Law enforcement agencies recently dismantled avcheck[.]net through Operation Endgame, a major international effort targeting cybercrime infrastructure. This platform was known for helping cybercriminals test their concealed malware against antivirus systems to ensure it would go undetected.
With AvCheck now offline, eSentire's Threat Response Unit (TRU) has observed cybercriminals shifting to alternative platforms like scanner[.]to, kleenScan[.]com, and avscanner[.]org, which offer similar capabilities for testing malware against multiple antivirus engines.
![Figure 1 – avcheck[.]net seizure banner](https://esentire-dot-com-assets.s3.amazonaws.com/assetsV3/Blog/Blog-Images/Operation-Endgame-Figure-1.png)
Threat Actor Methodology
Cybercriminals who provide or use "crypting" services - where malware is specially encoded or "packed" to avoid detection before being distributed to victim machines typically follow a systematic testing process:
1. They begin by using a crypter to pack (or disguise) their original but detectable malware
2. The newly packed malware is then uploaded to scanning services to test against antivirus (AV) and endpoint detection and response (EDR) systems
3. Based on the scan results, they either:
- Proceed with distribution, if few or no security tools detect the malware
- Or, if detection rates are too high, return to step one to try different packing methods
This cycle continues until the threat actors achieve their desired level of evasion. The figure below illustrates this systematic process.
Services like KleenScan provide cybercriminals with a user-friendly interface for uploading their packed malware, which is then tested against several antivirus engines.
Shown in the figure below, the platform prominently displays "No Distribution" in red text, assuring users that their malware samples won't be shared with antivirus vendors - a practice that would increase detection rates of their malicious payloads.
This practice is what separates illegitimate scanning services from legitimate scanning services like VirusTotal.
On May 14th, 2025, just days before AvCheck's shutdown, a user named "kleenscan" posted a promotional advertisement on a hacking forum marketing the service. This activity demonstrates how scanning services explicitly market their services to cybercriminals on hacking forums.
Crypter Promotion
The interconnected nature of scanning services and the crypting ecosystem is demonstrated by cybercriminals who showcase their effectiveness using scanner results.
The figure below for example displays a threat actor selling a crypter product and using results from KleenScan to demonstrate that only 1/40 antivirus engines detected the payload.
Alternative “No Distribute” Scanning Services
The following table is a list of alternatives actively being used by cybercriminals following the disruption of AvCheck:
| Domain Name |
| kleenscan[.]com |
| scanner[.]to |
| avscanner[.]org |
| av-sense[.]net |
| redcheck[.]cc |
Key Learnings
The recent disruption of AvCheck through Operation Endgame offers a look into the operational dependencies of cybercriminals. While law enforcement’s intervention marked a significant win, it also highlighted how adaptable threat actors are when faced with sudden infrastructure loss. This adaptability reflects not only the decentralization of cybercrime tools but also the commoditization of malware development workflows.
According to eSentire’s Threat Response Unit (TRU), here’s how these changes reflect broader patterns of behavior for threat actors and the tools they continue to use:
- The disruption of cybercrime infrastructure (AvCheck) through Operation Endgame by law enforcement has caused threat actors to migrate to alternative services like KleenScan and Scanner[.]to, demonstrating that threat actors quickly adapt in response to actions taken by law enforcement agencies.
- Malware scanning services play a crucial role in the cybercrime ecosystem by allowing threat actors to test their malicious code against antivirus detection before deployment.
- These illicit scanning platforms differentiate themselves from legitimate services by explicitly marketing to cybercriminals and maintaining "no distribution" policies to protect their users' malware from detection.
- The systematic process used by cybercriminals (pack, test, distribute or re-pack) highlights the methodical nature of modern cyberattacks and the importance of evading detection.
By mimicking legitimate multi-engine antivirus scanning services while removing ethical guardrails like detection reporting or data sharing – these services reinforce a cycle of rapid iteration and persistent evasion.
References
To learn how your organization can build cyber resilience and prevent business disruption with eSentire’s Next Level MDR, connect with an eSentire Security Specialist now.
GET STARTEDABOUT ESENTIRE’S THREAT RESPONSE UNIT (TRU)
The eSentire Threat Response Unit (TRU) is an industry-leading threat research team committed to helping your organization become more resilient. TRU is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds threat detection models across the eSentire XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. By providing complete visibility across your attack surface and performing global threat sweeps and proactive hypothesis-driven threat hunts augmented by original threat research, we are laser-focused on defending your organization against known and unknown threats.