StealC infrastructure takedown assisted by AI analysis, C2 infiltration

Europol, Microsoft, Proofpoint, IBM and other law enforcement and industry partners announced a collaborative takedown of StealC and Amadey infrastructure on Wednesday, as part of Operation Endgame.  

Microsoft revealed that it used AI-assisted techniques leveraging Copilot to establish a connection between the StealC and Amadey operations, allowing the company to take legal action against shared infrastructure under the Racketeer Influenced and Corrupt Organizations Act (RICO).

Additionally, Proofpoint and IBM X-Force, in a joint announcement, described how the companies discovered a vulnerability in StealC command-and-control (C2) panels and emulated StealC clients to track attacker payloads and threat clusters, assisting law enforcement efforts.

StealC is a malware-as-a-service (MaaS) infostealer capable of stealing credentials from Chromium-based browsers, Gecko-based browsers and desktop applications, including credentials for mail servers, the WinSCP FTP and SFTP client, and gaming applications like Steam, Microsoft said in a report also published Wednesday.

The infostealer also collects a wide variety of system information and is capable of stealing files based on configurations received from its C2 server. Additionally, it has an optional loader functionality that can be used to retrieve additional payloads such as infostealers, remote access trojans (RATs) and ransomware, according to IBM X-Force and Proofpoint.

Amadey is another MaaS offering and loader that is frequently used to deliver StealC. Microsoft said that, while Amadey and StealC were developed by separate threat actors, the company’s investigations showed they rely on the same infrastructure. Microsoft credited the use of AI tools, including Copilot, with helping investigators analyze malware samples more efficiently and draw connections between the two operations.

“That helped surface key details, uncover hidden data, and test findings in a fraction of the time, turning what would have taken hours or days into minutes and enabling the team to spot connections faster,” Microsoft stated.

Microsoft said it identified more than 18,000 compromised systems in its investigation, with legal action disrupting more than 200 C2 servers to cut off threat actors’ access to those systems. Europol announced it seized more than €41 million (about $47 million USD) in crypto assets and identified about 27 million stolen credentials in total throughout its investigations of StealC, Amadey and SocGholish, the latter of which was subject to takedowns last week.

“This action goes after the cybercrime ‘assembly line,’ where coordinated tools drive ransomware, financial fraud, and disruptions to public services,” Microsoft stated.

Proofpoint and IBM X-Force contributed additional investigations into StealC malware samples and infrastructure, including by infiltrating the C2 panel using a path traversal vulnerability discovered earlier this year. The researchers found that the PHP-based backend stored files with their original file name and used a sanitization function that failed to sanitize file names containing forward slashes.

A panel plugin used to decrypt MetaMask crypto wallet seed phrases for certain files would extract these files from the ZIP archives they were stored in and place them in a new temporary directory without changing the file name. Researchers exploited the flaw by crafting file names with path traversal constructs to escape the intended temp directory and write a web shell to the C2 server.
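To make the class of flaw concrete from the defender's side, here is an added example (not code from the article, Proofpoint, IBM or the panel itself) that builds a small in-memory ZIP with a constructed traversal entry name, shows how a hypothetical sanitizer that only rewrites backslashes lets it through, and contrasts it with an extractor that resolves each destination path and refuses anything outside the target directory. The archive contents, the entry names and the weak sanitizer are all assumptions made for illustration.

```python
import io
import os
import tempfile
import zipfile

def build_sample_zip():
    # Constructed archive: a benign entry plus one whose name uses '../'
    # segments (assumed for illustration) to climb out of the extraction dir.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("wallet.json", '{"note": "benign sample"}')
        zf.writestr("../../escaped.txt", "must never land outside the temp dir")
    return buf.getvalue()

def weak_sanitize(name):
    # Hypothetical stand-in for the flawed sanitizer: only backslashes are rewritten.
    return name.replace("\\", "_")

def safe_destination(dest_dir, name):
    # Resolve the entry's output path; None means it would escape dest_dir.
    root = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(root, name))
    return target if os.path.commonpath([root, target]) == root else None

def extract_hardened(data, dest_dir):
    # Extract with the containment check; map entry -> 'written' / 'rejected'.
    results = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            target = safe_destination(dest_dir, info.filename)
            if target is None:
                results[info.filename] = "rejected"
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            results[info.filename] = "written"
    return results

def audit_weak_sanitizer(data, dest_dir):
    # Write nothing; just report which entries the weak sanitizer lets escape.
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {i.filename: safe_destination(dest_dir, weak_sanitize(i.filename)) is None
                for i in zf.infolist()}

def demo():
    # Run both checks against the constructed archive in a scratch directory.
    data = build_sample_zip()
    with tempfile.TemporaryDirectory() as dest:
        return extract_hardened(data, dest), audit_weak_sanitizer(data, dest)
```

The containment check (resolve, then compare against the real root) is the mitigation a reviewer would ask for wherever archive entry names become filesystem paths.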

In addition to exploiting this flaw, Proofpoint and IBM X-Force also investigated StealC C2 servers by emulating StealC clients and retrieving stored payloads. The researchers were able to extract hardcoded C2 addresses and communicate with these domains using tools designed to mimic activity from a real StealC infection.

These emulation operations allowed them to investigate the other types of payloads being leveraged by StealC affiliates, including Amadey, AsyncRAT, Redline Stealer, Vidar, XTinyLoader, XMRig and more. In one case, XTinyLoader was installed, which subsequently downloaded LockBit Black ransomware. This allowed the researchers to draw connections between affiliates and identify threat clusters by tracking where multiple C2 panels retrieved their payloads from the same IP.

The latest disruptions of StealC and Amadey were assisted by several other private and law enforcement partners including ESET, BitSight, Lumen, Mitsui Bussan Secure Directions (MBSD), the German Federal Criminal Police Office, and the Dutch and Danish National Police. The action is expected to hamper StealC and Amadey operations, which Microsoft says were linked to more than 140,000 infections globally in the first week of May alone.
