
Operation Endgame Disrupts AvCheck, Forces Threat Actors to Seek Alternatives

BY eSentire Threat Response Unit (TRU)

June 5, 2025


Law enforcement agencies recently dismantled avcheck[.]net through Operation Endgame, a major international effort targeting cybercrime infrastructure. This platform was known for helping cybercriminals test their concealed malware against antivirus systems to ensure it would go undetected.

With AvCheck now offline, eSentire's Threat Response Unit (TRU) has observed cybercriminals shifting to alternative platforms like scanner[.]to, kleenScan[.]com, and avscanner[.]org, which offer similar capabilities for testing malware against multiple antivirus engines.

Figure 1 – avcheck[.]net seizure banner

Threat Actor Methodology

Cybercriminals who provide or use "crypting" services, where malware is specially encoded or "packed" to avoid detection before being distributed to victim machines, typically follow a systematic testing process:

1. They begin by using a crypter to pack (or disguise) their original but detectable malware

2. The newly packed malware is then uploaded to scanning services to test against antivirus (AV) and endpoint detection and response (EDR) systems

3. Based on the scan results, they either:

This cycle continues until the threat actors achieve their desired level of evasion. The figure below illustrates this systematic process.

Figure 2 – Threat actor workflow

Services like KleenScan provide cybercriminals with a user-friendly interface for uploading their packed malware, which is then tested against several antivirus engines.

As shown in the figure below, the platform prominently displays "No Distribution" in red text, assuring users that their malware samples won't be shared with antivirus vendors, since such sharing would increase detection rates of their malicious payloads.

This practice is what separates illegitimate scanning services from legitimate scanning services like VirusTotal.

Figure 3 – KleenScan user interface

On May 14th, 2025, just days before AvCheck's shutdown, a user named "kleenscan" posted a promotional advertisement on a hacking forum marketing the service. This activity demonstrates how scanning services explicitly market their services to cybercriminals on hacking forums.

Figure 4 – KleenScan promo on hacking forum

Crypter Promotion

The interconnected nature of scanning services and the crypting ecosystem is demonstrated by cybercriminals who showcase their effectiveness using scanner results.

The figure below, for example, shows a threat actor selling a crypter product and using KleenScan results to demonstrate that only 1 of 40 antivirus engines detected the payload.

Figure 5 – User using KleenScan results as advert for crypter product

Alternative “No Distribute” Scanning Services

The following table is a list of alternatives actively being used by cybercriminals following the disruption of AvCheck:

Domain Name
kleenscan[.]com
scanner[.]to
avscanner[.]org
av-sense[.]net
redcheck[.]cc
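As an added example that is not part of the eSentire post, the following Python flags DNS queries from internal hosts to the no-distribute scanner domains listed above. The log format and the sample log lines are constructed assumptions; a hit means a host resolved one of these domains and should be reviewed, not that the host is compromised.

```python
"""Added example: match DNS query names against the no-distribute scanner
domains listed in the post (defanged form as given there)."""
import re
from typing import List, Optional, Tuple

# Domains as listed in the post, defanged with "[.]".
NO_DISTRIBUTE_SCANNERS = [
    "kleenscan[.]com", "scanner[.]to", "avscanner[.]org",
    "av-sense[.]net", "redcheck[.]cc",
]

def refang(domain: str) -> str:
    """Turn 'example[.]com' into 'example.com', lower-cased."""
    return domain.replace("[.]", ".").strip().lower()

WATCHLIST = {refang(d) for d in NO_DISTRIBUTE_SCANNERS}

def matches_watchlist(qname: str) -> Optional[str]:
    """Return the watchlisted domain that qname equals or is a subdomain of.
    A trailing dot (FQDN form) is ignored; 'notavscanner.org' does NOT match
    'avscanner.org' because only exact or dot-delimited suffix matches count."""
    q = qname.rstrip(".").lower()
    for d in WATCHLIST:
        if q == d or q.endswith("." + d):
            return d
    return None

# Constructed log format (assumption): "<timestamp> <client_ip> <qtype> <qname>"
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def scan_dns_log(lines: List[str]) -> List[Tuple[str, str, str, str]]:
    """Return (timestamp, client_ip, qname, matched_domain) for each hit."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        ts, client, _qtype, qname = m.groups()
        hit = matches_watchlist(qname)
        if hit:
            hits.append((ts, client, qname.rstrip("."), hit))
    return hits

# Constructed sample log: three hits, one benign query, one near-miss domain.
SAMPLE_LOG = """\
2025-06-05T10:01:02Z 10.0.0.15 A www.kleenscan.com.
2025-06-05T10:01:05Z 10.0.0.15 A api.example.org.
2025-06-05T10:02:10Z 10.0.0.22 AAAA scanner.to
2025-06-05T10:03:00Z 10.0.0.22 A notavscanner.org
2025-06-05T10:04:00Z 10.0.0.40 A upload.av-sense.net.
""".splitlines()

if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_LOG):
        print(hit)
```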

Key Learnings

The recent disruption of AvCheck through Operation Endgame offers a look into the operational dependencies of cybercriminals. While law enforcement’s intervention marked a significant win, it also highlighted how adaptable threat actors are when faced with sudden infrastructure loss. This adaptability reflects not only the decentralization of cybercrime tools but also the commoditization of malware development workflows.

According to eSentire’s Threat Response Unit (TRU), here’s how these changes reflect broader patterns of behavior for threat actors and the tools they continue to use:

By mimicking legitimate multi-engine antivirus scanning services while removing guardrails such as detection reporting and sample sharing, these services reinforce a cycle of rapid iteration and persistent evasion.

