Microsoft uses AI to link StealC and Amadey, shutting 200+ C2 servers in RICO move
The Digital Crimes Unit says Copilot-style analysis helped treat two stealer ecosystems as one conspiracy under RICO.

Microsoft’s Digital Crimes Unit, with international law enforcement and an AI assist, disrupted StealC and Amadey infrastructure in a RICO-based civil case. The effort suspended and blocked more than 200 domains and command-and-control servers tied to the malware supply chain.
Microsoft just described a cyber disruption strategy that targets the plumbing, not the pirate ship. In a Wednesday blog, Steven Masada, assistant general counsel for Microsoft’s Digital Crimes Unit, said Microsoft used AI analysis to connect two separate malware operations, then used the Racketeer Influenced and Corrupt Organizations Act (RICO) to go after them as a single conspiracy.
The headline number here is concrete: Microsoft says the takedown involved the suspension and blocking of more than 200 domains and command-and-control (C2) servers that formed the backbone of StealC and Amadey infrastructure. The practical effect is that criminals who depended on that infrastructure for command, control, and data movement had their “main roads” disrupted, even though StealC and Amadey were developed by different criminal crews.
This matters because Microsoft is arguing, implicitly to CISOs and boards, that the old playbook of “take down one tool at a time” is not enough anymore. Masada said, “It’s no longer enough to go after threats one by one. We need to interrupt how the attacks are put together.” That is a shift in emphasis from single-service takedowns to tracing relationships across a broader attack supply chain. Microsoft previously announced a Europol-led disruption involving SocGholish last week, and this latest move is positioned as part of that same broader pattern: interrupt the systems that let multiple criminal offerings work together.
Technically, the two malware strands are not just similar. They are linked in how they operate. StealC is described as a stealer that collects multiple browser credentials and cookies, cryptocurrency wallets, chats from messaging apps, and other sensitive data. It exfiltrates that data to a C2 server and also functions as a secondary loader, which lets criminals who rent the stealer download additional malware onto compromised devices. Amadey, meanwhile, is a malware-as-a-service used to deliver StealC and other stealers, plus other types of malware including remote access trojans, cryptominers, and ransomware.
What makes this case legally and operationally interesting is the overlap in infrastructure. Microsoft says both Amadey and StealC used the same infrastructure. That overlap gave Microsoft’s legal team grounds to treat both malware families as part of a single conspiracy under RICO and to bring civil claims against five defendants allegedly involved across both operations. Microsoft’s court documents describe the defendants as a group running a “Malware as a Service enterprise” that leverages malicious software known as the Amadey Malware Suite and StealC Malware Suite (the “MaaS Enterprise”). According to the same documents, defendants and accomplices have victimized “hundreds of thousands of innocent computer users,” including many users of Microsoft’s software and services.
Microsoft also attributes its ability to make these connections faster to AI. Masada said investigators used Copilot and other AI tools to analyze both malware families and their infrastructure. The approach, as described in the blog, was “asking questions in plain English instead of manually combing through complex code.” Microsoft claims this surfaced key details, uncovered hidden data, and tested findings in a fraction of the time, turning what would have taken hours or days into minutes. In an environment where criminal infrastructure changes quickly, speed is not a nice-to-have. It is what determines whether disruptions hit while the attack chain is still “hot.”
On the enforcement and finance side, Microsoft says multiple security companies helped dismantle the alleged operations, naming ESET, BitSight, Mitsui Bussan Secure Directions (MBSD), IBM X-Force, and Proofpoint. It also references an earlier Europol-led coalition and says the effort flagged and restricted cryptocurrency assets valued at more than $47 million and recovered about 27 million stolen credentials. Separately, Microsoft says that in just the first two weeks of May, Amadey and StealC were linked to more than 140,000 infected computers globally.
For executives, the second-order implication is straightforward: when malware operators reuse infrastructure across products, the “network” view of cybercrime becomes the most valuable lens, both for defense and for legal strategy. Microsoft’s framing is that disruption should reflect how MaaS ecosystems actually work. If you run a security program, a board, or any organization that relies on platform trust, the message is that legal and technical teams are converging on faster attribution and faster disruption. And if you are a vendor, operator, or investor reading this from the sidelines, the takeaway is that supply-chain attacks are being treated less like a collection of unrelated incidents and more like a coordinated enterprise that can be targeted end-to-end.