Operation Endgame successfully disrupts Amadey botnet and Stealc infostealer through coordinated takedown
ESET participated in a coordinated international operation that successfully disrupted the Amadey botnet and Stealc infostealer malware families. The operation demonstrates the effectiveness of multi-agency collaboration in dismantling active malware infrastructure at scale.
Operation Endgame represents a significant success in disrupting two prolific malware families that have posed sustained threats to organisations and individuals worldwide. Amadey has operated as a modular botnet-as-a-service platform for several years, primarily distributed through watering hole attacks and malicious advertisements, while Stealc emerged as a successor to popular credential-stealing frameworks and has been heavily commercialised in underground markets.
ESET's contribution to this operation centred on technical infrastructure analysis, affiliate network mapping, and malware behaviour characterisation. This type of collaboration is valuable because it consolidates threat intelligence across multiple security vendors and law enforcement agencies, creating a more comprehensive picture of attacker operations than any single organisation could achieve independently. The targeting of affiliate distribution networks alongside the core command-and-control infrastructure represents a sophisticated understanding of how these criminal operations monetise their malware.
The practical impact of such takedowns is often limited in duration: operators typically migrate to new infrastructure or release updated variants that circumvent the specific disruptions. However, the operational friction imposed on cybercriminal groups, the public attribution of their activities, and the seizure or deactivation of infrastructure create temporary disruption that can degrade attack capabilities and raise operational costs for threat actors.
Defenders should treat this as a narrow window of opportunity to identify compromised systems and clean infected hosts. Organisations using endpoint detection and response tools should hunt for historical indicators of Amadey and Stealc compromise, particularly focussing on credential dumping and outbound communications to known command-and-control servers. Individuals should assume that credentials harvested by these malware families prior to the disruption have been compromised and take steps to rotate sensitive passwords.
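One way to run the retrospective hunt described above, as an added example that is not ESET's or Operation Endgame's tooling: match the destination of every egress log line against a set of C2 indicators and group the hits by source host. The indicator values (an exact IP, a CIDR block, and two domains) and the Squid-style proxy log lines are constructed for illustration and are not real Amadey or Stealc infrastructure; substitute the indicators published for the takedown. Note that the script deliberately does not filter on HTTP status: after a takedown the C2 no longer answers, so a failed connection to a seized host is still evidence that the client is infected.

```python
"""Hunt proxy egress logs for connections to known C2 infrastructure.

Added example, not ESET's or Operation Endgame's code. All indicators and
log lines below are constructed (hypothetical) and must be replaced with the
real indicators published for the takedown.
"""
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed IOCs (hypothetical; documentation ranges and .invalid domains).
IOC_IPS = {"203.0.113.10"}                                   # exact C2 IPs
IOC_CIDRS = [ipaddress.ip_network("198.51.100.0/24")]        # seized hosting range
IOC_DOMAINS = {"panel-example.invalid", "stealc-example.invalid"}  # C2 domains

# Squid-style access log: timestamp client method url status
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<status>\d+)"
)

# Constructed sample log; hosts 10.0.0.5, .9 and .7 are the infected ones.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.0.0.5 POST http://203.0.113.10/g8sjK/index.php 200
2024-05-01T10:00:05Z 10.0.0.5 GET http://updates.example.com/patch 200
2024-05-01T10:01:12Z 10.0.0.9 CONNECT api.panel-example.invalid:443 200
2024-05-01T10:02:30Z 10.0.0.7 GET http://198.51.100.77/cfg 404
2024-05-01T10:03:00Z 10.0.0.7 GET https://www.example.org/ 200
"""


def extract_host(target: str) -> str:
    """Return the bare hostname from a URL or a CONNECT 'host:port' target."""
    if "://" in target:
        host = urlsplit(target).hostname or ""
    else:
        host = target.rsplit(":", 1)[0]  # CONNECT targets carry no scheme
    return host.lower().rstrip(".")


def classify_host(host: str):
    """Return the IOC category the host matches, or None if it is clean."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None
    if addr is not None:
        if host in IOC_IPS:
            return "ioc_ip"
        if any(addr in net for net in IOC_CIDRS):
            return "ioc_cidr"
        return None
    # Domain IOCs match the domain itself and any subdomain of it.
    for dom in IOC_DOMAINS:
        if host == dom or host.endswith("." + dom):
            return "ioc_domain"
    return None


def hunt(log_text: str):
    """Map each source host to its (timestamp, destination, reason) hits.

    Every line is inspected regardless of HTTP status: a 404 or a refused
    CONNECT to a seized C2 is still a beacon from an infected machine.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the hunt
        host = extract_host(m["url"])
        reason = classify_host(host)
        if reason:
            hits[m["src"]].append((m["ts"], host, reason))
    return dict(hits)


if __name__ == "__main__":
    for src, events in hunt(SAMPLE_LOG).items():
        for ts, host, reason in events:
            print(f"{src} -> {host} at {ts} [{reason}]")
```

Point the script at historical logs, not just current traffic: the goal is to find hosts that beaconed before the disruption, since those are the machines whose stored credentials should be treated as stolen and rotated.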
The operation underscores the continued importance of international law enforcement and private sector coordination against malware infrastructure. Whilst criminal actors have demonstrably relocated to new platforms and maintained operations post-takedown in other notable cases, these coordinated actions establish precedent and operational muscle for future disruption campaigns targeting emerging threats.