2025-04-17

Law Enforcement Cracks Down on Smokeloader Malware-as-a-Service Network

Level: Strategic | Source: Europol | Global

Following the May 2024 takedown of major malware loader infrastructure under Operation Endgame, law enforcement agencies have executed a coordinated follow-up campaign targeting the customers of the Smokeloader botnet. Europol, in collaboration with international partners including the FBI, Dutch and German authorities, and others, confirmed the identification and apprehension of individuals who purchased access to infected machines through a pay-per-install model. “In a coordinated series of actions, customers of the Smokeloader pay-per-install botnet, operated by the actor known as ‘Superstar’, faced consequences such as arrests, house searches, arrest warrants or ‘knock and talks’. Superstar used his botnet to run a pay-per-install service, enabling customers to gain access to victims’ machines. Customers used the service to deploy malware for their own criminal activities. Investigations revealed that botnet access was purchased for a range of purposes, including keylogging, webcam access, ransomware deployment, cryptomining and more.”

Authorities traced criminal operators after seizing a user database during last year’s Operation Endgame, which originally disrupted over 100 infrastructure nodes supporting malware strains like IcedID, Bumblebee, Trickbot, and Smokeloader. Europol reports that this database helped investigators map user aliases to real-world identities. Several suspects have since cooperated with law enforcement and permitted forensic review of their personal devices. Some actors also resold Smokeloader access to other criminals, expanding the botnet’s reach and complicating the affiliate network. Investigators continue to assess digital evidence gathered from these interviews and seized infrastructure.

Europol emphasized that these actions are ongoing, with new developments expected as authorities pursue unresolved leads. A dedicated website, operation-endgame[.]com, has been launched to publish updates, encourage additional reporting, and share details in multiple languages, including Russian. Europol continues to facilitate intelligence-sharing and coordination through the Joint Cybercrime Action Taskforce (J-CAT), based in The Hague. Although initial efforts focused on disrupting malware distribution services, this second phase reinforces a broader message: actors who rely on crime-as-a-service infrastructure will be held accountable—even months after such services are dismantled.
