DMZ//THREAT INTEL
TLP:WHITE | THREAT ACTOR DOSSIER // AMADEY-STEALC-MALWARE-NETWORK | FIRST SEEN: 2018 (Amadey) / 2023 (StealC)

Amadey / StealC MaaS Operators

ALSO KNOWN AS: Amadey botnet operators, StealC MaaS operators
FROM: DMZ INTELLIGENCE DESK
ORIGIN: Russia (assessed — Evil Corp infrastructure overlap; SocGholish/FakeUpdates linkages to Russian cybercriminal organization)
ATTRIBUTION: ORGANIZED CRIME
STATUS: DORMANT
FIRST OBSERVED: 2018 (Amadey) / 2023 (StealC)
CAPABILITY SCORES
TECHNICAL: 69/100
RESOURCES: 69/100
PERSISTENCE: 72/100
STEALTH: 64/100
IMPACT: 78/100

As part of the ongoing Operation Endgame Phase 4 (June 2026), Europol and partners from six countries disrupted the Amadey and StealC malware-as-a-service networks, seizing 326 servers, freezing $47M in criminal cryptocurrency, and recovering 27 million stolen login credentials from 385,000 compromised systems. Microsoft's Digital Crimes Unit filed a RICO civil lawsuit after AI-assisted analysis (using Microsoft Copilot) revealed Amadey and StealC shared the same C2 infrastructure despite being developed by separate criminal groups, enabling a unified takedown of 200+ C2 servers. In May 2026 alone, the two infostealers were linked to 140,000 infected computers.

MOTIVATION: Financially motivated infostealer-as-a-service operations providing credential theft infrastructure to downstream cybercriminal actors, including ransomware affiliates.

TTPs: Infostealer-as-a-service distribution (T1566), malvertising delivery, SocGholish fake browser update dropper (T1189), credential harvesting (T1555), C2 communication via shared infrastructure (T1571), botnet-as-a-service, ransomware pre-positioning.

TARGET SECTORS:
ENTERPRISE
CONSUMER
GOVERNMENT
FINANCIAL SERVICES
TECHNOLOGY

INFRASTRUCTURE: 200+ C2 servers (seized/disrupted June 2026 via Microsoft civil action + Europol), SocGholish distribution network (1.44M compromised WordPress sites as of May 2026), shared Amadey/StealC command-and-control backend infrastructure; Evil Corp organizational links.

FILE DATE: MAY 2026
Peak Infostealer Activity
Amadey and StealC linked to 140,000 infected computers in May 2026 alone; SocGholish network reaches 1.44 million compromised WordPress sites across 187 countries.
FILE DATE: JUN 2026
Operation Endgame Phase 4 Takedown
June 18 SocGholish takedown by Dutch police and June 24 combined ██████████████████████ Europol; 326 servers seized, $47M frozen, 27M credentials recovered; Microsoft RICO lawsuit enables simultaneous 200+ C2 server disruption.