Operation Endgame Disrupts Rhadamanthys, VenomRAT, and Elysium Malware Operations
International law enforcement agencies, coordinated by Europol and Eurojust, executed a major crackdown on the infrastructures supporting the Rhadamanthys infostealer, VenomRAT remote access trojan, and the Elysium botnet. The operation, part of the ongoing Operation Endgame, resulted in the takedown of over 1,025 servers and the seizure of 20 domains used to control and distribute these malware families. Authorities also arrested the main suspect behind VenomRAT in Greece, and the dismantled infrastructure included hundreds of thousands of infected computers and millions of stolen credentials, with many victims unaware of the compromise. The operation involved law enforcement from at least nine countries and was supported by numerous private sector partners, including cybersecurity firms and threat intelligence organizations.
Rhadamanthys, a modular information stealer sold as malware-as-a-service, and VenomRAT, a commodity RAT favored by threat actors like TA558, were both widely distributed through email campaigns, malvertising, and other vectors. The Elysium botnet, less well-documented, was also linked to these operations, potentially serving as a proxy network for criminal activity. The disruption has caused significant operational issues for cybercriminals, with many reporting loss of access to their command-and-control panels and servers. Authorities have advised potential victims to check if their systems were compromised and to take remediation steps, as the takedown is expected to have a substantial impact on the cybercrime ecosystem.

How this story unfolded
10 events from the most recent confirmed update back to the earliest known activity.
Law enforcement and partners notify victims and criminal users
Following the takedown announcement, authorities and partners directed potential victims to breach-checking and compromise-notification services and said they had contacted users of the criminal services. The outreach was intended both to help exposed victims and to generate investigative leads on operators and customers.
Authorities publicly announce Rhadamanthys, VenomRAT, and Elysium disruption
On November 13, 2025, Europol and partner agencies publicly revealed the latest Operation Endgame takedowns affecting Rhadamanthys, VenomRAT, and the Elysium botnet. Officials also said the main infostealer suspect had access to more than 100,000 cryptocurrency wallets potentially worth millions of euros.
Operation Endgame seizes 1,025 servers and 20 domains
International law enforcement dismantled infrastructure used by Rhadamanthys, VenomRAT, and Elysium, taking down 1,025 servers and seizing 20 domains. Europol said the infrastructure had infected hundreds of thousands of computers and was tied to several million stolen credentials.
Rhadamanthys operators lose access to servers
Customers and operators of the Rhadamanthys malware-as-a-service platform lost access to their servers during the law enforcement disruption. Reporting indicated the developer suspected German law enforcement involvement after seeing German IP connections.
Searches conducted across Germany, Greece, and the Netherlands
Law enforcement carried out coordinated searches at 11 locations in Germany, Greece, and the Netherlands during the action days of Operation Endgame. These searches took place between November 10 and 14, 2025.
Operation Endgame begins new action phase
A new phase of Operation Endgame began on November 10, 2025, targeting infrastructure tied to the Rhadamanthys infostealer, VenomRAT, and the Elysium botnet. The multinational effort was coordinated by Europol and Eurojust.
Police arrest key VenomRAT suspect in Greece
Authorities arrested a main suspect linked to VenomRAT in Greece as part of Operation Endgame. Multiple reports place the arrest on November 3, 2025, ahead of the broader public announcement of the operation.
Operation Endgame Season 2 officially launches
Operation Endgame "Season 2" was officially launched as a renewed international effort to disrupt botnet infrastructure and the operators behind it. Spamhaus said it supported the action with victim account remediation, while law enforcement and partners coordinated the broader campaign.
Operation Endgame first announced against major botnets
A coalition of international law enforcement agencies announced the original Operation Endgame on May 30, 2024, targeting major botnets including IcedID, SmokeLoader, SystemBC, Pikabot, and Bumblebee. The action marked the initial public launch of the multinational botnet disruption effort later followed by Season 2.
Rhadamanthys infostealer first observed
Proofpoint described Rhadamanthys as a malware-as-a-service infostealer first seen in 2022, used to steal credentials, financial data, and system information. It later became a tool used by multiple cybercriminal actors across email, web-inject, and malvertising campaigns.
Sources
Weekly Update 478 (troyhunt.com)
Risky Bulletin: Europol takes down Elysium, VenomRAT, and Rhadamanthys infrastructure (news.risky.biz)
Rhadamanthys malware admin rattled as cops seize a thousand-plus servers (go.theregister.com)
Police disrupts Rhadamanthys, VenomRAT, and Elysium malware operations (bleepingcomputer.com)
Malware Digest Sep 2022 | Stats for URLs, IOCs & malware from abuse.ch (spamhaus.org)
Malware Digest Aug 2022 | Stats for URLs, IOCs & malware from abuse.ch (spamhaus.org)
Malware | Brazilian internet users suffer SoftLayer's security fail | Spamhaus (spamhaus.org)
Malware | Summer Break arrives early for Malware Botnet Gang | Spamhaus (spamhaus.org)


