Connect with us

Hi, what are you looking for?


Malware & Threats

TrickBot and Other Malware Droppers Disrupted by Law Enforcement

The TrickBot botnet and other malware droppers have been targeted by international law enforcement in Operation Endgame.

The infrastructure of the TrickBot botnet and several other malware droppers was shut down or disrupted in an international operation involving authorities in over a dozen countries, Europol announced.

Between May 27 and May 29, as part of Operation Endgame, authorities targeted Bumblebee, IcedID, Pikabot, Smokeloader, SystemBC, and Trickbot to disrupt their criminal activities and arrest the cybercriminals operating them.

Deployed during the first stage of malicious attacks, these droppers have been used to harvest information, maintain control of the compromised machines, and deploy additional malware families, including ransomware. After malware deployment, the droppers remain inactive or remove themselves. 

Bumblebee was mainly used for payload delivery, IcedID evolved from a banking trojan to support other cybercrime, Pikabot was used for data theft, remote access, and ransomware deployment, while SystemBC provided anonymous communication with the command-and-control (C&C) server.

Active since at least 2016 and believed to be linked to cybercriminals that have ties to Russian intelligence services, TrickBot survived a takedown attempt in late 2020. The US has announced sanctions against multiple members of the cybercrime group.

Operation Endgame, Europol says, has resulted in infrastructure shut down, asset freezes, and eight individuals believed to be linked to these activities being added to the law enforcement agency’s Most Wanted list. All eight remain at large.

“The individuals are wanted for their involvement in serious cybercrime activities,” Europol says.

According to the agency, one of the main suspects linked to these activities has earned more than €69 million (roughly $75 million) in cryptocurrency from renting websites to ransomware operators.

Advertisement. Scroll to continue reading.

“The suspect’s transactions are constantly being monitored and legal permission to seize these assets upon future actions has already been obtained,” Europol says.

Operation Endgame has resulted in four arrests in Armenia and Ukraine, searches at 16 locations in Armenia, the Netherlands, Portugal, and Ukraine, the shut down of more than 100 servers, and over 2,000 domains being seized by law enforcement.

Law enforcement agencies in Armenia, Bulgaria, Denmark, France, Germany, Lithuania, the Netherlands, Portugal, Romania, Switzerland, the US, the UK, and Ukraine participated in Operation Endgame. Multiple private partners also supported the operation.

Related: Massive 911 S5 Botnet Dismantled, Chinese Mastermind Arrested

Related: Botnet Disrupted by FBI Still Used by Russian Spies, Cybercriminals

Related: German Authorities Take Down ‘Crimemarket’ Cybercrime Website

Written By

Ionut Arghire is an international correspondent for SecurityWeek.


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


The AI Risk Summit brings together security and risk management executives, AI researchers, policy makers, software developers and influential business and government stakeholders.


People on the Move

Gabriel Agboruche has been named Executive Director of OT and Cybersecurity at Jacobs.

Data security startup Reco adds Merritt Baer as CISO

Chris Pashley has been named CISO at Advanced Research Projects Agency for Health (ARPA-H).

More People On The Move

Expert Insights