StealC You Later: Proofpoint and IBM X-Force Support Operation Endgame Disruptions

Khushal

Apr 4, 2024

Key Findings: StealC You Later: Proofpoint and IBM X-Force Support Operation Endgame Disruptions | Proofpoint US

  • Proofpoint and IBM X-Force supported a joint disruption as part of Operation Endgame, targeting the StealC ecosystem, a prominent information stealer.
  • The operation was coordinated by Europol, and impacted 66 domains and 296 servers associated with both Amadey and StealC. More than 25.6 million unique credentials stolen from over 385k compromised systems were seized.
  • A vulnerability in the StealC command and control panel discovered by researchers was used by law enforcement to support the operation.
  • Proofpoint and IBM X-Force threat researchers developed a StealC emulator to identify and track operations, infrastructure, and payloads.
  • In keeping with previous operations, a video was published on the Operation Endgame website.

Participating countries and agencies in the action week against the three botnets:

  • Canada: Royal Canadian Mounted Police (RCMP)
  • Denmark: Danish Police (Politi)
  • Germany: Federal Criminal Police Office (BKA)
  • Netherlands: National High Tech Crime Unit (NHCTU)
  • United Kingdom: National Crime Agency (NCA)
  • United States
  • Europol
  • Eurojust
  • Private Partners: Microsoft, the Shadowserver Foundation, Registrar of Last Resort (RoLR), Proofpoint, IBM X-Force, Infoblox, NorthWave, Orange Cyberdefense, Bitdefender, Have I Been Pwned (HIBP), Spamhaus
This is worth reading because it highlights a fairly rare outcome: a coordinated disruption that hit both malware infrastructure (domains/servers) and an operational weakness (the StealC panel vulnerability), with support from multiple public and private partners.

What this means in practice
  • Disruptions like this can significantly reduce a stealer’s effectiveness in the short term (C2 downtime, infrastructure seizures, and operator friction).
  • It does not automatically mean StealC/Amadey are “gone.” Ecosystems often recover via new domains, new hosting, or revised panels/builds.
  • If the claim about seized credentials is accurate, the biggest real-world impact is on credential security: stolen logins don’t “expire” just because infrastructure was disrupted.

Recommended actions for regular users
  • Prioritize password changes for important accounts (email, banking, primary social accounts), and do it from a known-clean device.
  • Enable MFA where possible (authenticator app or hardware key preferred over SMS when available).
  • Revoke active sessions / “log out of all devices” in major services after changing the password.
  • Check if your email appears in known breaches via HIBP, but treat it only as one signal (absence there does not guarantee safety).
  • Run a full scan with a reputable AV, and consider a second-opinion scan if you suspect an infostealer incident. If there are strong compromise signs, a full OS reinstall is often the safest route.

Recommended actions for admins / orgs
  • Force password resets and session revocation for high-risk groups (especially users with browser-saved passwords).
  • Hunt for infostealer TTPs and common post-compromise behaviors (new OAuth tokens, unusual logins, mass cookie/session abuse).
  • Review logs for suspicious authentication patterns and apply conditional access where available.
  • Assume “credential + session token” theft is possible, not just passwords.
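The last three points (hunt for session abuse, review authentication patterns, assume tokens as well as passwords were taken) can be turned into concrete detection logic. The block below is an added example, not code from this post or from Proofpoint/IBM X-Force: it runs two hunts over constructed sign-in log lines in an assumed JSON format (the `ts`/`user`/`session`/`ip`/`ua`/`event` fields are my own invention, not any vendor's schema). Rule one flags a session token presented from a client fingerprint other than the one that created it, which is what a cookie exported by a stealer and replayed from the attacker's browser looks like. Rule two flags a session that was created before a password reset and is still being resumed after it, i.e. a reset that did not revoke existing sessions.

```python
"""Hunt for stolen-session replay in sign-in logs.

Added example (not code from the post, Proofpoint or IBM X-Force). Stealers
such as StealC export browser cookies alongside saved passwords, so a stolen
session token lets an attacker skip the password and MFA entirely. The log
format and the SAMPLE_LOG events below are constructed for illustration.
"""
import json
from datetime import datetime

# Constructed sample: one JSON sign-in event per line, as an IdP or reverse
# proxy might emit. "session" is the session-cookie identifier.
SAMPLE_LOG = """\
{"ts":"2025-11-13T08:00:00Z","user":"alice","session":"s-1a2b","ip":"203.0.113.10","ua":"Chrome/130 Windows","event":"login_password"}
{"ts":"2025-11-13T08:05:00Z","user":"alice","session":"s-1a2b","ip":"203.0.113.10","ua":"Chrome/130 Windows","event":"session_resume"}
{"ts":"2025-11-13T09:10:00Z","user":"alice","session":"s-1a2b","ip":"198.51.100.77","ua":"Firefox/128 Linux","event":"session_resume"}
{"ts":"2025-11-13T09:30:00Z","user":"alice","session":"s-1a2b","ip":"203.0.113.10","ua":"Chrome/130 Windows","event":"password_reset"}
{"ts":"2025-11-13T09:45:00Z","user":"alice","session":"s-1a2b","ip":"198.51.100.77","ua":"Firefox/128 Linux","event":"session_resume"}
{"ts":"2025-11-13T10:00:00Z","user":"bob","session":"s-9f8e","ip":"192.0.2.5","ua":"Edge/130 Windows","event":"login_password"}
{"ts":"2025-11-13T10:20:00Z","user":"bob","session":"s-9f8e","ip":"192.0.2.5","ua":"Edge/130 Windows","event":"session_resume"}
"""


def parse_events(text):
    """Parse one JSON object per line and sort by timestamp (UTC)."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def find_session_replay(events):
    """Flag a session id used from a client fingerprint other than the one
    that created it. A changed user agent is the strong signal (a replayed
    cookie lands in the attacker's browser); an IP-only change is reported
    at low confidence because mobile roaming and VPNs produce it too."""
    origin = {}  # session id -> (ip, ua) seen at the password login
    findings = []
    for ev in events:
        sid = ev.get("session")
        if not sid:
            continue
        fingerprint = (ev["ip"], ev["ua"])
        if ev["event"] == "login_password":
            origin[sid] = fingerprint
            continue
        if sid in origin and origin[sid] != fingerprint:
            findings.append({
                "user": ev["user"], "session": sid, "ts": ev["ts"].isoformat(),
                "ip": ev["ip"], "ua": ev["ua"],
                "origin_ip": origin[sid][0], "origin_ua": origin[sid][1],
                "confidence": "high" if origin[sid][1] != ev["ua"] else "low",
            })
    return findings


def find_post_reset_reuse(events):
    """Flag a session created before the user's password reset that is still
    resumed after it: the reset did not revoke existing sessions, so a token
    stolen earlier keeps working."""
    session_start = {}  # session id -> login timestamp
    last_reset = {}     # user -> most recent password_reset timestamp
    findings = []
    for ev in events:
        if ev["event"] == "login_password":
            session_start[ev["session"]] = ev["ts"]
        elif ev["event"] == "password_reset":
            last_reset[ev["user"]] = ev["ts"]
        elif ev["event"] == "session_resume":
            started = session_start.get(ev.get("session"))
            reset = last_reset.get(ev["user"])
            if started and reset and started < reset < ev["ts"]:
                findings.append({
                    "user": ev["user"], "session": ev["session"],
                    "ts": ev["ts"].isoformat(), "ip": ev["ip"],
                    "session_started": started.isoformat(),
                    "reset_at": reset.isoformat(),
                })
    return findings


def hunt(log_text):
    """Run both hunts over raw log text; returns findings keyed by rule."""
    events = parse_events(log_text)
    return {
        "session_replay": find_session_replay(events),
        "post_reset_reuse": find_post_reset_reuse(events),
    }


if __name__ == "__main__":
    for rule, hits in hunt(SAMPLE_LOG).items():
        for hit in hits:
            print(rule, json.dumps(hit))
```

On the constructed sample the replay rule fires twice for alice's session (both resumes from the Firefox/Linux client), and the post-reset rule fires once, for the resume at 09:45 that followed her 09:30 reset. Bob's session never changes fingerprint and is not reported. In a real deployment the events would come from the identity provider's audit log rather than a file, and the IP-only branch should be tuned against your own baseline (corporate VPN egress, mobile carriers) before it pages anyone.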

Bottom line
The disruption is good news, but the defensive takeaway remains the same: protect accounts as if credentials may already be exposed, and treat any suspected infostealer event as a full credential hygiene and system integrity problem—not just “remove the malware and move on.”
