TL;DR: Operation Endgame disrupted the StealC information-stealer ecosystem, seizing 25.6 million unique credentials from over 385,000 compromised systems and targeting 66 domains and 296 servers, according to Proofpoint and IBM X-Force. The broader lesson is that stolen identities remain an industrialised attack commodity, not just an endpoint problem.
At a glance
What this is: This is an analysis of the Operation Endgame disruption against StealC and the scale of credential theft it exposed across compromised systems and malware infrastructure.
Why it matters: It matters because credential theft from endpoints rapidly becomes identity abuse across cloud, SaaS, and internal systems, so IAM, PAM, and NHI teams need to treat stolen secrets as an enterprise-wide governance issue.
By the numbers:
- The operation targeted 66 domains and 296 servers associated with both Amadey and StealC.
- When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes.
👉 Read Proofpoint’s analysis of the StealC disruption and credential theft ecosystem
Context
StealC is part of the industrialised infostealer economy, where browser data, cookies, tokens, and saved credentials are harvested and repackaged for reuse. For identity teams, that means endpoint compromise is often only the first step, because the real damage begins when stolen secrets are replayed against cloud services, SaaS platforms, and internal admin paths.
Operation Endgame matters because it shows how much of the identity attack surface now sits inside unmanaged secrets and token stores rather than traditional password databases. Once credentials leave the device, normal IAM controls lose visibility unless the organisation can detect reuse, revoke access quickly, and isolate high-risk non-human identities before they become a foothold.
Key questions
Q: What breaks when infostealers collect browser tokens and saved credentials?
A: What breaks is the assumption that compromise stays on the endpoint. Browser tokens, saved passwords, and cookies are often enough to impersonate users or sessions elsewhere, which means theft becomes reusable access. Teams should assume stolen identity artefacts may move directly into SaaS, cloud, and admin workflows unless they are rapidly revoked or invalidated.
Q: Why do stolen credentials create so much more risk when identity is poorly governed?
A: A stolen credential becomes dangerous when the organisation accepts it as sufficient proof without checking identity state, access scope, or session context. Poor governance lets attackers impersonate a legitimate account, move into adjacent systems, and stay active long enough to cause damage. The main failure is not the secret alone. It is the weak separation between identity, access, and proof.
Q: How should security teams detect credential compromise before it turns into account takeover?
A: Teams should correlate authentication events with post-login behaviour, privilege use, and session context. A single successful login is not enough to prove legitimacy. The useful question is whether the session behaves like the real user or identity, especially when device, location, timing, and action sequence all shift at once.
Q: What should organisations do immediately after infostealer exposure is suspected?
A: Revoke or rotate any exposed secrets, invalidate active sessions, and review privileged or third-party access paths first. Then check whether those credentials were used against cloud, SaaS, or admin services, because a stolen token often becomes a broader access path before the original malware is contained.
Technical breakdown
How StealC turns endpoint compromise into identity theft
StealC operates as malware-as-a-service, which means affiliates buy access to a panel, build payloads, and exfiltrate browser credentials, cookies, autofill data, tokens, and other sensitive material. The stolen output is processed on the command and control server, where the actor can manage infections, deliver secondary payloads, and update campaign settings. This is not just data theft. It is identity theft at machine speed, because the harvested artefacts are often enough to impersonate users, services, or sessions without needing to crack passwords.
Practical implication: treat browser-stored tokens and saved secrets as governed identity assets, not incidental endpoint data.
Why command and control infrastructure matters to defenders
The StealC panel is the operational nerve centre of the ecosystem. It registers bots, issues access tokens, receives uploaded files, and can instruct clients to pull loader payloads. Researchers extracted configurations to map C2 addresses, campaign IDs, and encryption keys, which is why infrastructure intelligence becomes so useful in these cases. When defenders can track the panel, they can see how campaigns are organised and how one malware family feeds another through chained delivery.
