together. Ultimately, this operation underscores a fundamental reality: no single organization has full visibility into how cyber threats operate across borders. Actions like this are most effective when we work from the same picture, sharing telemetry to break the links in the cybercrime chain. Bitsight TRACE will continue to track both families, hunting new builds, extracting their configs, and watching the C2s, and will share updates as the picture develops.
Acknowledgments & partner resources
Bitsight TRACE thanks the Microsoft Digital Crimes Unit, Europol’s European Cybercrime Centre (EC3), Germany's Federal Criminal Police Office, the Dutch and Danish National Police, ESET, IBM, Lumen, Mitsui Bussan Secure Directions, and Proofpoint for their efforts and cooperation.
We encourage readers to review the following technical write-ups and press releases from our partners regarding Operation Endgame and their analysis of these threats:
- Microsoft: https://blogs.microsoft.com/on-the-issues/2026/06/24/scaling-cybercrime-disruption-through-innovation-and-ai/
- Europol: https://www.europol.europa.eu/media-press/newsroom/news/global-cyber-strike-disrupts-socgholish-amadey-and-stealc-malware-networks
- ESET: https://www.welivesecurity.com/en/eset-research/eset-takes-part-operation-endgame-disrupt-amadey-stealc/
- MBSD: https://www.mbsd.jp/research/20260624/amadey-c2-en/
Indicators of compromise & detection
To help researchers and network defenders, the full indicator sets for both families, together with YARA and Suricata rules to detect them, are published on our GitHub repo:
Amadey: https://github.com/bitsight-research/threat_research/tree/main/amadey
StealC: https://github.com/bitsight-research/threat_research/tree/main/stealc
We also feed what we collect back to the wider community through abuse.ch: Bitsight is a trusted reporter that has shared 14,000+ malware samples to MalwareBazaar, 4,000+ payload URLs to URLhaus, and 1,800+ indicators to ThreatFox, an ongoing effort we started in 2024. We've also published YARA rules to detect Amadey and StealC at YARAify. If you track these families too, we'd encourage you to do the same: the more telemetry is shared openly, the harder these operations are to run.
Happy hunting. Over and out.