{
	"id": "eb9d6193-05e9-4dc2-83fe-36d6935f25d4",
	"created_at": "2026-04-06T00:14:07.159935Z",
	"updated_at": "2026-04-10T03:23:38.84743Z",
	"deleted_at": null,
	"sha1_hash": "cfbac4fa01c5279ef19b58c8720dfd9d8b29b4f3",
	"title": "Global action targeting Shylock malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 48722,
	"plain_text": "Global action targeting Shylock malware\r\nBy Europol\r\nPublished: 2014-07-10 · Archived: 2026-04-05 12:35:14 UTC\r\nOn 8 and 9 July 2014, an alliance of law enforcement and industry undertook measures against the Internet\r\ndomains and servers that form the core of an advanced cybercriminal infrastructure attacking online banking\r\nsystems around the globe using the Shylock Trojan.\r\nLaw enforcement agencies took action to disrupt the system which Shylock depends on to operate effectively. This\r\ncomprised the seizure of servers which form the command and control system for the Trojan, as well as taking\r\ncontrol of the domains Shylock uses for communication between infected computers.\r\nThe operation, coordinated by the UK National Crime Agency (NCA), brought together partners from the law\r\nenforcement and private sectors, including Europol, the FBI, BAE Systems Applied Intelligence, Dell\r\nSecureWorks, Kaspersky Lab and the UK's GCHQ (Government Communications Headquarters) to jointly\r\ncombat the threat.\r\nInvestigative actions were undertaken from the operational centre at the European Cybercrime Centre (EC3) at\r\nEuropol in The Hague. Investigators from the NCA, the FBI, Italy, the Netherlands and Turkey gathered to\r\ncoordinate action in their respective countries, in concert with counterparts in Germany, France and Poland.\r\nCoordination through Europol was instrumental to taking down the servers that form the core of the botnets,\r\nmalware and Shylock infrastructure. 
The CERT-EU (the CERT for the EU institutions, bodies and agencies)\r\nparticipated in the takedown and distributed information on the malicious domains to their peers.\r\nDuring the action, several previously unknown parts of the infrastructure were discovered and follow-up actions\r\ncould be initiated immediately and coordinated from the operational centre in The Hague.\r\nShylock – so-called because its code contains excerpts from Shakespeare's The Merchant of Venice – has infected\r\nat least 30 000 computers running Microsoft Windows worldwide. Intelligence suggests that Shylock targets the\r\nUK more than any other country; nevertheless, the US, Italy and Turkey are also being targeted hard by the\r\nmalicious code. It is thought that the suspected developers are based elsewhere.\r\nVictims are typically infected by clicking on malicious links, and then persuaded to download and run the\r\nmalware. Shylock will then seek to access funds held in business or personal bank accounts, and transfer them to\r\nthe criminal controllers.\r\nTroels Oerting, head of the European Cybercrime Centre (EC3) at Europol, said: \"The European Cybercrime\r\nCentre (EC3) is very happy about this operation against sophisticated malware, playing a crucial role in the work\r\nto take down the criminal infrastructure. 
EC3 has provided a unique platform and operational rooms equipped\r\nwith state-of-the-art technical infrastructure and secure communication means, as well as cyber analysts and\r\ncyber experts\".\r\n\"In this way we have been able to support frontline cyber investigators, coordinated by the UK's NCA, and\r\nworking with the physical presence of the United States' FBI and colleagues from Italy, Turkey and the\r\nNetherlands, with virtual links to cyber units in Germany, France and Poland.\"\r\n\"It has been a pleasure for me to see the international cooperation between police officers and prosecutors from\r\nmany countries, and we have again tested our improved ability to rapidly react to cyber threats in or outside the\r\nEU. It's another step in the right direction for law enforcement and prosecutors in the EU and I thank all involved\r\nfor their huge commitment and dedication. A specific thanks goes to Kaspersky Lab who have contributed\r\nsignificantly to the successful outcome of the operation - and our cooperation continues to grow in this and future\r\ncases\"\r\nAndy Archibald, Deputy Director of the NCA's National Cyber Crime Unit in the UK, said: \"The NCA is\r\ncoordinating an international response to a cybercrime threat to businesses and individuals around the world. This\r\nphase of activity is intended to have a significant effect on the Shylock infrastructure, and demonstrates how we\r\nare using partnerships across sectors and across national boundaries to cut cybercrime\".\r\nThose opting for automated operating system updates - which can ensure computers infected with malware such\r\nas Shylock are cleaned automatically following a system restart - need take no action at this time. 
Those not\r\nopting for automatic updates, or who would like to learn more about how to check their Windows-operated\r\ncomputers and remove infections, can go to Microsoft Virus and Security Centre.\r\nAdvice on internet security can be found at Cyber Streetwise and Get Safe Online.\r\nFor more information, please contact:\r\nEUROPOL\r\nMs Lisanne Kosters\r\nCorporate Communications\r\nTel: +31 70 302 5001\r\nSource: https://www.europol.europa.eu/newsroom/news/global-action-targeting-shylock-malware",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.europol.europa.eu/newsroom/news/global-action-targeting-shylock-malware"
	],
	"report_names": [
		"global-action-targeting-shylock-malware"
	],
	"threat_actors": [
		{
			"id": "5d2bd376-fcdc-4c6a-bc2c-17ebbb5b81a4",
			"created_at": "2022-10-25T16:07:23.667223Z",
			"updated_at": "2026-04-10T02:00:04.705778Z",
			"deleted_at": null,
			"main_name": "GCHQ",
			"aliases": [
				"Government Communications Headquarters",
				"Operation Socialist"
			],
			"source_name": "ETDA:GCHQ",
			"tools": [
				"Prax",
				"Regin",
				"WarriorPride"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434447,
	"ts_updated_at": 1775791418,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/cfbac4fa01c5279ef19b58c8720dfd9d8b29b4f3.pdf",
		"text": "https://archive.orkl.eu/cfbac4fa01c5279ef19b58c8720dfd9d8b29b4f3.txt",
		"img": "https://archive.orkl.eu/cfbac4fa01c5279ef19b58c8720dfd9d8b29b4f3.jpg"
	}
}