An international law enforcement operation, codenamed 'Operation Endgame,' has successfully seized over 100 servers worldwide used by several major malware loader operations, including IcedID, Pikabot, Trickbot, Bumblebee, Smokeloader, and SystemBC.
Between May 27 and 29, 2024, coordinated actions across Europe led to 16 searches and the arrest of four individuals—one in Armenia and three in Ukraine. Furthermore, authorities have identified eight fugitives linked to these malware operations, who will be added to Europol’s ‘Most Wanted’ list later today.
The infrastructure, spread across Europe and North America, hosted over 2,000 domains used for illicit activities. This infrastructure is now under the control of the authorities.
Operation Endgame was a collaborative effort involving police forces from Germany, the United States, the United Kingdom, France, Denmark, and the Netherlands. The operation was supported by intelligence from experts at Bitdefender, Cryptolaemus, Sekoia, Shadowserver, Team Cymru, Prodaft, Proofpoint, NFIR, Computest, Northwave, Fox-IT, HaveIBeenPwned, Spamhaus, and DIVD.
Seized Domains and Infected Systems
Millions of computers worldwide have been compromised by these malware droppers, which are specialised tools designed to establish initial access to devices. Cybercriminals typically use malicious emails or trojanized installers promoted through malvertising or torrents to deliver the malware.
Initially developed as banking trojans, many of these droppers have evolved to focus on initial access while simplifying their operation to evade detection. They employ sophisticated evasion techniques, such as heavy code obfuscation and impersonation of legitimate processes, and often reside only in memory. Once established, they introduce more dangerous payloads, including information stealers and ransomware.
Financial Impact and Ongoing Investigations
Europol reported that one of the main suspects involved in the targeted malware operations made over 69 million Euros ($74.5M) by renting out infrastructure for ransomware deployment. “Investigations revealed that one of the main suspects has earned at least EUR 69 million in cryptocurrency by renting out criminal infrastructure sites for ransomware deployment,” Europol announced. Authorities are monitoring the suspect’s transactions and have obtained legal permission to seize these assets in future actions.
Further details about the suspects and the law enforcement operation will be published on a dedicated portal later today.