takedown Archives

Tech Optimizer

June 2, 2025

AVCheck cyber crime service snared in police takedown

An international law enforcement initiative has dismantled an online software crypting syndicate that helped cybercriminals evade malware detection. The operation, led by the FBI's Houston Field Office and involving agencies from the Netherlands, Finland, and the US Secret Service, resulted in the seizure of four domains, the takedown of 300 servers, the neutralization of 650 domains, and the issuance of nearly two dozen international arrest warrants. Matthijs Jaspers from the Netherlands' High Tech Crime Team highlighted the challenges of tracking cybercriminals and the importance of collaborative efforts in combating cybercrime.

Tech Optimizer

June 2, 2025

Key service for malware developers taken offline

The takedown of AVCheck, a major Counter Antivirus (CAV) service used by cybercriminals, disrupts their ability to test malware against antivirus detection, thereby hindering successful attacks. Matthijs Jaspers from the High Tech Crime Team highlighted that this operation is crucial in combating organized cybercrime, as it prevents early-stage criminal activities. The investigation revealed connections between AVCheck and other services like Cryptor.biz and Crypt.guru. Additionally, law enforcement has taken proactive measures, including deploying a fake login page to deter AVCheck users and collaborating with Project Melissa to target malware services. The need for coordinated efforts among various sectors is emphasized to effectively combat cybercrime.

Tech Optimizer

June 2, 2025

International authorities dismantle AVCheck in cybercrime operation

International authorities have dismantled AVCheck, a platform used by cybercriminals to test malware against antivirus software. The website avcheck.net now displays a seizure notice from the US Department of Justice, FBI, US Secret Service, and Dutch police. AVCheck was one of the largest counter antivirus services globally, aiding cybercriminals in evaluating their malware's stealth capabilities. Investigators found links between AVCheck's administrators and crypting services like Cryptor.biz and Crypt.guru. Law enforcement had placed a fake login page on AVCheck to warn users about legal risks before its shutdown on May 27, 2025. Undercover agents confirmed the illegal nature of AVCheck through transactions and connections to ransomware attacks. The FBI has also warned about the Silent Ransom Group, which has targeted law firms in the US using social engineering tactics.

Tech Optimizer

May 30, 2025

Police takes down AVCheck antivirus site used by cybercriminals

An international law enforcement initiative has dismantled AVCheck, a service that allowed cybercriminals to test malware against antivirus software. The official website, avcheck.net, now displays a seizure banner from U.S. and Dutch authorities. AVCheck was one of the largest counter antivirus services, providing insights into malware evasion tactics. Investigators found connections between AVCheck's administrators and crypting services, which help obfuscate malware. Law enforcement created a deceptive login page to warn users of legal consequences. The takedown occurred on May 27, 2025, as part of Operation Endgame, which also seized 300 servers and 650 domains linked to ransomware attacks.

Tech Optimizer

May 29, 2025

Windows PCs at risk as new tool disarms built-in security

All modern Windows PCs come with Microsoft Defender, a built-in antivirus solution. A tool called Defendnot can disable Microsoft Defender by tricking Windows into believing another antivirus is active. It uses an undocumented API to register a counterfeit antivirus, which leads to Microsoft Defender being automatically disabled without user notification. Defendnot creates a scheduled task for persistence and allows customization of the antivirus name. It is a successor to a previous project, No-Defender, which was removed due to copyright issues. Currently, Microsoft Defender flags Defendnot as a threat.

Tech Optimizer

May 23, 2025

Cloudflare, Microsoft & police disrupt global malware service

Cloudflare, in collaboration with Microsoft and international law enforcement, has dismantled the infrastructure of LummaC2, an information-stealing malware service. This initiative led to the seizure and blocking of malicious domains and disrupted digital marketplaces used by criminals. Lumma Stealer operates as a subscription service providing threat actors access to a central panel for customized malware builds and stolen data retrieval. The stolen information includes credentials, cryptocurrency wallets, and sensitive data, posing risks of identity theft and financial fraud. Lumma Stealer was first identified on Russian-language crime forums in early 2023 and has since migrated to Telegram for distribution. Its proliferation is facilitated by social engineering campaigns, including deceptive pop-ups and bundled malware in cracked software. Cloudflare implemented measures to block access to Lumma's command and control servers and collaborated with various authorities to prevent the criminals from regaining control. Mitigation strategies for users include restricting unknown scripts, limiting password storage in browsers, and using reputable endpoint protection tools. The operation has significantly hindered Lumma's operations and aims to undermine the infostealer-as-a-service model contributing to cybercrime.

Winsage

May 22, 2025

Microsoft says Lumma password stealer malware found on 394,000 Windows PCs

Microsoft, in collaboration with law enforcement, has taken legal action against the Lumma malware operation, which has affected over 394,000 Windows PCs globally, particularly in Brazil, Europe, and the United States. A federal court authorized the seizure of 2,300 domains used as command and control servers for Lumma, and the Justice Department confiscated five additional domains related to its infrastructure. Lumma is primarily spread through questionable games or cracked applications and extracts sensitive information such as logins, passwords, credit card details, and cryptocurrency wallets, which is then sold to other cybercriminals. Lumma also facilitates the deployment of additional malware, including ransomware, and has been linked to significant cyberattacks on major tech companies like PowerSchool and Snowflake, resulting in substantial data theft.