Takedown
Endgame Strikes Again: A Global Operation Rips Out the SocGholish, Amadey and StealC Stealer-Loader Backbone
In coordinated action carried out June 15–19 and announced this week, Operation Endgame — led by Europol and Eurojust with law enforcement from Canada, Denmark, Germany, the Netherlands, the United Kingdom, and the United States — dismantled the infrastructure behind three malware families that sit at the heart of the cybercrime economy. SocGholish pushes fake browser-update lures through compromised websites; Amadey is a downloader-and-stealer hybrid; StealC harvests passwords and authentication tokens while doubling as a loader. The strike disrupted 326 servers and 142 domains, flagged more than €41 million in criminal cryptocurrency, and recovered roughly 27 million credentials stolen from over 385,000 compromised systems.
These loaders and stealers are the initial-access and credential-theft layer that precedes ransomware and fraud, so the seized command panels and loader-to-victim mappings — bolstered by private-sector help from Microsoft, ESET, Proofpoint, IBM X-Force, Shadowserver, Have I Been Pwned, and Spamhaus — are an evidentiary goldmine for scoping who was infected and what was taken. Forensic priority: ingest the released IOCs and recovered-credential sets, hunt SocGholish fake-update injects and Amadey/StealC staging and persistence on suspect hosts, and treat any credential that touched an infected machine as burned. The caveat that always applies: takedowns disrupt, they rarely eradicate — expect rebrands and rebuilt infrastructure.
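The triage described above reduces to two joins: released IOCs against egress logs to find the hosts that talked to the malicious infrastructure, and those hosts against logon records to find every account that must be treated as burned. The script below is an added example written for this page; it is not code from Europol, Eurojust, or any of the named partner companies, and the IOC feed, proxy log lines, host names and account names are all constructed placeholders. It assumes the published IOC set can be flattened into a simple type,value list, which is the only format the loader here understands.

```python
"""Added example: match a released IOC list against proxy logs, then derive the
set of credentials to rotate. All indicators, hosts and users are constructed."""
import re
from collections import defaultdict

# Constructed IOC feed (placeholder values, not indicators from the release).
IOC_FEED = """\
type,value
domain,fake-update-lure.invalid
domain,stealc-panel.invalid
ipv4,203.0.113.45
"""

# Constructed proxy log: timestamp client_host user method url status
PROXY_LOG = """\
2024-06-16T09:12:03Z ws-0142 alice GET http://news-site.example/index.html 200
2024-06-16T09:12:07Z ws-0142 alice GET https://cdn.fake-update-lure.invalid/update.js 200
2024-06-16T10:02:51Z ws-0197 bob GET https://intranet.example/portal 200
2024-06-16T10:03:02Z ws-0197 bob POST http://203.0.113.45/gate 200
2024-06-16T11:44:10Z ws-0310 carol GET https://cdn.example/app.js 200
"""

# Constructed logon records: which accounts authenticated on which host.
LOGONS = {
    "ws-0142": {"alice", "svc-backup"},
    "ws-0197": {"bob"},
    "ws-0310": {"carol"},
}

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<user>\S+) (?P<method>[A-Z]+) "
    r"(?P<url>\S+) (?P<status>\d{3})$"
)
NETLOC_RE = re.compile(r"^[a-z]+://(?P<netloc>[^/:?#]+)", re.IGNORECASE)


def load_iocs(feed):
    """Parse a type,value CSV into {type: {values}}, values lower-cased."""
    iocs = defaultdict(set)
    for row in feed.splitlines()[1:]:          # skip the header row
        if not row.strip() or "," not in row:
            continue
        kind, value = row.split(",", 1)
        iocs[kind.strip().lower()].add(value.strip().lower())
    return iocs


def netloc_of(url):
    """Return the host part of a URL, or None if it has no scheme://host form."""
    m = NETLOC_RE.match(url)
    return m.group("netloc").lower() if m else None


def ioc_for(netloc, iocs):
    """Return the matching IOC value: exact IPv4, or a domain incl. subdomains."""
    if netloc in iocs.get("ipv4", ()):
        return netloc
    for domain in iocs.get("domain", ()):
        if netloc == domain or netloc.endswith("." + domain):
            return domain
    return None


def match_proxy_log(log, iocs):
    """Return one hit dict per log line whose destination matches an IOC."""
    hits = []
    for line in log.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                            # unparseable line, skip
        netloc = netloc_of(m.group("url"))
        if netloc is None:
            continue
        ioc = ioc_for(netloc, iocs)
        if ioc:
            hits.append({"ts": m.group("ts"), "host": m.group("host"),
                         "user": m.group("user"), "url": m.group("url"),
                         "ioc": ioc})
    return hits


def burned_credentials(hits, logons):
    """Every account that touched an infected host is treated as burned."""
    burned = {h["user"] for h in hits}
    for host in {h["host"] for h in hits}:
        burned |= logons.get(host, set())
    return burned


if __name__ == "__main__":
    iocs = load_iocs(IOC_FEED)
    hits = match_proxy_log(PROXY_LOG, iocs)
    for h in hits:
        print(f"{h['ts']} {h['host']} {h['user']} -> {h['ioc']} ({h['url']})")
    print("rotate:", sorted(burned_credentials(hits, LOGONS)))
```

Two design points matter in practice. Domain matching includes subdomains, since the lure and staging hosts are rarely served from a bare apex, and the credential set is widened from the user seen in the log line to every account with a logon on that host, which is what "treat any credential that touched an infected machine as burned" means operationally: a service account that never browsed anywhere still gets rotated if the stealer ran on the box it logged into.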