Practical implication: correlate C2 intelligence with identity telemetry so stolen credential reuse can be tied back to campaign infrastructure.
How malware ecosystems create downstream access risk
StealC is valuable to attackers because it is not only an infostealer. It can also stage additional malware, including RATs and ransomware, which turns a single credential theft event into a broader compromise path. That is why the ecosystem matters as much as the initial payload. A stolen browser token may lead to cloud access, which may then lead to lateral movement, privilege escalation, or destructive follow-on activity. The attack surface is therefore chained, not isolated.
Practical implication: build response playbooks that assume credential theft may be the first stage of a wider identity-led intrusion.
Threat narrative
Attacker objective: The attacker objective is to harvest reusable identity artefacts at scale and convert them into follow-on access, resale value, or secondary compromise paths.
- Entry occurs when a victim system is infected with StealC through the malware-as-a-service delivery ecosystem and its associated loaders.
- Credential access happens when the stealer extracts browser data, tokens, saved credentials, cookies, and other artefacts from the compromised device.
- Impact follows when stolen identity material is reused for follow-on access, sold on underground markets, or handed to secondary payloads such as RATs or ransomware.
Breaches seen in the wild
- Shai Hulud npm malware campaign — Shai Hulud campaign: npm malware exposed secrets on GitHub.
- Salesloft OAuth token breach — hackers stole OAuth tokens to access Salesforce data via Salesloft.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Infostealer ecosystems are now an identity supply chain, not just a malware class. StealC shows how a single endpoint compromise can generate reusable browser data, tokens, and credentials that move into cloud and SaaS access paths. Once stolen identity artefacts are processed centrally, the attacker does not need to keep the original infection alive. Practitioners should treat exfiltrated credentials as inventory flowing through an underground identity pipeline.
Credential replay is the real control failure exposed by StealC. The problem is not only that secrets are stolen, but that many organisations still rely on static authentication artefacts that remain valid long enough to be reused. That makes browser-stored tokens, cached sessions, and shared secrets highly transferable between endpoints and operators. The implication is that authentication design must assume theft and replay, not just compromise detection.
StealC confirms that NHI governance and human IAM are now operationally coupled. Browser cookies, API keys, VPN credentials, and SaaS sessions all sit in the same theft path, even though they are often governed by different teams. This creates a governance gap where human identity recovery, workload access review, and secret rotation are handled as separate processes. Practitioners should collapse those silos into one response model for stolen identity artefacts.
Identity blast radius is the named concept this disruption reinforces. A stolen token is not valuable because of the token itself, but because of how far it can travel before revocation, detection, or session invalidation occurs. StealC turns a local endpoint event into a cross-domain access problem in minutes. The implication is that organisations need to measure how much access any one stolen artefact can unlock.
Operation Endgame shows that disruption matters, but it does not eliminate the underlying credential economy. Takedowns can raise attacker cost and reduce active infrastructure, yet the underlying market for stolen identity data remains intact as long as organisations keep producing reusable secrets. The practitioner takeaway is to assume that every exposed secret may be monetised quickly and at scale, even after infrastructure is seized.
From our research:
- 88.5% of organisations acknowledge that their non-human IAM practices lag behind or are merely on par with their human identity and access management efforts, according to The 2024 Non-Human Identity Security Report.
- 23.7% of organisations share secrets through insecure methods such as email or messaging applications, which keeps the credential supply chain easy to exploit.
- StealC and similar infostealers turn secret handling into a governance issue, so pair this with Guide to the Secret Sprawl Challenge to map where reusable credentials enter your environment.
What this signals
Identity blast radius is becoming the practical measure that matters. When stolen credentials can be replayed across SaaS, cloud, and admin systems, the control question is no longer whether the endpoint was infected, but how much access a single artefact can unlock before revocation. That is why stolen-secret governance needs to sit alongside Ultimate Guide to NHIs, Static vs Dynamic Secrets in programme design.
