{"id":3818,"date":"2024-05-30T11:42:15","date_gmt":"2024-05-30T16:42:15","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=80598"},"modified":"2024-05-30T11:42:15","modified_gmt":"2024-05-30T16:42:15","slug":"global-police-operation-strikes-against-malware-infrastructure","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2024\/05\/30\/global-police-operation-strikes-against-malware-infrastructure\/","title":{"rendered":"Global police operation strikes against malware infrastructure\u00a0"},"content":{"rendered":"<p><head> <meta charset=\"UTF-8\"> <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\"> <meta name=\"robots\" content=\"index, follow, max-image-preview:large, max-snippet:-1, max-video-preview:-1\"> <!-- This site is optimized with the Yoast SEO Premium plugin v21.7 (Yoast SEO v21.7) - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ --> <title>Global police operation strikes against malware infrastructure&nbsp; | CyberScoop<\/title> <meta name=\"description\" content=\"\u2018Operation Endgame\u2019 targeted well-known malware variants used to facilitate ransomware and other serious cybercrime.\"> <link rel=\"canonical\" href=\"https:\/\/cyberscoop.com\/global-police-operation-strikes-against-malware-infrastructure\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"Global police operation strikes against malware infrastructure&nbsp;\"> <meta property=\"og:description\" content=\"\u2018Operation Endgame\u2019 targeted well-known malware variants used to facilitate ransomware and other serious cybercrime.\"> <meta property=\"og:url\" content=\"https:\/\/cyberscoop.com\/global-police-operation-strikes-against-malware-infrastructure\/\"> <meta property=\"og:site_name\" content=\"CyberScoop\"> <meta property=\"article:published_time\" content=\"2024-05-30T16:42:15+00:00\"> <meta property=\"og:image\" 
content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/global-police-operation-strikes-against-malware-infrastructure-2.jpg\"> <meta property=\"og:image:width\" content=\"1920\"> <meta property=\"og:image:height\" content=\"1080\"> <meta property=\"og:image:type\" content=\"image\/jpeg\"> <meta name=\"author\" content=\"AJ Vicens\"> <meta name=\"twitter:card\" content=\"summary_large_image\"> <meta name=\"twitter:creator\" content=\"@AJVicens\"> <!-- \/ Yoast SEO Premium plugin. --> <link rel=\"dns-prefetch\" href=\"\/\/securepubads.g.doubleclick.net\">\n<link rel=\"dns-prefetch\" href=\"\/\/use.typekit.net\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Feed\" href=\"https:\/\/cyberscoop.com\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Comments Feed\" href=\"https:\/\/cyberscoop.com\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-2\" href=\"https:\/\/cyberscoop.com\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1715117951g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-6\" href=\"https:\/\/cyberscoop.com\/wp-content\/mu-plugins\/search\/elasticpress\/dist\/css\/related-posts-block-styles.min.css?m=1715115084g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-8\" href=\"https:\/\/cyberscoop.com\/wp-content\/themes\/scoopnewsgroup\/dist\/css\/frontend.css?m=1716385020g\" type=\"text\/css\" media=\"all\">\n<link rel=\"stylesheet\" id=\"typekit-css\" href=\"https:\/\/use.typekit.net\/itk2qbh.css?ver=74528d75ce0daeb8628a\" media=\"all\"> <link rel=\"https:\/\/api.w.org\/\" href=\"https:\/\/cyberscoop.com\/wp-json\/\"><link rel=\"alternate\" type=\"application\/json\" href=\"https:\/\/cyberscoop.com\/wp-json\/wp\/v2\/posts\/80598\"><link rel=\"EditURI\" type=\"application\/rsd+xml\" title=\"RSD\" href=\"https:\/\/cyberscoop.com\/xmlrpc.php?rsd\">\n<meta name=\"generator\" content=\"WordPress 6.5.3\">\n<link 
rel=\"shortlink\" href=\"https:\/\/cyberscoop.com\/?p=80598\">\n<link rel=\"alternate\" type=\"application\/json+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fglobal-police-operation-strikes-against-malware-infrastructure%2F\">\n<link rel=\"alternate\" type=\"text\/xml+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fglobal-police-operation-strikes-against-malware-infrastructure%2F&amp;format=xml\"> <!-- Google Tag Manager --> <!-- End Google Tag Manager --> <link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=192\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=180\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=270\"> <\/head><body class=\"post-template-default single single-post postid-80598 single-format-standard\" id=\"readabilityBody\"> <a href=\"https:\/\/cyberscoop.com\/global-police-operation-strikes-against-malware-infrastructure\/#main\" class=\"skip-to-content-link visually-hidden-focusable\">Skip to main content<\/a> <\/p>\n<div class=\"ad ad--top ad--top-desktop\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> <main id=\"main\" role=\"main\" tabindex=\"-1\"> <\/p>\n<div class=\"ad ad--top ad--top-mobile\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<section id=\"stickybar\" class=\"stickybar stickybar--newsletter js-stickybar\" readability=\"0.82\"> <button class=\"stickybar__close js-stickybar-close\" 
