In a significant advancement in the fight against cybercrime, law enforcement agencies across Europe and North America have arrested five individuals connected to the SmokeLoader botnet service. This action, part of the second phase of Operation Endgame conducted in early April 2025, specifically targeted the clientele of the notorious pay-per-install malware service operated by a threat actor known as ‘Superstar’.
Operation Endgame: A Strategic Shift in Cyber Enforcement
Operation Endgame represents a strategic shift in cyber enforcement tactics, focusing not only on dismantling cybercriminal infrastructure but also on apprehending those who utilize these illicit services. The initial phase, executed between May 27 and 29, 2024, led to the seizure of over 100 servers worldwide used by major malware loader operations, including IcedID, Pikabot, Trickbot, Bumblebee, SmokeLoader, and SystemBC. This coordinated effort involved 16 location searches across Europe and resulted in the arrest of four individuals—one in Armenia and three in Ukraine. Additionally, eight fugitives linked to these operations were identified and added to Europol’s ‘Most Wanted’ list.
The seized infrastructure spanned Europe and North America, encompassing over 2,000 domains that facilitated illicit services. This operation was a collaborative effort involving police forces from Germany, the United States, the United Kingdom, France, Denmark, and the Netherlands, supported by intelligence from cybersecurity experts at Bitdefender, Cryptolaemus, Sekoia, Shadowserver, Team Cymru, Prodaft, Proofpoint, NFIR, Computest, Northwave, Fox-IT, HaveIBeenPwned, Spamhaus, and DIVD.
SmokeLoader: A Persistent Cyber Threat
SmokeLoader, first advertised on cybercrime forums in 2011, has evolved into a sophisticated modular malware known for its adaptability and evasion techniques. Its primary function is to serve as a downloader, quietly installing additional payloads on infected systems. These payloads can include credential stealers, ransomware, and surveillance tools, making SmokeLoader a versatile tool in the cybercriminal arsenal.
Technical analyses reveal that SmokeLoader employs multiple evasion techniques, including code obfuscation, anti-debugging measures, and sandbox detection capabilities. The malware communicates with command-and-control (C2) servers using encrypted HTTP POST requests, with payloads encrypted using RC4 algorithms. This level of sophistication allows it to evade detection and maintain persistence on compromised systems.
Exploitation of Vulnerabilities and Targeted Attacks
In recent campaigns, threat actors have exploited vulnerabilities in widely used software to deploy SmokeLoader. Notably, a zero-day vulnerability in the popular file archiver 7-Zip (CVE-2025-0411) was identified in September 2024. This high-severity vulnerability allowed attackers to bypass Windows’ Mark-of-the-Web (MoTW) security mechanism, enabling the execution of malicious scripts or executables without triggering security warnings. Russian cybercrime groups weaponized this vulnerability, distributing double-archived malicious files through spear-phishing emails, leading to the deployment of SmokeLoader on victim systems.
Additionally, SmokeLoader has been used in targeted attacks against companies in Taiwan’s manufacturing, healthcare, and IT sectors. These campaigns often begin with phishing emails containing malicious attachments that exploit vulnerabilities in Microsoft Office (CVE-2017-0199 and CVE-2017-11882). Once opened, these attachments deliver the initial malware stages, leading to the deployment of SmokeLoader. The malware’s modularity enables the deployment of various plugins for tasks such as credential theft, cookie retrieval, and code injection.
Law Enforcement’s Continued Efforts
Despite the significant disruptions caused by Operation Endgame, SmokeLoader continued to be used by threat groups with new C2 infrastructure, largely due to cracked versions available on the internet. Recognizing the persistent threat, law enforcement agencies initiated the second phase of Operation Endgame, focusing on the demand side of the cybercrime economy.
Investigators identified suspects through a critical database seized during the initial phase, which contained user records linking online identities to real-world individuals. Some suspects believed they had evaded scrutiny following the 2024 takedowns. Instead, they were met with unexpected visits from investigators and, in some cases, detained for questioning.
During this phase, it was discovered that several suspects had resold access to compromised machines at increased prices, effectively operating micro-level crime-as-a-service operations. When questioned, multiple suspects chose to cooperate, providing authorities access to personal devices that contained valuable evidence about distribution networks and malware payloads.
Public Engagement and Ongoing Operations
Europol has launched a public-facing portal—operation-endgame[.]com—where individuals can provide tips or check if they are under investigation. The agency has made it clear that Operation Endgame is ongoing, with further enforcement actions expected against individuals involved in similar activities.
Security researchers have responded to the continued threat by developing tools like SmokeBuster, designed to detect, analyze, and remove SmokeLoader infections from compromised systems. As cybercriminal tactics evolve, this operation demonstrates law enforcement’s commitment to adapting and responding to emerging threats in the digital landscape.
Conclusion
The dismantling of the SmokeLoader network and the arrest of its operators mark a significant milestone in the fight against cybercrime. By targeting both the infrastructure and the clientele of these illicit services, law enforcement agencies have disrupted a major component of the cybercriminal ecosystem. However, the persistence of threats like SmokeLoader underscores the need for continuous vigilance, collaboration, and innovation in cybersecurity efforts.
