Back to Intelligence

Operation Endgame: Amadey & StealC Disruption — Detection and Eradication Guide

SA
Security Arsenal Team
June 24, 2026
7 min read

In a significant coordinated effort under Operation Endgame, Microsoft, Europol, and international law enforcement partners have successfully disrupted the core command-and-control (C2) infrastructure supporting the Amadey botnet and the StealC infostealer operations. This action strikes a blow to the "cybercrime-as-a-service" ecosystem, specifically targeting those gangs leveraging encryption to obfuscate malicious traffic.

For defenders, this is a tactical victory but not the end of the engagement. While the C2 servers may be seized or sinkholed, the malware binaries residing on infected endpoints do not simply vanish. In fact, disrupted botnets often trigger "kill switches" or shift to backup infrastructure, leading to erratic behavior that defenders must detect. Furthermore, the initial access vectors—typically malspam or exploit kits—remain active. We must act now to identify and eradicate the footholds left behind by these operations.

Technical Analysis

Amadey Botnet

Amadey is a persistent, x86/x64 Windows botnet designed for information theft and loading second-stage payloads. It is often distributed via massive malspam campaigns utilizing malicious attachments or via exploit kits.

  • Persistence: Amadey typically establishes persistence by creating a Registry Run key or a Scheduled Task. The malware often copies itself to the %APPDATA% or %LOCALAPPDATA% directories using random filenames to blend in.
  • C2 Communication: It communicates with C2 servers using HTTP/HTTPS, often employing custom encryption to evade network inspection. With the Operation Endgame disruption, these beacons are likely failing or timing out, which can be detected as anomalous outbound connection failures.
  • Capabilities: Keylogging, data theft (browser cookies, autofill), and the ability to download and execute arbitrary plugins (such as StealC).

StealC Info-Stealer

StealC is a modern, C++ based infostealer frequently deployed as a payload by loaders like Amadey. It is designed to harvest sensitive data rapidly.

  • Targeted Data: StealC specifically targets browser credential files (e.g., Chrome's Login Data, Cookies), cryptocurrency wallets, and 2FA extension data.
  • Attack Chain: Once executed, StealC attempts to terminate browser processes to unlock locked database files. It then exfiltrates the data to the attacker's server.
  • Obfuscation: Like Amadey, StealC uses encryption for its C2 traffic. With the recent infrastructure takedown, exfiltration attempts are likely failing, but the theft mechanism on the local disk remains active until the process is killed.

Exploitation Status

  • Active Campaigns: Yes. While the C2 is disrupted, the initial distribution campaigns (malspam) are likely still circulating or will quickly pivot to new infrastructure.
  • CISA KEV: While this specific infrastructure takedown is a news event, the malware families themselves have been active threats for years.

Detection & Response

Despite the C2 disruption, you must hunt for the presence of these binaries on your endpoints. The following detection rules focus on the persistence mechanisms of Amadey and the specific file-access behavior of StealC.

