ESET helps disrupt Amadey botnet and Stealc infostealer in global operation
ESET Research contributed technical analysis and threat intelligence to a multinational effort that targeted the Amadey botnet and Stealc infostealer. The disruption aimed to cripple the malware-as-a-service networks used by affiliates to spread payloads, steal data, and rotate infrastructure.
Why it matters:
- The takedown targeted two malware-as-a-service operations that helped criminals steal data and distribute additional malware at scale.
- Disrupting affiliate infrastructure makes it harder for operators to rebuild quickly and raises the cost of running these campaigns.
- Law enforcement and security teams used shared technical evidence to act against known command-and-control infrastructure with higher confidence.
What happened:
- ESET Research assisted in a global Operation Endgame effort against the Amadey botnet and the Stealc infostealer.
- The operation was coordinated by Microsoft Digital Crimes Unit, BitSight, Lumen, and Mitsui Bussan Secure Directions.
- Europol's European Cybercrime Centre worked with European law enforcement partners, including Germany's Federal Criminal Police Office and the Dutch and Danish National Police, on the Stealc investigation.
- IBM and Proofpoint also took part in the broader Operation Endgame effort.
- ESET provided technical analysis, infrastructure tracking, affiliate-level insights, statistical information, known command-and-control servers, encryption keys, campaign and build identifiers, and other threat intelligence.
The details:
- ESET said it has tracked Amadey and Stealc for the past three years.
- ESET shared statistics covering Q4 2025 to H1 2026, along with technical indicators and configuration data extracted from malware samples.
- ESET's automated systems analyzed samples to extract the fields useful for large-scale tracking: command-and-control servers, build identifiers, encryption keys, URL paths, campaign identifiers, and other embedded values.
- Amadey was observed globally without a regional focus, with the highest detection rates in India, Turkey, Egypt, Mexico, and Spain.
- Stealc was also distributed globally without a regional focus, with the highest detection rates in the United States, Poland, and Italy.
- Amadey is a modular malware loader that distributes additional malware; its modules include clipboard monitoring, credential theft, data exfiltration, and VNC-based remote access.
- Stealc is an infostealer that targets credentials stored by web browsers, email clients, FTP clients, and gaming platforms, as well as cookies, cryptocurrency wallet files, browser extensions, and files matching affiliate-defined patterns.
- Both families are sold as services and advertised on darknet forums.
- Affiliates in both ecosystems receive a self-hosted administration panel that they must deploy on their own server infrastructure.
- This setup gives affiliates direct control over victim data and payload distribution, but it also requires technical skill.
- ESET telemetry showed both families being delivered through fake software updates, cracked software installers, and third-party malware loaders.
- Amadey uses a pay-per-rebuild model: affiliates pay for a license and an extra fee for each new build. A single license is priced at $600 in Bitcoin, plus $50 per rebuild.
- Amadey operators do not provide a builder tool; samples are compiled on request for each affiliate.
- Stealc is sold as a subscription; the cheapest option listed is 1,000 USD for six months. Unlimited build generation is included in the subscription, which lowers the cost of rotating infrastructure.
- Both operators told prospective affiliates on darknet forums to contact them only through official channels to avoid impersonation scams: Amadey directs buyers to private messages on the forum where it is advertised, while Stealc directs buyers to private messages on darknet forums or Telegram.
- ESET said it will continue to monitor both families and watch for attempts to rebuild infrastructure after the disruption.
- More information is available in ESET Research's blog post on WeLiveSecurity.com.
Between the lines:
- The disruption focused on the support systems that make malware services scalable, not just on the malware binaries themselves.
- Affiliate-driven operations can survive takedowns if infrastructure and distribution channels are rebuilt, so long-term monitoring remains important.
- The pricing and rebuild structures show two different business models: Amadey charges for each rebuild, while Stealc lowers friction with unlimited builds.
What's next:
- ESET will keep tracking rebuild attempts and any new operational infrastructure tied to Amadey and Stealc.
- Security teams are likely to use the shared indicators to hunt for related campaigns, servers, and affiliate activity.
- Law enforcement partners may expand follow-on actions if new infrastructure appears.
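The article says security teams will use the shared indicators (command-and-control servers, URL paths, and similar extracted fields) to hunt for related activity. As an added example, not ESET's code and not part of the original article, the following Python script shows the shape of such a hunt: it matches an indicator set against proxy log lines, normalizes host names so case, ports, and trailing dots do not cause misses, and rates a URL-path-only match as low confidence because generic paths also appear on legitimate servers. The indicator values, the log format, and the log lines are constructed placeholders and are not real Amadey or Stealc infrastructure.

```python
"""Hunt proxy logs for shared C2 indicators (added example, not ESET's tooling)."""
import re
from urllib.parse import urlsplit

# Constructed indicator set. Placeholders for the kinds of fields the article
# says were shared (C2 hosts/IPs and URL paths); NOT real Amadey/Stealc C2.
INDICATORS = {
    "hosts": {"panel-update.example.invalid", "198.51.100.23"},
    "url_paths": {"/panel/gate.php"},
}

# Assumed proxy log format: "<timestamp> <client-ip> <method> <url> <status>".
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)

# Constructed sample log lines (not real telemetry). Line 1 uses upper case and a
# port to show that normalization is needed; line 3 is a path-only match.
SAMPLE_LOGS = """\
2026-03-02T10:01:05Z 10.0.0.15 POST HTTP://PANEL-UPDATE.EXAMPLE.INVALID:8080/panel/gate.php 200
2026-03-02T10:01:09Z 10.0.0.15 GET http://198.51.100.23/modules/update.bin 200
2026-03-02T10:02:11Z 10.0.0.22 GET https://www.example.com/panel/gate.php 404
2026-03-02T10:03:40Z 10.0.0.31 GET https://update.example.org/ 200
"""


def normalize_host(host):
    """Lower-case and strip a trailing dot and IPv6 brackets so 'Host.' == 'host'."""
    return host.lower().rstrip(".").strip("[]")


def match_line(line, indicators):
    """Return a hit dict for one log line, or None if it does not match.

    A host/IP match is rated 'high'; a URL-path-only match is rated 'low'.
    """
    m = LOG_RE.match(line)
    if not m:
        return None  # unparseable line: skip rather than crash the hunt
    parts = urlsplit(m.group("url"))
    host = normalize_host(parts.hostname or "")  # hostname drops the port
    path = parts.path or "/"
    known_hosts = {normalize_host(h) for h in indicators["hosts"]}
    known_paths = {p.lower() for p in indicators["url_paths"]}
    reasons = []
    if host in known_hosts:
        reasons.append(f"c2-host:{host}")
    if path.lower() in known_paths:
        reasons.append(f"c2-path:{path}")
    if not reasons:
        return None
    return {
        "ts": m.group("ts"),
        "src": m.group("src"),
        "host": host,
        "path": path,
        "reasons": reasons,
        "confidence": "high" if host in known_hosts else "low",
    }


def hunt(lines, indicators=INDICATORS):
    """Run match_line over an iterable of log lines and collect the hits."""
    hits = []
    for line in lines:
        hit = match_line(line, indicators)
        if hit:
            hits.append(hit)
    return hits


def infected_clients(hits):
    """Client IPs with at least one high-confidence hit, for triage."""
    return sorted({h["src"] for h in hits if h["confidence"] == "high"})


if __name__ == "__main__":
    found = hunt(SAMPLE_LOGS.splitlines())
    for h in found:
        print(h["confidence"], h["src"], "->", h["host"] + h["path"], ",".join(h["reasons"]))
    print("triage first:", infected_clients(found))
```

Low-confidence path-only hits are worth keeping in the output rather than dropping, since a path shared across many affiliates may be the only indicator that survives an infrastructure rotation, but they should drive a closer look at the destination host, not an automatic isolation of the client.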
Disclaimer: This article was produced by AGP Wire with the assistance of artificial intelligence based on original source content and has been refined to improve clarity, structure, and readability. This content is provided on an “as is” basis. While care has been taken in its preparation, it may contain inaccuracies or omissions, and readers should consult the original source and independently verify key information where appropriate. This content is for informational purposes only and does not constitute legal, financial, investment, or other professional advice.