Each malware strain played a distinct role in the cybercrime ecosystem:
SocGholish is a widely used malware loader that injects malicious JavaScript into compromised websites, primarily WordPress sites. It operates as an initial-access broker for ransomware operations, including affiliates of the Evil Corp cybercriminal group. Dutch police announced the SocGholish takedown days before the broader operation targeting Amadey and StealC was revealed.
Amadey is a botnet and malware loader that functions as a delivery mechanism for second-stage payloads, including StealC. Developed by separate criminal groups, Amadey and StealC work in tandem to compromise devices and harvest sensitive data.
StealC is an infostealer sold as a service (Stealer-as-a-Service) to other cybercriminals. It specializes in stealing credentials, browser data, and other sensitive information from infected machines. According to Proofpoint and IBM X-Force, who provided technical intelligence, the June operation specifically affected 66 StealC domains.
The operation involved an unprecedented level of international cooperation:
Law enforcement agencies: Canada (RCMP), Denmark, Germany (BKA and the Frankfurt Cybercrime Center ZIT), the Netherlands (National Police), the United Kingdom (National Crime Agency), the United States (FBI), Europol, and Eurojust.
Private-sector partners: Microsoft (Digital Crimes Unit), Bitdefender, IBM X-Force, Proofpoint, Infoblox, the Shadowserver Foundation, Orange Cyberdefense, Bitsight, and ESET.
Operation Endgame represents a clear strategic shift in how law enforcement combats cybercrime. Rather than pursuing individual ransomware groups after attacks occur, this operation targeted the cybercrime supply chain at its foundation: the loaders, infostealers, and initial-access brokers that enable mass compromise.
Europol describes this as a "landmark blow to cybercriminal networks" that weakens the entire criminal value chain. By simultaneously targeting SocGholish, Amadey, and StealC, authorities severed the delivery mechanisms that multiple ransomware affiliates depend on, breaking what the BKA called the "virtual infection chain" and preventing further victim infections before ransomware is ever deployed. The official Operation Endgame website described the common goal as disrupting the "assembly lines" cybercriminals use to launch ransomware, financial fraud, and attacks on critical infrastructure.
The BKA press release reports figures rounded to "over 320 servers and more than 140 domains", while Europol and other sources report exact counts of 326 servers and 142 domains. These figures are consistent within standard rounding conventions and do not materially change the assessed scale of the takedown.
This is the latest action in Operation Endgame, which launched in May 2024 as a sustained campaign against botnets and dropper malware. Previous phases targeted malware including Qakbot, Bumblebee, DanaBot, Trickbot, and others, and a November 2025 phase took down the Rhadamanthys infostealer, VenomRAT, and the Elysium botnet.