The operation of multinational law enforcement agencies has resulted in takedowns of online cybercrime syndicates, providing services to threat actors to prevent malicious software from being detected in security software.
Therefore, the US Department of Justice (DOJ) said it had seized four domains and that its associated servers promoted cryptographic services on May 27, 2025 in partnership with Dutch and Finnish authorities. These include AvCheck(.)Net, Crypor(.)Biz, and Crypt(.)Guru. All of these will display seizure notifications.
Other countries that participated in this effort include France, Germany, Denmark, Portugal and Ukraine.
“Cryptography is the process of making malware difficult to detect by using software,” DOJ said. “Sied Domains provided services to cybercriminals, including counter antivirus (CAV) tools. When used together, CAV and mobile services allow criminals to obfuscate malware, allowing undetectable and unauthorized access to computer systems.”
The DOJ said the authorities have made masked purchases to analyze the services and have confirmed that they are being used for cybercrime. In a coordinated announcement, Dutch officials characterized AvCheck as one of the biggest CAV services used by bad actors around the world.
According to the snapshot captured by the Internet Archive, AvCheck (.)Net billed as a “fast antivirus scantime checker” and provided registered users with the ability to scan files against 26 antivirus engines and 22 antivirus engines and blocklist domains and IP addresses.
The domain attack was carried out as part of Operation Endgame, an ongoing global effort launched in 2024 to dismantle cybercrime. It marks the fourth major action in recent weeks after the hundreds of domains and servers used by Lumma Stealer, Danabot and various malware families have become confused.
“Cybercriminals don’t just create malware, they’re perfect for maximum destruction,” said a special agent at FBI Houston, who is responsible for Douglas Williams. “By leveraging counter anti-virus services, malicious actors refine their weapons against the world’s toughest security systems, passing through firewalls, circumventing forensic analysis, and wreaking havoc across the victim’s system.”
This development comes as the Esentire Detterment Purecrypter, a malware as a service (MAAS) solution used to distribute information steels such as Lumma and Rhadamanthys using the initial access vectors of ClickFix.
Crypter, sold at Hackforums (.) by a threat actor named Purecoder for $159 for three months, $399 for a year and $799 for lifetime access, at Hackforums (.) is also a market for other products, including Pureerat and Purelogs.
Like other providers of such tools, PureCoder must grant a Terms of Use (TOS) agreement that claims that the software is intended for educational purposes only and that violations lead to immediate revocation of access and serial keys.
The malware incorporates the ability to patch the NTMANAGEHOTPATCH API into memory on Windows machines running 24H2. The findings show how threat actors can quickly adapt and devise ways to beat new security mechanisms.
“The malware employs the ability to add AMSI bypass, DLL display, anti-VM detection, prevention measures and the recently added Windows 11 24H2 security features via NTMANAGEHOTPATCH API patching,” the Canadian cybersecurity company said.
“Developers use deceptive marketing tactics by promoting a ‘fully undetected’ (FUD) status based on the results of AvCheck (.), but Virustotal shows detection by multiple AV/EDR solutions, revealing key inconsistencies in detection rates. ”
