Amadey and StealC MaaS ecosystem and affiliate model
Threat Actor Meta
Summary
The Amadey and StealC ecosystems now operate as malware-as-a-service (MaaS) offerings, widening access to loader and stealer capabilities for paying customers and affiliates. The model supports payload delivery and sensitive-information theft from compromised hosts while shifting execution burden onto self-hosted affiliate infrastructure. Named operators such as InCrease and plymouth show how commodity malware can be monetized as a recurring criminal service rather than a one-time tool sale.
Related Happenings
StealC and Amadey infostealer infrastructure disruption
Malware Activity
H score: 69
First: 24.06.2026 18:25
Last: 24.06.2026 18:25
Sources 1
How related:
Microsoft has revealed that not only do Amadey and StealC employ the same infrastructure, but the malware families have been linked to more than 140,000 infected computers globally in the first two weeks of May 2026.
About this happening:
The **StealC** and **Amadey** infostealer infrastructure was disrupted, cutting off the **C2 servers** used to control infected systems and weakening a major cybercrime supply cha...
Operation Endgame takedown of Amadey and StealC infrastructure
Law Enforcement
H score: 66
First: 24.06.2026 18:02
Last: 24.06.2026 18:02
Sources 1
How related:
A coordinated law enforcement operation, in partnership with private sector companies, including Bitdefender, Bitsight, ESET, and Microsoft, has resulted in the takedown of criminal infrastructure powering Amadey and StealC.
About this happening:
An **international law-enforcement takedown** under **Operation Endgame** disrupted shared infrastructure used by **StealC** and **Amadey**, with **around 50 domains** and **nearl...
Amadey and StealC shared-infrastructure malware activity
Malware Activity
H score: 66
First: 24.06.2026 18:02
Last: 24.06.2026 18:02
Sources 1
About this happening:
The **Amadey** loader and **StealC** infostealer are being linked through shared **C&C infrastructure**, making the pair easier to coordinate and disrupt. **Amadey** helps attacke...
Windows cryptocurrency clipper malware using USB LNK worming and Tor C2
Malware Activity
H score: 29
First: 18.06.2026 17:30
Last: 18.06.2026 17:30
Sources 1
About this happening:
A **Windows-based cryptocurrency clipper** has been active since **February 2026**, using **USB-delivered LNK** worming to steal wallet data and reroute payments. The malware adds...
Ghost Networks crypto-clipper promotion campaign
Campaign
H score: 15
First: 17.06.2026 21:14
Last: 17.06.2026 21:14
Sources 1
About this happening:
**Unknown threat actor** is running an **active June 2026** campaign that fakes legitimacy to distribute a **Rust-based clipboard hijacker**. The operation uses **bogus GitHub sta...
Timeline
24.06.2026 18:59 · 1 article
Amadey and StealC MaaS ecosystem and affiliate model
Initial Disclosure: The **Amadey** and **StealC** ecosystems are marketed as **MaaS** products, giving buyers ready-made access to malware for payload delivery and sensitive-data theft. Their affiliate model lowers the barrier to launching commodity cybercrime and supports repeated infrastructure rotation.
Sources:
- Amadey and StealC Malware Network Disrupted, 27M Stolen Credentials Recovered — thehackernews.com — 24.06.2026 18:59
24.06.2026 18:59 · 1 article
Operation Endgame dismantles Amadey and StealC infrastructure
Legal Policy Action Update: On June 19, 2026, Operation Endgame dismantled Amadey and StealC infrastructure in a coordinated law enforcement action with private-sector partners, removing 326 servers and 142 domains, recovering 27 million stolen login credentials, and flagging more than $47 million in criminal crypto assets.
Sources:
- Amadey and StealC Malware Network Disrupted, 27M Stolen Credentials Recovered — thehackernews.com — 24.06.2026 18:59