Global cyber strike disrupts SocGholish, Amadey, and StealC malware networks
Coordinated actions take down criminal infrastructure; over 41 million EUR in criminal crypto assets seized
Europol together with partners from across the globe today announces a landmark blow to cybercriminal networks as part of Operation Endgame, a sweeping international operation targeting the criminal infrastructure behind ransomware and malware like SocGholish, Amadey, and StealC. In coordinated actions over the past two weeks, key components of these malicious toolkits were dismantled as part of a public-private effort.
This included law enforcement from Canada, Denmark, Germany, the Netherlands, the United Kingdom and the United States, as well as the US software company Microsoft and other private partners, with the international activity coordinated by Europol and Eurojust. The main common goal was to disrupt the “assembly lines” cybercriminals use to launch ransomware, financial fraud, and attacks on critical infrastructure.
Crypto assets of criminal origin currently valued at over 41 million EUR (47 million USD) were identified, flagged, and thereby restricted from use. Moreover, as many as 27 million stolen login credentials have been recovered as part of this operation.
During this action, 326 servers and 142 domains were actioned by law enforcement and the private sector partners, severely crippling the malware’s distribution network. By taking down these tools simultaneously, the collaboration between law enforcement and private parties has increased friction for cybercriminals, making it harder for attacks to succeed, spread, or recover.
“Cybercrime-as-a-service” business model
The neutralised malware variants were offered as a service (“cybercrime-as-a-service”), with other cybercriminals using them as a tool for the initial infection of targeted systems. They subsequently served as a starting point for further criminal activities, such as installing ransomware for digital extortion or fraudulent use of data.
The malware SocGholish (a so-called dropper/loader) allowed unauthorised parties to gain access to computer systems by distributing fake browser updates via compromised websites. Instead of the update, internet users inadvertently installed the malware. This approach, which has claimed countless victims, relies primarily on compromising websites built with WordPress and injecting malicious code into them. The unauthorised access was then exploited for further crimes, such as installing ransomware for the purpose of digital extortion.
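A site owner's first question after reading the paragraph above is whether their own pages are serving someone else's script. The following is an added example (not tooling from Europol, the Dutch Police or any partner named on this page) showing a defensive, heuristic check of a page's served HTML: it collects every script tag, flags external sources whose host is not on the owner's allowlist, and flags inline scripts carrying common obfuscation markers. The allowlist hosts, the sample page and the marker patterns are all constructed for illustration and are not SocGholish indicators.

```python
"""Heuristic scan of served HTML for script injections of the kind used to
push fake browser updates from a compromised site.  Added example; the
allowlist, sample page and obfuscation markers are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist: script hosts the site owner actually uses.
TRUSTED_SCRIPT_HOSTS = {"example-restaurant.test", "cdn.example-cdn.test"}

# Generic markers of obfuscated inline JavaScript (heuristic, constructed).
OBFUSCATION_MARKERS = (
    re.compile(r"\beval\s*\("),
    re.compile(r"String\.fromCharCode"),
    re.compile(r"\batob\s*\("),
    re.compile(r"[A-Za-z0-9+/=]{120,}"),  # long base64-looking blob
)


class ScriptCollector(HTMLParser):
    """Collect external script sources and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            self.inline.append("".join(self._buf))


def scan_page(html, trusted_hosts=TRUSTED_SCRIPT_HOSTS):
    """Return findings as (kind, detail) tuples; empty list means clean."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for src in parser.external:
        host = urlparse(src).hostname  # None for relative paths, which are skipped
        if host and host not in trusted_hosts:
            findings.append(("untrusted-external-script", src))
    for body in parser.inline:
        hits = [m.pattern for m in OBFUSCATION_MARKERS if m.search(body)]
        if hits:
            findings.append(("obfuscated-inline-script", ", ".join(hits)))
    return findings


# Constructed sample page: one trusted CDN script, one same-site script,
# one injected protocol-relative loader and one obfuscated inline block.
SAMPLE_PAGE = """<html><head>
<script src="https://cdn.example-cdn.test/jquery.js"></script>
<script src="/wp-content/themes/bistro/main.js"></script>
<script src="//updates-cdn.invalid/loader.js"></script>
<script>eval(String.fromCharCode(118,97,114,32,97,61,49));</script>
<script>console.log("benign inline");</script>
</head><body>Menu</body></html>"""

if __name__ == "__main__":
    for kind, detail in scan_page(SAMPLE_PAGE):
        print(f"{kind}: {detail}")
```

Run it against the HTML a visitor actually receives (fetched from outside, since injected code is often only served to certain visitors) rather than against files on disk alone; a hit on either rule is a prompt to compare theme and plugin files with clean copies, not proof of compromise by itself.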
The malware StealC (a so-called stealer with dropper function), which was spread through multiple attack vectors, was primarily designed to extract sensitive information such as passwords, stored access data and digital identities from compromised computers and to make them available for subsequent illicit use, especially data trading and fraudulent use.
The malware Amadey (a so-called dropper/loader) was mainly disseminated through phishing campaigns. It thus served as the first link in a larger attack chain and was capable of introducing additional malware into compromised systems. The malware also had stealer capabilities and could therefore retrieve sensitive data.
A blow to cybercriminal infrastructure
During the action against SocGholish, 14 971 infected websites - including those of restaurants, auto repair shops, and other everyday services - were remediated. SocGholish is linked to the Russian cyber‑criminal group Evil Corp. This group has previously been responsible for Zeus and Dridex malware and is also associated with several large‑scale ransomware and money‑laundering operations.
Key actions included:
Cleaning infected WordPress sites and notifying victims, urging them to update their platforms and strengthen login credentials.
Disabling the SocGholish botnet by taking over domain names and taking servers offline.
Victim notifications via platforms like HaveIBeenPwned, DIVD, Spamhaus, CheckjeHack, NoMoreLeaks, Shadowserver and NL-NCSC, alerting website owners whose credentials were leaked.
Call to WordPress users
The Dutch Police have already removed vulnerabilities from infected sites and notified owners. WordPress users are urged to:
change their login credentials;
enable multi‑factor authentication;
delete any unknown additional WordPress accounts;
keep their WordPress site up‑to‑date in the future.
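The third and fourth items of this checklist can be turned into a repeatable check. The following is an added example, not Dutch Police or Europol tooling, that audits the JSON printed by WP-CLI's `wp user list --format=json` and `wp plugin list --format=json` against an allowlist of accounts the owner recognises, and lists plugins with pending updates. The field names are assumed from WP-CLI's documented output, and the account allowlist and both JSON samples are constructed inline so the audit runs offline.

```python
"""Audit WordPress accounts and plugin update status from WP-CLI JSON output.
Added example; allowlist and sample JSON are constructed, and WP-CLI field
names (user_login, roles, user_registered, name, update) are assumed."""
import json
import subprocess

# Constructed allowlist of accounts the site owner knows about.
KNOWN_LOGINS = {"owner", "editor_jan"}

# Constructed sample of `wp user list --format=json` output.
SAMPLE_USERS = json.dumps([
    {"ID": 1, "user_login": "owner", "roles": "administrator",
     "user_registered": "2021-03-02 10:00:00"},
    {"ID": 2, "user_login": "editor_jan", "roles": "editor",
     "user_registered": "2022-06-14 09:12:00"},
    {"ID": 7, "user_login": "wp_support_tmp", "roles": "administrator",
     "user_registered": "2026-05-03 02:41:17"},
])

# Constructed sample of `wp plugin list --format=json` output.
SAMPLE_PLUGINS = json.dumps([
    {"name": "contact-form", "status": "active", "update": "available",
     "version": "1.2.0"},
    {"name": "seo-helper", "status": "active", "update": "none",
     "version": "4.0.1"},
    {"name": "old-gallery", "status": "inactive", "update": "available",
     "version": "0.9"},
])


def audit_users(users_json, known_logins=KNOWN_LOGINS):
    """Return accounts not on the allowlist, flagging those with admin rights."""
    findings = []
    for u in json.loads(users_json):
        if u["user_login"] not in known_logins:
            is_admin = "administrator" in u.get("roles", "")
            findings.append({"login": u["user_login"], "admin": is_admin,
                             "registered": u.get("user_registered")})
    return findings


def pending_updates(plugins_json):
    """Return names of plugins (active or not) that have an update available."""
    return [p["name"] for p in json.loads(plugins_json)
            if p.get("update") == "available"]


def run_wp_cli(*args):
    """Fetch live JSON from WP-CLI on a real site (not used by the sample run)."""
    return subprocess.run(["wp", *args, "--format=json"], check=True,
                          capture_output=True, text=True).stdout


def report(users_json=SAMPLE_USERS, plugins_json=SAMPLE_PLUGINS):
    """Print the audit and return (unknown_accounts, plugins_needing_update)."""
    unknown = audit_users(users_json)
    updates = pending_updates(plugins_json)
    for f in unknown:
        level = "CRITICAL" if f["admin"] else "WARN"
        print(f"{level}: unknown account {f['login']} "
              f"(registered {f['registered']})")
    for name in updates:
        print(f"INFO: plugin {name} has an update available")
    return unknown, updates


if __name__ == "__main__":
    report()
    # On a live site: report(run_wp_cli("user", "list"),
    #                        run_wp_cli("plugin", "list"))
```

An unknown administrator account, especially one registered at an odd hour, is the kind of finding the checklist's "delete any unknown additional WordPress accounts" item is about; inactive plugins with pending updates still count, since inactive code on disk can remain reachable.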
Prevent your computer from being infected by SocGholish malware
SocGholish is also known as ‘FakeUpdates’. Its malware is distributed via fake software updates, for example for internet browsers. When someone installs a fake update, the malware opens a connection to the hackers, who subsequently gain access to the computer system. With this so-called initial access, even more dangerous software can then be installed.
Keep the following in mind to avoid this:
Never trust pop‑ups that appear in your browser.
Do not trust updates that are overly flashy and scream for immediate action.
Do not trust updates just because they look very legitimate.
A genuine update always comes from the official source, for example via your system settings or the app store.
A new approach: targeting the cybercrime “assembly line”
This operation marked a shift in strategy: instead of focusing solely on individual threats, Europol, law enforcement and judicial authorities, as well as private industry partners, disrupted the entire chain that allows cyberattacks to scale. Amadey and StealC, two widely used malware tools, were targeted by Microsoft in tandem due to their interconnected roles.
Amadey gains initial access to devices, while StealC extracts passwords and sensitive data. Together, they form a critical link in the cybercrime supply chain. According to insight collected by Microsoft, in just the first two weeks of May 2026, Amadey and StealC were linked to over 140 000 infected computers worldwide.
Europol’s support
Europol played a central role in this international operation by providing operational coordination and facilitating seamless collaboration among law enforcement agencies from the participating countries. It ensured real-time information sharing via SIENA, enabling synchronised efforts across borders.
Europol’s European Cybercrime Centre (EC3) delivered critical analytical and technical support, conducting cross-checks on attribution, infrastructure, and financial investigations. The EC3 also provided cyber intelligence for victim notifications and shared actionable insights with public and private partners. Europol’s crypto tracing experts contributed by tracking illicit financial flows and identifying assets. Additionally, Europol coordinated prevention strategies to ensure a unified response and provided strategic oversight through the Joint Cybercrime Action Taskforce (J-CAT), aligning national investigations under a cohesive framework.