Operation Endgame Disrupts IcedID, SmokeLoader, Trickbot and Other Malware Botnets
An international law enforcement operation dubbed Operation Endgame disrupted major malware delivery and botnet infrastructure tied to IcedID, SmokeLoader, SystemBC, Pikabot, Trickbot, and remnants of Bumblebee, in what Europol and participating agencies described as the largest action of its kind against botnets. Authorities said the networks had been used to spread malware through hundreds of millions of phishing emails and to enable follow-on ransomware attacks and financial fraud, with investigators identifying several million infected computers worldwide over the past year.
The coordinated action, supported by Europol and Eurojust, took down more than 100 servers, seized over 2,000 domains, and disinfected more than 10,000 infected systems, while additional operations across multiple countries led to arrests, interrogations, searches, and server seizures. Investigators also identified a key suspect allegedly linked to 69 million euros in cryptocurrency proceeds, and separate reporting and research highlighted scrutiny of a SmokeLoader actor targeted as part of the crackdown.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
Analyst1 profiles a SmokeLoader actor targeted by Operation Endgame
Analyst1 published research examining the life and personality of a SmokeLoader actor said to have been targeted by Operation Endgame. The report added attribution-focused detail around one of the individuals linked to the disrupted malware ecosystem.
Investigators identify key suspect tied to €69 million in crypto
Authorities said they had identified a main suspect allegedly connected to 69 million euros in cryptocurrency earnings from the criminal activity. They stated that the assets would be seized as soon as possible.
Authorities disinfect over 10,000 infected systems
As part of Operation Endgame, law enforcement and partners reported disinfecting more than 10,000 infected computers. The cleanup accompanied the broader disruption of malware delivery infrastructure used to enable ransomware and financial fraud.
Operation Endgame seizes servers and domains across multiple countries
Authorities, supported by Europol and Eurojust, took down more than 100 servers and seized over 2,000 domains during the operation. Additional police actions in several countries included arrests, interrogations, searches, and server seizures.
International Operation Endgame disrupts major malware botnets
An international law enforcement action dubbed Operation Endgame targeted criminal infrastructure tied to IcedID, SmokeLoader, SystemBC, Pikabot, Trickbot, and remnants of Bumblebee. The operation was described as the largest coordinated action to date against malware botnets and their supporting infrastructure.
Authorities identify millions of botnet-infected systems worldwide
Investigators reported that several million infected computers linked to the targeted malware ecosystems had been identified worldwide over the prior year. The infections were associated with botnets including IcedID, SmokeLoader, SystemBC, Pikabot, Trickbot, and Bumblebee remnants.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
Smoked Out: Uncovering the Life & Personality of a SmokeLoader Actor Targeted by Operation Endgame | Analyst1
analyst1.com
Open sourceMalware | Operation Endgame | Botnets disrupted after international action | Resources
spamhaus.org
Open sourceOver 100 malware servers shut down in 'largest ever' operation against botnets | The Record from Recorded Future News
therecord.media
Open sourceOperation Endgame - A large-scale operation focused on disrupting botnets and associated criminal infrastructures. | Europol
europol.europa.eu
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Operation Endgame Disrupts Rhadamanthys, VenomRAT, and Elysium Malware Operations
International law enforcement agencies, coordinated by Europol and Eurojust, executed a major crackdown on the infrastructures supporting the Rhadamanthys infostealer, VenomRAT remote access trojan, and the Elysium botnet. The operation, part of the ongoing Operation Endgame, resulted in the takedown of over 1,025 servers and the seizure of 20 domains used to control and distribute these malware families. Authorities also arrested the main suspect behind VenomRAT in Greece, and the dismantled infrastructure included hundreds of thousands of infected computers and millions of stolen credentials, with many victims unaware of the compromise. The operation involved law enforcement from at least nine countries and was supported by numerous private sector partners, including cybersecurity firms and threat intelligence organizations. Rhadamanthys, a modular information stealer sold as malware-as-a-service, and VenomRAT, a commodity RAT favored by threat actors like TA558, were both widely distributed through email campaigns, malvertising, and other vectors. The Elysium botnet, less well-documented, was also linked to these operations, potentially serving as a proxy network for criminal activity. The disruption has caused significant operational issues for cybercriminals, with many reporting loss of access to their command-and-control panels and servers. Authorities have advised potential victims to check if their systems were compromised and to take remediation steps, as the takedown is expected to have a substantial impact on the cybercrime ecosystem.
Apr 11, 2026
International Operation Dismantles QakBot Botnet Used in Ransomware Campaigns
U.S. and European law enforcement agencies disrupted the **QakBot** botnet, seizing infrastructure tied to malware that had infected more than **700,000 computers** worldwide and enabled ransomware, financial fraud, and other criminal activity. Europol and U.S. authorities said the operation cut off command-and-control systems and removed malware from compromised hosts, while CISA published guidance on the botnet’s tactics, indicators, and the broader effort to identify and disrupt the infrastructure behind it. Officials said QakBot operators and affiliates had generated at least **EUR 54 million** in ransom payments over the years. The takedown also produced a large cache of stolen data that the FBI shared for victim notification, allowing affected individuals to check exposed information through **Have I Been Pwned**. Reporting after the operation said the action could serve as a model for future botnet disruptions, with investigators using legal authorities and international coordination to seize servers, redirect traffic, and weaken criminal ecosystems that support follow-on ransomware attacks.
May 25, 2026
Operation Tovar Disrupts GameOver Zeus Botnet and CryptoLocker Infrastructure
U.S. and European authorities, working with security companies and researchers, disrupted the **GameOver Zeus** peer-to-peer botnet and seized infrastructure tied to **CryptoLocker** in a multinational action known as **Operation Tovar**. The malware network was estimated to have infected **500,000 to 1 million Windows systems** worldwide and was used to steal banking credentials, personal data, and funds through account takeovers, spam campaigns, and DDoS-assisted fraud. U.S. prosecutors said the operation caused more than **$100 million** in losses, while CryptoLocker had infected more than **234,000 computers** and generated over **$27 million** in ransom payments shortly after its emergence. The U.S. Justice Department charged Russian national **Evgeniy Mikhailovich Bogachev**, also known as `Slavik` and `Pollingsoon`, as the alleged administrator behind the botnet. Authorities said the takedown created a roughly **two-week window** for victims and enterprises to clean infected machines before operators could attempt to regain control, and agencies including **US-CERT** and internet service providers were mobilized to support remediation. Investigators said GameOver Zeus spread largely through phishing emails, malicious spam, and compromised websites exploiting outdated software, prompting officials to urge users to update systems, run security scans, and change passwords.
May 26, 2026