Full Report
Malware families including Rhadamanthys Stealer, Venom RAT, and the Elysium botnet have been disrupted as part of a coordinated law enforcement operation led by Europol and Eurojust. The action, which took place between November 10 and 13, 2025, marks the latest phase of Operation Endgame, an ongoing operation designed to take down criminal infrastructure and combat ransomware enablers.
Analysis Summary
# Incident Report: Operation Endgame Disruption of Cybercrime Infrastructure (Rhadamanthys, Venom RAT, Elysium)
## Executive Summary
Coordinated international law enforcement action (Operation Endgame), led by Europol and Eurojust, disrupted major cybercrime infrastructure between November 10 and 13, 2025. The operation targeted the operators behind the Rhadamanthys Stealer, Venom RAT, and the Elysium botnet, resulting in the takedown of over 1,025 servers and the seizure of 20 domains. The seized infrastructure held several million stolen credentials, and the main Rhadamanthys suspect had access to at least 100,000 cryptocurrency wallets, potentially worth millions of euros; taking the infrastructure offline stops further collection and monetization of that data.
## Incident Details
- **Discovery Date:** The operation culminated on November 13, 2025; however, the criminal activities involving these malware families were ongoing prior to this date.
- **Incident Date (Operation Window):** November 10 – November 13, 2025
- **Affected Organization:** Hundreds of thousands of infected computers worldwide (Victims were largely unaware of the compromise).
- **Sector:** Not stated in the source. Infostealers harvest credentials indiscriminately, so victims span consumers and organizations; the cryptocurrency wallet access indicates direct financial loss to individual users.
- **Geography:** Global operation involving agencies from Australia, Canada, Denmark, France, Germany, Greece, Lithuania, the Netherlands, and the U.S.
## Timeline of Events
### Initial Access
- **Date/Time:** Ongoing prior to November 2025; the source gives no date for the first infections.
- **Vector:** Not detailed per family in the source. Infostealers such as Rhadamanthys are commonly delivered through phishing lures, malvertising, and trojanized software downloads; the outcome here was hundreds of thousands of infected computers.
- **Details:** The infrastructure facilitated widespread infection, exposing victims to credential harvesting.
### Lateral Movement
- **Details:** Not specified in the source material. A RAT such as Venom RAT gives the operator interactive control of the infected host, which can serve as a foothold into a network, but no internal movement between hosts was reported.
### Data Exfiltration/Impact
- **Details:** The compromised infrastructures contained several million stolen credentials across affected computers. The main suspect behind Rhadamanthys had access to at least 100,000 cryptocurrency wallets, potentially amounting to millions of euros.
### Detection & Response
- **Date/Time:** Coordinated takedown occurred between November 10 and 13, 2025. A separate precursor action involved the arrest of the main Venom RAT suspect in Greece on November 3, 2025.
- **Response actions taken:** Law enforcement agencies executed a synchronized operation leading to the seizure/shutdown of 1,025 servers and 20 domains.
## Attack Methodology
*(Based on characteristics of the disrupted malware families)*
- **Initial Access:** Varied, exploiting user-facing vulnerabilities or social engineering to deploy initial payloads (common for Stealers and RATs).
- **Persistence:** Not specified in the source; RAT and botnet operations by nature maintain long-term access to infected hosts so the operator can task them repeatedly.
- **Privilege Escalation:** Not specified.
- **Defense Evasion:** Rhadamanthys utilized mechanisms "to fly under the radar," including collecting device and web browser fingerprints for evasion/targeting.
- **Credential Access:** Rhadamanthys Stealer specifically focused on harvesting credentials, including access to 100,000 cryptocurrency wallets.
- **Discovery:** Enumeration of installed browsers, credential stores, and wallet software on the host, inferred from the stealer's function rather than stated in the source.
- **Lateral Movement:** Not described in the source. Venom RAT and Elysium provide remote control of infected hosts; no movement between hosts was reported.
- **Collection:** Harvesting of web browser data and cryptocurrency wallet information.
- **Exfiltration:** Stolen data was sent to the operators' command-and-control servers, the infrastructure seized in the operation, for resale or direct monetization.
- **Impact:** Financial loss through cryptocurrency theft and extensive identity compromise via credential harvesting.
## Impact Assessment
- **Financial:** Potential loss of "millions of euros" due to compromised cryptocurrency wallets.
- **Data Breach:** Several million stolen credentials exposed across hundreds of thousands of machines.
- **Operational:** Disruption of what the source calls "three large cybercrime enablers" deals a significant blow to the ransomware economy that buys stolen credentials and initial access from them.
- **Reputational:** Victims were largely unaware of the infection; removing the infrastructure prevents their stolen credentials from being used against them and against the organizations they log in to.
## Indicators of Compromise
*(The source does not publish specific IOCs; it covers the operation itself. The items below are indicator classes for the malware families named, not hashes or addresses from the article.)*
- **Network indicators:** None provided in the article. Domains and servers seized in the operation would appear in historical proxy and DNS logs as C2 endpoints that are now sinkholed or unreachable.
- **File indicators:** Match endpoint and threat-intelligence telemetry against vendor signatures and YARA rules for "Rhadamanthys Stealer," "Venom RAT," and the "Elysium" botnet; the article provides no hashes.
- **Behavioral indicators:** Non-browser processes reading browser credential and cookie stores, access to cryptocurrency wallet files, collection of device and browser fingerprint data, and bulk outbound transfer of that data to a single external host.
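The behavioral indicators above can be turned into a simple detection. The following is an added example, not code from the source report or from any of the agencies involved: it profiles file-access telemetry per process, flags non-browser processes that read browser credential stores or cryptocurrency wallet files, and scores the combination of the two (the infostealer signature) highest. The event tuple shape, the sample rows, the path patterns, and the score weights are assumptions modelled on typical EDR file-access events, not on any vendor's schema.

```python
import re
from dataclasses import dataclass, field

# Constructed file-access telemetry: (pid, process image, path opened).
# These rows are made up for the example; they are not from the source report.
SAMPLE_EVENTS = [
    (4120, "chrome.exe", r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    (4120, "chrome.exe", r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"),
    (7788, "setup_update.exe", r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    (7788, "setup_update.exe", r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"),
    (7788, "setup_update.exe", r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\x1y2z3.default-release\logins.json"),
    (7788, "setup_update.exe", r"C:\Users\alice\AppData\Roaming\Exodus\exodus.wallet\seed.seco"),
    (7788, "setup_update.exe", r"C:\Users\alice\AppData\Roaming\Electrum\wallets\default_wallet"),
    (3010, "explorer.exe", r"C:\Users\alice\Documents\report.docx"),
    (5555, "backup.exe", r"C:\Users\alice\AppData\Roaming\Electrum\wallets\default_wallet"),
]

# Processes that legitimately open their own credential stores.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe"}

# Chromium "Login Data" / Cookies and Firefox logins.json / key4.db.
CREDENTIAL_STORE_RE = re.compile(
    r"(\\User Data\\[^\\]+\\(Network\\)?(Login Data|Cookies)$)"
    r"|(\\Firefox\\Profiles\\[^\\]+\\(logins\.json|key4\.db)$)",
    re.IGNORECASE,
)
# A few common desktop wallet locations (assumed list, extend as needed).
WALLET_RE = re.compile(
    r"\\(Exodus\\exodus\.wallet|Electrum\\wallets|Bitcoin\\wallet\.dat|Ethereum\\keystore)(\\|$)",
    re.IGNORECASE,
)


@dataclass
class ProcessProfile:
    image: str
    credential_stores: set = field(default_factory=set)
    wallet_paths: set = field(default_factory=set)


def profile_processes(events):
    """Group sensitive-file reads by pid; ignore paths that match neither class."""
    profiles = {}
    for pid, image, path in events:
        prof = profiles.setdefault(pid, ProcessProfile(image=image.lower()))
        if CREDENTIAL_STORE_RE.search(path):
            prof.credential_stores.add(path)
        elif WALLET_RE.search(path):
            prof.wallet_paths.add(path)
    return profiles


def score(prof):
    """Return (score, reasons). A browser reading its own stores scores 0."""
    reasons = []
    if prof.image in BROWSERS:
        return 0, reasons
    total = 0
    if prof.credential_stores:
        total += 40
        reasons.append(f"non-browser read {len(prof.credential_stores)} browser credential/cookie store(s)")
    if prof.wallet_paths:
        total += 30
        reasons.append(f"read {len(prof.wallet_paths)} cryptocurrency wallet file(s)")
    if prof.credential_stores and prof.wallet_paths:
        total += 30  # both in one process is the stealer pattern, not a backup tool
        reasons.append("credential stores and wallets touched by the same process")
    return total, reasons


def detect(events, threshold=60):
    """Return {pid: (image, score, reasons)} for processes at or above threshold."""
    alerts = {}
    for pid, prof in profile_processes(events).items():
        total, reasons = score(prof)
        if total >= threshold:
            alerts[pid] = (prof.image, total, reasons)
    return alerts


if __name__ == "__main__":
    for pid, (image, total, reasons) in detect(SAMPLE_EVENTS).items():
        print(f"pid {pid} ({image}) score {total}: " + "; ".join(reasons))
```

On the sample data only `setup_update.exe` (pid 7788) alerts; `backup.exe` reads one wallet file and stays below the threshold, which is the false-positive case a backup agent would trigger. The image-name allowlist is the weak point: a stealer that injects into a browser process inherits the exemption, so a production rule should key on code signer and parent process rather than image name, and should treat a copy of "Login Data" to a temporary directory as a read of the store.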
## Response Actions
- **Containment measures:** Seizure/shutdown of 1,025 servers and 20 domains used by the criminal infrastructure.
- **Eradication steps:** Takedown of the primary command and control capabilities for Rhadamanthys, Venom RAT, and Elysium.
- **Recovery actions:** Law enforcement actions are underway following the disruption; specific victim notification procedures were not detailed.
## Lessons Learned
- **Key takeaways:** Coordinated, multi-national law enforcement efforts (like Operation Endgame) are highly effective in dismantling complex, globally distributed cybercrime infrastructure, especially those enabling ransomware.
- **What could have been done better:** Many victims were unaware of their infection, indicating a need for improved endpoint visibility and proactive detection capabilities across end-user environments.
## Recommendations
- **Prevention measures for similar incidents:** Deploy endpoint detection and response (EDR) with coverage for fileless techniques and information stealers like Rhadamanthys. Disable or restrict browser-based password storage in favour of a managed password manager, so that a stealer reading the browser's credential store gets little. Treat any host found infected as fully compromised: reset the credentials, session cookies, and wallet keys it held, since the takedown removes the criminal infrastructure but does not recover data already exfiltrated. Maintain up-to-date threat intelligence feeds on malware families active in the cybercrime ecosystem to aid rapid identification.