Microsoft and Europol have struck at two of the engines powering the cybercrime economy. On June 24, 2026, Microsoft's Digital Crimes Unit (DCU), working with Europol and industry partners, seized, suspended, or blocked more than 200 domains and command-and-control (C2) servers that ran the StealC infostealer and the Amadey malware loader, the company said in its technical report. The takedown went after the plumbing that two of the most prolific commodity malware families rely on to steal passwords and to deliver follow-on attacks.
Infostealers like StealC quietly harvest saved passwords, browser cookies, and session tokens from infected machines. That matters far beyond the individual victim: a single infection on an employee's home PC can hand attackers corporate VPN logins, single sign-on tokens, and session cookies that let them slip past multifactor authentication. The resulting stealer logs are then sold through access brokers for as little as a few dollars each, feeding fraud and ransomware. We have repeatedly covered how fake software pushes these stealers onto victims, from bogus Spotify and Windows hacks on TikTok to trojanized Mac installers, and how the resulting credentials pile up in massive stolen-credential troves.
What StealC and Amadey do
StealC is a malware-as-a-service stealer: criminals rent a builder to generate custom samples and a web panel to manage what they steal. Once running, it fingerprints the machine, lifts credentials and cookies from Chromium and Firefox browsers, raids cryptocurrency wallets, messaging and email clients, Steam, and saved WinSCP sessions, and can grab files and screenshots. To defeat Chrome's App-Bound Encryption, it injects a small payload into a sacrificial process to decrypt browser secrets, then exfiltrates everything in RC4-encrypted, Base64-encoded chunks. Notably, StealC checks the system language and quits on Russian, Ukrainian, Belarusian, Kazakh, or Uzbek locales, a common tell for Russian-speaking operators.
Amadey, active since at least 2018, is the delivery half. It is a modular loader that establishes a foothold, sets up scheduled-task persistence, then pulls down whatever its operators want next, frequently StealC itself, but also banking trojans, crypto miners, and at times ransomware. Microsoft notes that researchers at Trellix observed operators using Amadey to fetch StealC from a compromised self-hosted GitLab instance, a trick meant to make the delivery infrastructure look legitimate.
How victims get infected
These families spread through ordinary user behavior rather than exotic exploits: SEO-poisoned search results and malicious ads that push cracked software and game cheats, phishing email, and the fast-growing ClickFix technique, where a website tricks the user into pasting a command into the Windows Run dialog and running the malware themselves. We have tracked ClickFix being used to seed footholds for later ransomware.
What you should do
Disruptions slow operators but rarely end them, so treat credential hygiene as the durable defense. Enforce phishing-resistant MFA, rotate any credentials that may have touched an infected device, watch for impossible-travel logins and anomalous session reuse, and discourage staff from running unmanaged software on devices that hold work logins. Defenders can hunt for the C2 patterns Microsoft published.
Selected indicators
Sample StealC and Amadey C2 URLs include hxxp://polse[.]us/62ea47cac2534aa18f74[.]php, hxxp://bluescry[.]com/01f96fd710e905ca2326[.]php, and hxxp://goodpanelforgoodjob[.]com/hg8jjfSr5hy/index[.]php. One associated StealC sample carries SHA-256 8f32456359f209a63adfd24b94235e1727382ac7f7bb7f2bcaf754e721925b64. Microsoft's full indicator set is in the original report.
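To make the hunting advice above concrete, here is an added example (not code from Microsoft or IntelFusions) that refangs the defanged URLs quoted in this briefing, matches proxy log lines against the C2 hosts, and flags the structural pattern the two StealC gate URLs share: a lone 20-character hex filename with a .php extension directly under the web root. The log format and the log lines are constructed, and the path heuristic is an assumption drawn from the sample indicators, meant as a low-confidence lead rather than a published detection rule.

```python
import re
from urllib.parse import urlparse

# Defanged C2 URLs quoted in the briefing (from Microsoft's published indicators).
DEFANGED_IOCS = [
    "hxxp://polse[.]us/62ea47cac2534aa18f74[.]php",
    "hxxp://bluescry[.]com/01f96fd710e905ca2326[.]php",
    "hxxp://goodpanelforgoodjob[.]com/hg8jjfSr5hy/index[.]php",
]

# Assumption: hunting heuristic generalised from the first two indicators
# (20 lowercase hex chars + ".php" at the web root). Low confidence on its own.
HEX20_PHP = re.compile(r"^/[0-9a-f]{20}\.php$")

def refang(ioc: str) -> str:
    """Rebuild a parseable URL from a defanged indicator (for matching only)."""
    return ioc.replace("hxxp", "http").replace("[.]", ".").replace("[:]", ":")

def known_hosts(iocs):
    """Set of C2 hostnames extracted from the defanged indicator list."""
    return {urlparse(refang(i)).hostname for i in iocs}

def classify(line: str, hosts):
    """Return 'known_c2', 'suspicious_path' or None for one proxy log line.
    Assumed (constructed) format: '<ts> <src_ip> <method> <url> <status>'."""
    parts = line.split()
    if len(parts) < 5:
        return None
    url = urlparse(parts[3])
    if url.hostname in hosts:
        return "known_c2"          # exact match on a published C2 host
    if HEX20_PHP.match(url.path):
        return "suspicious_path"   # StealC-like gate path on an unknown host
    return None

def hunt(log_lines, iocs=DEFANGED_IOCS):
    """Scan log lines; return (verdict, source_ip, url) for every hit."""
    hosts = known_hosts(iocs)
    hits = []
    for line in log_lines:
        verdict = classify(line, hosts)
        if verdict:
            parts = line.split()
            hits.append((verdict, parts[1], parts[3]))
    return hits

# Constructed sample proxy log lines; not real traffic.
SAMPLE_LOG = [
    "2026-06-24T10:01:02Z 10.0.0.12 POST http://polse.us/62ea47cac2534aa18f74.php 200",
    "2026-06-24T10:01:05Z 10.0.0.12 GET http://update.example.test/index.php 200",
    "2026-06-24T10:02:11Z 10.0.0.31 POST http://unknown.example.test/a1b2c3d4e5f60718293a.php 200",
    "2026-06-24T10:03:00Z 10.0.0.31 GET http://www.example.test/docs/readme.php 200",
]

if __name__ == "__main__":
    for verdict, src, url in hunt(SAMPLE_LOG):
        print(f"{verdict:16} {src:12} {url}")
```

A `suspicious_path` hit on its own warrants a look at the source host's process and login activity, not an automatic block; the `known_c2` match is the one to treat as a confirmed infection.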
This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.