Law enforcement agencies across Europe and North America have arrested five individuals linked to the SmokeLoader botnet service as part of Operation Endgame’s second phase. This follow-up action, conducted in early April 2025, specifically targeted the “customers” of the notorious pay-per-install malware service operated by a threat actor known as ‘Superstar’.

According to Europol, the suspects were identified through a critical database seized during the initial phase of Operation Endgame in May 2024, which contained user records linking online identities to real-world individuals. Operation Endgame significantly disrupted the infrastructure of several major malware families, including IcedID, SystemBC, Pikabot, SmokeLoader, Bumblebee, and TrickBot.

According to investigations, a variety of uses for botnet access were bought, including keylogging, webcam access, ransomware deployment, cryptomining, and more. When questioned, multiple suspects chose to cooperate, providing authorities access to personal devices that contained valuable evidence about distribution networks and malware payloads.

SmokeLoader’s primary function is to serve as a downloader that quietly installs additional payloads on infected systems, functioning as a distribution hub for credential stealers, ransomware, and surveillance tools. The malware communicates with command-and-control (C2) servers using encrypted HTTP POST requests, with payloads encrypted using the RC4 algorithm. Recent attacks using SmokeLoader have targeted organizations in Taiwan’s manufacturing, healthcare, and IT sectors, demonstrating the malware’s ongoing threat. Security researchers have responded to the continued threat by developing tools like SmokeBuster, designed to detect, analyze, and remove SmokeLoader infections from compromised systems.

The agency has made it clear that Operation Endgame is ongoing, with further enforcement actions expected against individuals involved in similar activities. As cybercriminal tactics evolve, this operation demonstrates law enforcement’s commitment to pursuing not only infrastructure providers but also the customers who fund and utilize these criminal services.
This Cyber News was published on cybersecuritynews.com. Publication date: Thu, 10 Apr 2025 10:20:15 +0000