Microsoft Disrupts StealC, Amadey Malware Infrastructure in AI-Assisted Cybercrime Action

Microsoft on Wednesday said it has disrupted infrastructure tied to StealC and Amadey, two widely used cybercrime tools that the company says have become part of a broader malware supply chain used to steal credentials, support fraud and enable ransomware attacks.

The action, announced by Microsoft's Digital Crimes Unit, targeted more than 200 command-and-control domains and IP addresses associated with the two malware families. Microsoft said the disruption was carried out with Europol and several industry partners and relied in part on AI-assisted malware analysis to identify shared infrastructure between the two operations.

The company framed the action as a shift from targeting single malware services to going after the cybercrime "assembly line" that lets separate tools and actors work together. In this case, Amadey is the loader: it establishes a foothold on infected devices and delivers additional malware, while StealC is the payload that steals passwords, cookies, session tokens and other sensitive data.

"The goal: break the chain," Microsoft said.

Microsoft said Amadey and StealC were linked to more than 140,000 infected computers globally in the first two weeks of May. Since the beginning of the operation, the company said it has identified more than 18,000 victim computers, severed criminal control of those devices and begun working with telecommunications providers to help protect affected customers.

The company said the case also represents an expanded use of civil legal tools, including the Racketeer Influenced and Corrupt Organizations Act, to treat multiple cybercrime services as part of a single coordinated operation. Microsoft said investigators used AI tools, including Copilot, to analyze malware code, surface hidden details and identify infrastructure connections more quickly than traditional manual analysis.

"What's new is how we're combining AI analysis with an expanded use of that law," Microsoft said.

In a separate technical analysis, Microsoft Threat Intelligence, Microsoft Defender researchers and the Digital Crimes Unit described StealC as an "infostealer for rent" that threat actors can use to generate customized payloads and manage stolen data through a web panel.

StealC targets data from browsers, cryptocurrency wallets, messaging apps, email clients and gaming platforms. Microsoft said it can collect saved passwords, session cookies, autofill data, browsing history, desktop screenshots and other information before exfiltrating it to attacker-controlled infrastructure. The malware also can act as a secondary loader, allowing operators to download and execute additional payloads.

Amadey, which Microsoft said has been active since at least 2018, is a "malware-as-a-service" loader used to deliver StealC, Lumma Stealer, remote access trojans, cryptocurrency miners and, in some cases, ransomware. The malware communicates with command-and-control servers over HTTP and supports commands for file downloads, command execution, modular updates, credential theft, clipboard theft and other activity.

Microsoft warned that infostealer infections can become enterprise incidents even when the initial compromise occurs on a personal or unmanaged device. A session cookie or VPN credential stolen from an employee's home computer lets an attacker reach corporate systems with valid credentials, and because a session cookie represents a login that has already passed the multifactor challenge, replaying it can sidestep the MFA prompt altogether.
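The scenario above is the reason session-replay detection matters more than password-reset playbooks when an infostealer is involved. The following is an added example, not Microsoft's code and not part of the original article: a small detector that binds each session ID to the client (IP and User-Agent) that completed the login and flags requests where the same cookie later arrives from a different client, then picks the sessions to revoke. The JSON-lines log format, field names (`sid`, `ua`, `mfa`), the sample records and the ten-minute window are all assumptions constructed for the example.

```python
import json
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample access log (not real telemetry): one JSON record per
# request with user, session ID, client IP and User-Agent. The field names
# and the "mfa" marker on the login record are assumptions of this example.
SAMPLE_LOG = """
{"ts": "2025-05-06T08:00:00Z", "user": "alice", "sid": "s1", "ip": "203.0.113.10", "ua": "Edge/124 Windows", "path": "/login", "mfa": true}
{"ts": "2025-05-06T08:05:00Z", "user": "alice", "sid": "s1", "ip": "203.0.113.10", "ua": "Edge/124 Windows", "path": "/mail"}
{"ts": "2025-05-06T08:07:00Z", "user": "alice", "sid": "s1", "ip": "198.51.100.77", "ua": "curl/8.4.0", "path": "/mail/export"}
{"ts": "2025-05-06T09:00:00Z", "user": "bob", "sid": "s2", "ip": "192.0.2.5", "ua": "Chrome/123 macOS", "path": "/login", "mfa": true}
{"ts": "2025-05-06T09:03:00Z", "user": "bob", "sid": "s2", "ip": "192.0.2.6", "ua": "Chrome/123 macOS", "path": "/files"}
"""

# Two requests on one session from different clients this close together are
# treated as concurrent use of the cookie; the value is a tuning assumption.
REPLAY_WINDOW = timedelta(minutes=10)


@dataclass
class Binding:
    """Client that first presented a session ID, i.e. the one that passed MFA."""
    user: str
    ip: str
    ua: str
    mfa_at: Optional[datetime]
    last_seen: datetime  # last request from the bound client


@dataclass
class Alert:
    sid: str
    user: str
    severity: str  # "high", "medium" or "low"
    reason: str


def parse_log(text: str) -> list[dict]:
    """Parse a JSON-lines access log into events sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def detect_session_replay(events: list[dict], window: timedelta = REPLAY_WINDOW) -> list[Alert]:
    """Flag session IDs presented by a client other than the one that logged in.

    The cookie itself is valid, so the server-side auth check passes and no MFA
    prompt fires; the only signal is that the cookie now arrives from a
    different IP and/or User-Agent than the client that completed the login.
    """
    bindings: dict[str, Binding] = {}
    alerts: list[Alert] = []
    for ev in events:
        sid = ev["sid"]
        bound = bindings.get(sid)
        if bound is None:
            bindings[sid] = Binding(
                user=ev["user"], ip=ev["ip"], ua=ev["ua"],
                mfa_at=ev["ts"] if ev.get("mfa") else None,
                last_seen=ev["ts"],
            )
            continue
        ip_changed = ev["ip"] != bound.ip
        ua_changed = ev["ua"] != bound.ua
        if not (ip_changed or ua_changed):
            bound.last_seen = ev["ts"]
            continue
        gap = ev["ts"] - bound.last_seen
        # IP-only changes are common (mobile, VPN); IP plus User-Agent change
        # within minutes of the bound client's last request looks like replay.
        if ip_changed and ua_changed and gap <= window:
            severity = "high"
        elif gap <= window:
            severity = "medium"
        else:
            severity = "low"
        mfa_note = (f"MFA completed at {bound.mfa_at:%H:%M}Z by bound client"
                    if bound.mfa_at else "no MFA record for this session")
        alerts.append(Alert(
            sid=sid, user=bound.user, severity=severity,
            reason=(f"session bound to {bound.ip} / {bound.ua}, presented from "
                    f"{ev['ip']} / {ev['ua']} {int(gap.total_seconds() // 60)} min "
                    f"after last bound-client request; {mfa_note}"),
        ))
    return alerts


def sessions_to_revoke(alerts: list[Alert]) -> set[str]:
    """Rapid response: high-severity replays get the session revoked server-side.

    Resetting the user's password does not invalidate an already-issued session
    cookie; the session (or refresh token) must be revoked explicitly.
    """
    return {a.sid for a in alerts if a.severity == "high"}


if __name__ == "__main__":
    found = detect_session_replay(parse_log(SAMPLE_LOG))
    for a in found:
        print(f"[{a.severity}] {a.user} {a.sid}: {a.reason}")
    print("revoke:", sorted(sessions_to_revoke(found)))
```

On the constructed log, alice's session is flagged high (new IP and a curl User-Agent two minutes after her browser's last request) and bob's is flagged medium (IP moved, same browser), which is the distinction a responder wants before revoking sessions in bulk. The detector only observes the problem; the preventive control is binding the session to the device at issuance, which this example does not implement.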

The company said defenders should focus on identity protection, credential hygiene and rapid response, along with cloud-delivered antivirus protection, Microsoft Defender SmartScreen, tamper protection and attack surface reduction rules.

Microsoft said the operation is not intended as a one-time action, but as part of a broader effort to apply legal action, AI analysis and partner coordination against the infrastructure that allows cybercrime services to scale.

The company said the goal is to disrupt "not just individual tools but also the systems" that make cybercrime possible.

About the Author

Chris Paoli (@ChrisPaoli5) is the associate editor for Converge360.
