Between May 27 and 29, Europol cracked down on several notorious droppers, including IcedID, SystemBC, Pikabot, Smokeloader, Bumblebee, and Trickbot, in an international effort named Operation Endgame. The operation led to four arrests and the shutdown of more than 100 malicious servers.
The operation brought together law enforcement agencies from France, Germany, the United Kingdom, the Netherlands, the United States, and Denmark, with additional support from Armenia, Bulgaria, Lithuania, Portugal, Romania, Switzerland, and Ukraine. Several private players, including Bitdefender, Cryptolaemus, Sekoia, Shadowserver, Team Cymru, Prodaft, Proofpoint, and Northwave, were also involved.
The command post at Europol’s headquarters allowed for real-time coordination among law enforcement officers from Denmark, France, Germany and the US, while virtual command posts ensured communication with teams in Armenia, France, Portugal, and Ukraine.
Furthermore, local command posts were established in Germany, the Netherlands, Portugal, the US, and Ukraine, with the European Union Agency for Criminal Justice Cooperation (Eurojust) setting up a coordination centre to assist with judicial cooperation and the execution of European arrest warrants and investigation orders.
The operation led to four arrests — one in Armenia and three in Ukraine — and involved 16 location searches across Armenia, the Netherlands, Portugal, and Ukraine. Over 100 servers were taken down or disrupted in multiple countries, including Bulgaria, Canada, Germany, Lithuania, the Netherlands, Romania, Switzerland, the UK, the US, and Ukraine. Law enforcement also gained control of over 2,000 domains.
One key suspect was identified as having earned at least EUR 69 million in cryptocurrency by renting out criminal infrastructure for ransomware deployment. Legal action has been taken against the individual and the process of seizing the assets has begun.

“Via so-called ‘sinkholing’ techniques or the use of tools to access the systems of operators behind the malware, investigators managed to block and take down the botnets,” said Eurojust.
Droppers are a critical component of cybercrime operations, serving as the initial stage in malware attacks. These malicious programs facilitate the installation of additional malware on target systems, allowing cybercriminals to bypass security measures and deploy harmful software such as viruses, ransomware, or spyware. Though droppers may not cause direct damage, they are essential for enabling access and control over compromised systems.
For instance, SystemBC enables anonymous communication between infected systems and command-and-control servers, while Bumblebee, often spread via phishing campaigns, delivers and executes further payloads.
Similarly, Smokeloader primarily acts as a downloader for additional malicious software, and IcedID, initially a banking trojan, has evolved to serve broader cybercrime purposes. Pikabot facilitates initial access to systems, enabling ransomware deployment, remote takeovers, and data theft.
According to Europol, the operation is ongoing, and updates will be published on the Operation Endgame website.
“Operation Endgame does not end today. New actions will be announced on the website Operation Endgame. In addition, suspects involved in these and other botnets, who have not yet been arrested, will be directly called to account for their actions,” said Europol.
