In a novel maneuver for a disruption operation against cyber attackers, industry and law enforcement teamed up to conduct a court takedown of two widely-used criminal tools at once rather than individually, Microsoft said Tuesday.

The takedown simultaneously went after Amadey, a botnet that can serve as a malware delivery system, and StealC, an infostealer. Cybercriminals often use them in conjunction and they rely on the same infrastructure, Microsoft said.

“When multiple parts of an operation are disrupted together, attacks are harder to launch, scale, and recover from,” said Steven Masada, assistant general counsel for Microsoft’s Digital Crimes Unit. “The result: fewer disrupted services, fewer opportunities for cybercriminals to profit, and more friction when they try to rebuild. It’s no longer enough to go after threats one by one. We need to interrupt how the attacks are put together.”

Microsoft had been tracking Amadey with ESET, BitSight, Lumen and Mitsui Bussan Secure Directions. Meanwhile, Europol had been investigating StealC alongside law enforcement partners including Germany’s Federal Criminal Police Office and the Dutch and Danish National Police as well as IBM X-Force and Proofpoint.

They then joined forces and turned to the Racketeer Influenced and Corrupt Organizations (RICO) Act, used to help authorities go after organized crime, to disrupt more than 200 command-and-control servers. Microsoft said it gained insights from its artificial intelligence product Copilot that “allowed the legal team to treat both malware families as part of a single criminal conspiracy.”

Microsoft regularly leads court-authorized disruption operations, but the industry and law enforcement partnerships combined with AI to expand data collection and identify connections beyond what one company could normally do, it said.

Amadey and StealC were linked to more than 140,000 infected computers around the globe in the first week of May alone, the company said. StealC has ranked among the top infostealers for years since its emergence in 2023 and sells in underground forums as a malware-as-a-service. It’s typically used by Russia-linked groups.

Amadey dates back to 2018, and is also commonly employed by Russian groups, including in attacks on Ukraine.

Their interaction shows the assembly line-like structure of modern cybercrime, Microsoft said. Even if the cybercriminals behind both tools never coordinate, their tools are designed to work together, it said.

“StealC is an infostealer that collects sensitive data from browsers, cryptocurrency wallets, messaging applications, email clients, and gaming platforms,” the company wrote in a separate blog post. “It is a malware-as-a-service (MaaS) offering that threat actors use to generate customized payloads and manage stolen data through a centralized web panel. Meanwhile, Amadey is a MaaS loader that threat actors use to deliver StealC and other malware. Modular, pay-as-you-go models like StealC and Amadey allow threat actors to use a single initial infection to quickly escalate into multiple other threats.”

The post In a first, a court takedown goes after two cybercrime tools at once appeared first on CyberScoop.

An operation to crack down on the widely used RedLine infostealer has netted the extradition of an Armenian man to the United States, where he made an initial appearance in a Texas court Wednesday.

Authorities charged Hambardzum Minasyan with conspiracy to commit access device fraud, conspiracy to violate the Computer Fraud and Abuse Act and conspiracy to commit money laundering for his alleged role with RedLine. Infostealers thieve billions of user credentials such as passwords annually.

“Hambardzum Minasyan allegedly conspired with others to enrich himself by developing and administering RedLine, one of the most prevalent infostealing malware variants in the world, which has previously been used to conduct intrusions against major corporations,” a Justice Department news release said. “When executed, RedLine would steal data, including access devices, from victims’ computers.”

According to a summary of the indictment, Minasyan allegedly registered two virtual private servers to host RedLine, established repositories of online file sharing for distributing Redline to affiliates and registered a cryptocurrency account to receive affiliate payments.

Collectively, the conspirators also responded to questions and requests from affiliates, conspired to steal and own financial information and laundered cybercrime proceeds through cryptocurrency exchanges, the indictment states.

In 2024, the U.S. Justice Department teamed with Belgium, the Netherlands, Eurojust and others on Operation Magnus to disrupt the RedLine and Meta infostealers, the latter of which derived from the former. That same year, the Justice Department charged a Russian man, Maxim Rudometov, for his alleged role in developing RedLine.

Eurojust assisted with the extradition of Minasyan.

Court records related to Minasyan’s case had not been posted on the Pacer court system as of Wednesday afternoon. The U.S. Attorney’s Office for the Western District of Texas, which is prosecuting the case, did not immediately respond to requests for a copy of the indictment.

The post Alleged RedLine infostealer conspirator extradited to US appeared first on CyberScoop.