Risky Bulletin Newsletter

June 26, 2026

Risky Bulletin: Law enforcement agencies and security firms take down Amadey and StealC

Written by

Catalin Cimpanu

News Editor

This newsletter is brought to you by Trail of Bits. You can subscribe to an audio version of this newsletter as a podcast by searching for "Risky Business" in your podcatcher or subscribing via this RSS feed. You can also add the Risky Business newsletter as a Preferred Source to your Google search results by going here.

A Europol operation aimed at taking down cybercrime operations has added two new victims to its trophy wall in the Amadey malware loader and the StealC infostealer operation. (Technically three, but we already covered the SocGholish botnet takedown last week, so we're gonna pretend it's two.)

The takedown included seven law enforcement agencies (from Europol, Canada, Denmark, Germany, the Netherlands, the UK, and the US) and six security firms (Microsoft, Bitsight, ESET, IBM, Proofpoint, MBSD, and Pillsbury).

Takedown figures include 326 servers, 142 domains, and more than $47 million in illegal cryptocurrency profits.

According to Europol, the two malware operations had allegedly infected more than 140,000 computers and stolen more than 27 million credentials over their lifetime.

The two malware strains were often used together in the same campaigns. Threat actors would first deploy Amadey as an initial entry point on a PC or network, and then deploy StealC as a way to pilfer data from infected computers.

StealC was one of the many payloads Amadey's botnet deployed across its lifetime, but it's clear Amadey had a pivotal role in the underground cybercrime economy, where multiple threat actors would buy access to infected Amadey bots to deploy their own infostealers, steal credentials, and then put them up for sale online.

via Bitsight

Both Amadey and StealC have been available to rent online via underground forums and Telegram channels in what security researchers call a Malware-as-a-Service offering.

Most of the people who buy access to these tools are low-level crooks interested in financial profits. Most of Amadey's customers are people interested in stealing and selling credentials, while most of StealC's customers are threat actors who can't code, so they buy a ready-made infostealer they can configure through a user interface.

But in some rare cases, Amadey also had high-end customers, such as ransomware affiliates: people who bought access to an Amadey-infected system and deployed ransomware to lock or steal files and later extort the company.

In even rarer incidents, some of Amadey's customers included APT groups. A 2024 Microsoft report spotted the Russian espionage group Turla using Amadey to breach targets in Ukraine.

via Microsoft

But while Amadey was used for espionage operations, most of its targeting and infections were indiscriminate. A map of known victims basically covers the whole world, with the Amadey and StealC groups not particularly caring who they infect as long as they can sell that access or the stolen credentials—which is the typical mindset of most cybercrime operators these days anyway.

via ESET

Risky Business Podcasts

The main Risky Business podcast is now on YouTube with video versions of our recent episodes. Below is our latest weekly show with Pat, James, and special guest co-host Rob Joyce at the helm! Rob served as an advisor to Donald Trump during his first term as president and also served at NSA for 34 years. While at the agency, Joyce led Tailored Access Operations (TAO), and later became NSA’s Director of Cybersecurity.
Breaches, hacks, and security incidents

Polymarket says it was hacked: Prediction market Polymarket will reimburse users who lost their funds in a security breach on Thursday. The company says hackers breached one of its third-party vendors and loaded malicious code on its website. According to reports, the hackers made off with roughly $3 million before the hack was detected. [Polymarket tweet // TechCrunch]

Bajaj Auto hit by ransomware: A ransomware attack has disrupted the activity of Bajaj Auto, one of India's largest automakers. The incident impacted a subsidiary working on engineering and research. The company disclosed the incident to market authorities this week. Bajaj is known for its two- and three-wheel vehicles, such as motorcycles, scooters, and auto-rickshaws. [Business Today India]

KDDI breach: Hackers have breached the public email service of Japanese telecommunications provider KDDI. The incident took place earlier this month, and the hackers made off with the data of more than 14 million users. The email service is used by KDDI and by five other Japanese internet service providers. [KDDI, PDF // The Japan Times]

