Cyberwire Daily
Operation Endgame Dismantles Rhadamanthys, Venom RAT, and Elysium Botnet in Global Crackdown

By Team-CWD, November 22, 2025


Malware families like Rhadamanthys Stealer, Venom RAT, and the Elysium botnet have been disrupted as part of a coordinated law enforcement operation led by Europol and Eurojust.

The activity, which took place between November 10 and 13, 2025, marks the latest phase of Operation Endgame, an ongoing operation designed to take down criminal infrastructures and combat ransomware enablers worldwide.

Besides dismantling the “three large cybercrime enablers,” authorities have also arrested the main suspect behind Venom RAT in Greece on November 3, more than 1,025 servers have been taken down, and 20 domains have been seized.

“The dismantled malware infrastructure consisted of hundreds of thousands of infected computers containing several million stolen credentials,” Europol said in a statement. “Many of the victims were not aware of the infection of their systems.”

It’s worth noting that the Elysium botnet neutralized by authorities is the same proxy botnet service RHAD security (aka Mythical Origin Labs), the threat actor associated with Rhadamanthys, was observed advertising as recently as last month.

Europol also noted that the main suspect behind the infostealer had access to no less than 100,000 cryptocurrency wallets belonging to victims, potentially amounting to millions of euros.

A recent analysis published by Check Point revealed that the latest version of Rhadamanthys added support for collecting device and web browser fingerprints, along with incorporating several mechanisms to fly under the radar.

Rhadamanthys, according to the cybersecurity company, was offered under two paid models, a self-hosted subscription and a subscription with a rented server and additional benefits. It’s assessed that the impact of the crackdown will be felt differently for each of them, Sergey Shykevich, group manager at Check Point Research, told The Hacker News.

Rhadamanthys infections per country

“The takedowns of RedLine and Lumma changed the ecosystem last year, and Rhadamanthys became one of the most dominant and widely used infostealers,” Shykevich added. “The current takedown operation is another important step in fighting the big brands in the underground ecosystem.”

“Rhadamanthys developer had many ups and downs during the last years, and nevertheless, was able to continue and even accelerate its activity. We assume that now the developer behind Rhadamanthys will try to revive its operations in a few days, likely using only the new version 0.9.3, which was launched just recently.”

“It is important to note that Rhadamanthys may have been used to drop additional malware on infected systems, so other malware infections may also be active on these systems and require further local remediation efforts,” the Shadowserver Foundation said. “These victim systems may also have been used in historic or recent intrusions and ransomware incidents.”

The non-profit, which assisted in the enforcement action, said 525,303 unique Rhadamanthys Stealer infections were identified between March and November 2025 across 226 countries and territories, representing over 86.2 million “information stealing events.” Of these, about 63,000 IP addresses are located in India.

“Operation Endgame 3.0 shows what’s possible when law enforcement and the private sector work together,” Adam Meyers, head of Counter Adversary Operations at CrowdStrike, said in a statement. “Disrupting the front end of the ransomware kill chain – the initial-access brokers, loaders, and infostealers – instead of just the operators themselves has a ripple effect through the eCrime ecosystem.”

“By targeting the infrastructure that fuels ransomware, this operation struck the ransomware economy at its source. But disruption isn’t eradication. Defenders should use this window to harden their environments, close visibility gaps, and hunt for the next wave of tools these adversaries will deploy.”

Authorities that participated in the effort included law enforcement agencies from Australia, Canada, Denmark, France, Germany, Greece, Lithuania, the Netherlands, and the U.S.

(The story was updated after publication to include additional insights from Check Point Research.)
