Full Report
Operation Endgame also takes down Elysium and VenomRAT infrastructure International cops have pulled apart the Rhadamanthys infostealer operation, seizing 1,025 servers tied to the malware in coordinated raids between November 10-13.…
Analysis Summary
# Incident Report: Rhadamanthys, Elysium, and VenomRAT Infrastructure Takedown (Operation Endgame)
## Executive Summary
Coordinated international law enforcement action, known as Operation Endgame, successfully dismantled the infrastructure supporting the Rhadamanthys infostealer, Elysium botnet, and VenomRAT malware between November 10 and 13, 2025. This operation resulted in the seizure of 1,025 servers, disrupting operations that had infected hundreds of thousands of computers worldwide and compromised millions of credentials, including numerous cryptocurrency wallets. The primary outcome was the disruption of the malware distribution network and the arrest of key suspects related to associated operations.
## Incident Details
- **Discovery Date:** The scale of the infrastructure disruption and seizures became public around November 13, 2025, following precursor reports around November 11.
- **Incident Date:** Coordinated raids occurred between November 10-13, 2025.
- **Affected Organization:** No single entity was the victim; *adversary infrastructure* was the target. Victims across 226 countries were compromised.
- **Sector:** Global Cybercrime Economy (targeting various sectors via infostealers).
- **Geography:** Raids conducted in Germany (1 location), Greece (1 location), and the Netherlands (9 locations).
## Timeline of Events
### Initial Access (Attacker Stage - Prior to Takedown)
- **Date/Time:** Rhadamanthys active since 2022, with a surge reported in 2025.
- **Vector:** Email, web injects, and malvertising campaigns, with compromised websites used for malware delivery.
- **Details:** Attackers deployed Rhadamanthys to steal credentials, often achieving infection without the victim's knowledge. Associated operations (Elysium/VenomRAT) utilized related distribution methods.
### Command and Control Disruption (Law Enforcement Action)
- **Date/Time (Nov 3, 2025):** Arrest of the main suspect behind the VenomRAT malware in Greece.
- **Date/Time (Nov 11, 2025):** Rhadamanthys administrator instructed customers to cease operations "for safety reasons."
- **Date/Time (Nov 11, 2025):** Rhadamanthys onion service went dark.
- **Date/Time (Nov 10-13, 2025):** Coordinated raids across Europe resulting in the seizure of 1,025 servers tied to Rhadamanthys infrastructure.
### Data Exfiltration/Impact (Historical)
- **Details:** Analysis of seized databases revealed over 525,000 infections between March and November 2025. Over 86 million individual records (credentials) were collected. The main suspect allegedly accessed over 100,000 crypto wallets belonging to victims.
### Detection & Response (Law Enforcement Action)
- **Detection:** Ongoing investigation coordinated by Europol and Eurojust (Operation Endgame), supported by entities like the Shadowserver Foundation.
- **Response actions taken:** Coordinated international arrests (five pay-per-infect suspects), seizure of 1,025 servers central to Rhadamanthys operations, and access to the Rhadamanthys database for intelligence gathering.
## Attack Methodology
- **Initial Access:** Email phishing, web injects, malvertising, and using compromised websites for malware delivery.
- **Persistence:** Not explicitly detailed for Rhadamanthys, though malware operations typically establish foothold persistence.
- **Privilege Escalation:** Not detailed, which is typical for infostealers used by criminal networks.
- **Defense Evasion:** Implied via "many of the victims were not aware of the infection."
- **Credential Access:** Primary function of Rhadamanthys infostealer—collecting login credentials and crypto keys.
- **Discovery:** Initial reconnaissance performed by the malware upon successful infection.
- **Lateral Movement:** Not explicitly detailed for the infostealer itself; the associated botnet and RAT (Elysium/VenomRAT) provide capabilities that can support lateral movement.
- **Collection:** Gathering of credentials (86 million records) and specifically access to 100,000+ crypto wallets.
- **Exfiltration:** Data was reportedly passed to customers, though the main administrator allegedly skimmed the most valuable assets (crypto keys) for personal gain.
- **Impact:** Financial theft potential (millions of euros from crypto wallets), large-scale identity data compromise.
## Impact Assessment
- **Financial:** Potentially millions of euros linked to compromised cryptocurrency wallets. Commercial value of access sold: Rhadamanthys access cost $300-$500 USD monthly.
- **Data Breach:** Over 86 million individual records compromised globally.
- **Operational:** Disruption of the criminal supply chain for Rhadamanthys, Elysium, and VenomRAT usage.
- **Reputational:** Undermining of trust within the criminal underground following revelations that the Rhadamanthys admin skimmed top-tier data.
## Indicators of Compromise
*(Note: Due to the focus being on infrastructure takedown rather than an internal breach, IoCs listed are generalized indicators of past distribution methods)*
- **Network indicators:** (None listed as infrastructure was seized/taken down)
- **File indicators:** (None specified, focused on malware family Rhadamanthys)
- **Behavioral indicators:** Deployment via email, malicious advertisements, or injection from compromised websites. Unusual file modification indicative of credential harvesting.
## Response Actions
- **Containment measures:** Coordinated international seizure of 1,025 Command and Control (C2) servers globally.
- **Eradication steps:** Takedown of the Rhadamanthys onion service and associated C2 infrastructure.
- **Recovery actions:** Law enforcement provided intelligence to affected parties or systems (implied, typical of Operation Endgame).
## Lessons Learned
- **Key takeaways:** International, multi-agency coordination (Europol, Eurojust), as demonstrated by Operation Endgame, is highly effective in dismantling complex, distributed malware ecosystems. Malware operators prioritize self-preservation, often signaling shutdowns before physical raids occur.
- **What could have been done better:** The article notes that many victims were unaware of their infection, highlighting persistent gaps in user/organizational endpoint detection before the operation intervened.
## Recommendations
- **Prevention measures for similar incidents:**
1. Implement robust email filtering and DMARC/DKIM policies to mitigate phishing-based initial access vectors.
2. Utilize advanced endpoint detection and response (EDR) solutions capable of detecting credential harvesting behaviors associated with infostealers like Rhadamanthys.
3. Enhance monitoring for traffic anomalies associated with common malvertising redirects.
4. Enforce multifactor authentication universally, especially for high-value accounts like cryptocurrency wallets.