
StealC, a widely used malware-as-a-service (MaaS) platform in the growing information-stealer ecosystem, has been targeted in a coordinated international disruption effort led by law enforcement agencies and private-sector cybersecurity partners. The operation forms part of Operation Endgame, an ongoing initiative focused on dismantling cybercrime infrastructure and the services that enable large-scale credential theft.
The action, carried out in June 2026, was publicly announced on 24 June, with authorities confirming the takedown of 66 domains and 296 servers linked to StealC and the related malware family Amadey. In parallel, Microsoft’s Digital Crimes Unit (DCU) initiated legal proceedings against individuals and entities alleged to be supporting the infrastructure behind the malware, while also disabling associated systems.
Cybersecurity firms IBM X-Force and Proofpoint played a supporting role in the operation, contributing intelligence, infrastructure analysis, and technical research that helped map the malware’s ecosystem and operational footprint.
A Growing Malware-as-a-Service Threat
StealC has been active as a commercial malware offering since January 2023, operating under a subscription-based model commonly referred to as malware-as-a-service. The platform enables its users—often described as affiliates—to generate customised malware builds through a control panel, deploy them at scale, and extract stolen data through centralised infrastructure.
Once deployed, StealC is designed to harvest a wide range of sensitive information: browser credentials, cookies, payment card data, messaging platform accounts such as Outlook, Telegram, and Discord, gaming credentials, VPN and file transfer tool logins, and cryptocurrency wallet information.
The stolen data is typically aggregated within the operator-controlled panel, where it can be accessed, sold, or reused. In many cases, it is also leveraged to facilitate secondary attacks, including ransomware deployment and access brokerage within underground cybercrime markets.
Evolving Malware Infrastructure and Delivery Chains
Researchers note that StealC has evolved rapidly since its emergence, with version 2 released in March 2025 and the latest build, v2.22.0, observed in May 2026. The malware has increasingly been used as part of layered infection chains, where initial access is followed by additional payload delivery.
In several observed cases, StealC infections delivered a single secondary payload, such as another infostealer or a remote access trojan (RAT). In more complex campaigns, however, StealC acted as a first-stage loader, deploying additional malware that subsequently retrieved final-stage payloads. One documented example involved StealC delivering XTinyLoader, which then installed LockBit Black ransomware—highlighting the increasingly modular nature of modern cybercrime operations.
Technical Disruption and Intelligence Gathering
As part of the joint effort, Proofpoint and IBM X-Force developed emulation capabilities to simulate StealC infections and better understand its operational behaviour. Using malware samples sourced from internal telemetry, public repositories such as VirusTotal, and intelligence-sharing partners, researchers executed the samples in sandbox environments to extract configuration data and analyse infrastructure patterns.
This approach enabled analysts to track command-and-control behaviour, identify delivery mechanisms, and observe how affiliates manage infections in real-world scenarios. The findings helped support broader law enforcement attribution and disruption efforts.
Coordinated Industry Response
The disruption of StealC marks another milestone in the wider Operation Endgame campaign, which continues to target the infrastructure underpinning cybercrime-as-a-service ecosystems. By combining intelligence from private cybersecurity firms, law enforcement agencies, and technology companies, the operation aims to degrade the scalability and profitability of modern cybercriminal networks.
Proofpoint stated that its participation aligns with its broader mission of protecting organisations against human-centric cyber threats. The company emphasised that, when appropriate, it contributes threat intelligence and technical expertise to collective defence initiatives designed to reduce the global impact of malware campaigns.
As cybercriminal ecosystems become more industrialised and interconnected, coordinated efforts such as Operation Endgame highlight a growing trend in cybersecurity: disruption at scale requires collaboration at scale.