Japan's army used infected USB drives: Japan's army forces used USB drives infected with Chinese malware. The devices were allegedly connected to classified networks, but it's unclear what data was stolen. The security breach went undisclosed for nearly a year until it was discovered by local reporters. Japanese officials are now notifying NATO partners about the possible leak. [Nikkei]

Ukrposhta hit by cyberattack: Ukraine's state postal operator Ukrposhta has been hit by a cyberattack. The incident took out Ukrposhta's mobile app and some of its web services. Ukrposhta says it's working to restore service. [Ukrposhta // New Voice of Ukraine]

Ransomware documentary: The BBC has published a segment on a 2024 ransomware attack on the Hipocrate hospital management system that spread to more than 100 Romanian hospitals. [BBC]

General tech and privacy

Cloudflare launches self-managed OAuth: Cloudflare has opened up its new self-managed OAuth service to all customers this week after launching the new tech for testing earlier this month. [Cloudflare]

Tor sunsets old versions: The Tor Project has upgraded minimum requirements and is urging relay operators to move to v0.4.9 or higher to be able to connect to the Tor network going forward. [The Tor Project]

Anthropic accuses Alibaba of distillation attacks: US AI company Anthropic has accused Chinese tech giant Alibaba of distillation attacks against its Claude model. The campaign took place between April 22 and June 5, and involved more than 25,000 fraudulent Claude accounts. Anthropic said it was the biggest distillation attack it ever faced. In April, the White House accused Chinese AI firms of mass-scale distillation attacks against US models. [Reuters]

OpenAI releases first chip: OpenAI and Broadcom have released Jalapeño, OpenAI's first-ever LLM inference chip, to be deployed at gigawatt scale data centers. [OpenAI]

Thundermail webmail coming in July: Mozilla's new webmail service Thundermail is expected to enter public testing next month. [Mozilla Thunderbird]

Better admin alerts for G-Suite users: Google will alert organizations when the passwords of its admins are getting reset. This type of alert was previously only available for super admin accounts but it's being made more broadly available to ensure all admin accounts are protected. [Google Workspace]

Microsoft extends Windows 10 ESU one more year: Microsoft will provide an additional year of free security updates for Windows 10 users. The Windows 10 ESU program has now been extended until October 12, 2027. The program was set to expire in October this year. [Windows blog]

Windows 11 hibernation wears out SSDs: The Windows 11 OS hibernation feature is apparently wearing out SSDs, a lovely discovery right when SSD prices have exploded. [XDA Developers]

Windows gets Point-in-Time restore: Microsoft has released a new Windows 11 feature that will allow users to restore the OS to a particular point in time. The feature will keep point-in-time restores for up to three days. Restore operations will cover the OS and app states, settings, and local user files. The new Point-in-Time restore feature is available for Windows 11 Enterprise, Pro, and Home editions. [Microsoft]

Government, politics, and policy

States left in the dark on new US cyber pilot program: Almost half of US states say they haven't been asked to participate in the Trump administration's new cybersecurity program. The pilot program was announced in March and provides funding to secure critical infrastructure against cyberattacks. Many of the states who responded to press inquiries said they didn't even know the program existed and that the Trump administration never notified them. [CybersecurityDive]

My story has a handy interactive map where you can see every state's response. I'm going to keep checking in with states about this program. (I'll build a separate map that I'll keep updated.)


— Eric Geller (@ericjgeller.com) June 24, 2026 at 5:07 PM

CISA plans to hire 600: DHS Secretary Markwayne Mullin says CISA plans to hire 600 new employees once a new Director is approved by Congress. Mullin says the White House has met with the candidate but did not reveal their name. The agency has been without a Director since January 2025. [The Record]

FCC passes loads of new rules: On Thursday, the FCC passed new cybersecurity rules for the US emergency alert system to prevent hackers from hijacking its infrastructure. [FCC]

