Microsoft and Europol disrupt Amadey and StealC malware infrastructure

AI compressed days of malware analysis into minutes, enabling faster identification of criminal links.

Microsoft disrupted over 200 criminal servers by targeting two malware tools at once, with AI used to speed up the analysis that linked them.

Microsoft has disrupted more than 200 command-and-control servers linked to Amadey and StealC, two widely used cybercrime tools that support credential theft, fraud and ransomware attacks.

The company’s Digital Crimes Unit said the action targeted the shared infrastructure behind the two tools rather than treating them as separate threats. In the first two weeks of May, Amadey and StealC were linked to more than 140,000 infected computers worldwide.

Amadey is often used to gain access to devices, while StealC is used to steal passwords and sensitive information. Microsoft said the tools form part of a wider cybercrime supply chain in which specialised malware services help attackers turn initial access into fraud, ransomware, espionage or other operations.

Microsoft said investigators used AI, including Copilot, to analyse malware and identify connections between the two tools more quickly. The company said the analysis helped its legal team treat both malware families as part of a single conspiracy under the US Racketeer Influenced and Corrupt Organizations Act.

The action was carried out with Europol and industry partners, including ESET, BitSight, Lumen and Mitsui Bussan Secure Directions. Europol’s European Cybercrime Centre also investigated StealC as part of Operation Endgame, alongside European law enforcement partners and cybersecurity companies, including IBM X-Force and Proofpoint.

Microsoft said it has identified more than 18,000 victim computers since the start of the operation and is working with telecommunications providers to help protect affected users.

The company said findings from the case will feed into its Statutory Automated Disruption programme, which accelerates the removal of malicious domains and infrastructure.

Why does it matter?

The operation reflects a shift in cybercrime disruption strategy. Instead of targeting one malware family or service at a time, Microsoft and its partners focused on the shared infrastructure that allows criminal tools to work together. That matters because modern cybercrime increasingly operates as a modular supply chain: one tool gains access, another steals credentials, and other actors monetise that access through fraud, ransomware or espionage. The use of AI to accelerate malware analysis also points to how defenders are trying to match the speed and scale of cybercriminal operations.
