How is Microsoft Copilot AI Disrupting Malware Networks?
Microsoft used its Copilot AI tool to assist investigators in dismantling the infrastructure behind two widely used cybercrime tools, Amadey and StealC, as part of a sweeping international law enforcement operation announced this week.
A Coordinated Global Strike
The action was carried out under Operation Endgame, a multinational effort coordinated by Europol and involving law enforcement from Canada, Denmark, Germany, the Netherlands, the United Kingdom, and the United States. Across all targeted malware families — which also included the SocGholish dropper — authorities took down 326 servers and seized 142 domains, while identifying cryptocurrency assets valued at over EUR 41 million.
Microsoft's Digital Crimes Unit targeted Amadey and StealC together because of their interconnected roles in the cybercrime supply chain. Amadey, a dropper and loader spread primarily through phishing campaigns, gains initial access to victim devices, while StealC extracts passwords and sensitive data from compromised systems. In just the first two weeks of May 2026, Microsoft's telemetry linked the two tools to more than 140,000 infected computers worldwide.
Bloomberg reported that Microsoft said its Copilot AI assisted investigators in analyzing the malware infrastructure, marking a novel use of AI in disruption operations.
AI Meets Legal Strategy
Microsoft has a long history of using civil litigation and court orders to seize botnet infrastructure. The company previously employed the Racketeer Influenced and Corrupt Organizations Act in 2012 to take down Zeus botnets, and has since used similar legal strategies against threats including Trickbot and RaccoonO365. In this operation, investigators used AI-assisted analysis to identify shared infrastructure between the separately developed Amadey and StealC tools, which enabled a combined legal action against both.
Disrupting the Cybercrime Assembly Line
Europol described the operation as a shift in strategy, targeting the entire criminal supply chain rather than individual threats. The neutralized malware variants operated under a "cybercrime-as-a-service" model, serving as tools other criminals could rent to gain initial access to systems before deploying ransomware or committing financial fraud.
As part of the broader operation, 27 million stolen login credentials were recovered, and nearly 15,000 infected WordPress websites were cleaned of SocGholish infections. Private sector partners including Proofpoint, IBM X-Force, Bitdefender, and the Shadowserver Foundation supported the effort alongside Microsoft.
