ESET Joins Operation Endgame to Disrupt Amadey and Stealc 2026
News | 30.06.2026
Malware-as-a-service (MaaS) ecosystems have lowered the technical barrier for cybercrime, enabling affiliates to deploy loaders and infostealers at scale. The disruption of two major MaaS platforms, Amadey and Stealc, marks a significant operational blow to credential theft, payload distribution, and remote access campaigns affecting organizations worldwide.
What was announced
ESET Research took part in a coordinated global operation to disrupt the Amadey botnet and the Stealc infostealer. The operation, led by Microsoft Digital Crimes Unit (DCU), BitSight, Lumen, and Mitsui Bussan Secure Directions (MBSD), targeted all known network infrastructure used by Amadey and Stealc affiliates. In parallel, Europol's European Cybercrime Centre (EC3), Germany's Federal Criminal Police Office, the Dutch and Danish National Police, IBM, and Proofpoint investigated Stealc as part of Operation Endgame.
ESET contributed technical analysis, statistical information, lists of known C&C servers, encryption keys, campaign and build identifiers, and other threat intelligence collected during three years of tracking both malware families. The shared dataset covered Q4 2025 through H1 2026.
ESET has been tracking both the Amadey botnet and the Stealc infostealer for the past three years. For the disruption operation, we shared statistics covering Q4 2025 to H1 2026, along with technical indicators and configuration data extracted from processed malware samples.
Why this matters
For CIOs, CISOs, and IT directors, Amadey and Stealc represent two of the most common entry points for broader intrusions. Amadey functions as a modular loader that delivers additional payloads, while Stealc harvests credentials, cookies, cryptocurrency wallets, and browser extension data. ESET telemetry observed both families distributed globally without a specific regional focus, with the highest Amadey detections in India, Turkey, Egypt, Mexico, and Spain, and the highest Stealc detections in the United States, Poland, and Italy.
Sharing C&C server lists, affiliate identifiers, and encryption keys enables law enforcement to prioritize and act against infrastructure with high confidence. For enterprises, the disruption reduces near-term exposure to credential theft and follow-on ransomware, but security teams should continue to monitor for rebuild attempts.
Technical details
- Amadey: modular malware loader with clipboard monitoring, credential theft, and VNC-based remote access modules.
- Amadey pricing: USD 600 per license in Bitcoin, plus USD 50 per rebuild (pay-per-rebuild model).
- Stealc: infostealer targeting browser credentials, email and FTP clients, gaming platforms, cryptocurrency wallets, and browser extensions.
- Stealc pricing: monthly subscription starting at USD 1,000 for six months, with unlimited build generation.
- Delivery vectors: fake software updates, cracked software installers, and third-party malware loaders.
- Affiliate model: self-hosted administration panels deployed on affiliate-owned infrastructure.
- ESET contribution: C&C servers, encryption keys, build and campaign identifiers, URL paths, and configuration data.
Softprom and ESET
Softprom is the official distributor of ESET. Our team helps enterprises deploy ESET endpoint, cloud, and threat intelligence solutions to defend against MaaS-driven threats such as Amadey and Stealc.
Strengthen your defenses against infostealers and loaders with ESET solutions available through Softprom.
This content was prepared as part of the Softprom DistriFlow project — an automated system for monitoring and adapting vendor news.