One-two punch delivered in global operation disrupts cybercrime “assembly line”
International authorities and a raft of private technology companies say they have disrupted a cybercrime “assembly line” that allowed crooks to harvest millions of login credentials and take in more than $47 million through ransom payments and other fraud.
The crux of the operation was the simultaneous targeting of two unrelated tools that are widely used in a variety of online scams. The first is Amadey, a malware-as-a-service platform for compromising devices and delivering malicious payloads for ransomware and other schemes. Amadey has been observed in the wild since at least 2018; last year it was seen abusing GitHub while collecting system information from infected devices and installing customized payloads.
The second tool is StealC, an infostealer-as-a-service platform that collects credentials, authentication cookies, cryptocurrency wallets, browser extensions, and files whose names match customer-defined patterns.
Severing a critical link in the cybercrime chain
Amadey and StealC are separate tools that are run independently of each other. Given their widespread use, however, many customers use both in their individual cybercrime activities. The tools also, it turns out, relied on some of the same underlying infrastructure. Microsoft said it made this determination after analyzing the tools using AI, and the insight allowed Microsoft attorneys to seek a court order disrupting both at the same time.
“This action goes after the cybercrime ‘assembly line,’ where coordinated tools drive ransomware, financial fraud, and disruptions to public services,” Microsoft said Wednesday. “Amadey and StealC are often used alongside each other: Amadey helps attackers gain access to devices, while StealC steals passwords and sensitive information. Together, they form a critical link in the chain.”
With evidence that the tools shared infrastructure, company attorneys invoked the Racketeer Influenced and Corrupt Organizations (RICO) Act, which targets organized crime; that allowed the legal action to treat both tools as part of a single conspiracy. As a result, Microsoft said, it disrupted more than 200 command-and-control servers and severed criminal control of more than 18,000 infected computers.
Europol, which helped coordinate the law-enforcement part of the operation, said it recovered as many as 27 million stolen login credentials and uncovered $47 million worth of “crypto assets of criminal origin.”
“During this action, 326 servers and 142 domains were actioned by law enforcement and the private sector partners, severely crippling the malware’s distribution network,” Europol said. “By taking down these tools simultaneously, the collaboration between law enforcement and private parties has increased friction for cybercriminals, making it harder for attacks to succeed, spread, or recover.”
Other companies assisting in “Operation Endgame” include ESET, Proofpoint, IBM X-Force, Bitsight, and Mitsui Bussan Secure Directions.
Europol said another tool disrupted in Operation Endgame is SocGholish, a malware loader linked to the Russian cybercrime group Evil Corp. that spreads through compromised websites. Visitors to these sites are tricked into installing trojanized apps posing as browser extensions or other legitimate software.
Europol said it has responded by cleaning infected WordPress sites and urging their administrators to change credentials and tighten security. It has also worked to notify parties whose data and credentials were exposed through SocGholish activity. Countries involved in the enforcement action include Canada, Denmark, Germany, the Netherlands, the UK, and the US.