
Operation Endgame 3.0 Dismantles Three Major Malware Networks

By Team-CWD, November 13, 2025


Three malware strains popular with cybercriminals have been taken down in a large-scale law enforcement operation that spanned 11 countries.

The dismantling of the malware networks is part of an ongoing effort, dubbed Operation Endgame. The latest activity, Operation Endgame 3.0, occurred between November 10 and 13.

Infrastructure linked to Rhadamanthys, a notorious information stealer (infostealer); VenomRAT, a remote access trojan; and the Elysium botnet has been impacted.

The raids also resulted in:

  • Over 1025 servers taken down or disrupted worldwide
  • 20 domains seized
  • 11 locations searched (one in Germany, one in Greece, and 9 in the Netherlands)
  • The arrest of the suspected main operator of VenomRAT in Greece

“The infrastructure dismantled during the action days was responsible for infecting hundreds of thousands of victims worldwide with malware,” said Europol in a public statement published on November 13.

The operation involved law enforcement agencies from six EU countries, Australia, Canada, the UK and the US, with the collaboration of Europol, Eurojust and over 30 private partners from the cybersecurity industry. The initiative was coordinated from Europol’s headquarters in The Hague, Netherlands.

Takedown of Rhadamanthys, VenomRAT and Elysium

The Rhadamanthys infostealer “had grown to become one of the leading infostealers since Operation Endgame ‘Season 2’ disrupted the infostealer landscape,” according to a Shadowserver Foundation statement published on November 13.

In this statement, the UK government-funded non-profit announced that it had sent notifications about devices infected with the Rhadamanthys infostealer malware between March and November 2025 to 201 national computer security incident response teams (CSIRTs) in 175 countries and over 10,000 network owners globally.

“The main suspect behind the infostealer had access to over 100,000 crypto wallets belonging to these victims, potentially worth millions of euros,” the Europol announcement noted.

The Europol announcement was also accompanied by a new video about Rhadamanthys on the Operation Endgame website, entitled S03E01 “STICKY FINGERS.”

First discovered in June 2020, VenomRAT is a modified fork of the Quasar remote access trojan (QuasarRAT).

VenomRAT has been advertised as an effective tool to remotely access computers for $150 per month. It is generally distributed as malicious attachments in spam emails.

Once installed, VenomRAT uses an obfuscated Microsoft Office macro script to download malicious files, then executes functions from a library and uses PowerShell scripts for further actions.

“The dismantled malware infrastructure, encompassing Rhadamanthys, VenomRAT and the Elysium botnet, consisted of hundreds of thousands of infected computers containing several million stolen credentials,” said Europol.

“Many of the victims were not aware of the infection of their systems.” Potential victims can now check if their systems have been infected by visiting the Netherlands police’s CheckYourHack website and the Have I Been Pwned portal.

Operation Endgame 3.0: Third Blow to Cybercrime-Enabling Industry

This latest operation is the third series of takedowns of cybercrime-enabling infrastructure after Operation Endgame 1.0 (May 2024) and Operation Endgame 2.0 (April 2025).

This new series involved over 100 law enforcement officers from Australia, Canada, Denmark, France, Germany, Greece and the US.

The Europol command post facilitated the exchange of intelligence on seized servers and suspects, as well as the transfer of seized data.

Eurojust also assisted with the execution of a European Arrest Warrant and European Investigation Orders.

The private sector partners included Abuse.ch, Bitdefender, CrowdStrike, Cryptolaemus, Cymru, the Dutch Institute for Vulnerability Disclosure (DIVD), HaveIBeenPwned, Lumen, Proofpoint, the Shadowserver Foundation and its Registrar of Last Resort (RoLR), Spamhaus and SpyCloud.
