“Operation Endgame” Seizes 100 Servers Used by Malware Dropper Ecosystem

In an unprecedented international effort, Europol has successfully disrupted a vast network of malware droppers and botnets through Operation Endgame, leading to significant arrests and the takedown of over 100 servers worldwide.

This landmark operation targeted notorious malware such as IcedID, SystemBC, Pikabot, Smokeloader, Bumblebee, and Trickbot, disrupting the infrastructure used by cybercriminals to deploy ransomware and other malicious software.

Operation Endgame

Operation Endgame, coordinated by Europol between May 27 and May 29, 2024, marked the largest operation ever conducted against botnets, which are crucial in the deployment of ransomware.

The operation was spearheaded by France, Germany, and the Netherlands, with support from Eurojust and various countries, including Denmark, the United Kingdom, and the United States. The collaboration extended to private partners such as Bitdefender, Cryptolaemus, and Proofpoint, among others.

The key results of the operation are summarized below:

• The operation led to four arrests—one in Armenia and three in Ukraine. Sixteen locations were searched across Armenia, the Netherlands, Portugal, and Ukraine.
• Over 100 servers were disrupted or taken down across Bulgaria, Canada, Germany, Lithuania, the Netherlands, Romania, Switzerland, the United Kingdom, the United States, and Ukraine. Additionally, law enforcement gained control over more than 2,000 domains.
• Investigations revealed that a key suspect amassed at least EUR 69 million in cryptocurrency by renting out criminal infrastructure for ransomware deployment. These assets are under constant monitoring, with legal permission to seize them and secure them for future actions.

Malware dropper operations

Malware droppers are specialized software designed to install additional malicious programs on target systems. They infect users by infiltrating their systems via email attachments, compromised websites, or bundled with legitimate software. Once executed, they install other malware onto the victim's computer, often without detection.

Droppers use techniques like code obfuscation and running in memory to avoid detection by security software. After delivering the payload, the dropper may remain inactive or remove itself to evade further detection.

The malware targeted in Operation Endgame—SystemBC, Bumblebee, SmokeLoader, IcedID, and Pikabot—played various roles in facilitating cyberattacks. For instance, SystemBC enabled anonymous communication between infected systems and command-and-control servers, while Bumblebee and SmokeLoader delivered and executed additional payloads. IcedID, initially a banking trojan, evolved to serve broader cybercriminal purposes, and Pikabot facilitated initial access for ransomware deployments.

Operation Endgame is not a one-time effort. Europol has announced that further actions will be revealed on the Operation Endgame dedicated website. Eight fugitives linked to these cybercriminal activities will be added to Europe's Most Wanted list soon.