How AI Helped Microsoft Link Two Major Malware Operations
Microsoft used AI to link two malware operations, StealC and Amadey, and named both in a single racketeering suit that underpinned the disruption of their shared infrastructure. Treating two separately developed malware families as one criminal enterprise is a notable shift in how cybercrime is pursued. The operation, carried out with international law enforcement and security firms, targeted the backbone of both campaigns: the servers and domains through which infections are organised, controlled and monetised.
What Happened: AI-Driven Disruption of StealC and Amadey
In June 2026, Microsoft, together with global law enforcement and cybersecurity partners, launched a coordinated operation against two prominent malware strains: StealC and Amadey. These two malware families, though developed by different criminal groups, were found to be sharing the same command-and-control (C2) infrastructure. By leveraging artificial intelligence to analyse malware code and network data, Microsoft was able to uncover this critical link.
The operation led to the takedown, suspension and blocking of over 200 domains and servers used by the criminals. This infrastructure supported both StealC and Amadey, which had infected hundreds of thousands of computers worldwide. The disruption also helped recover millions of stolen credentials and was part of a broader law enforcement effort that included freezing cryptocurrency assets.
Key Features of StealC and Amadey
- StealC: An information stealer that harvests browser-saved credentials, cookies, cryptocurrency wallet data and other sensitive files from infected machines. It also acts as a loader for additional malware.
- Amadey: A loader sold as malware-as-a-service, used to deliver StealC and other payloads, including remote access trojans, cryptominers and ransomware.
Why This Matters: Shifting the Battle Against Cybercrime
This action is significant because it changes how organisations and law enforcement disrupt cybercrime. Traditionally, enforcement focused on a single tool or domain. Here, Microsoft used AI to identify links between different malware families and treat them as one criminal enterprise. This allowed the use of the US Racketeer Influenced and Corrupt Organizations Act (RICO) to bring a civil suit against those behind both operations.
The Role of AI in Cybercrime Investigations
Microsoft’s use of AI, including tools like Copilot, accelerated the investigation. Analysts could ask questions in plain English, surface hidden connections and spot patterns much faster than manual analysis would allow. This efficiency was crucial in identifying the shared infrastructure between StealC and Amadey, enabling a coordinated takedown.
- Accelerated threat analysis through natural language queries
- Identification of cross-mapping between different malware campaigns
- Rapid response and disruption of active criminal infrastructure
AI not only speeds up investigations but also makes it possible to connect disparate threats. This approach could become more common as cybercriminals increasingly use shared infrastructure and tools.
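The linkage described above rests on a technique that does not need a large language model at all: overlap analysis of command-and-control infrastructure. The script below is an added example, not Microsoft's tooling, and shows the core of it on constructed telemetry. Every indicator is invented: the IPs come from the RFC 5737 documentation ranges and the domains use the reserved .example TLD, so none of them is a real IOC. It measures how much infrastructure two families share, lists the indicators that tie them together, and clusters individual samples transitively through shared servers, which is how two families that never contact the same server directly can still end up in one enterprise-level cluster.

```python
"""Infrastructure-overlap analysis: link malware families that share C2 servers.

Added example, not Microsoft's tooling. All indicators below are constructed:
the IPs come from the RFC 5737 documentation ranges and the domains use the
reserved .example TLD, so none of them is a real IOC.
"""
from collections import defaultdict

# Constructed telemetry: (family, sample_id, c2_indicator) triples, as an analyst
# might extract them from sandbox runs and network captures.
OBSERVATIONS = [
    ("StealC", "stealc-s1", "192.0.2.10"),
    ("StealC", "stealc-s1", "panel-one.example"),
    ("StealC", "stealc-s2", "192.0.2.10"),
    ("StealC", "stealc-s2", "198.51.100.7"),
    ("Amadey", "amadey-a1", "198.51.100.7"),
    ("Amadey", "amadey-a1", "loader-two.example"),
    ("Amadey", "amadey-a2", "loader-two.example"),
    ("Unrelated", "other-x1", "203.0.113.5"),
    ("Unrelated", "other-x2", "203.0.113.5"),
]


def family_infrastructure(observations):
    """Collapse observations into {family: set(indicators)}."""
    infra = defaultdict(set)
    for family, _sample, indicator in observations:
        infra[family].add(indicator)
    return dict(infra)


def jaccard(a, b):
    """Overlap coefficient between two indicator sets (0.0 when both are empty)."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def shared_indicators(observations):
    """Indicators used by more than one family, with the families using each."""
    users = defaultdict(set)
    for family, _sample, indicator in observations:
        users[indicator].add(family)
    return {ind: fams for ind, fams in users.items() if len(fams) > 1}


class UnionFind:
    """Disjoint-set forest; merges samples transitively through shared C2."""

    def __init__(self):
        self.parent = {}

    def add(self, x):
        self.parent.setdefault(x, x)

    def find(self, x):
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_samples(observations):
    """Group samples into connected components: two samples are linked when they
    contact the same indicator, and links are transitive (s1-s2 via one server,
    s2-a1 via another still puts s1 and a1 in the same cluster)."""
    uf = UnionFind()
    by_indicator = defaultdict(list)
    for _family, sample, indicator in observations:
        uf.add(sample)
        by_indicator[indicator].append(sample)
    for members in by_indicator.values():
        for other in members[1:]:
            uf.union(members[0], other)
    components = defaultdict(set)
    for sample in uf.parent:
        components[uf.find(sample)].add(sample)
    return sorted((sorted(c) for c in components.values()), key=lambda c: c[0])


def families_in_cluster(cluster, observations):
    """Families a cluster spans; more than one means cross-family infrastructure sharing."""
    members = set(cluster)
    return sorted({fam for fam, sample, _ind in observations if sample in members})


if __name__ == "__main__":
    infra = family_infrastructure(OBSERVATIONS)
    print("StealC/Amadey Jaccard:", jaccard(infra["StealC"], infra["Amadey"]))
    print("shared indicators:", shared_indicators(OBSERVATIONS))
    for cluster in cluster_samples(OBSERVATIONS):
        print(cluster, "->", families_in_cluster(cluster, OBSERVATIONS))
```

On this constructed data the two families share one server, giving a Jaccard overlap of 0.25, and all four StealC and Amadey samples fall into one cluster while the unrelated samples stay apart. In practice the raw overlap needs weighting before it means anything: a shared bulletproof-hosting IP or a reused panel domain is strong evidence, a shared CDN edge or public DNS resolver is not, so indicators should be scored by how specific they are before the clustering step.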
Impact on Organisations: Risks and Lessons Learned
The takedown of StealC and Amadey infrastructure should reduce the immediate exposure of businesses, especially small and medium-sized enterprises (SMEs), which are frequent targets of this kind of malware. It also highlights an ongoing risk: cybercriminals adapt quickly, and new or rebuilt threats emerge.
Potential Risks to Your Organisation
- Credential theft leading to account compromise
- Deployment of secondary malware including ransomware
- Loss of sensitive business or customer data
- Financial losses from fraud or extortion
Even with law enforcement successes, organisations remain vulnerable if they do not maintain strong cybersecurity defences. The disruption of one infrastructure does not eliminate the underlying threat, as criminal groups can rebuild or move to new platforms.
What Organisations Should Do Next
Given the ongoing risk from malware like StealC and Amadey, organisations should take proactive steps to defend themselves. Here are key recommendations:
1. Strengthen Credential Security
- Enforce strong, unique passwords for all accounts
- Implement multi-factor authentication (MFA) wherever possible
- Regularly review and update access permissions
2. Monitor for Signs of Compromise
- Deploy endpoint protection and threat detection tools
- Monitor network traffic for unusual activity
- Scan regularly for malware and vulnerabilities
3. Educate Employees
- Run regular cybersecurity awareness training
- Teach staff how to identify phishing and malicious links
- Encourage prompt reporting of suspicious activity
4. Prepare for Incident Response
- Have a clear incident response plan in place
- Conduct regular drills to test your response
- Engage with external cybersecurity experts when needed
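The "monitor for signs of compromise" step above is where stealers such as StealC are most visible on an endpoint: whatever the delivery chain, the payload eventually has to open the browser's credential and cookie databases, and on a normal machine only the browser itself does that. The script below is an added example, not a vendor detection rule, that runs this heuristic over constructed file-read events. The log format (JSON lines with ts, event, image and target fields), the paths, the process names and the browser allowlist are all assumptions to adapt to your own EDR or Sysmon telemetry.

```python
"""Detect non-browser processes reading browser credential stores or wallet files.

Added example, not a vendor rule. The log lines are constructed JSON file-read
events; the field names (ts, event, image, target), the paths and the allowlist
are assumptions you would adapt to your own EDR or Sysmon telemetry.
"""
import json
import re
from collections import defaultdict

# Processes legitimately expected to open their own credential databases.
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}

# Files an infostealer goes after; matched against a lowercased,
# forward-slash-normalised path so Windows and POSIX spellings both work.
CREDENTIAL_STORE_PATTERNS = [
    re.compile(r"/(google/chrome|microsoft/edge|bravesoftware/brave-browser)"
               r"/user data/[^/]+/(login data|cookies|web data)$"),
    re.compile(r"/mozilla/firefox/profiles/[^/]+/(logins\.json|key4\.db|cookies\.sqlite)$"),
    re.compile(r"/wallet\.dat$"),  # Bitcoin Core style wallet file
]

# Constructed sample telemetry; user, paths and process names are invented.
SAMPLE_LOG = r"""
{"ts": "2026-06-01T09:00:01Z", "event": "file_read", "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "target": "C:\\Users\\bob\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"}
{"ts": "2026-06-01T09:02:17Z", "event": "process_create", "image": "C:\\Users\\bob\\AppData\\Local\\Temp\\setup_update.exe", "target": ""}
{"ts": "2026-06-01T09:02:18Z", "event": "file_read", "image": "C:\\Users\\bob\\AppData\\Local\\Temp\\setup_update.exe", "target": "C:\\Users\\bob\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"}
{"ts": "2026-06-01T09:02:18Z", "event": "file_read", "image": "C:\\Users\\bob\\AppData\\Local\\Temp\\setup_update.exe", "target": "C:\\Users\\bob\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies"}
{"ts": "2026-06-01T09:02:19Z", "event": "file_read", "image": "C:\\Users\\bob\\AppData\\Local\\Temp\\setup_update.exe", "target": "C:\\Users\\bob\\AppData\\Roaming\\Bitcoin\\wallet.dat"}
{"ts": "2026-06-01T09:05:40Z", "event": "file_read", "image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "target": "C:\\Users\\bob\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\abcd1234.default-release\\logins.json"}
{"ts": "2026-06-01T09:06:02Z", "event": "file_read", "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "target": "C:\\Users\\bob\\Documents\\quarterly.docx"}
"""


def normalise(path):
    """Lowercase and use forward slashes so one regex covers both path styles."""
    return path.replace("\\", "/").lower()


def is_credential_store(path):
    p = normalise(path)
    return any(pat.search(p) for pat in CREDENTIAL_STORE_PATTERNS)


def image_name(path):
    """Executable file name of a process image path."""
    return normalise(path).rsplit("/", 1)[-1]


def detect(lines):
    """One alert per file read of a credential store by a non-browser image."""
    alerts = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = json.loads(raw)
        if ev.get("event") != "file_read":
            continue
        if not is_credential_store(ev.get("target", "")):
            continue
        if image_name(ev["image"]) in BROWSER_IMAGES:
            continue
        alerts.append({"ts": ev["ts"], "image": ev["image"], "target": ev["target"]})
    return alerts


def triage(alerts):
    """Severity per process: one image sweeping several distinct stores looks like
    a stealer run rather than a one-off, so it is escalated to high."""
    by_image = defaultdict(set)
    for a in alerts:
        by_image[a["image"]].add(normalise(a["target"]))
    return {img: ("high" if len(t) >= 2 else "medium") for img, t in by_image.items()}


if __name__ == "__main__":
    found = detect(SAMPLE_LOG.splitlines())
    for a in found:
        print(a["ts"], image_name(a["image"]), "->", a["target"])
    print(triage(found))
```

Run against the constructed log this raises three alerts, all for the executable in the user's Temp directory, and triage rates it high because it touched the password store, the cookie store and a wallet file within two seconds. The allowlist is the weak point of the heuristic: it keys on the image file name, so a stealer dropped as chrome.exe under Temp would pass. In production, pair the name with the signer or the expected install path, and treat any browser image running from a user-writable directory as a separate alert in its own right.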
Looking Ahead: The Growing Role of AI in Cybersecurity
Microsoft’s use of AI in linking malware operations sets a precedent for future investigations. As criminals become more advanced, defenders must also evolve. AI can help uncover hidden connections, automate analysis and accelerate disruption. However, technology alone is not a silver bullet. Human expertise, strong policies and a proactive security culture remain essential.
This case demonstrates the value of collaboration between technology firms, law enforcement and security companies. By sharing intelligence and acting swiftly, the impact of cybercriminals can be reduced, protecting millions of devices and credentials worldwide.
Originally reported by www.theregister.com.