DOJ Targets Malware Obfuscation: Four Crypting Domains Shut Down

Global Operation Dismantles Major Crypting Service Network Used by Cybercriminals

In a sweeping multinational law enforcement operation, authorities have dismantled a cybercrime syndicate responsible for enabling malware to bypass antivirus software and remain hidden from security defenses.


The U.S. Department of Justice (DoJ) announced the seizure of four domains—AvCheck[.]net, Cryptor[.]biz, Crypt[.]guru, and an undisclosed fourth—on May 27, 2025. These sites provided crypting and counter-antivirus (CAV) services that allowed cybercriminals to obfuscate malicious code, making it stealthy and undetectable. The action was carried out in coordination with authorities from the Netherlands and Finland, with support from France, Germany, Denmark, Portugal, and Ukraine.

“Crypting is the process of using software to make malware difficult for antivirus programs to detect,” the DoJ stated. “When paired with CAV tools, these services enable cybercriminals to bypass modern security systems and infiltrate targeted machines.”

How the Services Worked

The domains now display official seizure banners, but prior to the takedown, they offered malware authors and threat actors the ability to test and improve their payloads against a variety of antivirus engines. For example, AvCheck[.]net advertised itself as a "high-speed antivirus scantime checker," allowing users to scan files, domains, and IP addresses across dozens of antivirus tools.

Undercover investigations confirmed that the services were being actively used to enhance malware before distribution. Dutch authorities called AvCheck one of the largest CAV services on the dark web.

Part of Operation Endgame

This crackdown is part of Operation Endgame, a global initiative launched in 2024 targeting cybercriminal infrastructure. It follows recent enforcement actions against malware families and tools such as Lumma Stealer, DanaBot, and others used in ransomware operations.

“Cybercriminals don’t just create malware; they perfect it for maximum destruction,” said FBI Houston Special Agent in Charge Douglas Williams. “These services help them evade detection, bypass firewalls, and wreak havoc.”

Related Threat: PureCrypter on the Rise

The disruption coincides with new intelligence from cybersecurity firm eSentire, which has detailed the increasing use of PureCrypter, a malware-as-a-service (MaaS) tool. Sold on Hackforums[.]net by a developer named PureCoder, it’s marketed under a “Terms of Service” that claims the tool is for educational use only—an all-too-common façade in the cybercrime world.

Available via a Telegram channel, @ThePureBot, PureCrypter enables buyers to distribute advanced malware like Lumma and Rhadamanthys using initial access vectors such as ClickFix. The tool includes advanced evasion features like:

  • AMSI bypass

  • DLL unhooking

  • Anti-VM and anti-debugging measures

  • Bypassing Windows 11 24H2 security mechanisms via NtManageHotPatch API patching

eSentire researchers noted that despite PureCrypter’s claims of “Fully UnDetected” (FUD) status, its malware is often detected by major antivirus solutions on VirusTotal, revealing discrepancies in the service’s claimed capabilities.