SIGMA Rules

YAML
---
title: Amadey Botnet Persistence via Registry Run Key
id: 550d9a23-0f72-4e3a-a8c5-1d2f3b4c5d6e
status: experimental
description: Detects persistence mechanism often used by Amadey botnet creating a Run Key pointing to a suspicious path in AppData or LocalAppData.
references:
  - https://attack.mitre.org/techniques/T1547/001/
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.persistence
  - attack.t1547.001
logsource:
  category: registry_set
  product: windows
detection:
  selection:
    TargetObject|contains:
      - '\\Software\\Microsoft\\Windows\\CurrentVersion\\Run'
      - '\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce'
    Details|contains:
      - '\\AppData\\Roaming\'
      - '\\AppData\\Local\'
  filter_legit:
    Image|endswith:
      - '\\chrome.exe'
      - '\	eams.exe'
      - '\\zoom.exe'
      - '\\slack.exe'
      - '\\OneDrive.exe'
  condition: selection and not filter_legit
falsepositives:
  - Legitimate software setting auto-start parameters
level: high
---
title: StealC Info-Stealer Browser Credential Access
id: 7a3f1c82-9e4b-4d67-bc12-3e5a8f901234
status: experimental
description: Detects non-browser processes accessing Chrome 'Login Data' or 'Cookies' files, indicative of StealC or similar info-stealers.
references:
  - https://attack.mitre.org/techniques/T1005/
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.credential_access
  - attack.t1005
logsource:
  category: file_access
  product: windows
detection:
  selection:
    TargetFilename|contains:
      - '\\Google\\Chrome\\User Data\\Default\\Login Data'
      - '\\Google\\Chrome\\User Data\\Default\\Cookies'
      - '\\Google\\Chrome\\User Data\\Default\\Network\\Cookies'
  filter_browsers:
    Image|endswith:
      - '\\chrome.exe'
      - '\\msedge.exe'
      - '\brave.exe'
  condition: selection and not filter_browsers
falsepositives:
  - Backup software accessing user profiles
  - Security scanners
level: high
---
title: Amadey Suspicious Process Execution Path
id: 9b2e3d44-5f6a-4b78-9c12-4f6a0g110123
status: experimental
description: Detects execution of binaries from AppData with random filenames, a common TTP for Amadey.
references:
  - https://attack.mitre.org/techniques/T1059/001/
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.execution
  - attack.t1059.001
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|contains:
      - '\\AppData\\Roaming\'
      - '\\AppData\\Local\'
    Image|endswith: '.exe'
    Image|re: '^[A-Za-z]{8,}\\.exe$' # Matches random 8+ char filenames typical of malware
  filter:
    Image|contains:
      - '\\Microsoft\'
      - '\\Google\'
      - '\\Local\\Programs\'
  condition: selection and not filter
falsepositives:
  - Legitimate installers updating in AppData
level: medium

KQL (Microsoft Sentinel / Defender)

This query hunts for Amadey persistence and the characteristic file access patterns of StealC.

KQL — Microsoft Sentinel / Defender
// Hunt for Amadey persistence mechanisms
DeviceRegistryEvents
| where ActionType == \"RegistryValueSet\"
| where RegistryKey has @\"Software\\Microsoft\\Windows\\CurrentVersion\\Run\"
| extend FilePath = RegistryValueData
| where FilePath has @\"AppData\" 
| where not (FilePath has @\"Microsoft\" or FilePath has @\"Google\" or FilePath has @\"Office\")
| project Timestamp, DeviceName, RegistryKey, RegistryValueData, InitiatingProcessAccountName, InitiatingProcessFileName
| union (
    // Hunt for StealC accessing browser credential files
    DeviceFileEvents
    | where ActionType == \"FileAccessed\"
    | where FileName in (\"Login Data\", \"Cookies\", \"Cookies-journal\")
    | whereFolderPath contains @\"Google\\Chrome\\User Data\\Default\"
    | where not (InitiatingProcessFileName in ~(\"chrome.exe\", \"msedge.exe\", \"explorer.exe\", \"brave.exe\"))
    | project Timestamp, DeviceName, FolderPath, FileName, InitiatingProcessFileName, InitiatingProcessCommandLine
)
| order by Timestamp desc

Velociraptor VQL

Hunt for Amadey artifacts in user AppData directories and active StealC processes.

VQL — Velociraptor
-- Hunt for Amadey persistence via Run Keys
SELECT 
    Sys.Hive, 
    Sys.Path, 
    Sys.Key, 
    Sys.Name, 
    Sys.Data as PathValue, 
    Mtime
FROM read_reg_key(globs=[\"HKU\\\*\\\Software\\\Microsoft\\\Windows\\\CurrentVersion\\\Run\\\*\"])
WHERE PathValue =~ \"AppData\"
   AND NOT PathValue =~ \"Microsoft\"
   AND NOT PathValue =~ \"Google\"

UNION ALL

-- Hunt for suspicious executables in AppData Roaming
SELECT FullPath, Name, Size, Mtime, Atime
FROM glob(globs=\"C:/Users/*/AppData/Roaming/*.exe\")
WHERE Name =~ \"^[a-zA-Z]{8,}\\.exe$\"  -- Random filenames
   AND Mtime < now() - ago(24h)   -- Created recently or modified

Remediation Script (PowerShell)

Use this script to scan for and remove Amadey persistence mechanisms and kill associated processes.

