Full Report
Law enforcement authorities from 9 countries have taken down 1,025 servers used by the Rhadamanthys infostealer, VenomRAT, and Elysium botnet malware operations in the latest phase of Operation Endgame, an international action targeting cybercrime. [...]
Analysis Summary
# Incident Report: Takedown of Rhadamanthys, VenomRAT, and Elysium Operations (Operation Endgame Phase)
## Executive Summary
Law enforcement agencies from nine countries conducted a coordinated international takedown targeting the infrastructure supporting the Rhadamanthys infostealer, VenomRAT trojan, and Elysium botnet. The operation seized 1,025 servers and 20 domains, significantly disrupting criminal operations that had compromised hundreds of thousands of computers and stolen millions of credentials, including potential access to millions of euros in crypto wallets. The primary outcome was the dismantling of the C2 infrastructure supporting these major malware strains.
## Incident Details
- **Discovery Date:** Ongoing multinational law enforcement investigation culminating in November 2025.
- **Incident Date:** Enforcement actions conducted between 10 and 14 November 2025. Key arrest occurred on 3 November 2025.
- **Affected Organization:** Global victim base (Note: No single organization specified, targets were individual end-users and businesses).
- **Sector:** Global Cybercrime Ecosystem (Targets likely spanned all sectors due to widespread malware distribution).
- **Geography:** Operations coordinated globally, with physical searches conducted in Germany, Greece, and the Netherlands.
## Timeline of Events
### Initial Access
- **Date/Time:** Ongoing prior to November 2025 enforcement.
- **Vector:** The specific delivery vectors used by Rhadamanthys (infostealer), VenomRAT (RAT), and Elysium (botnet) are not detailed in the source; distribution was widespread and in many cases built on prior compromises that led to infection.
- **Details:** Hundreds of thousands of computers were infected with these malware strains.
### Lateral Movement
- **Details:** VenomRAT is a remote access trojan, implying established capability for lateral movement post-initial infection. Details on the specific techniques used in the victims' environments are not specified beyond the malware capability.
### Data Exfiltration/Impact
- **Date/Time:** Ongoing, prior to takedown.
- **Details:** Several million stolen credentials were held within the compromised infrastructure. The Rhadamanthys developer reportedly had access to over 100,000 crypto wallets belonging to victims, potentially worth millions of euros.
### Detection & Response
- **Date/Time:** 10–14 November 2025 (Enforcement actions).
- **Details:** Coordinated international action led by Europol and Eurojust, supported by 9 countries and multiple private security partners. Actions included physical searches and seizure of digital assets.
## Attack Methodology
*Note: Specific methods for Privilege Escalation, Defense Evasion, Discovery, and Exfiltration are inherent capabilities of the malware families listed and are inferred from their roles as "infostealer" and "RAT," not from details in the source.*
- **Initial Access:** Distribution mechanisms associated with the three malware types (details unspecified in the article, but typically phishing, exploitation of vulnerabilities, or piggybacking on prior compromises).
- **Persistence:** Maintained via the operation of the Elysium botnet and VenomRAT C2 connections.
- **Privilege Escalation:** Not explicitly detailed, but standard for RAT/Infostealer operations.
- **Defense Evasion:** Not explicitly detailed, but the focus on infrastructure disruption implies evasion was necessary for prolonged operation.
- **Credential Access:** Achieved via the Rhadamanthys infostealer's function.
- **Discovery:** Reconnaissance capabilities inherent to RAT (VenomRAT).
- **Lateral Movement:** Implied capability of VenomRAT.
- **Collection:** Focused on gathering credentials and accessing crypto wallet information (Rhadamanthys).
- **Exfiltration:** Data likely routed through the 1,025 seized C2 servers.
- **Impact:** Financial theft (crypto wallets), widespread credential compromise, and covert access (RAT).
## Impact Assessment
- **Financial:** Potential loss measured in "millions of euros" tied to accessible crypto wallets.
- **Data Breach:** Several million stolen credentials.
- **Operational:** Significant operational disruption to the cybercriminals themselves due to infrastructure loss. Victims were largely unaware of their infection status prior to the takedown.
- **Reputational:** Increased public notoriety for the affected malware strains due to high-profile international law enforcement action.
## Indicators of Compromise
*Since the goal was infrastructure seizure, IoCs focus on the threat actors' previous infrastructure.*
- **Network Indicators (Defanged):** The source publishes no specific IPs or domains; the relevant infrastructure is the 1,025 C2 servers taken down and the 20 seized domains tied to the Malware-as-a-Service operations.
- **File Indicators:** Infected systems running Rhadamanthys infostealer, VenomRAT, and Elysium botnet components.
- **Behavioral Indicators:** Unauthorized remote access (VenomRAT), systematic credential harvesting (Rhadamanthys).
## Response Actions
- **Containment:** Physical searches conducted at 11 locations across Germany, Greece, and the Netherlands. Seizure of 20 domains.
- **Eradication:** Takedown of 1,025 C2 servers supporting the three malware operations, effectively severing victim command and control.
- **Recovery:** Law enforcement advised victims to check their systems via public resources ([politie.nl/checkyourhack](http://politie.nl/checkyourhack) and [haveibeenpwned.com](https://haveibeenpwned.com/)). A key suspect linked to VenomRAT was also arrested.
## Lessons Learned
- **Cooperation is Key:** Operation Endgame demonstrates the effectiveness of large-scale, multi-national coordination involving multiple government agencies and private cyber defense partners.
- **Infrastructure Targets High Value:** Directly targeting C2 infrastructure (servers and domains) is highly effective in immediately disrupting complex malware ecosystems and stopping ongoing victim exploitation.
- **Victim Awareness Gap:** Many victims were unaware their systems were compromised, highlighting the necessity of proactive endpoint detection and user education initiatives.
## Recommendations
- **Proactive IoC Sharing:** Continue to rapidly share intelligence regarding malware infrastructure (C2 IPs/domains related to Rhadamanthys, VenomRAT, Elysium) with ISPs and hosting providers for immediate blocking or sinkholing efforts.
- **User Remediation Tools:** Promote and support victim remediation efforts by continually highlighting accessible public tools designed to check for legacy infection (e.g., CheckYourHack portals).
- **Focus on the Supply Chain:** Given that Rhadamanthys is described as Malware-as-a-Service, future operations should prioritize identifying and disrupting the developers and primary distributors who service the groups using these tools.
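The "Network Indicators (Defanged)" entry above and the "Proactive IoC Sharing" recommendation both assume that a defender receives indicators in defanged form (`hxxp://`, `[.]`, `(dot)`) and has to normalize them before sweeping local DNS and proxy logs. The following script is an added example, not code from the article, Europol, or any of the named malware investigations: it refangs a shared indicator list, extracts hosts from log lines, and reports which internal clients contacted a listed host so they can be remediated. Every indicator value and log line in it is a constructed placeholder (documentation IP ranges and `.example` names), not real Rhadamanthys, VenomRAT, or Elysium infrastructure, and the log format is an assumed key=value style.

```python
"""
Defender-side sweep of local DNS/proxy logs against a shared, defanged
indicator list. Added example; not from the article or Operation Endgame.
All indicator values and log lines below are constructed placeholders.
"""
import re
from typing import Iterable

# Constructed placeholder indicators, written in the defanged form that
# sharing feeds commonly use. NOT real C2 infrastructure.
SHARED_INDICATORS = [
    "hxxp://c2-placeholder-one[.]example/gate.php",
    "c2-placeholder-two[.]example",
    "203[.]0[.]113[.]45",              # TEST-NET-3 documentation range
    "c2-placeholder-three(dot)example",
]

# Constructed sample log lines in an assumed key=value format
# (resolver-style "dns" records and proxy-style "proxy" records).
SAMPLE_LOG = """\
2025-11-12T09:14:02Z dns client=10.0.0.15 query=c2-placeholder-two.example type=A
2025-11-12T09:14:05Z proxy client=10.0.0.15 dst=203.0.113.45 url=http://203.0.113.45/gate.php
2025-11-12T09:15:11Z dns client=10.0.0.22 query=login.microsoftonline.com type=A
2025-11-12T09:16:40Z proxy client=10.0.0.31 dst=198.51.100.9 url=http://c2-placeholder-one.example/gate.php
2025-11-12T09:17:00Z dns client=10.0.0.40 query=c2-placeholder-three.example type=A
"""


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into its matchable form."""
    s = indicator.strip().lower()
    s = re.sub(r"^hxxps?://", lambda m: m.group(0).replace("hxxp", "http"), s)
    for defanged, plain in (("[.]", "."), ("(.)", "."), ("(dot)", "."),
                            ("[dot]", "."), ("[:]", ":"), ("[at]", "@")):
        s = s.replace(defanged, plain)
    return s


def indicator_host(indicator: str) -> str:
    """Extract the host (domain or IP) from a refanged URL or bare indicator."""
    s = re.sub(r"^https?://", "", refang(indicator))
    return s.split("/")[0].split(":")[0]


def extract_hosts(line: str) -> set[str]:
    """Pull candidate hosts from a log line: query=, dst=, and URL hosts."""
    hosts = set()
    for m in re.finditer(r"\b(?:query|dst)=([^\s]+)", line):
        hosts.add(m.group(1).lower())
    for m in re.finditer(r"https?://([^/\s:]+)", line):
        hosts.add(m.group(1).lower())
    return hosts


def sweep(log_lines: Iterable[str], indicators: Iterable[str]) -> list[dict]:
    """Return one hit record per log line that touches a listed host."""
    bad_hosts = {indicator_host(i) for i in indicators}
    hits = []
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        matched = extract_hosts(line) & bad_hosts
        if matched:
            client = re.search(r"client=([^\s]+)", line)
            hits.append({
                "client": client.group(1) if client else None,
                "matched": sorted(matched),
                "line": line,
            })
    return hits


def affected_clients(hits: list[dict]) -> list[str]:
    """Distinct internal clients to notify and remediate, sorted."""
    return sorted({h["client"] for h in hits if h["client"]})


if __name__ == "__main__":
    found = sweep(SAMPLE_LOG.splitlines(), SHARED_INDICATORS)
    for h in found:
        print(f"{h['client']}: {', '.join(h['matched'])}")
    print("clients to remediate:", affected_clients(found))
```

Matching is done on the host rather than the full URL so that a feed entry like `hxxp://host/gate.php` still catches a bare DNS lookup for `host`; the per-client summary is what feeds the victim-notification step the report's "Victim Awareness Gap" lesson calls for.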