With 23.7% of organisations still sharing secrets through insecure methods such as email or messaging applications, the downstream value of infostealer campaigns remains structurally high. The operational response should focus on secret provenance, token lifetime, and where identity material is allowed to persist outside the authenticator boundary.
For practitioners, the next maturity step is to connect secret discovery, malware intelligence, and session revocation into one response workflow. That is where NHI governance, human IAM, and privileged access management start to converge in practice.
For practitioners
- Inventory browser-stored identity artefacts Identify where credentials, cookies, tokens, and autofill data are stored on managed endpoints, then classify which of those artefacts can be reused outside the originating device context.
- Shorten the usefulness window of stolen secrets Prioritise session invalidation, token revocation, and secret rotation for systems that accept browser-based or long-lived authentication material, especially where access can be reused without step-up checks.
- Correlate infostealer indicators with IAM events Feed malware intelligence, C2 indicators, and suspicious authentication telemetry into the same detection path so identity teams can see when harvested credentials begin to appear in live access logs.
- Treat third-party and privileged access as high-value theft targets Review accounts that can reach SaaS admin panels, cloud consoles, or sensitive internal systems, then tighten monitoring around those credentials because infostealers often target the easiest reusable path.
Key takeaways
- StealC demonstrates that infostealers are identity theft engines, not just endpoint malware.
- The scale of seized credentials and infrastructure shows that stolen secrets remain a large, monetisable attack surface.
- The most effective containment lever is shortening the usefulness window of exposed credentials and sessions.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 and MITRE ATT&CK address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Stolen secrets and reused credentials are central to this infostealer-driven identity risk. |
| MITRE ATT&CK | TA0006 , Credential Access; TA0010 , Exfiltration | StealC’s core behaviour is credential harvesting followed by data theft and reuse. |
| NIST CSF 2.0 | PR.AC-1 | Credential theft breaks access control assumptions across identity systems. |
| NIST SP 800-53 Rev 5 | IA-5 | Authenticator management is directly implicated by stolen credentials and tokens. |
| NIST Zero Trust (SP 800-207) | Zero trust assumptions fail when stolen identity artefacts are replayed from untrusted contexts. |
Map infostealer activity to TA0006 and TA0010, then tune detections for token and browser-data theft.
Key terms
- Infostealer: An infostealer is malware built to collect credentials, session material, tokens, and other authentication data from infected systems. In NHI programmes, the risk is not only theft but reuse, because harvested workload secrets can unlock cloud access long after the initial infection.
- Command and Control Panel: A command and control panel is the server-side interface attackers use to register infected clients, issue instructions, and collect stolen data. In malware-as-a-service ecosystems, it also acts as the operational hub for configuration, campaign management, and payload delivery.
- Credential replay: Credential replay is the reuse of stolen authentication material to impersonate a legitimate user or system. In human identity programmes, replay risk grows when passwords, OTPs, or weak recovery flows can be captured and used from a separate device or session.
- Identity Blast Radius: The amount of damage a compromised identity can cause across systems, data, and infrastructure. In NHI environments, it is shaped by permissions, network reach, and administrative capability rather than by the credential alone. Reducing blast radius is a containment strategy that limits lateral movement and data exposure.
What's in the full article
Proofpoint's full analysis covers the operational detail this post intentionally leaves for the source:
- The StealC configuration extraction workflow used to track campaigns, affiliates, and payload delivery patterns.
- The C2 panel vulnerability and how it enabled the disruptive action against StealC infrastructure.
- The emulator approach used to coerce payload URLs from active infrastructure and observe downstream malware delivery.
- The list of payload families observed in the StealC ecosystem, including chained loader and ransomware activity.
👉 Proofpoint’s full post covers the C2 vulnerability, emulator workflow, and observed payload chains.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an identity security programme, it is worth exploring.
Published by the NHIMG editorial team on July 14, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org