Operation Endgame Strikes Again: 1,025 Servers Dismantled in Coordinated Takedown of Rhadamanthys, VenomRAT, and Elysium
Law enforcement delivers crushing blow to cybercrime infrastructure, seizing control of major infostealer and RAT operations affecting hundreds of thousands of victims worldwide
Executive Summary
Between November 10 and 14, 2025, international law enforcement agencies coordinated from Europol's headquarters in The Hague executed the latest phase of Operation Endgame, successfully dismantling infrastructure behind three major cybercrime enablers: the Rhadamanthys infostealer, VenomRAT remote access trojan, and the Elysium botnet. The operation represents one of the most significant coordinated actions against cybercrime infrastructure in 2025, building on the momentum of previous Operation Endgame phases that have systematically dismantled criminal networks throughout the year.
Bottom Line Up Front: The coordinated action resulted in over 1,025 servers taken down or disrupted worldwide, 20 domains seized, 11 locations searched across Germany, Greece, and the Netherlands, and one arrest in Greece of the primary suspect behind VenomRAT. The dismantled infrastructure consisted of hundreds of thousands of infected computers containing several million stolen credentials, with the main suspect behind the infostealer having access to over 100,000 cryptocurrency wallets potentially worth millions of euros.
Understanding the Threat Landscape
The Rise of Infostealers as Cybercrime Infrastructure
Information-stealing malware, or "infostealers," has emerged as one of the most insidious threats in the cybercriminal ecosystem. Unlike ransomware, which announces its presence with dramatic encryption screens, infostealers operate silently in the background, quietly harvesting credentials, browser data, cryptocurrency wallet information, and other sensitive data that serves as the foundation for larger cyberattacks.
According to the Shadowserver Foundation, which assisted in the enforcement action, officials accessed a Rhadamanthys database revealing more than 525,000 infections between March and November 2025 across 226 countries, collecting over 86 million individual records. This scale of compromise demonstrates why targeting infostealer infrastructure has become a priority for international law enforcement.
Operation Details: A Multi-National Effort
International Coordination at Scale
The operation brought together an unprecedented coalition of law enforcement and judicial authorities from 11 countries, demonstrating the increasingly sophisticated approach to combating transnational cybercrime. Participating nations included Australia, Belgium, Canada, Denmark, France, Germany, Greece, Lithuania, the Netherlands, the United Kingdom, and the United States.
Over 100 law enforcement officers from Australia, Canada, Denmark, France, Germany, Greece, the Netherlands, and the United States supported the coordination of operational actions from the command post at Europol. The command post facilitated real-time intelligence exchange on seized servers, suspects, and the transfer of seized data, with Eurojust also assisting with the execution of European Arrest Warrants and European Investigation Orders.
Private Sector Partnership: The Force Multiplier
More than 30 national and international public and private parties supported the actions, with critical contributions from cybersecurity firms that provided the intelligence foundation for the operation. Key private partners included Cryptolaemus, Shadowserver and RoLR, SpyCloud, Team Cymru, Proofpoint, CrowdStrike, Lumen's Black Lotus Labs, Abuse.ch, HaveIBeenPwned, Spamhaus, DIVD, Trellix, and Bitdefender.
This public-private collaboration model has proven essential in combating sophisticated cybercrime, as private sector partners provide real-time threat intelligence and technical expertise that complements law enforcement's investigative and enforcement capabilities.
The Targets: Three Pillars of Cybercrime Infrastructure
Rhadamanthys: The Sophisticated Infostealer
Rhadamanthys has established itself as one of the premier infostealers in the cybercriminal marketplace since its emergence in late 2022. The malware quickly gained notoriety for its ability to steal login credentials, browser cookies, and most notably, cryptocurrency wallets, and was built to be sold as part of a Malware-as-a-Service (MaaS) offering on dark web forums.
Technical Sophistication
What sets Rhadamanthys apart from other infostealers is its remarkable technical sophistication. Instead of relying on traditional loaders or scripts, Rhadamanthys uses a custom virtual machine based on the Quake III Arena game engine, executing the malware's real code in the form of bytecode, making it nearly invisible to static analysis tools.
The malware has been continuously updated since its release, with the latest version 0.9.2 introducing significant changes including redesigned database operations, user management permission levels, TOR address handling, and two-factor authentication for management login. This level of active development and feature refinement demonstrates the professionalization of the cybercriminal ecosystem.
Operational Scale and Impact
Lumen's Black Lotus Labs reported that the Rhadamanthys operation has grown steadily since 2023, with a notable surge in October and November 2025; in October 2025 the malware affected an average of over 4,000 unique IP addresses daily. More than 60% of Rhadamanthys command-and-control servers remained undetected on VirusTotal, demonstrating the malware's advanced evasion capabilities.
The malware's distribution methods have evolved to include sophisticated social engineering techniques. Recent campaigns employed "ClickFix" attacks, where threat actors use social engineering to manipulate end-users into copying and executing malicious commands, usually PowerShell, provided by the attacker.
VenomRAT: The Remote Access Trojan
VenomRAT represents a different category of threat as a remote access trojan designed to provide attackers with complete control over compromised systems. First observed around 2020 and in widespread use by 2022, VenomRAT is essentially a clone of the open-source Quasar RAT with additional components, used by multiple cybercriminal threat actors.
Capabilities and Monetization
At the time of research, VenomRAT was offered for $150 per month, $350 for three months, or $550 for six months, making it accessible to a wide range of cybercriminals. The malware can be used for information gathering, exfiltration, lateral movement, and downloading follow-on payloads, and some VenomRAT variants contain ransomware functionality.
VenomRAT is capable of exfiltrating a variety of files, stealing cryptocurrency wallets and browser data, credit card details, account passwords, and authentication cookies. Some variants also include specialized tools like Velos Stealer for credential theft and can install remote access tools like UltraVNC to maintain persistent access.
Threat Actor Adoption
The most prominent actor distributing VenomRAT is TA558, tracked since 2018, with their activity accounting for 58% of the VenomRAT observed in Proofpoint email campaign data since 2022. TA558's targeting focus is mainly on Portuguese and Spanish speakers, typically located in Latin America, with additional targeting observed in Western Europe and North America.
Elysium: The Botnet Component
Less is publicly known about the Elysium botnet compared to Rhadamanthys and VenomRAT, but according to threat intelligence from Paratus, Rhadamanthys operators had been marketing tools like Elysium Proxy Bot, and it's possible that machines infected with Rhadamanthys or VenomRAT were also equipped with the proxy bot and thus roped into a botnet that could serve the criminals.
This interconnection between the three malware families suggests a sophisticated ecosystem where initial compromise through infostealers or RATs could lead to secondary monetization through botnet enrollment, creating multiple revenue streams for the operators.
The Takedown: Tactics and Techniques
Disruption Methodology
The operation employed a multi-pronged approach targeting different aspects of the criminal infrastructure simultaneously:
Server Infrastructure: Over 1,025 servers were taken down or disrupted worldwide, crippling the command-and-control infrastructure that the malware operations depended upon.
Domain Seizures: 20 domains were seized, with law enforcement replacing criminal websites with seizure notices warning users that "anyone operating or using these cybercriminal services is subject to investigation and prosecution."
Physical Actions: 11 locations were searched, including one in Germany, one in Greece, and nine in the Netherlands, gathering evidence and intelligence for ongoing investigations.
Psychological Warfare: Undermining Criminal Trust
In typical Operation Endgame fashion, officials released an animated video hinting at intelligence gathered during the operation, depicting a lone administrator allegedly skimming the most valuable secrets and cryptocurrency keys for personal gain, passing only less lucrative data to customers—a tactic designed to undermine trust within criminal organizations.
This psychological operation component has become a signature of Operation Endgame, sowing discord among cybercriminals and potentially leading to the collapse of criminal partnerships.
The Arrest: VenomRAT's Main Suspect Captured
The main suspect behind VenomRAT was arrested in Greece on November 3, 2025, representing a significant breakthrough in attributing cybercrime operations to specific individuals. The arrest came just days before the public announcement of the infrastructure takedown, suggesting a coordinated strategy to capture the operator before they could be alerted to the pending action.
Both the malware advertising and distribution domain (remotesystem[.]in) and the licensing domain (venomlicense[.]com) were taken down as part of the operation, effectively dismantling the business infrastructure that enabled VenomRAT's malware-as-a-service model.
Victim Impact and Notification Efforts
Scale of Compromise
The dismantled malware infrastructure consisted of hundreds of thousands of infected computers containing several million stolen credentials, with many victims not aware of the infection of their systems. The main suspect behind the infostealer had access to over 100,000 crypto wallets belonging to these victims, potentially worth millions of euros.
This massive trove of compromised credentials represents not just the direct victims of the malware infections, but potentially millions of accounts across various online services that could be targeted for account takeover attacks, financial fraud, and further cyber intrusions.
Victim Notification and Remediation
The Shadowserver Foundation published a Rhadamanthys Historical Bot Infections Special Report, which includes information about devices infected with the Rhadamanthys infostealer between March 14 and October 11, 2025, and shared it with 201 National Computer Security Incident Response Teams (CSIRTs) in 175 countries and over 10,000 network owners.
Potential victims can now check if their systems have been infected by visiting the Netherlands police's CheckYourHack website (politie.nl/checkyourhack) and the Have I Been Pwned portal (haveibeenpwned.com).
Law enforcement also took an unusual approach by directly contacting criminal users of the seized services through police channels and asking them to share relevant information via the Operation Endgame Telegram channel, turning the tables on the cybercriminal ecosystem.
Operation Endgame: A Sustained Campaign Against Cybercrime
Historical Context
This latest action represents the third major phase of Operation Endgame:
Operation Endgame 1.0 (May 2024): The initial phase targeted major botnet operations, describing itself as the "largest ever operation against botnets," successfully disrupting IcedID, Bumblebee, Pikabot, TrickBot, and SystemBC malware operations.
Operation Endgame 2.0 (April 2025): The second wave took direct aim at individuals in the ransomware ecosystem, targeting not just infrastructure but the people behind these operations.
Operation Endgame 3.0 (November 2025): The current phase focused on infostealer and RAT infrastructure, recognizing these threats as foundational enablers of more damaging cybercrimes.
Strategic Impact on the Threat Landscape
Operation Endgame disruptions have significantly affected the overall email threat landscape, specifically disrupting activity attributed to known initial access broker payloads and supporting malware families delivered via email-based campaigns. In February 2023, 17% of email malware campaigns in Proofpoint data were associated with malware targeted by Operation Endgame, while that number had dropped to 1% by September 2025.
This dramatic reduction demonstrates the sustained impact of coordinated law enforcement action against cybercrime infrastructure.
Connection to Broader 2025 Enforcement Trends
Operation Endgame's latest phase fits into a broader pattern of unprecedented law enforcement success in 2025. Throughout the year, international cooperation has resulted in:
- The disruption of LummaC2, another major infostealer operation
- Operation Secure, which targeted infostealer infrastructure across 26 countries
- Major ransomware takedowns targeting operations that relied on infostealer-harvested credentials
- Disruption of major cybercrime forums and marketplaces
The focus on infostealer infrastructure represents a strategic shift in law enforcement priorities, recognizing that these "silent" threats provide the foundation for more visible and damaging attacks like ransomware and business email compromise.
Technical Analysis: The Evolution of Infostealer Threats
Advanced Evasion Techniques
Modern infostealers like Rhadamanthys have evolved far beyond simple credential theft tools. The Rhadamanthys downloader component combines advanced anti-analysis techniques with heavy obfuscation, making analysis by traditional security methods incredibly difficult.
The malware employs advanced anti-analysis techniques such as PPID Spoofing, Heaven's Gate, Indirect syscall, and manual mapping of Ntdll, and communicates with its command-and-control server via TLS. It can also install additional modules to perform various malicious actions, with analysis systems detecting Rhadamanthys installing other infostealers like ACRStealer, indicating that attackers use it not only for basic information theft but also to infect systems with additional malware.
The ClickFix Social Engineering Evolution
The rise of "ClickFix" or "ClearFix" campaigns represents a concerning evolution in infostealer delivery methods. These attacks involve social engineering end-users into copying and executing malicious commands provided by the attacker, and have been gaining popularity since the second half of 2024 throughout 2025.
This technique bypasses many traditional security controls by leveraging legitimate system tools and relying on user interaction rather than exploiting technical vulnerabilities, making it particularly effective and difficult to detect.
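As an added illustration of the detection side of this technique (example code written for this article, not from the original text or any vendor it cites): a small Python heuristic run over constructed Sysmon-style process-creation events that flags a script host launched directly from the Windows shell together with the command-line cues that ClickFix lures typically rely on. The event fields, paths and placeholder command lines are constructed assumptions, not real telemetry.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style
# fields), not real telemetry. A ClickFix lure gets the user to paste a
# command into the Win+R Run dialog or a terminal, so the launching parent
# is typically explorer.exe rather than a script host or an installer.
SAMPLE_EVENTS = [
    {"id": 1, "parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -w hidden -nop -enc <BASE64_PLACEHOLDER>"},
    {"id": 2, "parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\mshta.exe",
     "cmdline": "mshta.exe https://example.invalid/verify"},
    {"id": 3, "parent": "C:\\Program Files\\Microsoft VS Code\\Code.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -NoLogo -File build.ps1"},
    {"id": 4, "parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\notepad.exe",
     "cmdline": "notepad.exe notes.txt"},
]

# Interactive shell parents and the living-off-the-land script hosts that
# ClickFix lures ask users to run (assumed lists; extend for your estate).
SHELL_PARENTS = {"explorer.exe"}
LOLBIN_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe",
                   "mshta.exe", "wscript.exe", "cscript.exe"}
SUSPICIOUS_ARGS = [
    (re.compile(r"(?i)(^|\s)-(w|windowstyle)\s+hidden"), "hidden window"),
    (re.compile(r"(?i)(^|\s)-(e|ec|enc|encodedcommand)\b"), "encoded command"),
    (re.compile(r"(?i)(^|\s)-(nop|noprofile)\b"), "profile bypass"),
    (re.compile(r"(?i)https?://"), "remote URL on command line"),
]


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(event: dict) -> list:
    """List the ClickFix indicators present in one process-creation event."""
    reasons = []
    parent, child = basename(event["parent"]), basename(event["image"])
    if parent in SHELL_PARENTS and child in LOLBIN_CHILDREN:
        reasons.append(f"{child} launched directly from {parent}")
        for pattern, label in SUSPICIOUS_ARGS:
            if pattern.search(event["cmdline"]):
                reasons.append(label)
    return reasons


def detect_clickfix(events: list) -> dict:
    """Map event id -> reasons for events that look like ClickFix execution.

    Requires the shell-parent condition plus at least one command-line cue,
    so an ordinary PowerShell launch from the shell is not flagged on its own.
    """
    findings = {}
    for ev in events:
        reasons = score_event(ev)
        if len(reasons) >= 2:
            findings[ev["id"]] = reasons
    return findings


if __name__ == "__main__":
    for event_id, reasons in detect_clickfix(SAMPLE_EVENTS).items():
        print(f"event {event_id}: {'; '.join(reasons)}")
```

In production the same logic would read Sysmon or EDR process events rather than the embedded list; the heuristic is a triage aid and benefits from being paired with the RunMRU registry history of the Run dialog for corroboration.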
Looking Forward: The Ongoing Battle
Resilience of Criminal Infrastructure
Despite the significant disruption, cybercriminal operations have demonstrated remarkable resilience. Customers of the seized services reported losing access to their servers. In a Telegram message, the Rhadamanthys developer stated that they believed German law enforcement was behind the disruption, because web panels hosted in EU data centers had logged German IP addresses connecting shortly before the cybercriminals lost access.
However, history has shown that criminal operators often attempt to rebuild their infrastructure, albeit with increased operational security costs and diminished trust among their customer base.
The Importance of Sustained Pressure
Security researchers noted that Rhadamanthys' professionalization, with its growing customer base and expanding ecosystem, signals that such operations are likely here to stay, making it important to track not only malware updates but also the business infrastructure that sustains them.
This underscores the need for sustained, coordinated international action rather than one-off operations. Operation Endgame's multi-phase approach over 18 months demonstrates the value of persistent pressure on cybercriminal infrastructure.
Defensive Recommendations
Organizations should take proactive steps to protect against infostealer and RAT infections:
Technical Controls
- Endpoint Detection and Response (EDR): Deploy advanced EDR solutions capable of detecting behavioral indicators of compromise beyond signature-based detection
- Multi-Factor Authentication: Implement MFA across all systems, particularly those handling sensitive data or providing remote access
- Browser Security: Deploy browser isolation technologies and regularly clear cached credentials
- Network Segmentation: Implement zero-trust architectures to limit lateral movement if systems are compromised
User Education
- ClickFix Awareness: Train users to recognize social engineering tactics that prompt them to execute commands or disable security controls
- Phishing Recognition: Continuous training on identifying suspicious emails and download sources
- BYOD Policies: Establish clear policies for personal device use and require security controls on devices accessing corporate resources
Monitoring and Response
- Log Analysis: Monitor for suspicious authentication attempts and unusual data access patterns
- Credential Monitoring: Utilize services like Have I Been Pwned to check if organizational credentials appear in breach databases
- Incident Response Planning: Develop and regularly test comprehensive incident response plans specific to infostealer and RAT infections
Conclusion
Operation Endgame's latest phase represents a significant victory in the ongoing battle against cybercrime infrastructure. Law enforcement agencies stress that this action is not an endpoint but rather a significant milestone in ongoing efforts to protect citizens worldwide from evolving cyber threats.
The dismantling of Rhadamanthys, VenomRAT, and Elysium infrastructure removes critical tools from the cybercriminal arsenal, at least temporarily. The seizure of over 1,025 servers and the arrest of key operators sends a clear message that international law enforcement has the capability and coordination to strike at the heart of cybercrime operations.
However, the professional nature of these operations—with their malware-as-a-service models, continuous development cycles, and sophisticated evasion techniques—demonstrates that the cybercrime ecosystem has become increasingly mature and resilient. Sustained international cooperation, continued public-private partnerships, and strategic targeting of both infrastructure and operators will be essential to maintain pressure on these criminal networks.
For organizations and individuals, the operation serves as a reminder of the pervasive threat posed by infostealers and RATs. With hundreds of thousands of systems infected and millions of credentials compromised, the secondary impacts of these infections will likely continue for months or years as stolen credentials are exploited for account takeovers, financial fraud, and as initial access for more damaging attacks.
The fight against cybercrime requires vigilance at all levels—from individual users practicing good security hygiene, to organizations implementing robust security controls, to law enforcement agencies maintaining sustained pressure on criminal infrastructure. Operation Endgame's continued success provides hope that coordinated international action can disrupt even the most sophisticated cybercriminal operations.
Sources:
- Europol: End of the game for cybercrime infrastructure: 1025 servers taken down
- BleepingComputer: Police disrupts Rhadamanthys, VenomRAT, and Elysium malware operations
- The Hacker News: Operation Endgame Dismantles Rhadamanthys, Venom RAT, and Elysium Botnet in Global Crackdown
- Help Net Security: Rhadamanthys infostealer operation disrupted by law enforcement
- The Register: Cops take down Rhadamanthys infostealer, VenomRAT
- The Record: Operation Endgame: Police reveal takedowns of three key cybercrime tools
- Shadowserver Foundation: Rhadamanthys Historical Bot Infections Special Report
- Proofpoint: Security brief: VenomRAT is defanged
- Check Point Research: Rhadamanthys 0.9.x - walk through the updates
- Forescout: Infostealer Watch: Will Lumma's Takedown Help Rhadamanthys' Rise?