Russia uses Cellebrite: Russian authorities used a Cellebrite hacking tool two months after the company canceled the government's contracts. The contracts were canceled in March 2021, but Russian law enforcement was able to use at least one Cellebrite tool two months later on a device belonging to Andrey Pivovarov, the director of the Open Russia NGO. Pivovarov was later imprisoned for three years. CitizenLab says Cellebrite's offline mode and the design of its tools make it hard for the company to immediately enforce customer bans. [CitizenLab]

More App Store removals in Russia: After removing MAX earlier this month, Apple has now removed more VK-developed apps from its iOS App store. Apple has yet to respond to why it did so, but it's likely related to US sanctions. [The Moscow Times]

EU labels US cloud providers as gatekeepers: The European Commission has labeled Amazon and Microsoft as industry gatekeepers in the cloud sector under the bloc's Digital Markets Act. The two companies are the first- and second-largest cloud providers in the EU. The designation, currently in a preliminary state, will require the two companies to ensure they don't engage in unfair market tactics to sabotage their competition. [EU]

UK warns of museum cyber-heists: British museums are vulnerable to cyberattacks that may lead to the theft of precious artifacts. The UK Parliament warns cyber is now a threat to museum security due to the wide use of technology to secure exhibitions. Lawmakers have asked the Department for Culture, Media, and Sport to come up with a concrete plan to address this issue. [UK Parliament]

Australia finds "digital dynamite" on critical networks: Foreign state-sponsored hackers have breached Australian critical networks and planted "digital dynamite" for future cyber sabotage operations. The Australian Security Intelligence Organisation (ASIO) said the "scale of this activity" was "difficult to overstate." The agency said "one nation state in particular" was behind the intrusions, likely referring to China. ASIO has also established dedicated teams to counter the activity. [ASIO]

Sponsor section

In this Risky Business sponsor interview, James Wilson chats with Trail of Bits founder and CEO Dan Guido about its newly announced partnership with OpenAI. Together, they’ve started a new initiative called "Patch the Planet" to support open source maintainers.

Arrests, cybercrime, and threat intel

Snoopy sentenced to 18 months: A 21-year-old from Minnesota was sentenced to 18 months in prison for hacking sports betting website DraftKings. Nathan Austad was one of three individuals who launched a credential-stuffing attack against DraftKings in November 2022. The group hacked more than 60,000 accounts, which they later put up for sale online. [DOJ]

New Treasury sanctions target famous scam group: The US Treasury Department has imposed new sanctions on the Prince Group, a well-known cyber scam operator across Southeast Asia. Sanctions were levied on nine individuals and 26 legal entities. The individuals are part of the group's upper management, including Hu Xiaowei, considered the operation's second-in-command. [US Treasury]

New supply chain attacks: Aikido Security, Microsoft, SafeDep, Socket Security, Step Security, Step Security.

Malicious OpenClaw skills: Manifold Security, Palo Alto Security.

Cisco zero-day activity: Google's Mandiant team takes a look at the active exploitation of a Cisco zero-day patched earlier this month and tracked as CVE-2026-20245. The report doesn't link these attacks to any particular group since there's not enough evidence for that. [Google Cloud]

Langflow cryptominer campaign: Trend Micro looks at a massive exploitation campaign targeting those GPU-heavy Langflow AI servers but deploying the cybercriminal's best friend—the cryptominer. [Trend Micro]

AWS phishing campaign: A phishing campaign is targeting AWS customers and the company's AWS console login pages. The phishing kit used in these attacks is capable of intercepting some forms of 2FA. [Datadog]

New Ghost CMS hacking spree: Threat actors began hacking Ghost CMS sites in May using a bug tracked as CVE-2026-26980, but a new campaign spotted this month is now deploying ClickFix lures on the hacked sites. [Sicuranext // Initial QiAnXin report]

Operation Navy Ghost: PyPI has removed eight malicious packages that deployed backdoors on servers running Telegram bots. The campaign has been live since November. [Checkmarx]

Edge extension used for ransomware attacks: Hackers are using malicious Edge browser extensions as initial entry points in corporate environments to deploy ransomware. At least one affiliate of the Payouts King ransomware group has been seen using this technique in recent attacks. According to security firm Zscaler, the Edge extension abuses the Chrome native messaging protocol to bypass the browser sandbox and interact with the underlying operating system and deploy a Python backdoor. [Zscaler]

