Police Takedown: Rhadamanthys, VenomRAT, and Elysium Malware Operations Disrupted

Summary
– Law enforcement from nine countries dismantled over 1,000 servers used by Rhadamanthys, VenomRAT, and Elysium botnet malware in Operation Endgame.
– The coordinated action involved Europol and Eurojust, supported by private partners, and included searches in Germany, Greece, and the Netherlands.
– A key suspect linked to VenomRAT was arrested in Greece, and the malware infrastructure contained millions of stolen credentials from infected computers.
– Rhadamanthys malware grew significantly in late 2025, with many command servers undetected by antivirus tools, affecting thousands of victims daily.
– Operation Endgame has previously disrupted multiple malware operations, including IcedID and Trickbot, and targeted ransomware infrastructure.

A major international law enforcement effort has successfully dismantled a sprawling network of cybercrime infrastructure, dealing a significant blow to several prominent malware families. Authorities from nine countries collaborated in the latest phase of Operation Endgame, a coordinated initiative that resulted in the takedown of more than one thousand servers used by the Rhadamanthys infostealer, VenomRAT, and the Elysium botnet. This large-scale disruption was orchestrated by Europol and Eurojust, with crucial support from numerous private cybersecurity firms.
Between November 10th and 14th, 2025, police executed searches at eleven locations across Germany, Greece, and the Netherlands. The operation led to the seizure of twenty domains and the dismantling of 1,025 servers that powered the malicious activities. A key breakthrough came with the arrest of a primary suspect in Greece on November 3rd, who is believed to be connected to the distribution of the VenomRAT remote access trojan.
According to Europol, the compromised infrastructure consisted of hundreds of thousands of infected computers, which held several million stolen login credentials. A vast number of the victims were completely unaware that their systems had been compromised. The main suspect behind the infostealer had access to over 100,000 cryptocurrency wallets belonging to these victims, representing a potential financial loss worth millions of euros. Europol has since advised the public to use specific online resources to check if their computers were affected by these malware strains.
Analysis from Lumen’s Black Lotus Labs, which assisted in the operation, revealed that the Rhadamanthys operation had been growing steadily since 2023, with a dramatic surge in activity during October and November of 2025. They tracked an average of three hundred active servers daily, peaking at 535 in October. Over sixty percent of the command-and-control servers used by Rhadamanthys were located in the United States, Germany, the United Kingdom, and the Netherlands. Notably, more than sixty percent of these servers remained undetected on the VirusTotal scanning platform, a factor that contributed to the malware infecting an average of over 4,000 unique IP addresses each day during its peak.
This official announcement confirms earlier reports that the Rhadamanthys infostealer service had been disrupted, with its customers losing access to their panels. The developer of the malware indicated in a Telegram message that they believed German law enforcement was responsible, citing that web panels hosted in EU data centers showed connections from German IP addresses just before access was cut off.
Operation Endgame has a history of successful interventions against cybercrime. Its previous actions have led to the seizure of servers supporting malware like IcedID, Bumblebee, Pikabot, Trickbot, and SystemBC. The joint initiative has also taken aim at ransomware infrastructure, the AVCheck site, and customers of the Smokeloader botnet. In a related development from April 2024, Ukrainian cyber police arrested a Russian individual in Kyiv for allegedly assisting the Conti and LockBit ransomware gangs in evading detection by antivirus software.
(Source: Bleeping Computer)