PowerShell
# Amadey and StealC Remediation Script
# Requires Administrator Privileges

Write-Host \"Starting scan for Amadey and StealC artifacts...\" -ForegroundColor Cyan

# 1. Identify suspicious Run Keys pointing to AppData
$suspiciousKeys = Get-ItemProperty -Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run*\", \"HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run*\" -ErrorAction SilentlyContinue | 
    Get-Member -MemberType NoteProperty | 
    Where-Object { 
        $propName = $_.Name
        $propValue = (Get-ItemProperty $_.Definition.PSPath).$propName
        $propValue -match \"AppData\" -and 
        $propValue -notmatch \"Microsoft\" -and 
        $propValue -notmatch \"Google\" -and 
        $propValue -notmatch \"Windows\"
    }

if ($suspiciousKeys) {
    Write-Host \"Found suspicious Registry Run Keys:\" -ForegroundColor Yellow
    foreach ($key in $suspiciousKeys) {
        Write-Host \"Removing key: $($key.Name) from $($key.Definition.PSPath)\"
        Remove-ItemProperty -Path $key.Definition.PSPath -Name $key.Name -Force
    }
} else {
    Write-Host \"No suspicious Run Keys found.\" -ForegroundColor Green
}

# 2. Terminate suspicious processes in AppData
Write-Host \"Checking for active processes in AppData...\"
$processes = Get-WmiObject Win32_Process | Where-Object { 
    $_.ExecutablePath -match \"AppData\" -and 
    $_.ExecutablePath -notmatch \"Microsoft\" -and 
    $_.ExecutablePath -notmatch \"Google\" -and 
    $_.ExecutablePath -notmatch \"Programs\"
}

foreach ($proc in $processes) {
    Write-Host \"Terminating process: $($proc.Name) (PID: $($proc.ProcessId)) - Path: $($proc.ExecutablePath)\" -ForegroundColor Yellow
    Stop-Process -Id $proc.ProcessId -Force
    # Optional: Remove the file
    # Remove-Item -Path $proc.ExecutablePath -Force
}

Write-Host \"Remediation complete. Please run a full AV scan.\" -ForegroundColor Green

Remediation

  1. Isolate Infected Hosts: Identify endpoints that have generated alerts for Amadey or StealC and immediately isolate them from the network to prevent any data exfiltration or lateral movement attempts.

  2. Remove Persistence: Use the provided PowerShell script or manually inspect HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run and HKLM\\... for values pointing to executables in %APPDATA% or %LOCALAPPDATA%. Delete these registry entries.

  3. Delete Artifacts: Navigate to the file paths identified in the registry keys or KQL queries. Delete the malicious executables. Common locations include C:\Users\<username>\AppData\Roaming\ and C:\Users\<username>\AppData\Local\.

  4. Credential Reset: Since StealC harvests credentials, force a password reset for all accounts accessed from the infected machine, specifically targeting email, banking, and VPN credentials. Revoke any session tokens.

  5. Hunt for Root Cause: Investigate how the initial infection occurred. Check email logs for phishing (Amadey common vector) or web proxy logs for exploit kit activity.

  6. Block IOCs: While the C2 infrastructure is disrupted, update firewall rules to block historical Amadey and StealC indicators to prevent reconnection if actors spin up new servers.

Related Resources

Security Arsenal Red Team Services AlertMonitor Platform Book a SOC Assessment pen-testing Intel Hub

penetration-testingred-teamoffensive-securityexploitvulnerability-researchoperation-endgameamadeystealc

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action