Law Enforcement Disruption of Major Malware and Ransomware Operations
International law enforcement agencies have intensified efforts to disrupt the infrastructure of prominent malware and ransomware operations. Europol, as part of Operation Endgame, targeted the servers supporting the Rhadamanthys information stealer, resulting in a sudden loss of access for its operators and a halt in observed activity since late October 2025. Rhadamanthys, a C++-based stealer-as-a-service, had been widely distributed through phishing campaigns and malicious ads, with its latest version released in October 2025. The operation's impact on the long-term viability of Rhadamanthys remains to be seen, but the immediate effect has been a significant reduction in its activity.
In parallel, law enforcement agencies across the US and Europe have made notable arrests and infrastructure takedowns targeting ransomware groups. The UK’s National Crime Agency apprehended a suspect linked to a ransomware attack that disrupted multiple European airports, while US authorities filed charges against the administrator of several notorious ransomware gangs and seized assets from a Zeppelin ransomware distributor. Additionally, a coordinated international operation dismantled the infrastructure of the BlackSuit ransomware group, further demonstrating the global commitment to combating cybercrime. These actions collectively signal a robust and ongoing crackdown on cybercriminal operations by international authorities.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
SpyCloud reports Rhadamanthys activity drops sharply after Operation Endgame
By December 2025, SpyCloud reported that Rhadamanthys infections and newly recaptured logs had fallen sharply following the November 10 Operation Endgame takedown, with only limited residual activity observed. SpyCloud also assessed that many former Rhadamanthys customers were shifting to rival infostealers such as Vidar as the service struggled to recover.
Kaspersky publishes Q3 2025 non-mobile threat statistics
Securelist published Kaspersky's report on IT threat evolution in Q3 2025 covering non-mobile malware statistics for PCs and IoT. This marked the release of a quarterly snapshot of the threat landscape rather than a specific incident disclosure.
Europol disrupts Rhadamanthys infrastructure in Operation Endgame
In November 2025, Europol disrupted infrastructure associated with the Rhadamanthys information stealer as part of Operation Endgame. The action was described as potentially affecting the malware's prevalence, though the long-term impact remained uncertain.
Rhadamanthys activity surges through paste-and-run delivery campaigns
During October 2025, Rhadamanthys saw increased activity, with the information stealer frequently delivered via paste-and-run campaigns and operated as a malware-as-a-service offering. The surge was noted alongside broader use of social engineering, fake installers, and compromised websites to infect victims.
JustAskJacky becomes the most prevalent threat observed in October 2025
Red Canary reported that in October 2025, JustAskJacky was the most prevalent cyber threat it observed. The malware family consists of malicious NodeJS applications disguised as AI or utility tools that perform reconnaissance, create scheduled tasks for persistence, and execute arbitrary commands in memory.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
Cybercrime Disruption: Rhadamanthys Stealer & MaaS Ecosystem
spycloud.com
Open sourceIntelligence Insights: October 2025
redcanary.com
Open sourceDesktop and IoT malware report for Q3 2025 | Securelist
securelist.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Operation Endgame Disrupts Rhadamanthys, VenomRAT, and Elysium Malware Operations
International law enforcement agencies, coordinated by Europol and Eurojust, executed a major crackdown on the infrastructures supporting the Rhadamanthys infostealer, VenomRAT remote access trojan, and the Elysium botnet. The operation, part of the ongoing Operation Endgame, resulted in the takedown of over 1,025 servers and the seizure of 20 domains used to control and distribute these malware families. Authorities also arrested the main suspect behind VenomRAT in Greece, and the dismantled infrastructure included hundreds of thousands of infected computers and millions of stolen credentials, with many victims unaware of the compromise. The operation involved law enforcement from at least nine countries and was supported by numerous private sector partners, including cybersecurity firms and threat intelligence organizations. Rhadamanthys, a modular information stealer sold as malware-as-a-service, and VenomRAT, a commodity RAT favored by threat actors like TA558, were both widely distributed through email campaigns, malvertising, and other vectors. The Elysium botnet, less well-documented, was also linked to these operations, potentially serving as a proxy network for criminal activity. The disruption has caused significant operational issues for cybercriminals, with many reporting loss of access to their command-and-control panels and servers. Authorities have advised potential victims to check if their systems were compromised and to take remediation steps, as the takedown is expected to have a substantial impact on the cybercrime ecosystem.