Coinbase Cartel profile: Security firm Intrinsec has published a profile of Coinbase Cartel, a data extortion group that's been quietly active since last year. [Intrinsec]

Friendhosting is not so friendly: A Bulgarian company is hosting more than half of all malicious command-and-control servers in Eastern Europe. Friendhosting LTD in Bulgaria is home to more than 2,100 C&C servers of the nearly 3,900 detected across the region. Most of the servers are used for traffic distribution platforms that redirect traffic from hacked sites, with the most common being an operation named Keitaro. [Hunt Intelligence]

Water system attacks: The DomainTools security team has a good summary on all the main threat actors known to target water utility and treatment facilities. [DomainTools]

Another BreachForum clone shuts down: Breached[.]hn, one of the several BreachForums clones that launched this year, has abruptly shut down this week claiming that "ShinyHunters will probably kill us even after this." Ahh… hacking forum drama! All so stupid, all the time! [DataBreaches.net]

Malware technical reports

Mistic backdoor: Broadcom's Symantec and Carbon Black security teams have spotted a new backdoor named Mistic, believed to be a version of ModeloRAT, the Python-based remote access trojan (RAT) developed by cybercrime group Woodgnat (aka KongTuke). [Broadcom]

Gaslight macOS backdoor: A new macOS malware strain is embedding 38 fake system-failure messages in its code to trick AI-based security and triage tools into thinking a scan of the payload has failed. The malware is named Gaslight, is coded in Rust, and uses Telegram as a command and control system. It also uses another piece of trickery by redacting its Telegram token at runtime to prevent security researchers from extracting it from logs or crash artifacts. SentinelOne says the malware may be North Korean in origin. [SentinelOne]

Millenium RAT: Version 4 of the Millenium RAT has been rewritten from .NET to C++. It is still being offered through a MaaS at dirt-cheap prices. [Group-IB]

INC ransomware: The INC ransomware group has developed versions of its file encryptor that can work on IBM mainframes. The platform is typically used inside large telcos, banking core networks, and other high-volume financial transaction systems. The new encryptor was discovered after the group left a directory open to the internet on its command-and-control infrastructure. [Cyber and Ramen]

Bluekit: Netcraft joins the ranks of security firms looking at Bluekit, a popular PhaaS platform advertised on the dark web. [Netcraft // Varonis // CloudSEK]

DCloud Uni-App: A recent Infoblox report looks at DCloud Uni-App, a Chinese web framework used to develop scam apps and platforms. This includes the ability to put together fake crypto-exchanges, crypto wallet drainers, prediction markets, and WhatsApp phishing operations. [Infoblox]

Sponsor section

Giving employees AI tools doesn't make a company AI native. Trail of Bits founder and CEO Dan Guido explains the difference — and the operating system his 150-person security firm built to actually get there.

APTs, cyber-espionage, and info-ops

Lazarus campaign: Security firm Cognyte has released IOCs and YARA rules for a Lazarus campaign targeting the financial sector. The campaign used a memory-only malware strain that would be hard to spot. [Cognyte]

StrikeShark campaign drops SharkLoader: A new espionage operation tracked as StrikeShark is deploying Cobalt Strike and a new malware loader named SharkLoader on high-value networks all over the globe. [Kaspersky]

"Beyond the diplomatic entity in Indonesia, we identified related activity targeting government organizations in Taiwan, software development companies across multiple countries, and entities in other sectors located in Hong Kong, Lebanon, Syria, Colombia, North Macedonia, Nepal, Serbia, and more."

