Endgame

What is Operation Endgame?

Operation Endgame is a coordinated international law enforcement action that targeted multiple key cybercrime botnets such as IcedID, Smokeloader, SystemBC, Pikabot and Bumblebee, as well as the operators of these botnets. It is the largest operation ever against botnets involved with ransomware.

An important part of operating cybercrime infrastructure like these botnets relies on the use of stolen credentials. Law enforcement has shared these accounts with Spamhaus, who will help with remediating them.

How were these accounts involved?

Threat actors acquire credentials by operating remote access tools (RATs) and infostealers and use these newly-compromised accounts to further spread malware, or to gain initial access into networks and organizations. The data we provide here covers these breached accounts.

As the data that is being shared has been recovered from various parts of criminal infrastructure, we were not able to verify each entry individually. Some of the reported accounts may be old or may have already been fixed. Due to the nature of the threat we feel that reporting the full set is nevertheless worth the effort.

Please note: that the data we share covers roughly the last 3 months (from February 2024 until end of May 2024), the current situation may be different.

What should be done?

All passwords for the identified breached (email) accounts should be changed as soon as possible.

What should we as the ISP or service provider tell our customers?

Here is a handy template you can use:

Dear Administrator,

Spamhaus, who is working in conjunction with international law enforcement, 
has notified us regarding mailboxes that are hosted on a server that your user 
controls. These email addresses were identified as having been potentially 
compromised for use by the Endgame cybercrime group targeted.

We ask that you immediately reset the passwords of these mailboxes to prevent 
any further abuse. This is the only action required to resolve this issue. The 
list of breached mailboxes identified are as follows:

example@example.com
......

We greatly appreciate any action you take in securing these mailboxes and helping 
to ensure that that they are not further abused by miscreants to do any harm to 
other users on the internet.

Regards,
Example Trust and Safety Department

What do the various fields in the data mean?

Both the JSON and the CSV formats contain the same fields. Here is a CSV example:

#type, ip address, url or hostname, account, password
imap,192.0.2.1, mail.example.com, johnappleseed, *****tree

Type: Type of account (ADFS, IMAP, SMTP)

IP: IP address of the mailserver or ADFS server the account belongs to

Hostname: Hostname of the mailserver or ADFS server the account belongs to

Account: Account username

Password: The (partially redacted) password as it was found

A note on timing: this is information as-is from the malware infrastructure. We recommend a password reset if one has not been done recently, since the dataset was very recently actively used and may have been shared with other bad actors as well.

Where can I find publications about Endgame and the takedown?

Official publications: Operation Endgame website

Europol: Largest ever operation against botnets hits dropper malware ecosystem

Dutch National Police: Meerdere botnets ontmanteld in grootste internationale operatie tegen ransomware ooit

You contacted us at the wrong/out of date address, can this be changed?

Yes! Please tell us what addresses we should use instead by emailing:

remediation-team@spamhaus.org.

I have a question that is not answered here

You can get in touch with the team via our contact form.