StealC Historical Bot Infection Special Report

June 25, 2026

Last week we wrote about new activity by our international Law Enforcement and private sector partners in Operation Endgame – the largest international operation ever undertaken to combat cyber crime enablers globally. The first part of that action to go public was the successful disruption of the SocGholish malware framework, which resulted in Shadowserver running a one-off SocGholish Compromised WordPress Sites Special Report on 2026-06-18 that shared remediation data about ~1.4 million compromised legitimate WordPress sites with National CSIRTs (nCSIRTs) and network owners worldwide.

Yesterday (2026-06-24), the next episode of “Season 3.0” of Operation Endgame was publicly announced, covering additional joint action taken by law enforcement from Canada (Royal Canadian Mounted Police – RCMP), Denmark (Danish Police – Politi), Germany (Federal Criminal Police Office – BKA), the Netherlands (National High Tech Crime Unit – NHCTU), the United Kingdom (National Crime Agency – NCA), and the United States (Federal Bureau of Investigation – FBI), plus private partners including Microsoft, The Shadowserver Foundation, the Registrar of Last Resort (RoLR), Bitsight, ESET, IBM X-Force, Proofpoint, Infoblox, NorthWave, Bitdefender, Have I Been Pwned (HIBP) and Spamhaus. International activity was coordinated by Europol and Eurojust.

The goal of this combined action was to disrupt the “assembly lines” cyber criminals use to launch ransomware, financial fraud, and make attacks on critical infrastructure. In a coordinated operation during the week of 15-19th June 2026, key elements of multiple criminal infrastructures behind ransomware and malware operations such as SocGholish, Amadey, and StealC were dismantled as part of this major public-private effort.

Outcomes included:

  • 326 servers and 142 domains were simultaneously actioned by law enforcement and private sector partners
  • Cyber criminal crypto assets valued at over 41 million EUR (47 million USD) were identified, flagged, and thereby restricted from use
  • 27 million stolen login credentials were recovered as part of the operation.

Cybercrime-as-a-Service Disruption

The malware families targeted in this “season” of Operation Endgame were offered as Cybercrime-as-a-Service, enabling other cyber criminals to target victims – such as for use in deploying ransomware or exfiltrating data. They included:

  • SocGholish – a malware dropper/loader that allowed unauthorised parties to gain access to computer systems by distributing fake browser updates via compromised websites. Instead of the update, internet users inadvertently installed the malware. This approach was primarily executed by compromising legitimate WordPress sites and infecting them with malware. The unauthorised access was then exploited for further crimes, such as installing ransomware for the purpose of digital extortion. Details and data analysis were already provided last week, so they will not be repeated here.
  • StealC – information stealing malware, one of the most pervasive and impactful threats across the cyber crime ecosystem. Spread through multiple attack vectors, this was primarily designed to extract sensitive information such as passwords, stored access data and digital identities from compromised computers, and to make them available for subsequent illicit use, especially data trading and fraudulent use. This can lead to theft of corporate virtual private network (VPN) credentials, single sign-on (SSO) tokens, and session cookies that could allow an attacker to bypass multi-factor authentication (MFA).
  • Amadey – a malware dropper/loader that was mainly disseminated through phishing campaigns. It thus served as the first link in a larger attack chain and was capable of introducing additional malware into compromised systems. The malware also had information stealer capabilities and could therefore retrieve sensitive data.

A new Season 3.0 Episode 5 StealC “Grand Theft Info” video covering this latest disruption activity was added to the Operation Endgame website.

For StealC, clients of this criminal service (also called affiliates) purchase a Linux-based installer for the C2 panel, which is used to build malware samples and distribute them to steal sensitive data from victims. Microsoft and partners used a mix of civil court orders, domain seizures, registrations, and provider notifications to primarily tackle StealC’s US Command and Control (C2) domains. In parallel, Shadowserver and the Registrar of Last Resort (RoLR) worked with our international Law Enforcement partners to seize and sinkhole other non-US StealC C2 domains.

For more technical details about how these infostealers operated, and how to defend against them, see Microsoft’s comprehensive write-up and their Digital Crimes Unit Assistant General Counsel Steven Masada’s post about how Microsoft scaled their disruption approach using AI. Microsoft’s “John Doe” civil court orders are available here. For details of other private industry partners supporting technical activities, see the supporting StealC blog posts by IBM XForce and ProofPoint.

New StealC Historical Bot Infections Special Report

As part of this disruption operation, overnight (2026-06-24) we ran a new one-off StealC Historical Bot Infection Special Report. The purpose is to notify system owners and nCSIRTs if a computer has been infected with the StealC information stealer malware, so they can change their stolen credentials and reduce their risk of data loss. Technical details about the content of that report and sample data can be found here.

If you have received a StealC Historical Bot Infections Special Report from Shadowserver, and you need more information, please contact us, and we can provide more details or put you in touch with the Law Enforcement investigating officers if required.

StealC Historical Bot Infections – Data Analysis

Our new one-off StealC Historical Bot Infections Special Report contained information provided by the Dutch National High Tech Crime Unit (NHTCU) covering the period between 4th July 2025 and 16th June 2026. The Special Report covered 29,475,727 individual StealC information stealer events corresponding to 9,886,903 unique logins and 9,624,328 unique password hashes associated with 5,787,992 unique URLs, stolen from 352,906 Windows computer names belonging to 384,781 different hardware device IDs with 364,057 unique victim IP addresses, which were spread across 16,477 different Autonomous System Numbers (ASNs) in 231 countries or territories globally.


The world maps below show the total number of IP-geolocated StealC Historical Bot Infections per country. Note that a relatively small number of IP addresses (6,967 of 364,425) do not IP-geolocate to a country, so the displayed number is slightly lower than the actual total:

(StealC Historical Bot Infections per country – linear scale)

(StealC Historical Bot Infections per country – logarithmic scale)

Looking at the data in a different way, the tree map below shows the relative ratio of StealC Historical Bot Infections:

(IP-geolocated StealC Historical Bot Infections)

Data for credentials stolen by StealC usually contain a URL field (the website a set of credentials is associated with), a login field for that website (which could be a user name such as “johndoe”, an email address such as “john.doe@gmail.com”, or some other identifier such as a telephone number or numeric ID number) and a password field. Focusing only on logins with the format somestring@some.domain, which are therefore more likely to be an email address, it is clear that major email service providers are the top sources of domains for those email addresses (potentially suggesting compromised personal rather than business email addresses). There is then a very long tail with a lower number of compromised accounts per domain for a large number of different domains, including many individual business, education and government entities.

We can visualize the relative ratios of stolen credentials across users of different email services. Looking at the top 100 associated domains for those compromised email addresses (ensuring that any domains for individual non-email service provider victim organisations are labelled as REDACTED) as a treemap it is clear that the major service providers dominate:

(Top 100 StealC Historical Bot Infections domains from email-like logins)

The graph below shows more detail, with counts for each of the top 100 domains (note – there are multiple probable typo variations of gmail included in the data, highlighting that infostealer data can often be relatively noisy and error prone – for both cyber criminal actors and data analysts):

(Top 100 StealC Historical Bot Infections domains from email-like logins – logarithmic scale)
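The domain analysis described above (filtering logins of the form somestring@some.domain, counting per domain, redacting non-provider victim domains, and spotting gmail-style typo variants), as an added example that is not part of the original report or Shadowserver's tooling. The provider list, the edit-distance threshold and the sample records are assumptions constructed for illustration.

```python
import re
from collections import Counter

EMAIL_RE = re.compile(r"^[^@\s]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})$")
# Provider domains reported by name (hypothetical list); all others are REDACTED.
PROVIDERS = ("gmail.com", "outlook.com", "hotmail.com", "yahoo.com")

def edit_distance(a, b):
    """Levenshtein distance, used to spot probable typos of a provider domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def login_domain(login):
    """Lower-cased domain of an email-like login (somestring@some.domain), else None."""
    m = EMAIL_RE.match(login.strip())
    return m.group(1).lower() if m else None

def label(domain, max_typo_distance=2):
    """Provider name, 'probable typo of <provider>' for near-misses, else REDACTED."""
    if domain in PROVIDERS:
        return domain
    best = min(PROVIDERS, key=lambda p: edit_distance(domain, p))
    if edit_distance(domain, best) <= max_typo_distance:
        return f"probable typo of {best}"
    return "REDACTED"

def summarize(records):
    """Count email-like logins per labelled domain; records are (url, login, password)."""
    out = Counter()
    for _url, login, _password in records:
        dom = login_domain(login)
        if dom:
            out[label(dom)] += 1
    return out

# Constructed sample records (url, login, password), not real stealer data.
SAMPLE = [
    ("https://shop.example/login", "john.doe@gmail.com", "pw1"),
    ("https://mail.example/", "JANE@GMAIL.COM", "pw2"),
    ("https://bank.example/", "jdoe@gmial.com", "pw3"),
    ("https://vpn.acme-corp.example/", "j.doe@acme-corp.example", "pw4"),
    ("https://forum.example/", "johndoe", "pw5"),
]
```

Non-email logins such as user names are dropped before counting, and a small edit-distance threshold can mislabel legitimately short domains, so the typo tag is a hint for analysts rather than a verdict.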

The IP-geolocated locations of each StealC Historical Bot Infection can be displayed on heat maps (note that since there can be multiple malware installations active on/behind a single IP address, these visualizations show unique geolocated IP addresses and may, therefore, under-represent the actual distribution globally). They are shown first for the entire world during the period between 4th July 2025 and 16th June 2026, and then by region:

(IP-geolocated StealC Historical Bot Infections – Worldwide)

(IP-geolocated StealC Historical Bot Infections – Europe)

(IP-geolocated StealC Historical Bot Infections – North America)

(IP-geolocated StealC Historical Bot Infections – South America)

(IP-geolocated StealC Historical Bot Infections – East Asia)

(IP-geolocated StealC Historical Bot Infections – Africa)

(IP-geolocated StealC Historical Bot Infections – UK/Europe)

(IP-geolocated StealC Historical Bot Infections – Scandinavia)

(IP-geolocated StealC Historical Bot Infections – USA)

(IP-geolocated StealC Historical Bot Infections – Canada)

(IP-geolocated StealC Historical Bot Infections – Central America)

(IP-geolocated StealC Historical Bot Infections – Middle East)

(IP-geolocated StealC Historical Bot Infections – North Africa)

(IP-geolocated StealC Historical Bot Infections – India)

(IP-geolocated StealC Historical Bot Infections – China)

(IP-geolocated StealC Historical Bot Infections – Japan/Korea)

(IP-geolocated StealC Historical Bot Infections – Australia/New Zealand)

If you have any questions, please contact us, although there may be limitations on what information can be shared at this time due to the ongoing LE investigations.

This activity is another great example of the success that can be achieved in public/private partnerships when sustainable non-profit funding is available. Thank you to the UK Foreign, Commonwealth and Development Office (FCDO) and UK Integrated Security Fund (ISF) for supporting The Shadowserver Foundation’s public benefit mission in UK FY25-26, thereby enabling us to provide free support to our international Law Enforcement partners on another successful cyber crime disruption operation.
