Identities of Cybercriminals Linked to Malware Loaders Revealed

Law enforcement reveals the identities of eight cybercriminals linked to recently disrupted malware loaders.

Authorities in Europe have revealed the identities of eight individuals linked to several malware loader families that were disrupted last week as part of Operation Endgame.

The suspects are wanted for their involvement in the distribution and administration of Bumblebee, IcedID, Pikabot, Smokeloader, SystemBC, and Trickbot, which have been used for years to steal user data, distribute other malware families, and facilitate phishing and other malicious activities.

As part of Operation Endgame, law enforcement agencies in 13 countries, with support from Europol, performed arrests and house searches, and shut down servers and seized domains serving as the infrastructure for the six malware loader families.

Europol also announced that it was monitoring financial accounts linked to eight suspects, including one that earned more than €69 million (roughly $75 million) in proceeds from the illegal activities.

On May 30, Europol added the eight individuals to its Most Wanted list, disclosing their alleged involvement in the operation of the malware loaders.

According to Europol, Airat Rustemovich Gruber, 42, of Russia, has been the administrator of the Smokeloader botnet, which first appeared in 2011, abusing the infected machines for data theft and the installation of other malware for a fee.

Five other Russian nationals, namely Oleg Vyacheslavovich Kucherov, Sergey Valerievich Polyak, Fedor Aleksandrovich Andreev, Georgy Sergeevich Tesman, and Anton Alexandrovich Bragin, are wanted for their ties with the TrickBot cybergang.

They allegedly sought new infection methods, searched for new victims, tested the malware, obfuscated the TrickBot code, and improved the botnet’s admin panel, respectively.

Andrei Andreyevich Cherepanov and Nikolai Nikolaevich Chereshnev, Europol notes, presumably worked as crypters for TrickBot, ensuring that its code is disguised. Chereshnev also maintained the group’s VPN infrastructure.

“According to investigations conducted by the BKA [the German Federal Criminal Police Office], the TrickBot group temporarily consisted of more than 100 members. It works in an organized and hierarchically structured manner and is project and profit oriented. The group is responsible for the infection of several hundred thousand systems in Germany and worldwide,” Europol notes.

Beyond TrickBot itself, the TrickBot cybergang is also known for using malware families such as Bazarloader, Conti, Diavol, IcedID, Ryuk, and SystemBC.

The eight suspects are also listed on the BKA’s website, along with a brief on Operation Endgame and on the harm malware loaders can cause.

Related: German Authorities Take Down ‘Crimemarket’ Cybercrime Website

Related: Police Dismantle Major Ukrainian Ransomware Operation

Related: DoJ: Estonian Man Tried to Acquire US-Made Hacking Tools for Russia

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
