Authorities Seized Smokeloader Malware Operators & Seized Servers

Law enforcement agencies across Europe and North America have arrested five individuals linked to the Smokeloader botnet service as part of Operation Endgame’s second phase. 

This follow-up action, conducted in early April 2025, specifically targeted the “customers” of the notorious pay-per-install malware service operated by a threat actor known as ‘Superstar’.

Customers used the service to deploy malware for their own illegal operations. According to investigators, access to the botnet was purchased for a variety of purposes, including keylogging, webcam access, ransomware deployment, cryptomining, and more.

The arrests mark a strategic shift in cyber enforcement tactics, focusing on the demand side of the cybercrime economy rather than just infrastructure. 

According to Europol, the suspects were identified through a critical database seized during the initial phase of Operation Endgame in May 2024, which contained user records linking online identities to real-world individuals.

“Some suspects believed they had evaded scrutiny following the 2024 takedowns,” a Europol spokesperson stated.

“Instead, they were met with unexpected visits from investigators and, in some cases, detained for questioning.”

Smokeloader Evasion Techniques

SmokeLoader, first advertised on cybercrime forums in 2011, has evolved into a sophisticated modular malware with strong persistence and anti-analysis techniques. 

Its primary function is to serve as a downloader that quietly installs additional payloads on infected systems, functioning as a distribution hub for credential stealers, ransomware, and surveillance tools.

Technical analysis reveals that SmokeLoader employs multiple evasion techniques, including code obfuscation, anti-debugging measures, and sandbox detection capabilities. 

The malware communicates with command-and-control (C2) servers over HTTP POST requests, with the request payloads encrypted using the RC4 algorithm.
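To show what an analyst does with RC4-encrypted C2 traffic of the kind described above, here is an added example (not code from the article or from any SmokeLoader analysis tool) that decrypts a captured POST body under candidate keys and keeps the first one that yields readable text; the key and beacon it uses are constructed placeholders, not real SmokeLoader values.

```python
# Added example, not code from the article or from any SmokeLoader tooling:
# RC4 applied from the analyst's side to a captured HTTP POST body, so a
# candidate key can be checked against the decrypted result. The key and the
# beacon below are constructed for the demo, not real SmokeLoader values.

def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Apply the RC4 keystream to data (encrypt and decrypt are the same op)."""
    s = list(range(256))
    j = 0
    for i in range(256):                     # key-scheduling algorithm (KSA)
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                        # PRGA, XORed over the input
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or ordinary whitespace."""
    if not data:
        return 0.0
    ok = sum(1 for b in data if 0x20 <= b < 0x7F or b in (0x09, 0x0A, 0x0D))
    return ok / len(data)


def try_keys(post_body: bytes, candidates: list, threshold: float = 0.9):
    """Return (key, plaintext) for the first candidate whose RC4 decryption of
    the captured body looks like text; None if no candidate passes."""
    for key in candidates:
        plain = rc4_crypt(key, post_body)
        if printable_ratio(plain) >= threshold:
            return key, plain
    return None


# Constructed sample: a fake beacon encrypted under a hypothetical key, so the
# workflow runs offline without any real capture.
DEMO_KEY = b"demo-key-not-real"
DEMO_BEACON = b"id=0001&bot=abc123&cmd=ping"
CAPTURED_POST_BODY = rc4_crypt(DEMO_KEY, DEMO_BEACON)

if __name__ == "__main__":
    print(try_keys(CAPTURED_POST_BODY, [b"wrong-guess", DEMO_KEY]))
```

The printable-ratio check is a crude plaintext heuristic; on real captures an analyst would replace it with a check for the beacon format the sample actually uses.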

The initial Operation Endgame in May 2024 was described by Europol as the “largest ever operation against botnets,” resulting in four arrests, the takedown of over 100 servers across 10 countries, and the seizure of more than 2,000 domains. 

This operation significantly disrupted the infrastructure of several major malware families, including IcedID, SystemBC, Pikabot, SmokeLoader, Bumblebee, and TrickBot.

Despite this success, SmokeLoader continued to be used by threat groups with new C2 infrastructure, largely due to cracked versions available on the internet. 

Recent attacks using SmokeLoader have targeted organizations in Taiwan’s manufacturing, healthcare, and IT sectors, demonstrating the malware’s ongoing threat.

During the second phase of Operation Endgame, investigators discovered that several suspects had resold access to compromised machines at increased prices, effectively operating micro-level crime-as-a-service operations. 

When questioned, multiple suspects chose to cooperate, providing authorities access to personal devices that contained valuable evidence about distribution networks and malware payloads.

Europol has launched a public-facing portal—operation-endgame[.]com—where individuals can provide tips or check if they are under investigation. 

The agency has made it clear that Operation Endgame is ongoing, with further enforcement actions expected against individuals involved in similar activities.

Security researchers have responded to the continued threat by developing tools like SmokeBuster, designed to detect, analyze, and remove SmokeLoader infections from compromised systems.

As cybercriminal tactics evolve, this operation demonstrates law enforcement’s commitment to pursuing not only infrastructure providers but also the customers who fund and utilize these criminal services.

The post Authorities Seized Smokeloader Malware Operators & Seized Servers appeared first on Cyber Security News.