Europol coordinates law enforcement action, downing three malware botnets and seizing €41 million in crypto


In a coordinated multi-national action against a ‘cybercrime-as-a-service’ network, 326 servers and 142 domains were disrupted by law enforcement and private sector partners, severely crippling the malware’s distribution network. By taking down these tools simultaneously, the collaboration between law enforcement and private parties has increased friction for cybercriminals, making it harder for attacks to succeed, spread, or recover.

Cyber criminals used the now-neutralized malware variants known as droppers and loaders: initial-stage malware utilities designed to smuggle in and install more dangerous payloads (such as ransomware or infostealers) while evading antivirus detection.


They subsequently served as a starting point for further criminal activities, such as installing ransomware for digital extortion or fraudulent use of data.

They were:

  • SocGholish malware, a so-called dropper/loader, allowed unauthorised parties to gain access to computer systems by distributing fake browser updates via compromised websites. Instead of the update, internet users inadvertently installed the malware. This approach, which has caused countless victims, is primarily done by hacking websites built with WordPress and infecting them with malware. The unauthorised access was then exploited for further crimes, such as installing ransomware for the purpose of digital extortion.
  • StealC, a so-called stealer malware with a dropper function, was spread through multiple attack vectors. It was primarily designed to extract sensitive information such as passwords, stored access data and digital identities from compromised computers and to make them available for subsequent illicit use, especially data trading and fraud.
  • Amadey, also a dropper/loader, was mainly disseminated through phishing campaigns. It thus served as the first link in a larger attack chain and was capable of introducing additional malware into compromised systems. The malware also had stealer capabilities and could therefore retrieve sensitive data.

Amadey gains initial access to devices, while StealC extracts passwords and sensitive data. Together, they form a critical link in the cybercrime supply chain. According to insights collected by Microsoft, in just the first two weeks of May 2026, Amadey and StealC were linked to over 140 000 infected computers worldwide.

During the action against SocGholish, 14,971 infected websites – including those of restaurants, auto repair shops, and other everyday services – were remediated. SocGholish is linked to the Russian cyber‑criminal group Evil Corp. This group has previously been responsible for Zeus and Dridex malware and is also associated with several large‑scale ransomware and money‑laundering operations.

Key actions included:

  • Cleaning infected WordPress sites and notifying victims, urging them to update their platforms and strengthen login credentials.
  • Disabling the SocGholish botnet by taking over domain names and taking servers offline.
  • Victim notifications via platforms like HaveIBeenPwned, DIVD, Spamhaus, CheckjeHack, NoMoreLeaks, Shadowserver and NL-NCSC, alerting website owners whose credentials were leaked.

New approach

This operation marked a shift in strategy: instead of focusing solely on individual threats, Europol, law enforcement and judicial authorities, as well as private industry partners disrupted the entire chain that allows cyberattacks to scale. Amadey and StealC, two widely used malware tools, were targeted by Microsoft in tandem due to their interconnected roles.

Coordinated action

Europol played a central role in this international operation by providing operational coordination and facilitating seamless collaboration among law enforcement agencies from the participating countries. It ensured real-time information sharing via SIENA, enabling synchronised efforts across borders.

Participating countries and agencies in the action week against the three botnets:

  • Canada: Royal Canadian Mounted Police (RCMP)
  • Denmark: Danish Police (Politi)
  • Germany: Federal Criminal Police Office (BKA)
  • Netherlands: National High Tech Crime Unit (NHCTU)
  • United Kingdom: National Crime Agency (NCA)
  • United States
  • Europol
  • Eurojust
  • Private Partners: Microsoft, the Shadowserver Foundation, Registrar of Last Resort (RoLR), Proofpoint, IBM X-Force, Infoblox, NorthWave, Orange Cyberdefense, Bitdefender, Have I Been Pwned (HIBP), Spamhaus

Europol’s European Cybercrime Centre (EC3) delivered critical analytical and technical support, conducting cross-checks on attribution, infrastructure, and financial investigations. The EC3 also provided cyber intelligence for victim notifications and shared actionable insights with public and private partners. Europol’s crypto tracing experts contributed by tracking illicit financial flows and identifying assets. Additionally, Europol coordinated prevention strategies to ensure a unified response and provided strategic oversight through the Joint Cybercrime Action Taskforce (J-CAT), aligning national investigations under a cohesive framework.

Why it matters

Many piracy operations are designed to deposit malware on user devices, which steal personal data that can lead to financial fraud, identity theft and extortion.

Europol, together with partners from across the globe, struck a landmark blow to cybercriminal networks. In coordinated actions over a two-week period, key components of malicious toolkits were dismantled as part of a public-private effort.

These actions were part of Operation Endgame, the largest international operation ever undertaken to tackle the criminal infrastructure behind ransomware and malware worldwide.

Coordinated with the support of Europol and Eurojust, it is a joint effort between law enforcement and judicial authorities of Australia, Belgium, Canada, Denmark, France, Germany, the Netherlands, the United Kingdom, and the United States. More than 30 international public and private parties regularly support the actions.

Further reading

Global cyber strike disrupts SocGholish, Amadey and StealC malware networks. Press release. June 24, 2026. Europol