aria-controls=\"stickybar\"> <svg class=\"icon icon--close\" width=\"21\" height=\"22\" viewBox=\"0 0 21 22\" fill=\"none\"><path d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 9.677 9.678.806-.805L11.305 11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" \/><\/svg> <span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" readability=\"24.695340501792\">\n<div class=\"single-article__header-content\" readability=\"30.175675675676\">\n<ul class=\"single-article__eyebrow\">\n<li class=\"single-article__category\"> <a class=\"single-article__category-link\" href=\"https:\/\/cyberscoop.com\/news\/threats\/cybercrime\/\"> <span>Cybercrime<\/span> <\/a> <\/li>\n<\/ul>\n<p> \u2018Operation Endgame\u2019 targeted well-known malware variants used to facilitate ransomware and other serious cybercrime. 
<\/p>\n<\/p><\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"640\" height=\"360\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/global-police-operation-strikes-against-malware-infrastructure.jpg?resize=640%2C360&#038;ssl=1\" class=\"single-article__cover-image wp-post-image\" alt decoding=\"async\" fetchpriority=\"high\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/global-police-operation-strikes-against-malware-infrastructure-2.jpg 1920w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/global-police-operation-strikes-against-malware-infrastructure-2.jpg?resize=300,168 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/global-police-operation-strikes-against-malware-infrastructure-2.jpg?resize=768,432 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/global-police-operation-strikes-against-malware-infrastructure-2.jpg?resize=1024,576 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/global-police-operation-strikes-against-malware-infrastructure-2.jpg?resize=1536,864 1536w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/global-police-operation-strikes-against-malware-infrastructure-2.jpg?resize=600,337 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/global-police-operation-strikes-against-malware-infrastructure-2.jpg?resize=1200,675 1200w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/global-police-operation-strikes-against-malware-infrastructure-2.jpg?resize=1500,843 1500w\" sizes=\"(max-width: 1200px) 100vw, 1200px\"><figcaption> Seizure notice announcing &#8220;Operation Endgame.&#8221; (Europol) <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"50.186164100207\"><body 
readability=\"101.73622623111\"><\/p>\n<p>A coalition of international law enforcement agencies carried out what they said was the \u201clargest ever\u201d operation to counter botnet and dropper malware by taking down or disrupting more than 100 servers, seizing 2,000 domains and identifying nearly 70 million euros earned by one of the main suspects in the case.&nbsp;<\/p>\n<p>Officials with Europol <a href=\"https:\/\/www.europol.europa.eu\/media-press\/newsroom\/news\/largest-ever-operation-against-botnets-hits-dropper-malware-ecosystem\">announced early Thursday<\/a> that \u201cOperation Endgame\u201d targeted droppers \u2014 malware used to get other malware onto a system \u2014 including IcedID, SystemBC, Pikabot, Smokeloader, Bumblebee and Trickbot, which are used extensively to facilitate a range of consequential cybercrimes.<\/p>\n<p>As part of the operation, authorities made one arrest in Armenia and three in Ukraine, and eight suspects linked to the activities and wanted by Germany will be added to Europe\u2019s Most Wanted list, Europol said in its statement.<\/p>\n<p>German authorities <a href=\"https:\/\/www.bka.de\/DE\/IhreSicherheit\/Fahndungen\/Personen\/BekanntePersonen\/Endgame\/_Endgame_Uebersicht\/Uebersicht_node.html\">released images of the eight suspects<\/a> and said the operation, which began in 2022, aims \u201cto destroy the most relevant malware families in the category of initial access malware (so-called droppers or loaders),\u201d according to a machine translation.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>U.S. law enforcement agencies participated in the operation, along with their counterparts from the U.K., Denmark, France, Germany, Netherlands, Portugal and Ukraine.&nbsp;<\/p>\n<p>As is increasingly common in cybercrime law enforcement disruptions, authorities have leaned into the messaging aspects of their operation. 
