Microsoft-Europol Operation Endgame Seizes Amadey-StealC Shared C2 After Panel Exploit
The joint action against shared Amadey-StealC infrastructure demonstrates how cybercrime-as-a-service scales through reusable components and how targeted legal-technical pressure can fracture those components. Evidence from panel exploitation and seized telemetry shows the operation hit multiple criminal affiliates simultaneously rather than isolated actors.
Microsoft, Europol, ESET, Proofpoint, and IBM X-Force coordinated legal and technical actions against overlapping Amadey and StealC command-and-control domains. AI-driven infrastructure mapping revealed identical hosting patterns and domain registration clusters used by multiple affiliate groups since 2023. The shared setup functioned as a cybercrime assembly line, with Amadey providing initial access and StealC harvesting credentials and wallets.
Procurement records and prior Endgame actions show law enforcement increasingly targets reusable loader-infostealer pairings rather than single campaigns. Court documents from related infrastructure seizures confirm that operators rent the same bulletproof hosting and domain fronting services, lowering barriers for smaller groups. This takedown exploited an unpatched StealC panel vulnerability that at least one affiliate had already used against rivals.
Public-private coordination succeeded because shared infrastructure creates single points of failure that individual takedowns cannot reach. However, historical patterns after similar operations indicate rapid migration to new panels within 60-90 days and increased use of domain generation algorithms. Independent technical telemetry will be required to verify whether credential volumes actually decline.
Next indicators include fresh Amadey variants reusing the same loader code base and spikes in alternative infostealer rentals advertised on Russian-language forums.
ESET: Amadey loader code reuse across new domains will exceed 40% of prior volume within 90 days