Europol Nabs Five SmokeLoader Malware Customers Linked via Seized Database

Law enforcement agencies have taken significant action against the criminal ecosystem surrounding the SmokeLoader malware, detaining at least five individuals who were customers of the malicious software. The operation, coordinated by Europol, targeted the so-called "demand side" of cybercrime, focusing on those who used the SmokeLoader botnet service to deploy various malicious tools on victims' systems.

According to Europol, the campaign involved arrests, home searches, arrest warrants, and interviews — part of a broader, ongoing initiative known as Operation Endgame. This operation aims to dismantle both the infrastructure and the user base of major malware loader services. SmokeLoader, operated by a threat actor known as "Superstar", was a pay-per-install botnet that allowed its customers to gain unauthorized access to infected machines and install additional malware payloads of their choice. 

These payloads enabled a range of malicious activities, including keylogging, ransomware deployment, webcam access, and cryptocurrency mining. Europol noted that several suspects had even resold their access or services at a profit, further deepening their involvement in criminal activity. Authorities used data from a previously seized database to identify and track these individuals, linking online handles to real-world identities. 

Countries involved in this global effort include Canada, the Czech Republic, Denmark, France, Germany, the Netherlands, and the United States. Some of the suspects reportedly agreed to cooperate, submitting their devices for forensic analysis. 

Meanwhile, new threats continue to surface. Symantec recently reported a phishing campaign using Windows .SCR (screensaver) files to spread ModiLoader, a Delphi-based malware loader also known as DBatLoader or NatsoLoader. In parallel, Legion Loader is being distributed via malicious MSI installer files, with campaigns using techniques like pastejacking (clipboard hijacking) and CAPTCHA evasion to avoid detection. 

Another loader, Koi Loader, has been seen in phishing campaigns that lead to the deployment of Koi Stealer, a tool designed to exfiltrate sensitive information. Security firm eSentire highlighted the use of anti-virtual machine (Anti-VM) techniques in Koi malware, enabling it to evade analysis environments. 
