{
	"id": "a4efaf7f-a644-4f3d-b080-50fc94ab50e7",
	"created_at": "2026-04-06T00:15:33.398035Z",
	"updated_at": "2026-04-10T03:20:52.286587Z",
	"deleted_at": null,
	"sha1_hash": "0b621379e7a459b36b9a68348aa78eda71cb41de",
	"title": "Largest ever operation against botnets hits dropper malware ecosystem",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 58885,
	"plain_text": "Largest ever operation against botnets hits dropper malware\r\necosystem\r\nBy Europol\r\nPublished: 2024-05-30 · Archived: 2026-04-02 10:51:51 UTC\r\nBetween 27 and 29 May 2024 Operation Endgame, coordinated from Europol’s headquarters, targeted droppers\r\nincluding IcedID, SystemBC, Pikabot, Smokeloader, Bumblebee and Trickbot. The actions focused on disrupting\r\ncriminal services through arresting High Value Targets, taking down the criminal infrastructures and freezing\r\nillegal proceeds. This approach had a global impact on the dropper ecosystem. The malware, whose infrastructure\r\nwas taken down during the action days, facilitated attacks with ransomware and other malicious software.\r\nFollowing the action days, eight fugitives linked to these criminal activities, wanted by Germany, will be added to\r\nEurope’s Most Wanted list on 30 May 2024. The individuals are wanted for their involvement in serious\r\ncybercrime activities.\r\nThis is the largest ever operation against botnets, which play a major role in the deployment of ransomware. The\r\noperation, initiated and led by France, Germany and the Netherlands, was also supported by Eurojust and involved\r\nDenmark, the United Kingdom and the United States. In addition, Armenia, Bulgaria, Lithuania, Portugal,\r\nRomania, Switzerland and Ukraine also supported the operation with different actions, such as arrests,\r\ninterviewing suspects, searches, and seizures or takedowns of servers and domains. 
The operation was also\r\nsupported by a number of private partners at national and international level, including Bitdefender, Cryptolaemus,\r\nSekoia, Shadowserver, Team Cymru, Prodaft, Proofpoint, NFIR, Computest, Northwave, Fox-IT,\r\nHaveIBeenPwned, Spamhaus, DIVD, abuse.ch and Zscaler.\r\nThe coordinated actions led to:\r\n4 arrests (1 in Armenia and 3 in Ukraine)\r\n16 location searches (1 in Armenia, 1 in the Netherlands, 3 in Portugal and 11 in Ukraine)\r\nOver 100 servers taken down or disrupted in Bulgaria, Canada, Germany, Lithuania, the Netherlands,\r\nRomania, Switzerland, the United Kingdom, the United States and Ukraine\r\nOver 2 000 domains under the control of law enforcement\r\nFurthermore, it has been discovered through the investigations so far that one of the main suspects has earned at\r\nleast EUR 69 million in cryptocurrency by renting out criminal infrastructure sites to deploy ransomware. The\r\nsuspect’s transactions are constantly being monitored and legal permission to seize these assets upon future\r\nactions has already been obtained.\r\nWhat is a dropper and how does it work?\r\nMalware droppers are a type of malicious software designed to install other malware onto a target system. They\r\nare used during the first stage of a malware attack, during which they allow criminals to bypass security measures\r\nand deploy additional harmful programs, such as viruses, ransomware, or spyware. Droppers themselves do not\r\nusually cause direct damage but are crucial for accessing and implementing harmful software on the affected\r\nsystems.\r\nhttps://www.europol.europa.eu/media-press/newsroom/news/largest-ever-operation-against-botnets-hits-dropper-malware-ecosystem\r\nPage 1 of 3\n\nSystemBC facilitated anonymous communication between an infected system and command-and-control\r\nservers. 
