Operation Endgame: International Sting Disrupts Rhadamanthys, Venom RAT, and 1,000+ Servers
Coordinated actions by law-enforcement agencies across multiple countries have delivered a major blow to networks that for years formed the backbone of numerous malicious operations. The latest phase of Operation Endgame, conducted from 10 to 13 November, continues a multistep campaign aimed at dismantling criminal infrastructures responsible for distributing spyware and remote-access tools. The scale of the effort demonstrates how international cooperation is gradually shifting the balance of power, depriving threat actors of the platforms on which their schemes once depended.
Authorities, under the leadership of Europol and Eurojust, reported the disruption of several well-known malware families, including Rhadamanthys Stealer, Venom RAT, and the Elysium botnet. Over the course of the operation, more than a thousand servers were taken offline, and roughly two dozen domain names were seized.
The primary suspect associated with Venom RAT was arrested in Greece earlier this month. According to Europol, the dismantled infrastructure relied on hundreds of thousands of compromised devices used for data theft and the expansion of criminal networks. The compromised systems held millions of stolen credentials, including no fewer than one hundred thousand cryptocurrency wallets, whose contents were valued at substantial sums.
Questions remain regarding the Elysium botnet. Europol has not clarified whether this is the same service promoted last month by RHAD Security alongside Rhadamanthys. This leaves room for interpretation, as the group has previously been linked to proxy networks used to mask malicious activity.
In early October, Check Point researchers reported that the latest version of Rhadamanthys had acquired device- and browser-fingerprinting capabilities and implemented new methods of evading detection, making it one of the most persistent and adaptable spyware strains on the market.
Operation Endgame involved law-enforcement bodies from Australia, Canada, Denmark, France, Germany, Greece, Lithuania, the Netherlands, and the United States. Their synchronized actions are gradually dismantling infrastructures long used to target companies and private individuals across regions, reducing the influence of groups whose tools have supported ransomware operators and online fraudsters for years.