European and American law enforcement agencies have announced the successful takedown of AVCheck, one of the world’s most widely used Counter Antivirus (CAV) services.
AVCheck enabled malware developers to stealthily test their malicious software against commercial antivirus solutions. The takedown, which took place on May 27, was carried out in coordination with law enforcement partners from the United States, the Netherlands, Finland, France, Germany, and Denmark, with operational support from Ukraine and Portugal.
Authorities are now sifting through the seized data to identify and track down users of the illicit service, many of whom are believed to be involved in large-scale ransomware and malware campaigns.
The AVCheck takedown is part of the broader Operation Endgame, launched in May 2024, which targets the infrastructure supporting initial access malware strains such as IcedID, SystemBC, Pikabot, Smokeloader, Bumblebee, and Trickbot. These loaders often serve as the first stage in ransomware attacks, allowing threat actors to gain unauthorized entry into victim networks.
As part of the coordinated crackdown, US authorities also seized four domains linked to AVCheck and associated server infrastructure. These sites provided services to cybercriminals, including both CAV testing and crypting tools (crypters obfuscate or encrypt a malware binary so that it evades signature-based antivirus detection).
An affidavit supporting the seizures revealed that investigators conducted undercover purchases and technical analysis of the services. Additionally, court documents allege that the services were tied to email addresses and other identifiers linked to known ransomware groups that have targeted victims across both the US and Europe.