Operation Endgame has disrupted three malware families that form the opening stages of most ransomware attacks, recovering 27 million stolen credentials from systems across the globe.

 

What happened

Europol and law enforcement agencies from Canada, Denmark, Germany, the Netherlands, the United Kingdom, and the United States have disrupted the infrastructure behind three widely used malware families, Amadey, StealC, and SocGholish, as part of the latest phase of Operation Endgame. According to BleepingComputer, the two-week operation conducted between June 15 and 19, 2026, resulted in the takedown of 326 servers and 142 domains, the identification and freezing of more than $46 million in criminal cryptocurrency, and the recovery of approximately 27 million stolen credentials harvested from over 385,000 compromised systems. Microsoft's Digital Crimes Unit identified more than 200 malicious command-and-control servers associated with Amadey and StealC and executed a simultaneous court-authorized takedown, using AI, including Microsoft Copilot, to analyze the malware and identify that both families shared infrastructure, allowing legal teams to treat them as a single conspiracy. Microsoft linked the two families to more than 140,000 infected devices in the first two weeks of May 2026 alone.

 

Going deeper

Amadey and StealC operate as complementary tools in the same attack chain. Amadey functions as a loader delivered primarily through phishing emails and malicious downloads that gain an initial foothold on a victim's device and then pull down secondary payloads. StealC is an infostealer, the payload Amadey most commonly delivers, designed to silently extract browser passwords, cookies, session tokens, cryptocurrency wallet data, and credentials from applications including Outlook, FileZilla, and ProtonVPN. Stolen credentials are then sold on underground marketplaces or to initial-access brokers, who resell network access to ransomware operators. SocGholish, the third family targeted, infects visitors to compromised websites through fake browser update prompts. During the operation, 14,971 infected websites were remediated, including restaurants and auto repair shops whose sites had been quietly hijacked as delivery infrastructure. SocGholish is linked to Evil Corp, a Russia-based cybercriminal group previously responsible for the Zeus and Dridex banking malware and associated with large-scale ransomware campaigns.

 

What was said

Europol stated in its official press release that the main goal was "to disrupt the 'assembly lines' cybercriminals use to launch ransomware, financial fraud, and attacks on critical infrastructure," adding that "by taking down these tools simultaneously, the collaboration between law enforcement and private parties has increased friction for cybercriminals, making it harder for attacks to succeed, spread, or recover." Microsoft stated in its civil complaint that "stolen credentials harvested through StealC are commonly sold on underground marketplaces and through initial-access brokers," and that those credentials "are then used by other threat actors to breach networks, steal data, and deploy ransomware."

 

In the know

Operation Endgame is a continuing enforcement campaign rather than a one-time action. According to Infosecurity Magazine, previous phases targeted DanaBot, Bumblebee, Rhadamanthys, VenomRAT, Elysium, and SmokeLoader, a progression that shows a deliberate strategy to dismantle the full cybercrime supply chain rather than individual tools. IBM contributed threat intelligence and malware analysis to the StealC disruption, and researchers from that team, together with another partner, identified a vulnerability in StealC's backend that allowed investigators to probe and disrupt active servers during the operation. The StealC developers patched the flaw in February 2026, but researchers noted the panel code contained additional security issues. Europol described Operation Endgame as the largest international operation ever conducted against ransomware-enabling infrastructure.

 

The big picture

The disruption of Amadey and StealC targets a layer of the ransomware ecosystem that healthcare organizations rarely see directly, but which directly determines their risk. When a healthcare employee's credentials are stolen by StealC after clicking a phishing email, those credentials do not immediately become a ransomware attack. They are sold, resold, and eventually purchased by a ransomware affiliate who uses them for initial access weeks or months later. By the time the ransomware deploys, the original credential theft event may be long forgotten. The 27 million credentials recovered in this operation represent 27 million potential initial-access events that no longer exist in criminal hands. According to the Verizon 2026 Data Breach Investigations Report, stolen credentials remain the second most common breach entry point after vulnerability exploitation, and healthcare organizations whose staff credentials are circulating in underground markets face ongoing intrusion risk regardless of their other security controls.

 

FAQs

What is an infostealer, and how does it end up on a healthcare device?

An infostealer is malware designed to silently copy passwords, browser cookies, and other sensitive data from an infected device and send that data to an attacker. It typically arrives through phishing emails, malicious file downloads, or compromised websites. Once installed, it runs quietly in the background and harvests credentials without the user noticing any change in their device's behavior.

 

What is an initial-access broker, and how do they connect stolen credentials to ransomware attacks?

An initial-access broker buys stolen credentials from infostealer operators and resells verified network access to ransomware affiliates. The broker validates that the credentials provide working access to a target organization's systems, then sells that access as a package. The ransomware operator never needs to conduct the credential theft themselves, they simply purchase a ready-made entry point.

 

Why does disrupting infrastructure matter if the malware developers are not arrested?

Seizing servers and domains forces operators to rebuild infrastructure from scratch, interrupting active campaigns and delaying new ones. Each rebuild costs time and money and may expose additional infrastructure to law enforcement. The disruption does not eliminate the threat permanently but raises the cost and intricacy of operations, reducing the volume of attacks that succeed during the rebuilding period.

 

What is SocGholish, and why does compromising ordinary websites make it particularly dangerous?

SocGholish infects legitimate websites and serves fake browser update prompts to visitors. Healthcare staff browsing a compromised restaurant or local business website during a lunch break can inadvertently install SocGholish on their work device. Because the infection arrives from a trusted-looking website rather than a suspicious email, it bypasses the scrutiny staff applies to unexpected messages.

 

How can healthcare organizations determine if their credentials were in the recovered dataset?

The recovered credentials have been shared with Have I Been Pwned, the breach notification service that participated in Operation Endgame. Healthcare IT teams can check organizational email domains against haveibeenpwned.com to identify whether staff credentials from their domain appear in the recovered dataset, and prompt password resets and multi-factor authentication enrollment for any matches found.