Gamaredon in 2025: ESET researchers tracked Gamaredon activity last year and noted that the group focused exclusively on Ukrainian governmental and military institutions for all their campaigns. [ESET]

Russia's IM hacking campaign: Ukraine's intel service SBU and the FBI have issued a joint advisory on Russia's current obsession with IM phishing campaigns targeting Western officials. [SBU // FBI]

Turla's STOCKSTAY backdoor: Russian APT group Turla has been updating its old STOCKSTAY .NET backdoor and deploying it in new campaigns. Targets include your typical war-related Ukrainian orgs, Italian foreign policy entities, and others. [Google Cloud]

Vulnerabilities, security research, and bug bounty

Lantronix bug exploited in the wild: Hackers are exploiting a vulnerability in a piece of crucial equipment installed on industrial networks. An active campaign is targeting Lantronix serial-to-ethernet converters. The devices are normally used to relay commands to ICS equipment over a network connection. Past attacks against serial-to-ethernet converters have often been linked to Russian state actors. [CISA // Dataminr]

New Cisco exploitation: Threat actors are exploiting a recently patched vulnerability in Cisco Unified Communications Manager servers. Attackers are using maliciously crafted HTTP requests to write files on the device that they later exploit to gain root access. Active exploitation was spotted three weeks after a patch and proof-of-concept code were released in early June. The WebDialer service must be enabled to exploit this bug, and the service is disabled by default. [Cisco CVE-2026-20230]

Ubiquiti attacks in the wild: Hackers are exploiting three vulnerabilities in Ubiquiti devices running the company's UniFi operating system. The three bugs can allow attackers to make unauthorized changes and take over devices. The UniFi OS is used to power Ubiquiti routers, switches, WiFi extenders, NAS devices, and other networking devices. Surprisingly, the three bugs are the first UniFi OS vulnerabilities added to CISA's KEV database. [CISA // Ubiquiti security advisory]

Johnson & Johnson vulnerabilities: Security researcher Eaton Zveare has found vulnerabilities in two different Johnson & Johnson web apps that exposed data on employees and interns. [Eaton Zveare]

Security updates: Chrome, curl, Hoppscotch, Jenkins.

Infosec industry

Threat/trend reports: Gartner, Kaspersky, NCC Group, Snyk, and SonicWall have recently published reports and summaries covering various threats and infosec industry trends.

Snyk lays off 30% of staff: Israeli cybersecurity startup Snyk has reportedly laid off around a third of its workforce this week. Staff was let go a day after the company announced a big push to AI agentic security. Several high-ranking execs have also recently announced their departure. Snyk is primarily known for its DevSecOps security products. [Globes // Reddit thread // Snyk blog]

Huntress insider accused of working with ransomware group: A recently fired Huntress employee has accused the security firm of hiding a security incident—namely that another employee has been feeding data to a ransomware group. Huntress cofounder and CEO Kyle Hanslovan has denied the accusations and says there's no evidence for such a claim. [Ben F. LinkedIn post // Kyle Hanslovan Reddit post]

New tool—Scrutineer: Alpha-Omega Security has released Scrutineer, a local tool for scanning open source repositories for security vulnerabilities.

PKC 2026 videos: Talks from the IACR Public Key Cryptography 2026 security conference, which took place in May, are available on YouTube.

Mitnick rewards an old friend: In a Reddit post this week, former law enforcement officer Shawn Nunley surfaced a feel-good story on how famed 90s hacker Kevin Mitnick left him enough money after his death from pancreatic cancer in 2023 that Nunley could buy his dream car, a Porsche 911 Carrera 4 GTS. Nunley was the cop who investigated, tracked down, and eventually arrested Mitnick, and later became good friends with him. [The Drive // Reddit thread]

Reading Reddit this morning, and this person in /r/porsche casually drops that his close friend left him enough money when he passed to buy this 911 he's posting.

By the way, that close friend? Kevin Mitnick, the world's most famous hacker.

Oh also by the way, OP was…

— Zerin Dube (@SpeedSportLife) June 22, 2026

Risky Business podcasts

In this edition of Seriously Risky Business, Tom Uren and James Wilson talk about the Five Eyes cyber security agencies warning about the arrival of AI-enabled cyber threats. The call-to-action is driven by the recognition that it is no longer possible to limit AI’s offensive cyber security capabilities to benign actors.

© Risky Business Media 2007–2026. All rights reserved.
ABN 73 618 465 517