HomeIntelligenceBrief
BREACH BRIEF🟠 High ThreatIntel

Europol Disrupts StealC and Amadey Malware Infrastructure in Operation Endgame

Europol and international partners seized hundreds of servers and domains used by StealC, Amadey and SocGholish, recovering 27 million stolen credentials and taking down nearly 15 k compromised WordPress sites. The takedown highlights why SOC 2‑aligned access‑control and security‑awareness programs are essential for audit readiness.

LiveThreat™ Intelligence · 📅 June 25, 2026· 📰 securityaffairs.com
🟠
Severity
High
TI
Type
ThreatIntel
🎯
Confidence
High
🏢
Affected
2 sector(s)
Actions
3 recommended
📰
Source
securityaffairs.com

Europol Disrupts StealC and Amadey Malware Infrastructure in Operation Endgame

What Happened — Europol, together with law‑enforcement agencies from six countries and dozens of private security firms, dismantled the hosting infrastructure behind the StealC, Amadey and SocGholish malware families. In a two‑week effort the operation seized 326 servers, 142 domains, recovered 27 million stolen login credentials and shut down 14,971 compromised WordPress sites that were being used to deliver fake‑update prompts and phishing‑driven payloads.

Why It Matters for Compliance & Audit Readiness

  • The incident illustrates how weak web‑application controls and untrained users become the “assembly line” for ransomware, fraud and credential theft – exactly the scenario SOC 2 CC 6.1 (Logical Access) and CC 7.1 (Security Awareness) are designed to prevent and evidence.
  • Continuous monitoring of third‑party hosting environments and proof of remediation (e.g., patched WordPress installations) provide audit‑ready evidence that the organization is actively managing its attack surface.
  • Recovering 27 M stolen credentials underscores the need for robust credential‑management policies, MFA enforcement and regular security‑awareness testing to satisfy SOC 2 CC 6.2 (Authentication) and related controls.

Who Is Affected — Small‑to‑medium businesses that run WordPress sites (restaurants, auto‑repair shops, local retailers), critical‑infrastructure operators that were targeted downstream, and any organization whose employees fell for phishing‑based dropper campaigns.

Recommended Actions

  • Map the incident to SOC 2 access‑control and security‑awareness criteria; update your control inventory to include web‑application hardening and phishing‑simulation programs.
  • Deploy continuous vulnerability scanning for all public‑facing CMS platforms and enforce timely patching.
  • Institute mandatory security‑awareness training that covers fake‑update scams and credential‑theft techniques; validate completion with audit‑ready evidence.

Technical Notes — The malware chain began with compromised WordPress sites (misconfiguration/vulnerable plugins) that displayed bogus browser‑update dialogs (SocGholish). Amadey operated as a paid dropper delivered via phishing emails, while StealC acted as a credential‑harvesting layer, exfiltrating passwords, stored credentials and clipboard data. No new CVEs were disclosed, but the operation highlighted the abuse of existing WordPress vulnerabilities and social‑engineering tactics.

Source: Security Affairs

📰 Original Source
https://securityaffairs.com/194173/cyber-crime/europol-disrupts-stealc-and-amadey-malware-infrastructure-in-operation-endgame.html

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · Security Awareness

Phishing and social engineering are a people-and-policy problem.

The Verisq AI Trust Operations platform pairs Security Awareness Training with policy adoption tracking, so human-risk controls are documented and audit-ready.

Explore the Verisq AI Trust Operations platform →