ESET joins global takedown of Amadey botnet and Stealc infostealer
ESET Research has contributed to a coordinated global operation targeting the Amadey botnet and the Stealc infostealer, both of which operate as malware-as-a-service (MaaS) platforms sold to criminal affiliates via darknet forums. The action, dubbed Operation Endgame by European authorities, aimed to seize or render inoperative all known command-and-control (C&C) servers supporting both platforms, directly disrupting the infrastructure on which affiliates depend.
The operation was coordinated by Microsoft's Digital Crimes Unit, BitSight, Lumen, and Japan-based Mitsui Bussan Secure Directions. Europol's European Cybercrime Centre participated alongside law enforcement agencies from Germany, the Netherlands, and Denmark, with IBM and Proofpoint also named as contributing partners. ESET's role was primarily intelligence: the company shared technical analysis, known C&C server lists, encryption keys, build identifiers, campaign identifiers, and statistical data covering the period from Q4 2025 to H1 2026.
"Our automated systems have been dissecting Amadey and Stealc samples and identifying the fields most relevant for large-scale tracking," said Jakub Tomanek, an ESET researcher involved in the effort. "These include C&C servers, build identifiers, encryption keys, URL paths, campaign identifiers, and other embedded values used by the malware families during communication with attacker-controlled infrastructure."
How the two platforms operated
Amadey is a modular loader whose primary function is dropping additional payloads onto compromised systems, though it also offers modules for clipboard monitoring, credential theft, and VNC-based remote access. It was sold under a pay-per-rebuild pricing model: affiliates paid a flat USD 600 for a single licence and an additional USD 50 each time a new build was required, for example when rotating to a fresh C&C server. The operator compiled samples on demand rather than supplying affiliates with a builder tool directly.
Stealc took a more affiliate-friendly approach, bundling unlimited build generation into a subscription priced at USD 1,000 for six months. It targets credentials stored by web browsers, email and FTP clients, gaming platforms, cryptocurrency wallet files, and browser extensions. ESET telemetry placed Stealc's highest detection rates in the United States, Poland, and Italy; Amadey's largest concentrations were in India, Turkey, Egypt, Mexico, and Spain, with neither family showing a tight regional focus.
Both platforms explicitly instructed prospective customers on darknet forums to contact operators only through official channels, a measure designed to reduce the risk of impersonation scams within their own criminal ecosystems.
Market context and wider significance
Operation Endgame is the second phase of a framework first used in 2024 to dismantle the IcedID, SystemBC, and Bumblebee loader networks. The repeat use of the Endgame banner signals that law enforcement is treating botnet and infostealer takedowns as a sustained programme rather than one-off events, a posture that has drawn comparisons to the multi-year campaign against ransomware infrastructure.
The MaaS model has lowered the technical barrier to cybercrime considerably: an affiliate running Stealc need only deploy an administration panel on rented server infrastructure, with operational rotation made cheap by the unlimited-build subscription. That accessibility is reflected in the breadth of detection geographies ESET observed.
For enterprise security teams, the disruption provides only temporary relief. ESET has said it will continue monitoring both families for infrastructure rebuild attempts, since rebuilding after a high-profile takedown is a familiar pattern. Security leaders evaluating endpoint detection tools should note that both families were primarily distributed through fake software updates and cracked installers, vectors that behaviour-based endpoint controls are better positioned to catch than signature-only approaches.
The operation also underlines the intelligence-sharing model that has emerged between specialist cybersecurity vendors and law enforcement: ESET's three years of automated tracking produced the encryption keys and campaign identifiers that allowed authorities to act with confidence against specific server nodes rather than relying on bulk network blocks.