
Nearly a year after the landmark Operation Endgame dismantled the infrastructure behind several major malware droppers, law enforcement agencies have launched a follow-up offensive targeting the demand side of the cybercrime economy.
Authorities across Europe and North America arrested five individuals, conducted house searches, and interrogated suspects linked to the use of the SmokeLoader botnet service.
The second phase of Operation Endgame focused on so-called “customers” — individuals who paid for access to compromised systems through pay-per-install services, primarily run by a threat actor operating under the alias ‘Superstar’. By purchasing access to infected machines, these customers deployed additional malware for illicit operations, including ransomware attacks, keylogging, cryptojacking, webcam surveillance, and more.
The investigative breakthrough stems from a critical database seized in May 2024, during the first phase of Operation Endgame. This database contained user records linking online identities to real-world individuals. Law enforcement used this data to identify former SmokeLoader clients, uncovering a sprawling network of lower-level actors who had largely flown under the radar during earlier enforcement actions.
Unlike the initial sweep — which targeted the operators of malware delivery platforms like IcedID, Pikabot, SystemBC, Bumblebee, and SmokeLoader — this operation zoomed in on users who purchased access to the infected machines. These individuals were not merely passive participants; investigators found that several suspects resold access to compromised machines at a markup, effectively operating their own micro-level crime-as-a-service operations.
SmokeLoader, the botnet at the center of this wave of arrests, has long served as a modular loader malware with strong persistence and anti-analysis techniques. It enables threat actors to quietly install additional payloads on infected systems, functioning as a distribution hub for credential stealers, ransomware, and surveillance tools. ‘Superstar’, the administrator of the pay-per-install service, offered a scalable platform for customers to deploy malware at will, significantly lowering the barrier to entry for cybercrime.
According to Europol, some suspects believed they had evaded scrutiny following the 2024 takedowns. Instead, they were met with unexpected visits from investigators and, in some cases, detained for questioning. Multiple suspects chose to cooperate, granting access to personal devices that provided further evidence and insights into the distribution and use of purchased malware payloads.
Europol has made clear that this is not the final chapter of Operation Endgame. Investigations are ongoing, and further enforcement actions are expected. Authorities have launched a public-facing portal — operation-endgame.com — where individuals can provide tips or check if they are under investigation. Europol also warns that individuals involved in related activity who have not yet been arrested will be held accountable.