Summary

Microsoft, working alongside international law enforcement and several security firms, has dismantled the infrastructure behind two prolific information-stealing and loader malware families, StealC and Amadey. The operation took down, suspended, or blocked more than 200 domains and command-and-control (C2) servers, and notably leaned on AI tooling to connect the two separate operations into a single legal case. Microsoft's Digital Crimes Unit (DCU) used the connection to bring civil claims under the Racketeer Influenced and Corrupt Organizations Act (RICO) against five defendants, framing the takedown as an attack on the cybercrime supply chain rather than on any single tool.

What was disrupted

According to Microsoft, the action removed over 200 domains and C2 servers that served as the backbone for both the StealC and Amadey operations. The company's assistant general counsel for the DCU, Steven Masada, described the approach as novel because it goes after the way attacks are assembled rather than a lone service or piece of infrastructure.

"It's no longer enough to go after threats one by one," Masada said. "We need to interrupt how the attacks are put together."

The effort drew on multiple security vendors, including ESET, BitSight, Mitsui Bussan Secure Directions (MBSD), IBM X-Force, and Proofpoint.

Counting this action together with the SocGholish disruption announced the previous week, a Europol-led law enforcement coalition flagged and restricted cryptocurrency assets worth more than $47 million and recovered roughly 27 million stolen credentials.

The two malware families

StealC and Amadey are distinct products built by different criminal crews, but investigators found they shared infrastructure and were operating in tandem.

  • StealC is an information stealer. It harvests browser credentials and cookies, cryptocurrency wallets, chat data from messaging apps, and other sensitive material, then exfiltrates it to a C2 server. It also doubles as a secondary loader, letting operators who rent it pull down additional payloads onto compromised machines.
  • Amadey is a malware-as-a-service (MaaS) loader used to distribute StealC and other stealers, along with remote access trojans, cryptominers, and ransomware.

The scale was substantial: in just the first two weeks of May, Microsoft links Amadey and StealC to more than 140,000 infected computers worldwide.

How AI tied the operations together

What set this case apart, according to Masada, was combining AI analysis with a broader application of RICO. Microsoft typically uses RICO and other US statutes to pursue a single cybercrime service or piece of infrastructure.

Microsoft's investigators turned to Copilot and other AI tools to analyze both malware families and their infrastructure, "asking questions in plain English instead of manually combing through complex code," Masada wrote. He said the approach "helped surface key details, uncover hidden data, and test findings in a fraction of the time, turning what would have taken hours or days into minutes and enabling the team to spot connections faster."

One of those key findings was that Amadey and StealC relied on the same infrastructure. That overlap let Microsoft's legal team treat both as part of a single conspiracy under RICO and file civil claims against five defendants allegedly involved across both operations.

The court filing characterizes the defendants as running a unified criminal enterprise: "Defendants comprise a group of cybercriminals operating a Malware as a Service enterprise that leverages malicious software commonly known as the Amadey Malware Suite and StealC Malware Suite (the 'MaaS Enterprise')." It adds that "through the MaaS Enterprise, Defendants and their accomplices have victimized hundreds of thousands of innocent computer users, including many users of Microsoft's software and services."

Technical background

This class of threat — a loader paired with a credential stealer, both sold as rentable services — is a recurring model in the criminal ecosystem. A loader such as Amadey acts as the initial foothold and delivery mechanism: once it lands on a host, it can fetch and execute follow-on payloads on demand, including stealers, RATs, miners, or ransomware. A stealer such as StealC then performs the actual data theft, scraping browser-stored credentials, session cookies, wallet files, and application data before sending it to a C2 endpoint.

Because both stages are offered as MaaS, individual affiliates rent access rather than building tooling themselves, which is why a single shared back-end infrastructure can support tens of thousands of infections at once. Defenders typically counter this model by:

  • Monitoring outbound traffic to known C2 domains and IPs, and sinkholing or blocking them at the network edge.
  • Rotating and resetting credentials and session tokens after any suspected stealer infection, since an exfiltrated session cookie can be replayed to bypass the password entirely.
  • Hunting for loader persistence mechanisms (scheduled tasks, run keys, dropped binaries in user-writable paths).
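As an added illustration of the first and third countermeasures above (example code written for this page, not Microsoft's or any vendor's tooling), the Python below matches constructed DNS query logs against a C2 blocklist and flags autorun entries whose binary sits in a user-writable path; every host name, domain, and file path in it is a made-up placeholder.

```python
import re
# Constructed sample data, not from the article; hosts, autorun names and the
# two C2 domains are placeholders (.example never resolves).
C2_BLOCKLIST = {"amadey-panel.example", "stealc-gate.example"}
DNS_LOGS = [
    "2025-05-03T10:12:01Z host=WS-17 query=update.microsoft.com type=A",
    "2025-05-03T10:12:07Z host=WS-17 query=amadey-panel.example type=A",
    "2025-05-03T10:13:44Z host=WS-22 query=cdn.stealc-gate.example type=A",
    "2025-05-03T10:14:02Z host=WS-09 query=login.live.com type=A",
]
# (source, entry name, command line) as an autorun collector might report them
AUTORUNS = [
    ("HKCU\\...\\Run", "OneDrive", r'"C:\Program Files\OneDrive\OneDrive.exe" /bg'),
    ("HKCU\\...\\Run", "Updater", r"C:\Users\alice\AppData\Roaming\svc\upd.exe"),
    ("SchedTask", "\\SysCheck", r'"C:\Users\alice\AppData\Local\Temp\chk.exe" -s'),
    ("SchedTask", "\\Defrag\\ScheduledDefrag", r"%windir%\system32\defrag.exe -c"),
]
# Path fragments an unprivileged user can write to: a loader that must survive
# reboot without admin rights usually drops its binary in one of these.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\", "\\downloads\\")
DNS_RE = re.compile(r"host=(?P<host>\S+) query=(?P<q>\S+)")

def flag_dns(lines, blocklist=C2_BLOCKLIST):
    """(host, domain) for lookups of a blocklisted domain or any subdomain of it."""
    hits = []
    for line in lines:
        m = DNS_RE.search(line)
        if not m:
            continue
        q = m["q"].lower().rstrip(".")
        if any(q == d or q.endswith("." + d) for d in blocklist):
            hits.append((m["host"], q))
    return hits

def image_path(cmd):
    """First token of a command line, honouring a quoted path, lower-cased."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)].lower()
    return cmd.split()[0].lower()

def flag_persistence(entries, markers=USER_WRITABLE):
    """(source, name, path) for autoruns whose binary sits in a user-writable path."""
    hits = []
    for src, name, cmd in entries:
        path = image_path(cmd)
        if any(mk in path for mk in markers):
            hits.append((src, name, path))
    return hits
```

In a real deployment the blocklist would come from a threat-intelligence feed and the autorun list from an endpoint agent; the matching logic stays the same.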

Targeting the shared infrastructure and back-end servers — as in this takedown — disrupts every affiliate at once, which is the supply-chain-oriented strategy Microsoft is emphasizing here.
