Microsoft on Wednesday announced a coordinated operation with Europol and other international partners to disrupt Amadey and StealC, infostealer tools whose harvested data is used to enable ransomware, financial fraud and other digital crimes.
Amadey is a specialized tool used by cybercriminals to infect computers, while StealC is used to steal passwords and other sensitive data after the computers are infected. The tools are used widely around the globe, with Microsoft finding more than 140,000 computers worldwide infected with the tools during the first two weeks of May.
Microsoft identified more than 200 malicious Amadey and StealC command-and-control domains and IP addresses and shut them down using a combination of court-ordered actions, domain seizures and related measures.
In a filing with the U.S. District Court in Miami, Microsoft accused a series of unnamed defendants of operating a malware-as-a-service enterprise. Microsoft asked the court to disable and transfer control of related internet domains to the company.
Microsoft, in a blog post Wednesday, said investigators used AI to help analyze how Amadey and StealC were being used in the infostealing operation. The analysis helped speed up an understanding of how the operation worked, cutting significant time out of the probe and allowing investigators to target the operators as a single conspiracy.
The seizure was part of Operation Endgame, a coordinated effort to disrupt infrastructure used in global cybercrime. The operation uncovered 25.6 million stolen credentials and 385,000 compromised systems, according to researchers at Proofpoint and IBM, who participated in the investigation.
Experts called infostealers one of the most important gateways to ransomware.
“Many ransomware attacks begin with stolen credentials and session cookies that infostealers harvest and sell to affiliates through access brokers,” said Roye Bass, a ransomware threat intelligence analyst at Halcyon. “Taking down the command-and-control infrastructure behind these tools severs that supply, and forces operators to rebuild.”