A multinational law enforcement operation has successfully dismantled an online cybercrime syndicate that provided specialized services to threat actors. This syndicate offered tools that allowed malicious software to remain undetected by common security programs, posing a significant threat to cybersecurity worldwide. The U.S. Department of Justice announced that, on May 27, 2025, in cooperation with Dutch and Finnish authorities, they seized four domains and associated servers involved in these illicit activities. The domains, which include AvCheck[.]net and Cryptor[.]biz, now display a seizure notice. France and Germany also participated in this operation.
The Department of Justice explained that “crypting” refers to using software to make malware harder to detect, preventing antivirus programs from identifying and neutralizing it. The seized domains offered these crypting and counter-antivirus (CAV) services, enabling cybercriminals to obfuscate their malware and bypass security solutions. This, in turn, allowed unauthorized access to computer systems. Undercover purchases by authorities confirmed that these services were indeed used for cybercrime. Dutch officials described AvCheck as one of the largest CAV services in existence.
AvCheck[.]net promoted itself as a high-speed checker that allowed registered users:
Scan their files against 26 antivirus engines. It also enabled scanning of domains and IP addresses against 22 antivirus engines and various online blocklists. These domain seizures were part of Operation Endgame, a global effort launched in 2024 to dismantle cybercrime networks. This operation marks the fourth major action in recent times, following the takedown of Lumma Stealer and DanaBot, and the removal of hundreds of other domains used for delivering ransomware.
The FBI emphasized that cybercriminals go beyond merely creating malware, they refine it for maximum damage, leveraging counter-antivirus services to test and perfect their attacks. This helps malware slip past robust security systems and evade forensic analysis, ultimately allowing threat actors to cause significant disruption.
This development coincides with eSentire’s recent report on PureCrypter, a malware-as-a-service (MaaS) solution that distributes information stealers like Lumma. PureCrypter uses the ClickFix initial access vector and multiple advanced evasion techniques, underscoring the evolving threat landscape in the cybersecurity space.
Reference:
