
Global Operation Takes Down Malware Obfuscation Services Aiding Cybercriminals

A multinational law enforcement operation has led to the seizure of online services used by cybercriminals to hide malicious software from security tools

CYBER SYRUP
Delivering the sweetest insights on cybersecurity.



A multinational law enforcement operation has led to the seizure of online services used by cybercriminals to hide malicious software from security tools. These services, known as crypting and counter-antivirus (CAV) tools, let attackers obfuscate a payload and then check it against a battery of antivirus engines without the sample being shared with the vendors, repeating the cycle until the file goes undetected and the chance of a successful compromise rises.

The takedown, announced by the U.S. Department of Justice (DoJ) on May 27, 2025, involved authorities from the Netherlands, Finland, France, Germany, Denmark, Portugal, and Ukraine.

Domains Seized in the Crackdown

The operation, carried out in coordination with European partners, resulted in the seizure of four domains, including:

  • AvCheck[.]net

  • Cryptor[.]biz

  • Crypt[.]guru

These domains, now displaying law enforcement seizure notices, were integral to cybercriminal operations: they tested malware against antivirus engines and obfuscated it so that it stayed undetected by security software.

“Crypting is the process of using software to make malware difficult for antivirus programs to detect,” the DoJ explained.

The seized platforms offered obfuscation services and counter-antivirus scanning, letting cybercriminals iterate on a sample until signature-based antivirus engines no longer flagged it.
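The seized domains are also historical indicators for defenders: an internal host that contacted a CAV service was either compromised or being used to prepare malware. As an added example (not part of the original article or the DoJ announcement), the Python below hunts a web-proxy log for connections to the three domains named above. The log lines are constructed and follow a Squid-style access.log layout; the indicators are taken in their defanged form and refanged before matching, subdomains count as hits, and a constructed look-alike such as notavcheck.net does not.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

# Domains named in the DoJ announcement, copied in the defanged form used above.
SEIZED_DOMAINS_DEFANGED = ["AvCheck[.]net", "Cryptor[.]biz", "Crypt[.]guru"]


def refang(domain: str) -> str:
    """Turn a defanged indicator such as 'AvCheck[.]net' into a matchable hostname."""
    return domain.replace("[.]", ".").strip().lower().rstrip(".")


SEIZED_DOMAINS: Set[str] = {refang(d) for d in SEIZED_DOMAINS_DEFANGED}

# Accepts either a bare 'host:port' (CONNECT requests) or a full URL.
URL_HOST_RE = re.compile(r"^(?:[a-z][a-z0-9+.-]*://)?([^/:?#]+)", re.IGNORECASE)


def host_from_url(url: str) -> str:
    """Extract the hostname from a proxy URL field; returns '' if none is found."""
    m = URL_HOST_RE.match(url)
    return m.group(1).lower() if m else ""


def host_matches(host: str, indicators: Set[str]) -> Optional[str]:
    """Return the indicator that host equals or is a subdomain of, else None.

    Matching on '.' + indicator keeps look-alikes such as 'notavcheck.net' out.
    """
    host = host.lower().rstrip(".")
    for ind in indicators:
        if host == ind or host.endswith("." + ind):
            return ind
    return None


# Constructed sample in a Squid-style access.log layout (hypothetical traffic, not real data):
# timestamp elapsed client action/code bytes method URL user hierarchy type
SAMPLE_PROXY_LOG = """\
1748300000.123 45 10.0.4.17 TCP_TUNNEL/200 4521 CONNECT avcheck.net:443 - HIER_DIRECT/203.0.113.5 -
1748300012.456 30 10.0.4.17 TCP_TUNNEL/200 9870 CONNECT api.avcheck.net:443 - HIER_DIRECT/203.0.113.5 -
1748300020.789 12 10.0.9.22 TCP_MISS/200 1200 GET http://example.com/index.html - HIER_DIRECT/192.0.2.10 text/html
1748300033.000 50 10.0.2.8 TCP_TUNNEL/200 3300 CONNECT cryptor.biz:443 - HIER_DIRECT/198.51.100.7 -
1748300040.111 20 10.0.9.22 TCP_TUNNEL/200 800 CONNECT notavcheck.net:443 - HIER_DIRECT/198.51.100.9 -
"""


def hunt(log_text: str, indicators: Set[str] = SEIZED_DOMAINS) -> Dict[str, List[Tuple[str, str]]]:
    """Map each internal client IP to the (indicator, host) pairs it contacted."""
    hits: Dict[str, List[Tuple[str, str]]] = defaultdict(list)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # malformed or truncated line
        client, url = fields[2], fields[6]
        host = host_from_url(url)
        ind = host_matches(host, indicators)
        if ind:
            hits[client].append((ind, host))
    return dict(hits)


if __name__ == "__main__":
    for client, matches in sorted(hunt(SAMPLE_PROXY_LOG).items()):
        print(client, "->", ", ".join(f"{host} ({ind})" for ind, host in matches))
```

On the constructed sample, two clients surface (10.0.4.17 for avcheck.net and its api subdomain, 10.0.2.8 for cryptor.biz) while the host that only visited example.com and the look-alike domain does not. Against a real log the same loop runs over DNS or proxy history for the period before the seizure notices went up; a hit from a developer workstation is worth as much attention as one from a server.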

Undercover Investigations Confirm Criminal Use

Authorities confirmed the illicit use of these services through undercover purchases, validating their role in facilitating cybercrime. Dutch officials identified AvCheck[.]net as one of the largest global CAV platforms used by cyber actors.

Archived versions of the AvCheck website revealed that it marketed itself as a “high-speed antivirus scantime checker” (scantime meaning the static scan of a file at rest, as opposed to detection of its behaviour once run), offering to scan files against 26 antivirus engines and to scan IPs and domains against 22 engines and threat intelligence blocklists.

Part of a Broader Initiative: Operation Endgame

This enforcement action is the latest milestone in Operation Endgame, a coordinated international effort launched in 2024 to disrupt cybercriminal infrastructure. It follows the dismantling of:

  • Lumma Stealer

  • DanaBot

  • Hundreds of domains distributing ransomware and infostealers

These efforts reflect a growing global commitment to dismantling the supply chain of cybercrime—not just targeting threat actors, but also the platforms that enable them.

“Cybercriminals don’t just create malware; they perfect it for maximum destruction,” said FBI Special Agent Douglas Williams. “These services allow attackers to evade detection and maximize impact.”

The Role of Malware-as-a-Service (MaaS) and PureCrypter

Seizing infrastructure is only one front; researchers continue to track crypters sold as Malware-as-a-Service (MaaS). A recent investigation by eSentire found PureCrypter still in operation, a tool advertised on underground forums to deliver data-stealing malware such as Lumma and Rhadamanthys.

Marketed by a threat actor known as PureCoder on Hackforums[.]net, PureCrypter offers:

  • 3-month access for $159

  • 1-year access for $399

  • Lifetime access for $799

The crypter is distributed via an automated Telegram bot (@ThePureBot) and bundled with other tools such as PureRAT and PureLogs.

Though marketed as an “educational tool” through a deceptive Terms of Service (ToS) agreement, these crypters are widely used in real-world attacks.

Advanced Evasion Techniques

PureCrypter employs a range of evasion tactics, including:

  • AMSI bypass

  • DLL unhooking

  • Anti-VM and anti-debugging measures

  • API patching to bypass Windows 11 24H2 security

One notable technique involves patching the NtManageHotPatch API in memory, allowing process hollowing-based code injection, even on modern Windows builds.

“The developers market these tools as Fully UnDetected (FUD) using AvCheck[.]net results,” noted eSentire. “However, many are still flagged by mainstream antivirus tools like VirusTotal, highlighting the false security provided by CAV services.”
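AvCheck sold itself as a scantime checker, and PureCrypter's seller cites such results as proof that a build is FUD. The toy below, added here as an illustration and not taken from eSentire, PureCrypter or any real product, shows why a clean scantime result says little: a repeating-key XOR stands in for the crypter, the payload and signature are made-up byte strings, and the same signature the static scan misses is found again once the stub has unpacked the payload in memory.

```python
import math
from typing import Dict

# Constructed stand-ins: a harmless text blob plays the malware body, and SIGNATURE is the
# byte pattern a static scanner is assumed to look for. Neither is a real sample or rule.
PAYLOAD = b"HYPOTHETICAL_STEALER v1 -- collect browser creds and exfiltrate them"
SIGNATURE = b"collect browser creds"
DEMO_KEY = b"\x5a\xc3\x91\x2e"  # arbitrary 4-byte key for the toy transform


def xor_crypt(data: bytes, key: bytes) -> bytes:
    """Toy crypter transform: repeating-key XOR. Symmetric, so the same call unpacks."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def scantime_scan(file_bytes: bytes) -> bool:
    """What a 'scantime checker' exercises: a signature match on the file exactly as stored."""
    return SIGNATURE in file_bytes


def runtime_scan(process_memory: bytes) -> bool:
    """What an in-memory scan exercises: the same signature once the stub has unpacked."""
    return SIGNATURE in process_memory


def compare(key: bytes = DEMO_KEY) -> Dict[str, object]:
    """Run both scans against the crypted file and its unpacked form; report entropies too."""
    crypted = xor_crypt(PAYLOAD, key)   # the artefact a CAV service would be asked to check
    unpacked = xor_crypt(crypted, key)  # what the stub leaves in memory at run time
    return {
        "scantime_detected": scantime_scan(crypted),
        "runtime_detected": runtime_scan(unpacked),
        "plain_entropy": round(entropy(PAYLOAD), 2),
        "crypted_entropy": round(entropy(crypted), 2),
    }


if __name__ == "__main__":
    for k, v in compare().items():
        print(f"{k}: {v}")
```

The crypted file passes the static scan and the unpacked copy fails it, which is the whole gap a scantime checker leaves open: memory scanning after unpacking, and behavioural detection of what the payload then does, see the original bytes. The entropy of the crypted blob is reported because packed or encrypted sections are themselves a heuristic that engines and YARA rules key on, one reason samples advertised as FUD still get flagged.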

Conclusion

The dismantling of crypting and CAV services underscores the importance of targeting not just the malware itself, but also the support infrastructure that enables its development and distribution. Tools like AvCheck and PureCrypter let cybercriminals refine malware until it evades detection, contributing significantly to the success of ransomware and infostealing campaigns.

As cybercrime becomes increasingly modular and service-driven, law enforcement and security professionals must focus on disrupting the entire malware development and deployment pipeline. This includes monitoring underground marketplaces, Telegram-based distribution channels, and anonymized sales forums.