Microsoft leverages AI to link two malware activities in extortion case

Over 200 C2 servers linked to StealC and Amadey shut down

Microsoft, its partners, and international law enforcement agencies used AI assistance to take down two widely used malware families and their infrastructure. Redmond describes this as a new approach to cybercrime disruption that targets the cyberattack supply chain rather than a single tool or service.

“What’s new is how we combine AI analytics with the expanded use of that law,” Steven Masada, assistant general counsel for Microsoft’s Digital Crimes Unit, said in a blog post Wednesday, referring to the Racketeer Influenced and Corrupt Organizations Act (RICO). Microsoft has typically used RICO and other U.S. laws to bring legal action against a single cybercriminal service or piece of infrastructure.

The disruption included the removal, suspension, and blocking of over 200 domains and command-and-control (C2) servers that formed the backbone of the StealC and Amadey infrastructure. Several security companies were also involved in dismantling the alleged operation, including ESET, BitSight, Mitsui Bussan Secure Directions (MBSD), IBM X-Force, and Proofpoint.

Combined with the SocGholish disruption announced last week, the actions of the Europol-led law enforcement coalition flagged and restricted more than $47 million worth of cryptocurrency assets and recovered approximately 27 million stolen credentials.

StealC and Amadey are two separate pieces of malware developed by different criminal groups, but they shared the same infrastructure and were used together.

StealC harvests credentials and cookies from multiple browsers, cryptocurrency wallets, chats from messaging apps, and other sensitive data, and exfiltrates the stolen data to its C2 servers. It also acts as a secondary loader, allowing criminals who rent the stealer to download additional malware onto a compromised device.

Amadey is a malware-as-a-service loader used to deliver StealC and other stealers, as well as other types of malware such as remote access Trojans, cryptominers, and ransomware.

According to Microsoft, in the first two weeks of May alone, Amadey and StealC were linked to more than 140,000 infected computers worldwide.

“It’s no longer enough to hunt down threats one by one,” Masada said. “We need to disrupt the way attacks are built.”

In this case, Redmond investigators used Copilot and other AI tools to analyze both the malware and its infrastructure, and “asked questions in plain English rather than manually sifting through complex code,” Masada wrote. “This allows us to uncover critical details, reveal hidden data, and test results in a fraction of the time, reducing hours or days to minutes and helping our teams identify connections faster.”

One important detail is that both Amadey and StealC used the same infrastructure. This allowed Redmond’s legal team to treat both pieces of malware as part of a single conspiracy under RICO and file civil lawsuits against the five defendants allegedly involved in both operations.
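The infrastructure overlap Microsoft relied on is something any analyst can reproduce from indicator data: normalize each family's observed C2 indicators (URLs, host:port pairs, bare domains or IPs) to a canonical host, then look for hosts that appear under more than one family. The script below is an added example and not Microsoft's tooling; the sightings are constructed, using RFC 5737 addresses and `.invalid` names rather than real StealC or Amadey indicators.

```python
"""Pivot on shared C2 hosts to link two malware families (added example)."""
from collections import defaultdict
from urllib.parse import urlparse
import ipaddress

# Constructed sample sightings of (family, indicator). Hosts are RFC 5737 /
# .invalid placeholders, NOT real StealC or Amadey C2 infrastructure.
SIGHTINGS = [
    ("StealC", "http://198.51.100.7:8080/gate.php"),
    ("StealC", "https://panel.example.invalid/api"),
    ("StealC", "203.0.113.21"),
    ("Amadey", "198.51.100.7/Loader/index.php"),
    ("Amadey", "PANEL.example.invalid:443"),
    ("Amadey", "http://loader.example.invalid/"),
]


def host_of(indicator: str) -> str:
    """Normalize a URL, host:port, domain or IP string to a lowercase host.

    Case, scheme, port and path differences are exactly what makes naive
    string matching miss that two indicators point at the same server.
    """
    s = indicator.strip()
    if "://" not in s:
        s = "//" + s  # make urlparse treat the leading part as a netloc
    host = urlparse(s).hostname  # already lowercased, port stripped
    if not host:
        raise ValueError(f"no host in indicator: {indicator!r}")
    try:
        return str(ipaddress.ip_address(host))  # canonical IP spelling
    except ValueError:
        return host.rstrip(".")  # domain: drop trailing dot if present


def link_families(sightings):
    """Return {host: {families}} for hosts seen under more than one family."""
    by_host = defaultdict(set)
    for family, indicator in sightings:
        by_host[host_of(indicator)].add(family)
    return {h: fams for h, fams in by_host.items() if len(fams) > 1}


def blocklist(sightings):
    """Sorted, de-duplicated hosts across all families, ready for blocking."""
    return sorted({host_of(i) for _, i in sightings})


if __name__ == "__main__":
    for host, fams in sorted(link_families(SIGHTINGS).items()):
        print(f"{host}: shared by {', '.join(sorted(fams))}")
    print("blocklist:", blocklist(SIGHTINGS))
```

On the constructed data, two of the four hosts are shared by both families, which is the kind of overlap that justifies treating them as one operation; the remaining hosts still go into the combined block list.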

“Defendants are comprised of a group of cybercriminals operating a Malware as a Service enterprise utilizing malicious software commonly known as the Amadey Malware Suite and the StealC Malware Suite (the “MaaS Enterprise”),” court documents state. “Through the MaaS Enterprise, defendants and their accomplices victimized hundreds of thousands of innocent computer users, including many users of Microsoft software and services.” ®
