
Mega operation targets a thousand hackers’ servers

A sweeping international law enforcement effort has disrupted several prominent malware families, including Rhadamanthys Stealer, Venom RAT, and the Elysium botnet. The coordinated action, carried out between November 10 and 13, 2025, represents the latest phase of Operation Endgame, an ongoing initiative spearheaded by Europol and Eurojust to dismantle criminal infrastructures supporting global ransomware activity.

According to officials, the joint operation resulted in the takedown of more than 1,025 servers and the seizure of 20 domains linked to these cybercrime networks. Authorities also arrested the main suspect behind Venom RAT in Greece on November 3. Beyond the technical disruptions, investigators confirmed that the targeted systems formed part of extensive criminal ecosystems used to steal data, facilitate remote access, and support ransomware campaigns.

“The dismantled malware infrastructure consisted of hundreds of thousands of infected computers containing several million stolen credentials, […] Many of the victims were not aware of the infection of their systems.”

– Europol

It remains unclear whether the Elysium botnet referenced by Europol is the same proxy botnet recently promoted by RHAD Security (also known as Mythical Origin Labs), the group tied to the Rhadamanthys infostealer. The investigation also revealed that the main suspect linked to Rhadamanthys had access to at least 100,000 compromised cryptocurrency wallets, a potential haul worth millions of euros.

Recent research from Check Point showed that newer variants of Rhadamanthys have become more sophisticated, adding features to gather device and browser fingerprints and employing advanced evasion techniques.

The Shadowserver Foundation, which supported the enforcement action, emphasized the broader risks associated with Rhadamanthys infections.

“It is important to note that Rhadamanthys may have been used to drop additional malware on infected systems, so other malware infections may also be active on these systems and require further local remediation efforts, […] These victim systems may also have been used in historic or recent intrusions and ransomware incidents.”

Shadowserver reported identifying 525,303 unique Rhadamanthys infections between March and November 2025 across 226 countries and territories, resulting in more than 86.2 million “information stealing events.” Roughly 63,000 of those infected IP addresses were located in India.

CrowdStrike, which also contributed expertise to the operation, highlighted the strategic value of striking early in the ransomware chain. “Operation Endgame 3.0 shows what’s possible when law enforcement and the private sector work together,” said Adam Meyers, CrowdStrike’s head of Counter Adversary Operations. “Disrupting the front end of the ransomware kill chain – the initial-access brokers, loaders, and infostealers – instead of just the operators themselves has a ripple effect through the eCrime ecosystem.”

“By targeting the infrastructure that fuels ransomware, this operation struck the ransomware economy at its source. But disruption isn’t eradication. Defenders should use this window to harden their environments, close visibility gaps, and hunt for the next wave of tools these adversaries will deploy.”

The operation involved authorities from Australia, Canada, Denmark, France, Germany, Greece, Lithuania, the Netherlands, and the United States, underscoring the global nature of the cybercriminal landscape—and the increasingly coordinated response required to confront it.

Source: CanalTech
