
A major Europol-led cybersecurity operation, codenamed Operation Endgame, has delivered a significant blow to global cybercrime networks by targeting some of the most dangerous malware droppers in circulation.
Carried out between 27 and 29 May, the coordinated crackdown focused on high-value droppers including IcedID, SystemBC, Pikabot, Smokeloader, Bumblebee and Trickbot — tools frequently used as the first step in large-scale ransomware attacks. These droppers are crucial components in the cybercriminal supply chain, allowing malicious actors to infiltrate networks and install further malware undetected.
The operation resulted in the widespread disruption of dropper activity, with key figures within the ecosystem arrested, critical infrastructure dismantled, and illicit proceeds frozen. The scale and speed of the enforcement actions mark it as one of the most extensive botnet takedowns to date.
Authorities Behind Operation Endgame
The operation is the largest so far against botnets, which have been crucial for ransomware deployments. Notable participants included France, Germany, and the Netherlands. Other key cooperating authorities included Eurojust, the UK, Denmark, and the US.
Many other European authorities also facilitated the initiative through arrests, interviews of suspects, searches, and the disabling of various domains and servers.
Shutdowns by major international private organisations like Bitdefender, Cryptolaemus, and Zscaler further strengthened the initiative's efforts against cybercrime. Microsoft, for example, revealed that 394,000 Windows computers were hit by the Lumma malware in just two months, dealing a severe blow to the hackers behind it.
Major achievements included:
- 4 arrests (one in Armenia and three in Ukraine)
- 16 property searches (one in Armenia, one in the Netherlands, three in Portugal and 11 in Ukraine)
- Over 100 servers shut down or disrupted in Bulgaria, Canada, Germany, Lithuania, the Netherlands, Romania, Switzerland, the United Kingdom, the United States, and Ukraine
- Over 2,000 domains under the control of law enforcement
Investigations also uncovered at least 69 million euros in illicit crypto earnings by a primary suspect renting criminal infrastructure sites to deploy ransomware. Currently, authorities are monitoring the suspect's transactions and have obtained legal clearance to confiscate assets from their crypto transactions whenever necessary in the future.
What Are Malware Droppers?
Malware droppers are not malware themselves but are software tools that enable hackers to install and deploy malicious programs in target networks. In the first phase of a malware attack, they allow cybercrime actors to bypass security controls and release malicious programs such as spyware, ransomware, and other harmful software.
Phases of Droppers' Operation
- Infiltration: Droppers gain access to systems through a variety of channels, including email attachments and compromised websites. They can also be concealed within legitimate software downloads.
- Execution: Once activated, the dropper installs additional malware onto the victim's device, often without the user's knowledge or consent.
- Evasion: Designed to avoid detection by security software, droppers employ tactics such as code obfuscation, running solely in memory without writing to disk, or masquerading as legitimate software processes.
- Payload Delivery: Following the deployment of additional malware, the dropper may either lie dormant or delete itself to evade detection, leaving the payload free to carry out its malicious objectives.
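As an added illustration, not part of the Europol announcement or of this article, the script below runs three defender-side checks over constructed process-creation records for behaviours named in the phases above: a system binary name running from an unexpected directory (masquerading as a legitimate process), a mail or office application spawning a script host (the email-attachment infiltration route), and an encoded PowerShell command line (code obfuscation). The binary names, expected directories and log field names are assumptions chosen for the example.

```python
import json
import ntpath

# Windows binaries that droppers commonly imitate by name; a copy running from any
# other directory deserves a closer look. Both sets are assumptions for this example.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "explorer.exe", "rundll32.exe"}
EXPECTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows"}

# Mail and office applications rarely have a reason to launch script or shell hosts;
# that parent-child pair is the classic trace of a malicious email attachment.
MAIL_OFFICE_PARENTS = {"outlook.exe", "winword.exe", "excel.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe"}


def classify_event(event: dict) -> list:
    """Return the names of the dropper behaviours one process-creation event matches."""
    image = event["image"].lower()
    parent = event.get("parent_image", "").lower()
    name = ntpath.basename(image)
    directory = ntpath.dirname(image)
    findings = []
    if name in SYSTEM_BINARIES and directory not in EXPECTED_DIRS:
        findings.append("masquerading-path")
    if ntpath.basename(parent) in MAIL_OFFICE_PARENTS and name in SCRIPT_HOSTS:
        findings.append("office-spawned-script-host")
    if name in SCRIPT_HOSTS and "-enc" in event.get("command_line", "").lower():
        findings.append("encoded-command")
    return findings


def scan_log(lines) -> list:
    """Parse JSON-per-line process-creation records; return (pid, findings) for each hit."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        event = json.loads(line)
        findings = classify_event(event)
        if findings:
            hits.append((event["pid"], findings))
    return hits

# Constructed sample records, not real telemetry. Backslashes are JSON-escaped.
SAMPLE_LOG = r"""
{"pid": 4101, "image": "C:\\Windows\\System32\\svchost.exe", "parent_image": "C:\\Windows\\System32\\services.exe", "command_line": "svchost.exe -k netsvcs"}
{"pid": 4102, "image": "C:\\Users\\alice\\AppData\\Roaming\\svchost.exe", "parent_image": "C:\\Windows\\explorer.exe", "command_line": "svchost.exe"}
{"pid": 4103, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "parent_image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "command_line": "powershell.exe -nop -w hidden -enc SQBFAFgA"}
""".splitlines()

if __name__ == "__main__":
    for pid, findings in scan_log(SAMPLE_LOG):
        print(pid, ", ".join(findings))
```

The first record is the legitimate baseline and produces no finding; the second and third show one masquerading hit and one combined attachment-plus-obfuscation hit respectively.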
Lumma is one of many Russian-developed malware tools used against private and public network infrastructure to facilitate network breaches, cyber theft, and other malicious activity. According to the FBI's deputy assistant director for cyber operations, Brett Leatherman, cybercriminals have used Lumma to exploit airlines, universities, banks, hospitals and US state governments, with Fortune 500 companies among the victims.
As Europol recently blogged, Operation Endgame's success doesn't stop there: 'New actions will be announced on the website Operation Endgame.'
'In addition, suspects involved in these and other botnets, who have not yet been arrested, will be directly called to account for their actions. Suspects and witnesses will find information on how to reach out via this website.'
Cian Heasley, threat team lead at Adarma, supported the move in her statement: 'Hopefully, it will serve as a strong deterrent to cyber criminals and reassure individuals and enterprises that authorities are proactively tackling the rising problem of bots.'