Malware families like Rhadamanthys Stealer, Venom RAT, and the Elysium botnet have been disrupted as part of a coordinated law enforcement operation led by Europol and Eurojust.
The activity, which is taking place between November 10 and 13, 2025, marks the latest phase of Operation Endgame, an ongoing operation designed to take down criminal infrastructures and combat ransomware enablers worldwide.
Besides dismantling the “three large cybercrime enablers,” authorities have also arrested the main suspect behind Venom RAT in Greece on November 3, more than 1,025 servers have been taken down, and 20 domains have been seized.
“The dismantled malware infrastructure consisted of hundreds of thousands of infected computers containing several million stolen credentials,” Europol said in a statement. “Many of the victims were not aware of the infection of their systems.”
It is worth noting that the Elysium botnet neutralized by authorities is the same proxy botnet service that RHAD security (aka Mythical Origin Labs), the threat actor associated with Rhadamanthys, was observed advertising as recently as last month.
Europol also noted that the main suspect behind the infostealer had access to at least 100,000 cryptocurrency wallets belonging to victims, potentially amounting to millions of euros.
A recent analysis published by Check Point revealed that the latest version of Rhadamanthys added support for collecting system and web browser fingerprints, along with incorporating several mechanisms to fly under the radar.
Rhadamanthys, according to the cybersecurity company, was offered under two paid models, a self-hosted subscription and a subscription with a rented server and additional benefits. It is assessed that the impact of the crackdown will be felt differently for each of them, Sergey Shykevich, group manager at Check Point Research, told The Hacker News.
[Figure: Rhadamanthys infections per country]
“The takedowns of RedLine and Lumma changed the ecosystem last year, and Rhadamanthys became one of the dominant and widely used infostealers,” Shykevich added. “The current takedown operation is another important step in fighting the big brands in the underground ecosystem.”
“Rhadamanthys developer had many ups and downs over the last years, and nevertheless, was able to continue and even accelerate its activity. We assume that now the developer behind Rhadamanthys will try to revive its operations in a few days, likely using only the new version 0.9.3, which was released just recently.”
“It is important to note that Rhadamanthys may have been used to drop additional malware on infected systems, so other malware infections may also be active on these systems and require further local remediation efforts,” the Shadowserver Foundation said. “These victim systems may also have been used in historic or recent intrusions and ransomware incidents.”
The non-profit, which assisted in the enforcement action, said 525,303 unique Rhadamanthys Stealer infections were identified between March and November 2025 across 226 countries and territories, representing over 86.2 million “information stealing events.” Of these, about 63,000 IP addresses are located in India.
“Operation Endgame 3.0 shows what’s possible when law enforcement and the private sector work together,” Adam Meyers, head of Counter Adversary Operations at CrowdStrike, said in a statement. “Disrupting the front end of the ransomware kill chain – the initial-access brokers, loaders, and infostealers – instead of just the operators themselves has a ripple effect through the eCrime ecosystem.”
“By targeting the infrastructure that fuels ransomware, this operation struck the ransomware economy at its source. But disruption isn’t eradication. Defenders should use this window to harden their environments, close visibility gaps, and hunt for the next wave of tools these adversaries will deploy.”
Authorities that participated in the effort included law enforcement agencies from Australia, Canada, Denmark, France, Germany, Greece, Lithuania, the Netherlands, and the U.S.
(The story was updated after publication to include additional insights from Check Point Research.)


