Microsoft filed suit against the unknown operators of Amadey and StealC, invoking the Racketeer Influenced and Corrupt Organizations Act, 18 U.S.C. § 1962, to treat two separately developed malware families as a single criminal conspiracy. The theory: both tools shared infrastructure.
That filing didn’t stop at legal argument. Microsoft’s Digital Crimes Unit used it to disrupt more than 200 command-and-control servers and sever criminal control from more than 18,000 infected computers. ESET, Proofpoint, IBM X-Force, Bitsight, and Mitsui Bussan Secure Directions assisted.
The law enforcement side of Operation Endgame, coordinated by Europol across Canada, Denmark, Germany, the Netherlands, the UK, and the US, actioned 326 servers and 142 domains. Agencies recovered as many as 27 million stolen login credentials and froze €41 million ($47 million) in crypto assets of criminal origin.
A separate Endgame arm targeted SocGholish, a malware loader linked to Russian cybercrime group Evil Corp that spreads via fake browser-update prompts on compromised websites. Proofpoint, which has tracked SocGholish since 2018, assisted in the cleanup of 14,971 infected WordPress sites.
The RICO theory is the real legal precedent here. Civil RICO has been deployed against individual botnets before, but merging two independently developed malware tools into one racketeering conspiracy because they shared infrastructure is new territory. If the Southern District upholds it, Microsoft’s legal team has handed private plaintiffs a template for attacking the modular “assembly line” model — where the loader developer and the stealer operator are technically distinct businesses.
The defendants haven’t been identified publicly. Microsoft’s case will need to name them before it can proceed to service.
James Okafor