A website created in both English and Russian warns criminals involved in the dropper ecosystem to use caution.&nbsp;<\/p>\n<p>\u201cWe have been investigating you and your criminal undertakings for a long time and we will not stop here,\u201d <a href=\"https:\/\/operation-endgame.com\/\">the website reads<\/a>. \u201cThis is Season 1 of operation Endgame. Stay tuned. It sure will be exciting. Maybe not for everyone though. Some results can be found here, others will come to you in different and unexpected ways. Feel free to get in touch, you might need us. Surely, we could both benefit from an openhearted dialogue. You would not be the first one, nor will you be the last. Think about (y)our next move.\u201d<\/p>\n<p>The site included a contact email address and Telegram handle, as well as highly produced videos, urging people with information to \u201creach out.\u201d<\/p>\n<figure class=\"wp-block-image size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/global-police-operation-strikes-against-malware-infrastructure.png?w=640&#038;ssl=1\" alt class=\"wp-image-80599\"><figcaption class=\"wp-element-caption\">Screenshot from one of the videos created by law enforcement as part of Operation Endgame (CyberScoop).<\/figcaption><\/figure>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>As part of the operation, roughly 16.5 million email addresses and 13.5 million unique passwords collected by the malware strains targeted by police were shared with Have I Been Pwned, a service used to notify users that their email and passwords have been published or compromised, <a href=\"https:\/\/www.troyhunt.com\/operation-endgame\/\">said Troy Hunt, the site\u2019s operator<\/a>.&nbsp;&nbsp;<\/p>\n<p>The droppers in question have been tied to a multitude of cybercrime operations over the years. 
IcedID, for instance, \u201cwas a near constant presence in email inboxes from mid-2017 until the botnet was voluntarily dismantled by its operators in November 2023,\u201d and had evolved from being used to target financial institutions in fraud operations to providing initial access to ransomware distributors, the Secureworks Counter Threat Unit told CyberScoop in an email Thursday.&nbsp;<\/p>\n<p>One of the others, SmokeLoader, has been \u201ca key enabler of cybercrime for nearly 15 years,\u201d the CTU said, with various plugins that allowed credential theft, data theft, remote access and the launch of DDoS attacks.&nbsp;<\/p>\n<p>Don Smith, CTU\u2019s vice president of threat intelligence, said in the email that the operation continues an \u201cimpressive run\u201d of law enforcement takedowns, referring to recent operations such as those against <a href=\"https:\/\/cyberscoop.com\/lockbit-takedown-messaging-campaign\/\">the LockBit ransomware gang<\/a> and <a href=\"https:\/\/cyberscoop.com\/fbi-seizure-genesis-market-cybercrime\/\">cybercrime marketplaces<\/a>.<\/p>\n<p>\u201cIndividually these operations have been significant, in concert they demonstrate that whilst the malicious actors may be out of reach of the courts, their botnets and infrastructure is not, it can be compromised and taken offline,\u201d he said. 
