Law enforcement just disrupted infrastructure behind Amadey and StealC malware operations — 326 servers, 142 domains, and evidence of 140,000 infected devices in just the first two weeks of May 2026. Investigators recovered 27 million stolen credentials from over 385,000 compromised systems.
Operation Endgame represents significant international coordination. It matters. It creates friction for the threat actors. But it doesn’t solve the underlying problem: organizations are still getting infected at scale.
Why These Malware Families Keep Working
Amadey is a loader. Threat actors use it to establish an initial foothold on victim devices, then deploy additional malware — often ransomware. StealC is an infostealer that harvests credentials, cryptocurrency wallets, and sensitive data. Stolen credentials get sold on underground marketplaces and used by initial-access brokers to enable ransomware attacks.
Both are sold as malware-as-a-service. Affiliates pay for access to malware builders, management panels, support, and infrastructure, so when law enforcement takes the infrastructure down, the operators simply rebuild it. The source article says this directly: “Unless arrests are made in the operations, the threat actors commonly rebuild infrastructure to launch new attacks.”
The reason these families keep working is not a novel exploit. Commodity loaders and stealers depend on the same step every time: the delivered payload has to be written to disk on the Windows endpoint before it can run. The lures, packers, and command-and-control domains change with every rebuild; that write does not.
That write operation is where you stop them.
How FileSure Blocks Malware at the Delivery Stage
FileSure operates at the Windows kernel level via a filter driver that intercepts file system operations before they complete. When a browser, email client, or remote access tool attempts to write an executable file to disk, FileSure evaluates the operation against your policy rules.
Here is a rule configuration that blocks the delivery step both Amadey and StealC depend on, an unauthorized program writing an executable file to disk:
File name filter: *.exe, *.dll, *.vbs, *.wsh, *.scr
Operations: Create, Write
Drive type: Hard drives, Network drives, Removable drives
Program name filter: Exclude authorized software deployment tools (SCCM, PDQ Deploy, etc.)
Result: Block all other programs from writing executable files
When a user clicks a malicious link or opens a weaponized attachment, the dropped payload attempts to write itself to disk. FileSure intercepts that write, the file never lands, and the payload never executes: no persistence, no credential theft, no lateral movement, no ransomware deployment. Two details matter when you build the rule. Droppers often write the payload under a neutral name such as update.tmp and rename it afterwards, so the rule has to cover renames into a filtered extension, not just creates and writes. And exclude authorized deployers by their full, protected install path rather than by bare file name, otherwise a dropper saved as ccmexec.exe inside a user profile would inherit the exemption.
This works on malware variants nobody has seen before, because it doesn’t rely on recognizing the threat. It controls what’s allowed to happen to your files.
The source article notes that StealC has been widely distributed through ClickFix campaigns, including fake instructional videos on TikTok and similar social-engineering lures. ClickFix tricks the user into pasting a command into the Run dialog or a terminal; that command typically launches PowerShell or mshta, which then fetches and writes the actual payload. FileSure does not care that the user was tricked: if the process writing an executable is not on the authorized list, the write is blocked. Because the first stage is a script interpreter, extend the name filter beyond the list above to the script and installer types these campaigns drop (.js, .jse, .wsf, .hta, .ps1, .bat, .cmd, .msi), and treat any stage that runs purely in memory as outside the scope of a file-write rule.
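To make the rule's logic concrete, here is an added example that mirrors the policy above in plain Python and runs it over a handful of constructed file operations. It is not FileSure code and does not use FileSure's rule syntax; the allow-listed deployer paths, the process and file paths, and the operation records are all assumptions built for the example. It shows the three practitioner checks discussed above: renames into a filtered extension are caught, a dropper that borrows an authorized tool's file name but not its install path is still blocked, and an .hta drop slips through the original five-extension list.

```python
"""Policy check mirroring the "block executable writes unless the writer is an
authorized deployment tool" rule, run over constructed file operations.
Added illustration: not FileSure code, not FileSure rule syntax. The paths and
tool names in the allow-list are assumptions made for this example."""
from dataclasses import dataclass
from fnmatch import fnmatch

# File-name patterns the rule in the text treats as executable content.
EXECUTABLE_PATTERNS = ("*.exe", "*.dll", "*.vbs", "*.wsh", "*.scr")

# Operations and drive types the rule covers. Rename is included deliberately:
# droppers often write "update.tmp" and then rename it to "update.exe".
COVERED_OPERATIONS = {"create", "write", "rename"}
COVERED_DRIVES = {"hard", "network", "removable"}

# Authorized writers, allow-listed by full image path (lower-cased) rather than
# by bare file name, so a dropper saved as "ccmexec.exe" under a user profile
# does not inherit the exemption. Both paths are assumptions for the example.
AUTHORIZED_WRITERS = {
    r"c:\windows\ccm\ccmexec.exe",                         # SCCM agent (assumed)
    r"c:\program files\pdq deploy\pdqdeployrunner.exe",    # PDQ Deploy (assumed)
}


@dataclass(frozen=True)
class FileOp:
    label: str        # short description used in the report
    operation: str    # "create", "write", "rename", "read", ...
    image: str        # full path of the process performing the operation
    target: str       # destination path (for rename, the new name)
    drive_type: str   # "hard", "network", or "removable"


def is_executable_name(path: str) -> bool:
    """True when the file name matches one of the policy's executable patterns."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return any(fnmatch(name, pattern) for pattern in EXECUTABLE_PATTERNS)


def evaluate(op: FileOp) -> str:
    """Return "allow" or "block" for one file operation under the policy."""
    if op.operation not in COVERED_OPERATIONS:
        return "allow"           # the rule only governs create/write/rename
    if op.drive_type not in COVERED_DRIVES:
        return "allow"
    if not is_executable_name(op.target):
        return "allow"           # non-executable names are out of scope
    if op.image.lower() in AUTHORIZED_WRITERS:
        return "allow"           # authorized deployment tool, matched by full path
    return "block"


# Constructed sample operations (not real telemetry) that exercise the rule.
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
SAMPLE_OPS = [
    FileOp("browser drops exe", "create", CHROME,
           r"C:\Users\alice\Downloads\update.exe", "hard"),
    FileOp("sccm deploys exe", "write", r"C:\Windows\CCM\CcmExec.exe",
           r"C:\Windows\ccmcache\a1\setup.exe", "hard"),
    FileOp("browser writes tmp", "create", CHROME,
           r"C:\Users\alice\AppData\Local\Temp\update.tmp", "hard"),
    FileOp("browser renames tmp to exe", "rename", CHROME,
           r"C:\Users\alice\AppData\Local\Temp\update.exe", "hard"),
    FileOp("fake ccmexec in profile", "write",
           r"C:\Users\alice\AppData\Roaming\ccmexec.exe",
           r"C:\Users\alice\AppData\Roaming\payload.dll", "hard"),
    FileOp("browser drops hta", "create", CHROME,
           r"C:\Users\alice\Downloads\invoice.hta", "hard"),
]


def decisions(ops=SAMPLE_OPS) -> dict:
    """Map each sample operation's label to the policy decision."""
    return {op.label: evaluate(op) for op in ops}


if __name__ == "__main__":
    for label, verdict in decisions().items():
        print(f"{verdict:5}  {label}")
```

The .tmp write is allowed and only the rename is blocked, which is why a create/write-only rule leaves a gap. The fake ccmexec.exe is blocked because the allow-list compares the full image path, not the file name. The .hta drop is allowed by this pattern list, which is the argument for extending it to the script and installer types ClickFix-style campaigns use.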
The Durable Defense
Law enforcement disruptions matter. They create friction for threat actors and buy organizations time. But waiting for law enforcement to protect you is a losing strategy.
The 140,000 devices infected by Amadey and StealC in two weeks were not all unprotected. Many of them likely had antivirus or endpoint detection tools installed. Those tools struggle against this kind of threat because they depend on recognizing payloads they have already seen, and malware-as-a-service operators repack and re-release variants faster than signatures update.
FileSure stops threats by controlling what’s allowed to happen at the file system level. Amadey from this morning is blocked the same way as Amadey from five years ago. No signature update required. No waiting for your vendor to catch up.
The scumbags will rebuild the infrastructure. They always do. The question is whether your defenses depend on recognizing the next variant, or preventing the file operation that every variant requires.
Start your free 21-day trial at bystorm.com and test FileSure against your own environment. See what your existing tools are missing.
Source: Amadey, StealC malware operations disrupted in Operation Endgame action
Category: Ransomware
Tags: amadey, stealc, malware-as-a-service, infostealer, credential theft, initial access broker, kernel filter driver, file system security