Operation Endgame Dismantles Rhadamanthys, Venom RAT, and Elysium Botnet in Global Crackdown

Nov 13, 2025Ravie LakshmananBotnet / Cybercrime

Malware families like Rhadamanthys Stealer, Venom RAT, and the Elysium botnet have been disrupted as part of a coordinated law enforcement operation led by Europol and Eurojust.

The activity, which is taking place between November 10 and 13, 2025, marks the latest phase of Operation Endgame, an ongoing operation designed to take down criminal infrastructures and combat ransomware enablers worldwide.

Besides dismantling the “three large cybercrime enablers,” authorities have also arrested the main suspect behind Venom RAT in Greece on November 3, more than 1,025 servers have been taken down, and 20 domains have been seized.

“The dismantled malware infrastructure consisted of hundreds of thousands of infected computers containing several million stolen credentials,” Europol said in a statement. “Many of the victims were not aware of the infection of their systems.”

It’s currently not clear if the Elysium botnet Europol refers to is the same proxy botnet service RHAD security (aka Mythical Origin Labs), the threat actor associated with Rhadamanthys, was observed advertising as recently as last month.

Europol also noted that the main suspect behind the infostealer had access to no less than 100,000 cryptocurrency wallets belonging to victims, potentially amounting to millions of euros.

A recent analysis published by Check Point revealed that the latest version of Rhadamanthys added support for collecting device and web browser fingerprints, along with incorporating several mechanisms to fly under the radar.

“It is important to note that Rhadamanthys may have been used to drop additional malware on infected systems, so other malware infections may also be active on these systems and require further local remediation efforts,” the Shadowserver Foundation said. “These victim systems may also have been used in historic or recent intrusions and ransomware incidents.”

The non-profit, which assisted in the enforcement action, said 525,303 unique Rhadamanthys Stealer infections were identified between March and November 2025 across 226 countries and territories, representing over 86.2 million “information stealing events.” Of these, about 63,000 IP addresses are located in India.

“Operation Endgame 3.0 shows what’s possible when law enforcement and the private sector work together,” Adam Meyers, head of Counter Adversary Operations at CrowdStrike, said in a statement. “Disrupting the front end of the ransomware kill chain – the initial-access brokers, loaders, and infostealers – instead of just the operators themselves has a ripple effect through the eCrime ecosystem.”

“By targeting the infrastructure that fuels ransomware, this operation struck the ransomware economy at its source. But disruption isn’t eradication. Defenders should use this window to harden their environments, close visibility gaps, and hunt for the next wave of tools these adversaries will deploy.”

Authorities that participated in the effort included law enforcement agencies from Australia, Canada, Denmark, France, Germany, Greece, Lithuania, the Netherlands, and the U.S.

(This is a developing story. Please check back for more updates.)

Source