Bumblebee, distributed mainly via phishing campaigns or compromised websites, was designed to enable\r\nthe delivery and execution of further payloads on compromised systems. SmokeLoader was primarily used as a\r\ndownloader to install additional malicious software onto the systems it infects. IcedID (also known as BokBot),\r\ninitially categorised as a banking trojan, had been further developed to serve other cybercrimes in addition to the\r\ntheft of financial data. Pikabot is a trojan used to get initial access to infected computers, which enables\r\nransomware deployments, remote computer take-over and data theft. All of them are now being used to deploy\r\nransomware and are seen as the main threat in the infection chain.\r\nDroppers’ operation phases\r\nInfiltration: Droppers can enter systems through various channels, such as email attachments or compromised\r\nwebsites, and they can also be bundled with legitimate software.\r\nExecution: Once executed, the dropper installs the additional malware onto the victim's computer. This\r\ninstallation often occurs without the user's knowledge or consent.\r\nEvasion: Droppers are designed to avoid detection by security software. They may use methods like obfuscating\r\ntheir code, running in memory without saving to disk, or impersonating legitimate software processes.\r\nPayload Delivery: After deploying the additional malware, the dropper may either remain inactive or remove\r\nitself to evade detection, leaving the payload to carry out the intended malicious activities.\r\nEndgame doesn’t end here\r\nOperation Endgame does not end today. New actions will be announced on the website Operation Endgame. In\r\naddition, suspects involved in these and other botnets, who have not yet been arrested, will be directly called to\r\naccount for their actions. 
Suspects and witnesses will find information on how to reach out via this website.\r\nCommand post at Europol to coordinate the operational actions\r\nEuropol facilitated the information exchange and provided analytical, crypto-tracing and forensic support to the\r\ninvestigation. To support the coordination of the operation, Europol organised more than 50 coordination calls\r\nwith all the countries as well as an operational sprint at its headquarters.\r\nOver 20 law enforcement officers from Denmark, France, Germany and the United States supported the\r\ncoordination of the operational actions from the command post at Europol and hundreds of other officers from the\r\ndifferent countries involved in the actions. In addition, a virtual command post allowed real-time coordination\r\nbetween the Armenian, French, Portuguese and Ukrainian officers deployed on the spot during the field activities.\r\nThe command post at Europol facilitated the exchange of intelligence on seized servers, suspects and the transfer\r\nof seized data. Local command posts were also set up in Germany, the Netherlands, Portugal, the United States\r\nand Ukraine. Eurojust supported the action by setting up a coordination centre at its headquarters to facilitate the\r\njudicial cooperation between all authorities involved. 
Eurojust also assisted with the execution of European Arrest\r\nWarrants and European Investigation Orders.\r\nNational authorities at the core of Operation Endgame\r\nEU Member States:\r\nDenmark: Danish Police (Politi)\r\nFrance: National Gendarmerie (Gendarmerie Nationale) and National Police (Police Nationale); Public\r\nProsecutor Office JUNALCO (National Jurisdiction against Organised Crime) Cybercrime Unit; Paris\r\nJudicial Police (Préfecture De Police de Paris)\r\nGermany: Federal Criminal Police Office (Bundeskriminalamt), Prosecutor General's Office Frankfurt am\r\nMain – Cyber Crime Center\r\nNetherlands: National Police (Politie), Public Prosecution Office (Openbaar Ministerie)\r\nNon-EU Member States:\r\nThe United Kingdom: National Crime Agency\r\nThe United States: Federal Bureau of Investigation, United States Secret Service, The Defense Criminal\r\nInvestigative Service, United States Department of Justice\r\nAuthorities involved in local coordination centres for Operation Endgame:\r\nPortugal: Judicial Police (Polícia Judiciária)\r\nUkraine: Prosecutor General’s Office (Офіс Генерального прокурора); National Police (Національна\r\nполіція України); Security Service (Служба безпеки України)\r\nThe list of participating authorities was updated on 30 May 2024 at 12:10 CET.\r\nThe list of private partners was updated on 30 May 2024 at 17:00 CET.\r\nEmpact\r\nThe European Multidisciplinary Platform Against Criminal Threats (EMPACT) tackles the most important threats\r\nposed by organised and serious international crime affecting the EU. 
EMPACT strengthens intelligence, strategic\r\nand operational cooperation between national authorities, EU institutions and bodies, and international partners.\r\nEMPACT runs in four-year cycles focusing on common EU crime priorities.\r\nSource: https://www.europol.europa.eu/media-press/newsroom/news/largest-ever-operation-against-botnets-hits-dropper-malware-ecosystem",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.europol.europa.eu/media-press/newsroom/news/largest-ever-operation-against-botnets-hits-dropper-malware-ecosystem"
	],
	"report_names": [
		"largest-ever-operation-against-botnets-hits-dropper-malware-ecosystem"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434533,
	"ts_updated_at": 1775791252,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0b621379e7a459b36b9a68348aa78eda71cb41de.pdf",
		"text": "https://archive.orkl.eu/0b621379e7a459b36b9a68348aa78eda71cb41de.txt",
		"img": "https://archive.orkl.eu/0b621379e7a459b36b9a68348aa78eda71cb41de.jpg"
	}
}