\u201cWe\u2019re never going to get to the kernel of some of these organized criminal gangs, but if we can minimize the impact they have by reducing their ability to scale, their ability to deploy, then that\u2019s a good thing.\u201d<\/p>\n<p><\/body> <\/p>\n<footer class=\"single-article__footer\" readability=\"1.1008064516129\">\n<div class=\"author-card\" readability=\"8\">\n<div class=\"author-card__avatar\">\n<figure class=\"author-card__image-wrap\"> <img data-recalc-dims=\"1\" decoding=\"async\" class=\"author-card__image\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/05\/global-police-operation-strikes-against-malware-infrastructure-1.jpg?w=640&#038;ssl=1\" alt=\"AJ Vicens\"> <\/figure>\n<\/p><\/div>\n<p><h4 class=\"author-card__name\">Written by AJ Vicens<\/h4>\n<p> AJ covers nation-state threats and cybercrime. He was previously a reporter at Mother Jones. Get in touch via Signal\/WhatsApp: (810-206-9411). <\/p>\n<\/p><\/div>\n<div class=\"single-article__tags-container\">\n<h4 class=\"single-article__tags-title\">In This Story<\/h4>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"single-article__ads js-single-article-sidebar\">\n<div class=\"ad ad--sidebar js-single-article-sidebar-5 ad--rightrail_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-4 ad--rightrail_2 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-3 ad--rightrail_3 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div><\/div>\n<\/article>\n<div class=\"popular-stories popular-stories--single-post\">\n<div class=\"popular-stories__container\">\n<h2 class=\"popular-stories__title\"> More Scoops <\/h2>\n<p> <!-- .popular-stories__stories --> <\/div>\n<p><!-- 
.popular-stories__inner -->\n<\/div>\n<p><!-- .popular-stories --> <\/p>\n<section class=\"latest-podcasts\">\n<h2 class=\"latest-podcasts__title\"> Latest Podcasts\t<\/h2>\n<\/section>\n<div class=\"top-categories\">\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Government<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Technology<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Geopolitics<\/h3>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/p>\n<div class=\"ad ad--bottom \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div id=\"interstitial\" class=\"welcome__container\"> <button id=\"close-modal-1\" class=\"welcome__clickable_area\"><\/button> <\/p>\n<div class=\"welcome__ad_wrapper\">\n<p> <button id=\"close-modal-3\" class=\"welcome__continue-button\">Continue to CyberScoop<\/button> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p> <!-- Start of HubSpot Embed Code --> <!-- End of HubSpot Embed Code --> <\/body> <a href=\"https:\/\/cyberscoop.com\/global-police-operation-strikes-against-malware-infrastructure\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Global police operation strikes against malware infrastructure&nbsp; | CyberScoop 
Skip<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[2080,282,2144,2145,669,168],"tags":[2082,286,2146,2147,671,169],"class_list":["post-3818","post","type-post","status-publish","format-standard","hentry","category-botnets","category-cybercrime","category-droppers","category-europol","category-federal-bureau-of-investigation-fbi","category-malware","tag-botnets","tag-cybercrime","tag-droppers","tag-europol","tag-federal-bureau-of-investigation-fbi","tag-malware"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/botnets\/\" rel=\"category tag\">botnets<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybercrime\/\" rel=\"category tag\">cybercrime<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/droppers\/\" rel=\"category tag\">droppers<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/europol\/\" rel=\"category tag\">Europol<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/federal-bureau-of-investigation-fbi\/\" rel=\"category tag\">Federal Bureau of Investigation (FBI)<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/malware\/\" rel=\"category 
tag\">Malware<\/a>","tag_info":"Malware","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/3818","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=3818"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/3818\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=3818"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=3818"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=3818"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}