The Spamhaus Project

Botnets disrupted worldwide...Operation Endgame is BACK!

By The Spamhaus Team, May 23, 2025. 6 minutes reading time.

Introduction

The long-awaited Operation Endgame, “Season 2”, is officially announced as of Friday, May 23rd, 2025. International law enforcement agencies and their partners have once again joined forces – with one aim of the (End)game – to disrupt and dismantle botnet infrastructure and their operators. The targets have all played a crucial role in facilitating successful ransomware attacks, and with Season 1’s noteworthy impact, we anticipate the same for this latest Operation. In this post, get details of the take-down tale itself and Spamhaus’ role in the current Operation, specifically with victim account remediation.

Stolen credentials: the golden information

Operation Endgame 2.0 has targeted Bumblebee, Latrodectus, Qakbot, DanaBot, Trickbot, and WarmCookie. It is an operation focussed on initial access malware: a crucial component of cybercrime infrastructure, used to penetrate systems unnoticed before ransomware is deployed.

Stealing credentials is a critical component for many cyber criminals. Threat actors obtain these credentials through remote access tools (RATs) and infostealers, using the compromised accounts to propagate malware or to gain a foothold within targeted networks and organizations. The affected accounts are being shared with Spamhaus, who will assist in mitigating and remediating the threat.

Operation Endgame: victims' account remediation

Before diving into the takedown story, here’s the overview of the support Spamhaus is providing to aid in remediation:

  • The botnet operators rely on gaining initial access, often by stealing credentials. A common tactic is phishing emails with malicious attachments - we share more on the specifics of each malware below. Users who fell for these lures likely had their systems enrolled in the targeted botnets.

  • The remediation effort is expansive across the globe; authorities are sharing data on these compromised accounts with Spamhaus for action to be taken.

  • Information recovery from multiple components of criminal infrastructure is still ongoing; Spamhaus will notify Internet Service Providers, Email Service Providers, Hosting providers or any other organizations responsible for these accounts in due course.

  • We strongly urge all organizations contacted by Spamhaus to act swiftly to secure these accounts. This can be achieved through a simple password reset, as these accounts are still circulating!

For more information, see our Operation Endgame remediation page.
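As an added illustration of the remediation step above (a password reset for every notified account whose credential has not already been rotated), here is an example triage script for a provider receiving such notifications. This is not Spamhaus' code and the notification format, domains, mailbox names and timestamps below are constructed for the example; a real feed would use whatever format the notifying party supplies.

```python
"""Triage a constructed list of compromised-account notifications.

Assumption: the CSV-like record format below is invented for this example
and is not Spamhaus' actual notification format. Timestamps are UTC.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample notifications: email,observed_at(UTC),source_malware
SAMPLE_NOTIFICATIONS = """\
Alice.Smith@example.net,2025-05-20T10:15:00Z,DanaBot
alice.smith@example.net,2025-05-21T08:00:00Z,Latrodectus
bob@example.net,2025-04-02T12:00:00Z,WarmCookie
carol@other-provider.example,2025-05-19T09:30:00Z,Bumblebee
dave@mail.example.net,2025-05-22T18:45:00Z,Trickbot
erin@example.net,2025-05-18T07:00:00Z,Qakbot
"""

# Constructed directory data for mailboxes we administer:
# email -> time of the last password change (UTC), None if never changed.
LOCAL_ACCOUNTS = {
    "alice.smith@example.net": datetime(2025, 5, 21, 9, 0, tzinfo=timezone.utc),
    "bob@example.net": datetime(2025, 3, 1, tzinfo=timezone.utc),
    "dave@mail.example.net": None,
}
MANAGED_DOMAINS = {"example.net", "mail.example.net"}


@dataclass(frozen=True)
class Notification:
    email: str
    observed_at: datetime
    source: str


def parse_notifications(text: str) -> list[Notification]:
    """Parse the constructed record format; blank and '#' lines are skipped."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        email, ts, source = (f.strip() for f in line.split(","))
        observed = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        # Mailbox matching is treated as case-insensitive (a policy assumption).
        out.append(Notification(email.lower(), observed, source))
    return out


def latest_sighting(notifications) -> dict[str, Notification]:
    """Collapse duplicate reports, keeping the most recent sighting per mailbox."""
    latest = {}
    for n in notifications:
        cur = latest.get(n.email)
        if cur is None or n.observed_at > cur.observed_at:
            latest[n.email] = n
    return latest


def triage(notifications, accounts, managed_domains) -> dict[str, list[str]]:
    """Return {action: [emails]} for every reported mailbox.

    reset_required:  credential sighted at or after the last password change
    already_rotated: password changed after the most recent sighting
    not_ours:        domain not managed here; forward to the responsible provider
    unknown_account: our domain, but no such mailbox exists
    """
    result = {"reset_required": [], "already_rotated": [],
              "not_ours": [], "unknown_account": []}
    for email, n in sorted(latest_sighting(notifications).items()):
        domain = email.rsplit("@", 1)[1]
        if domain not in managed_domains:
            result["not_ours"].append(email)
        elif email not in accounts:
            result["unknown_account"].append(email)
        else:
            changed = accounts[email]
            # A reset that predates (or equals) the sighting does not help:
            # the credential in circulation may still be the current one.
            if changed is not None and changed > n.observed_at:
                result["already_rotated"].append(email)
            else:
                result["reset_required"].append(email)
    return result


if __name__ == "__main__":
    plan = triage(parse_notifications(SAMPLE_NOTIFICATIONS), LOCAL_ACCOUNTS, MANAGED_DOMAINS)
    for action, emails in plan.items():
        print(f"{action}: {', '.join(emails) or '-'}")
```

The key design choice is the comparison of the last password change against the most recent sighting: a reset performed before the credential was observed circulating is not evidence that the stolen credential is stale, so such accounts still land in `reset_required`. Accounts outside the managed domains are kept in a separate bucket so they can be forwarded to the provider actually responsible for them rather than silently dropped.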

The takedown tale – part 2

Operation Endgame is back. Following the progress initiated by May 2024’s operation, which has since facilitated detentions and interrogations, as well as server takedowns to disrupt the largest malware distributors, “Season 2” is poised to further these advancements.

As with any operation involving the cybercriminal ecosystem, we must remain cautiously optimistic, though – these operations rarely, if ever, form a linear path.

Last year’s Operation Endgame saw the disruption of IcedID, Smokeloader, SystemBC, Pikabot and Bumblebee. In its latest phase, between May 19th and May 22nd, Operation Endgame dismantled key infrastructure behind the malware used in ransomware attacks, targeting Bumblebee, Latrodectus, DanaBot, and WarmCookie. While Qakbot and Trickbot were not actively operating, this phase did include indictments against individuals connected to these groups.

Authorities have taken down more than 300 servers worldwide and seized 650 domains. Investigators have effectively disrupted the ransomware kill chain, shutting down active threats and undermining the overall cybercrime-as-a-service ecosystem. What’s more, authorities seized EUR 3.5 million in cryptocurrency, marking a significant financial blow to the criminals behind these operations.

Once again, it was a truly international effort, with contributions from authorities in Canada, Denmark, France, Germany, the Netherlands, the United Kingdom, and the United States, with support from Europol and Eurojust. The authorities have been supported by numerous partners, including Spamhaus, who share information and support remediation efforts to ensure this operation has the greatest impact possible.

Through this coalition, 20 individuals believed to be key actors behind these ransomware operations have international warrants for their arrest. And the pressure is about to increase. On May 23rd, German authorities added 18 suspects to the EU’s Most Wanted List, putting their faces front and center.

This is more than just a tactical win. It’s a strategic disruption that weakens the entire ecosystem enabling ransomware attacks. Follow Operation Endgame on the official website to stay up-to-date with the latest developments.

Bumblebee, Latrodectus, Qakbot, DanaBot, Trickbot, and WarmCookie - what are they?

These are the botnets targeted by Endgame and have been around for some time. They have all prominently featured in our malware statistics and Botnet Threat Updates, and all with a common tactic – to steal information.

Bumblebee - first discovered in September 2021, Bumblebee is a loader capable of downloading and executing additional payloads, such as Cobalt Strike, Sliver, and Meterpreter, and has been acting as the initial access point for ransomware deployments.

Latrodectus - a sophisticated malware loader first spotted in 2023 used by threat actors like TA578 in phishing campaigns. Similar to IcedID and also targeted in Endgame v.1, it is delivered via malicious email attachments. Once active, it can execute commands, steal data, deploy additional malware, and maintain persistence through scheduled tasks and encrypted communication with its command-and-control servers.

Qakbot - also known as Qbot or Pinkslipbot, Qakbot has been active since 2007. Originally known as a banking trojan, it evolved into a modular information stealer. This malware spreads through phishing emails and, once executed, injects itself into legitimate processes on the infected system. In August 2023, it was successfully dismantled (although temporarily) by an international law enforcement coalition: Operation Duck Hunt.

Trickbot - a modular banking trojan first seen in 2016, used to steal financial credentials and personally identifiable information (PII). It is primarily distributed via phishing emails with malicious attachments. Once executed, it can move laterally to establish itself within a network and exploit vulnerabilities. The modular nature of Trickbot makes it highly adaptable to a variety of environments and networks.

DanaBot – initially discovered as a modular banking trojan in 2018, DanaBot is spread via phishing emails and focuses on stealing valuable information. It primarily aims to steal banking credentials, browser data, and personal information. DanaBot is known for its persistent updates thanks to its modular design and is used in large-scale, global cybercrime campaigns, often operated by multiple affiliates using the malware-as-a-service model.

WarmCookie - a backdoor distributed via phishing emails and malicious downloads. It uses deceptive lures, such as job-related attachments, to trick users into executing malicious payloads. Once active, it enables remote access, data theft, and further malware deployment through its botnet command-and-control infrastructure. WarmCookie has targeted organizations across various sectors, focusing on persistence and evasion techniques to avoid detection and maintain long-term access.

The disruption of these malware families and their operators cannot have come soon enough. We are deeply grateful to all those involved; we look forward to supporting the ongoing remediation efforts.