‘This operation marked a shift in strategy’: Three notorious malware networks have been taken down using RICO legislation
The action involved the use of US racketeering laws to treat two malware families as part of a single conspiracy
Europol has taken down the criminal networks behind the SocGholish, Amadey, and StealC malware strains as part of an operation involving Microsoft and a host of security firms.
The latest move in Operation Endgame, the action saw 326 servers and 142 domains neutralized, as well as 27 million compromised data sets recovered. More than €41 million in criminal crypto assets were seized, the agency revealed.
"By taking down these tools simultaneously, the collaboration between law enforcement and private parties has increased friction for cyber criminals, making it harder for attacks to succeed, spread, or recover," said Europol.
"This operation marked a shift in strategy: instead of focusing solely on individual threats, Europol, law enforcement and judicial authorities, as well as private industry partners disrupted the entire chain that allows cyber attacks to scale."
In the first two weeks of May alone, more than 140,000 PCs globally were infected with one of the three cybercrime-as-a-service malware strains, which served as the initial-infection tool against targeted systems.
SocGholish, a so-called dropper/loader, helped criminals gain access to computer systems by distributing fake browser updates via compromised websites. The operators compromise websites built on WordPress and plant the malware on them, with the resulting infections used for digital extortion.
The malware strain is linked to the Russian cyber criminal group Evil Corp, the group behind the Zeus and Dridex malware and associated with several large‑scale ransomware and money laundering operations.
StealC, a stealer with dropper function, was spread in a variety of ways, and is designed to extract sensitive information such as passwords, stored access data, and digital identities from compromised computers for data trading and fraudulent use.
Meanwhile, the Amadey dropper/loader is spread mostly through phishing campaigns, introducing extra malware into compromised systems and retrieving sensitive data.
RICO legislation used in Amadey, StealC takedowns
Amadey and StealC were targeted by Microsoft’s Digital Crimes Unit (DCU) as a pair, thanks to their interconnected roles – although they were developed by separate cyber criminals, they relied on the same infrastructure.
Both were shut down through a mix of court orders, domain seizures and registrations, and provider notifications.
This action involved a broader use of the Racketeer Influenced and Corrupt Organizations Act (RICO), a US law designed to target organized crime.
Steven Masada, assistant general counsel in Microsoft’s Digital Crimes Unit, said investigators relied on AI tools, particularly Copilot, as part of the operation, using the technology to analyze malware strains.
"That helped surface key details, uncover hidden data, and test findings in a fraction of the time, turning what would have taken hours or days into minutes and enabling the team to spot connections faster," he said.
"Those insights allowed the legal team to treat both malware families as part of a single conspiracy. Instead of going after each tool separately, as we have done in the past, we used RICO to charge multiple complicit enablers involved across the operation."
The action against SocGholish involved cleaning infected WordPress sites and notifying victims, urging them to update their platforms and strengthen login credentials.
WordPress users are being encouraged to change their login credentials, enable multi‑factor authentication, delete any unknown additional WordPress accounts and keep their WordPress site up to date in the future.
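One of the steps above, deleting unknown additional WordPress accounts, is easier to do reliably against an export than by eyeballing the admin panel. The script below is an added example, not code from the article or from any of the firms it names: it assumes a user export in the shape produced by WP-CLI's `wp user list --format=json` (the sample here is constructed, with a fictitious `wp_support` account standing in for an attacker-added administrator) and an allowlist of the logins the site owner actually created.

```python
"""Audit a WordPress user export against an allowlist of known accounts.

Added example (not from the article). Input shape follows WP-CLI's
`wp user list --format=json --fields=ID,user_login,user_email,user_registered,roles`;
the sample below is constructed for illustration.
"""
import json
from datetime import datetime, timedelta

# Constructed sample export: two legitimate accounts and one unexpected administrator.
SAMPLE_USERS_JSON = """[
  {"ID": 1,  "user_login": "site_owner",  "user_email": "owner@example.com",
   "user_registered": "2021-03-04 10:00:00", "roles": "administrator"},
  {"ID": 2,  "user_login": "editor_jane", "user_email": "jane@example.com",
   "user_registered": "2022-07-19 08:30:00", "roles": "editor"},
  {"ID": 57, "user_login": "wp_support",  "user_email": "admin@mail.example.net",
   "user_registered": "2025-05-02 03:14:00", "roles": "administrator"}
]"""

# Logins the site owner knows they created (assumed allowlist).
KNOWN_ACCOUNTS = {"site_owner", "editor_jane"}


def audit_users(users_json, known_logins, now, recent_days=30):
    """Return [(user_login, [reasons])] for every account not on the allowlist.

    `now` is a YYYY-MM-DD date string so the check is reproducible. An unknown
    account gets extra reasons if it holds the administrator role or was
    registered within `recent_days`, since accounts created around the time of
    a compromise are the ones to remove first.
    """
    today = datetime.strptime(now, "%Y-%m-%d")
    findings = []
    for user in json.loads(users_json):
        if user["user_login"] in known_logins:
            continue
        reasons = ["not on allowlist"]
        roles = user["roles"]
        roles = roles if isinstance(roles, list) else roles.split(",")
        if "administrator" in roles:
            reasons.append("administrator role")
        registered = datetime.strptime(user["user_registered"], "%Y-%m-%d %H:%M:%S")
        if today - registered <= timedelta(days=recent_days):
            reasons.append("registered in last %d days" % recent_days)
        findings.append((user["user_login"], reasons))
    return findings


if __name__ == "__main__":
    for login, reasons in audit_users(SAMPLE_USERS_JSON, KNOWN_ACCOUNTS, now="2025-05-15"):
        print(f"{login}: {', '.join(reasons)}")
```

Any account the script flags should be verified against whoever administers the site before it is deleted, and the remaining accounts should then get new credentials and MFA as the article advises.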
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.