#OperationEndgame - With the operators out of the picture, law enforcement is closing in on Smokeloader botnet’s paying customers across Europe and North America.
Read: https://hackread.com/smokeloader-users-identified-arrested-operation-endgame/
#ESETResearch’s monitoring of #AceCryptor revealed a significant decrease in the prevalence of the malware in H2 2024: we only observed around 3k unique samples, as opposed to 13k in H1 2024. Overall hits went down by 68% compared to H1, and by 87% compared to H2 2023.
Similarly, the number of unique users targeted by AceCryptor campaigns decreased by 58% between H1 and H2 2024, and the decrease was even more pronounced when compared to H2 2023, amounting to 85%.
As for the malware families packed by the cryptor, we could yet again see the usual suspects such as #Rescoms, #Smokeloader, and #Stealc among the most delivered threats.
While much smaller in scale than in previous periods, we still detected two notable campaigns of the malware. First, on July 11, 2024, 500 victims in Germany were sent emails with malicious attachments disguised as financial documents inside a password-protected archive.
Instead of the documents, the archive contained an AceCryptor executable packing the Raccoon Stealer successor #RecordBreaker, which then exfiltrated the victim information to a C&C server with the IP address 45[.]153[.]231[.]163.
Then, on September 23, 2024, more than 1,600 endpoints of small businesses in Czechia received emails whose attachments contained an AceCryptor binary packing the #XWorm RAT. As a C&C, XWorm RAT used easynation[.]duckdns[.]org.
The list of Indicators of Compromise (IoCs) can be found in our GitHub repository: https://github.com/eset/malware-ioc/tree/master/ace_cryptor
The Bundeskriminalamt (BKA) and the Generalstaatsanwaltschaft Frankfurt am Main – Zentralstelle zur Bekämpfung der Internetkriminalität (ZIT), with the participation of the BSI, struck a blow against #Cybercrime on May 28 and 29, 2024. We provided a sinkholing infrastructure for the takedown of the #Schadsoftware (malware) #Smokeloader and are responsible for notifying the German victims.
More info: https://www.bsi.bund.de/dok/1112442
Today we celebrate a major cybersecurity victory. Operation Endgame, a global law enforcement effort supported by insights from experts at Proofpoint and other industry vendors, resulted in:
• The disruption of major botnets
• Four arrests
• Over 100 servers taken down across 10 countries
• Over 2,000 domains brought under the control of law enforcement
• Illegal assets frozen
Proofpoint’s mission is to provide the best human-centric protection for our customers against advanced threats. Whenever possible and appropriate to do so, Proofpoint uses its team’s knowledge and skills to help protect a wider audience against widespread malware threats.
For #OperationEndgame, Proofpoint threat researchers lent their expertise in reverse engineering malware, botnet infrastructure, and identifying patterns in how the threat actors set up their servers to help authorities understand the malware and safely remediate the bot clients.
Proofpoint’s unmatched threat telemetry and researcher knowledge played a crucial role in the operation, providing key insights in identifying the new botnets that are most likely to grow and become the dominant threats affecting the largest number of people around the world.
More information on the takedown and Proofpoint’s involvement can be found in our blog: https://www.proofpoint.com/us/blog/threat-insight/major-botnets-disrupted-global-law-enforcement-takedown.
Operation Endgame - Largest Ever Operation Against Botnets Hits Dropper Malware Ecosystem
Date: May 30, 2024
CVE: Not specified
Vulnerability Type: Malware
CWE: [[CWE-94]], [[CWE-502]]
Sources: Europol News, Eurojust News
Issue Summary
Europol, in coordination with law enforcement agencies from multiple countries, conducted the largest ever operation targeting botnets. This operation, dubbed "Operation Endgame," took place from May 27 to 29, 2024, and led to the disruption of major malware droppers including IcedID, SystemBC, Pikabot, Smokeloader, and Bumblebee. The effort resulted in four arrests and the takedown of over 100 servers worldwide. These droppers were used to facilitate ransomware and other cyber-attacks by installing additional malware onto target systems. The operation was supported by Eurojust and involved contributions from countries including France, Germany, the Netherlands, Denmark, the UK, the US, and others. Private partners also played a role in the operation, which aimed to dismantle the infrastructure supporting these malicious activities. The success of this operation marks a significant step in combating cybercrime on a global scale.
Operation Endgame, coordinated by Europol, dismantled several major botnets including IcedID, SystemBC, Pikabot, Smokeloader, and Bumblebee. This international effort involved law enforcement agencies from multiple countries and led to the arrest of four individuals and the takedown of over 100 servers. The botnets targeted facilitated ransomware and other cyber-attacks.
Technical Key Findings
The malware droppers involved are designed to infiltrate systems and install additional malware, often avoiding detection through sophisticated evasion techniques. These droppers were used to deploy ransomware and other malicious payloads by bypassing security measures and enabling further system compromises.
Vulnerable Products
The operation did not specify particular products but targeted the infrastructures supporting droppers like IcedID, SystemBC, Pikabot, Smokeloader, and Bumblebee.
Impact Assessment
Left in place, this dropper infrastructure could lead to widespread ransomware attacks, financial losses, and significant disruption of services. The infrastructure taken down had facilitated numerous cyber-attacks globally, highlighting the severe impact on cybersecurity.
Patches or Workaround
The report did not mention specific patches or workarounds. However, continuous monitoring and updating of security measures are recommended to protect against such threats.
We are proud to announce that we assisted the joint international law enforcement operation #OperationEndgame, targeting the notorious botnets #IcedID, #Smokeloader, #SystemBC and #Pikabot.
abuse.ch has provided key infrastructure to LEA and internal partners to disrupt these botnet operations
More information on the operation is available here: https://operation-endgame.com/
#IcedID, #Smokeloader, #SystemBC, #Pikabot and #Bumblebee botnets have been disrupted by Operation Endgame!! This is the largest operation EVER against botnets involved with ransomware, with gargantuan thanks to a coordinated effort led by international agencies
As with the #Qakbot and #Emotet takedowns, Spamhaus are again providing remediation support - those affected will be contacted from today with steps to take.
For more information, read our write-up here: https://www.spamhaus.org/resource-hub/malware/operation-endgame-botnets-disrupted-after-international-action/
Spamhaus researchers have observed a new panel at hxxp://185[.]221[.]198[.]118/, seen in malware downloaded by #Smokeloader.
Based on the panel logo and name, the malware is determined to be "Hornet Stealer".
According to our researchers, this is an infostealer written in Golang, targeting applications such as browsers, wallets, Steam and Telegram.
It uses Fernet with a hardcoded key to decrypt its various strings and its C2 address.
The stolen information is encrypted by calculating the MD5 hash of the key "5hKEw9TAVDZPA6CblkDK86Dhd9HF1E5B" (previously decrypted with Fernet) and using it in AES GCM mode.
The encrypted data is then transmitted to the server via a TCP connection.
If anyone else is seeing this activity, let us know in the comments.
8Base Group Deploying New #Phobos Ransomware Variant via #SmokeLoader
https://thehackernews.com/2023/11/8base-group-deploying-new-phobos.html
Today, a #Smokeloader #malware campaign was observed sending emails with links to hacked sites.
The malware is hidden in a "contract" folder created by the hacker.
The next-stage download link is not a normal one, as the IP is in decimal notation, which makes it look tricky.
@3236135985 = 192.227.132.49
Evidence - https://tria.ge/221114-lpyrzabe9s
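As an added example (not part of the post above), a small Python helper that canonicalises the decimal, hex, octal and short-form IPv4 notations a browser or curl accepts, so that a next-stage link like the one described can be matched against a blocklist or proxy log; the sample URL in it is constructed.

```python
import re
from ipaddress import IPv4Address
from urllib.parse import urlsplit, urlunsplit

# A canonical dotted quad (no leading zeros); anything else that still
# parses as IPv4 under inet_aton rules is an obfuscated address.
_DEC = r"(?:0|[1-9]\d{0,2})"
DOTTED_QUAD = re.compile(rf"^{_DEC}(?:\.{_DEC}){{3}}$")


def _parse_part(part: str) -> int:
    """Parse one dotted part like inet_aton: 0x.. hex, leading 0 octal, else decimal."""
    if part.lower().startswith("0x"):
        return int(part[2:], 16)
    if len(part) > 1 and part.startswith("0"):
        return int(part, 8)
    return int(part, 10)


def decode_numeric_host(host: str):
    """Return the dotted-quad form of a host written in a non-standard IPv4
    notation (3236135985, 0xC0E38431, 0300.0343.0204.061, 192.227.33841),
    or None for a real hostname or an already canonical dotted quad."""
    if DOTTED_QUAD.match(host):
        return None
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        nums = [_parse_part(p) for p in parts]
    except ValueError:
        return None  # non-numeric label: an ordinary hostname
    # All but the last part are single bytes; the last part fills the remaining bytes.
    if any(n >= 256 for n in nums[:-1]) or nums[-1] >= 1 << (8 * (5 - len(nums))):
        return None
    value = nums[-1]
    for i, n in enumerate(nums[:-1]):
        value += n << (8 * (3 - i))
    return str(IPv4Address(value))


def check_url(url: str) -> dict:
    """Flag a URL whose host hides an IPv4 address and return the canonical URL."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    decoded = decode_numeric_host(host)
    canonical = url
    if decoded is not None:
        netloc = decoded if parts.port is None else f"{decoded}:{parts.port}"
        canonical = urlunsplit(parts._replace(netloc=netloc))
    return {"host": host, "decoded": decoded, "obfuscated": decoded is not None,
            "canonical_url": canonical}
```

Running `check_url("http://3236135985/contract/")` on the constructed link reports the host as obfuscated and gives `http://192.227.132.49/contract/` as the address the client would actually fetch.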