Apr 11, 2026
Law Enforcement Disrupts Cybercrime Networks and Arrests Ransomware and Fraud Suspects
International and national law enforcement actions were reported targeting a range of cybercrime activity, including ransomware, extortion, and large-scale fraud. SentinelOne summarized multiple cases: Dutch authorities arrested a man accused of attempting to extort officials after receiving sensitive documents by mistake and refusing to delete them; Polish authorities detained a suspect linked to the **Phobos** ransomware-as-a-service ecosystem as part of Europol-coordinated **Operation Aether**, seizing materials such as stolen credentials and access information; and **Operation Red Card 2.0** (coordinated through Interpol/AFJOC) resulted in hundreds of arrests across multiple African countries, along with seizures of devices, takedowns of malicious sites, and recovery of funds tied to investment fraud and mobile-money/loan scams. Separately, Security Affairs’ weekly newsletter highlighted additional ongoing cyber risk items that align with the same broad theme of active cybercrime and enforcement pressure, including an **FBI warning** about a surge in **ATM jackpotting** losses and reporting on **Operation Red Card 2.0**. Other items in the Security Affairs roundup (e.g., additions to CISA’s KEV catalog, vendor/software issues, and various malware reports) were presented as a curated link list rather than a single unified incident. A SOCRadar profile on the China-attributed **Lotus Blossom** espionage group and a Tom’s Hardware historical piece on the first computer search warrant are not part of the law-enforcement disruption story and do not materially support the same specific event narrative.
Mar 21, 2026
Law Enforcement Disruption and Ransomware Group Realignment in 2025
Law enforcement agencies have intensified their efforts against major ransomware groups, leading to significant disruptions in the global ransomware ecosystem. In Q2 2025, prominent ransomware-as-a-service (RaaS) groups such as LockBit and RansomHub either ceased operations or stopped publishing victim data, resulting in a fractured landscape previously dominated by a few powerful actors. This shift was largely attributed to coordinated international law enforcement operations, which in May 2025 dismantled over 300 malicious servers, shut down more than 650 domains, and issued arrest warrants for at least 20 individuals connected to ransomware and initial access malware infrastructure. The takedown of LockBit’s infrastructure in late 2024 under Operation Cronos set a precedent, demonstrating the vulnerability of even the most prolific ransomware groups when faced with unified global action. As a result, the ransomware ecosystem became more fragmented, with smaller, agile actors attempting to fill the void left by the dismantled groups. Concurrently, the profitability of ransomware attacks has declined due to evolving regulations, including bans on ransom payments, further pressuring threat actors. Despite these setbacks, LockBit has attempted a resurgence, announcing a strategic alliance with other major ransomware groups, Qilin and DragonForce, in Q3 2025. This coalition aims to share techniques, resources, and infrastructure, potentially restoring LockBit’s reputation among affiliates and increasing the operational capabilities of all involved groups. The emergence of LockBit 5.0, capable of targeting Windows, Linux, and ESXi systems, marks a technological advancement in their toolkit, first advertised in September 2025. Qilin, now the most active ransomware group, claimed over 200 victims in Q3 2025, with a particular focus on North American organizations. The alliance between LockBit, Qilin, and DragonForce is expected to trigger a surge in attacks, especially on critical infrastructure and sectors previously considered low risk. The ongoing evolution of the ransomware threat landscape underscores the dynamic interplay between law enforcement actions and the adaptability of cybercriminal groups. The future trajectory of ransomware will likely depend on the continued effectiveness of law enforcement operations and the ability of threat actors to reorganize and innovate. Organizations are advised to remain vigilant, as the threat landscape remains volatile and unpredictable. The collaboration among major ransomware groups signals a potential escalation in both the scale and sophistication of future attacks. The global cybersecurity community must continue to coordinate efforts to counter these evolving threats and mitigate their impact on critical sectors.
Mar 21, 2026