StealC and Amadey Threats: Microsoft Disrupts C2
Summary
Microsoft detailed how the StealC infostealer and Amadey malware loader fuel credential theft, account takeover, and downstream ransomware attacks. The company also announced a coordinated disruption with Europol and partners to take down more than 200 related command-and-control domains and IPs, giving defenders new insight into how these threats operate and how to respond.
Introduction
Microsoft has published new research on StealC and Amadey, two malware services that play a major role in today’s infostealer economy. This matters to security teams because these threats often begin on unmanaged or personal devices, then lead to enterprise compromise through stolen credentials, session cookies, and tokens.
What’s new
Microsoft breaks down the StealC and Amadey ecosystem
- StealC is an infostealer sold as a malware-as-a-service offering.
- It targets browser credentials, cookies, session tokens, crypto wallets, messaging apps, and email clients.
- Amadey acts as a malware loader that delivers StealC and other payloads on demand.
- Microsoft warns that this modular, pay-as-you-go model helps attackers move quickly from initial infection to broader compromise.
Coordinated disruption of attacker infrastructure
On June 24, 2026, Microsoft’s Digital Crimes Unit, working with Europol and industry partners, announced disruption activity against the infrastructure behind StealC and Amadey.
Key results include:
- Identification of more than 200 malicious domains and IPs
- Takedowns, suspensions, and blocking of command-and-control servers
- Use of court orders, domain seizures, registrations, and provider notifications
Microsoft also said it used Copilot-assisted analysis to speed malware investigation, including string decryption, config extraction, and C2 identification.
Why this matters for defenders
Infostealers are especially dangerous because they can turn a consumer-device infection into an enterprise incident. Attackers may steal:
- VPN credentials
- SSO tokens
- Session cookies
- Cloud and email account access
That can allow threat actors to authenticate with what appears to be valid user activity, sometimes even bypassing MFA through stolen session data. Microsoft notes that organizations often detect the breach only after ransomware deployment, fraud, or large-scale data exfiltration begins.
Common delivery methods to watch
Microsoft highlighted several common delivery paths:
- SEO poisoning and malvertising for fake software downloads
- ClickFix social engineering that tricks users into running commands themselves
- Phishing emails
- Other malware loaders, including Amadey
Recommended next steps
Security teams should review protections around identity and unmanaged-device risk:
- Strengthen credential hygiene and monitor for token theft
- Enforce conditional access and sign-in risk policies where possible
- Investigate suspicious use of valid credentials from unusual devices or locations
- Educate users about fake software downloads, ClickFix lures, and phishing
- Review Microsoft Defender detections and indicators of compromise from the source guidance
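As an added example, not Microsoft's code or part of the original article, the small detector below applies the "suspicious use of valid credentials from unusual devices or locations" check to constructed sign-in events: it flags a session token that is presented from a different device or country shortly after a legitimate use, which is the replay pattern that lets a stolen session cookie sidestep MFA. The event field names and the one-hour window are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample sign-in events (not from Microsoft's report): an
# infostealer victim's session cookie is replayed from a second device.
SAMPLE_EVENTS = [
    {"time": "2026-06-24T09:00:00", "user": "alice", "session": "S1",
     "device": "alice-laptop", "ip": "203.0.113.10", "country": "US"},
    {"time": "2026-06-24T09:05:00", "user": "alice", "session": "S1",
     "device": "alice-laptop", "ip": "203.0.113.10", "country": "US"},
    # same session cookie, different device and country, minutes later
    {"time": "2026-06-24T09:20:00", "user": "alice", "session": "S1",
     "device": "unknown-win10", "ip": "198.51.100.7", "country": "NL"},
    {"time": "2026-06-24T10:00:00", "user": "bob", "session": "S2",
     "device": "bob-desktop", "ip": "203.0.113.22", "country": "US"},
    # bob's session legitimately reused from the same device a day later
    {"time": "2026-06-25T10:00:00", "user": "bob", "session": "S2",
     "device": "bob-desktop", "ip": "203.0.113.22", "country": "US"},
]

def find_session_reuse(events, window=timedelta(hours=1)):
    """Flag sessions whose token is presented from a different device or
    country within `window` of an earlier use. A replayed session cookie
    never re-runs MFA, so this pattern is a strong token-theft indicator."""
    by_session = {}   # session id -> list of (time, (device, country))
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        fp = (ev["device"], ev["country"])
        seen = by_session.setdefault(ev["session"], [])
        for prev_t, prev_fp in seen:
            if prev_fp != fp and t - prev_t <= window:
                alerts.append({
                    "user": ev["user"], "session": ev["session"],
                    "first_seen": prev_fp, "now": fp,
                    "minutes_apart": (t - prev_t).total_seconds() / 60,
                })
                break   # one alert per offending event is enough
        seen.append((t, fp))
    return alerts

if __name__ == "__main__":
    for a in find_session_reuse(SAMPLE_EVENTS):
        print(f"ALERT {a['user']} session {a['session']}: "
              f"{a['first_seen']} -> {a['now']} in {a['minutes_apart']:.0f} min")
```

In a real deployment the same logic runs over identity-provider sign-in logs, and the device fingerprint should use whatever stable device identifier the provider records rather than a free-text name.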
The key takeaway is clear: infostealers are no longer just an endpoint problem. They are an identity and enterprise access problem that requires fast detection and layered defenses.