U.S. DOJ Seizes Four Domains Offering Cybercrime Crypting Services in Global Crackdown
In a coordinated international operation, the U.S. Department of Justice (DOJ) has seized four domains linked to cybercriminal services that helped threat actors evade detection by antivirus software.
Announced on May 27, 2025, the operation—conducted in partnership with law enforcement agencies from the Netherlands, Finland, France, Germany, Denmark, Portugal, and Ukraine—targeted websites that provided crypting and counter-antivirus (CAV) tools. The seized domains include AvCheck[.]net, Cryptor[.]biz, and Crypt[.]guru, all of which now display official seizure notices.
“Crypting is the process of making malware harder for antivirus programs to detect,” the DOJ explained. “These services allowed cybercriminals to obfuscate their malicious code, making it easier to compromise computer systems undetected.”
Investigators conducted undercover purchases to analyze the services and confirmed their use in cybercrime. Dutch authorities described AvCheck as one of the world’s most popular CAV platforms used by cybercriminals. Internet Archive records show AvCheck promoted itself as a “high-speed antivirus scantime checker,” allowing users to scan files, domains, and IPs against dozens of antivirus engines and blocklists.
The takedown was part of Operation Endgame, a global law enforcement effort launched in 2024 aimed at dismantling cybercriminal infrastructure. This marks the fourth major enforcement action under the initiative, following recent disruptions of Lumma Stealer, DanaBot, and numerous malware-hosting domains and servers.
“Cybercriminals don’t just create malware—they refine it for maximum damage,” said FBI Houston Special Agent in Charge Douglas Williams. “By using counter-antivirus tools, they improve their chances of bypassing security systems, avoiding detection, and inflicting harm.”
The announcement comes as cybersecurity firm eSentire reported new activity related to PureCrypter, a malware-as-a-service (MaaS) offering. PureCrypter is being used to distribute information-stealing malware like Lumma and Rhadamanthys through a delivery method known as ClickFix.
Marketed by a threat actor named PureCoder on Hackforums[.]net, PureCrypter is sold for $159 (3 months), $399 (1 year), or $799 (lifetime), and is distributed via the Telegram bot @ThePureBot. The Telegram channel also promotes related tools such as PureRAT and PureLogs.
Although PureCoder requires users to agree to Terms of Service that claim the tools are for “educational use only,” such disclaimers are widely regarded as attempts to evade legal liability.
eSentire also noted PureCrypter’s evolving evasion capabilities. The malware now includes functionality to patch the NtManageHotPatch API in memory on newer Windows versions (24H2 and later), enabling process hollowing—a code injection technique used to bypass modern security features.
Other evasion methods include AMSI bypass, DLL unhooking, anti-VM, anti-debugging, and spoofed “Fully UnDetected (FUD)” claims based on AvCheck[.]net results. However, scans via VirusTotal often show detection by multiple antivirus and endpoint security systems, revealing discrepancies in advertised stealth.