Authorities coordinated by Europol, in cooperation with partner agencies across multiple countries, have disrupted a significant cybercriminal infrastructure in what was described as the latest phase of Operation Endgame. The action took place between November 10 and 13, 2025, and targeted three prominent malware services: the infostealer Rhadamanthys, the remote-access trojan VenomRAT, and the botnet ecosystem Elysium.
Officials said that more than 1,025 servers were taken down or disrupted, and 20 domains were seized during the operation. The infrastructure was responsible for infecting hundreds of thousands of devices and gathering several million stolen credentials. Many victims reportedly remained unaware that their systems were compromised.
Among the key developments was an arrest made in Greece on November 3 of a suspect believed to be connected to the VenomRAT trojan. Authorities said this individual operated within an international framework that provided remote access tools to other cybercriminal actors. Rhadamanthys, which evolved into a malware-as-a-service offering in late 2022, had been marketed via underground forums at monthly subscription rates between $300 and $500. The infostealer’s toolkit expanded to include functionalities such as cryptocurrency wallet key extraction and browser cookie theft, making it a major enabler of further intrusions.
Europol noted that the infostealer’s operator had access to more than 100,000 cryptocurrency wallets, potentially worth millions of euros. Elysium, for its part, provided botnet infrastructure that enabled large-scale distribution of malicious payloads, anonymised proxy traffic, and remote control networks, which compromised both enterprise IT systems and, in some cases, operational technology environments.
Global law enforcement participation was broad, spanning Australia, Belgium, Canada, Denmark, France, Germany, Greece, Lithuania, the Netherlands, the United Kingdom, and the United States. Private sector partners also contributed technical intelligence and forensic data. Some firms reported that Rhadamanthys’ back-end panels went offline, and several affiliate users found themselves locked out of malware control systems, signifying that the disruption directly affected the business model behind the stealer. The takedown of key infrastructure is expected to reduce the ease of access for affiliates renting the malware services and may temporarily reduce the volume of compromised systems.
Concrete impact and next steps for organisations
The operation achieved tangible outcomes beyond server seizure and suspect arrests. Law enforcement sources shared that the infrastructure was linked to infection campaigns in more than 226 countries and territories, with Shadowserver reporting 525,303 unique Rhadamanthys stealer infections between March and November 2025 and more than 86 million associated “information-stealing” events.
Reports show that compromised data included session tokens, login credentials, browser-stored passwords, and cryptocurrency wallet keys. Several databases of affected email addresses and passwords were published to platforms like HaveIBeenPwned, enabling individuals and organisations to check for potential exposure.
For organisations, the takedown signals an opportunity to review whether their networks or customers were infected by one of the disrupted malware families. While operational disruption of the infrastructure reduces immediate risk, cybercriminal groups may quickly rebuild or migrate to new platforms. Analysts emphasise that defenders must remain vigilant and enhance detection of threat-actor behaviours, such as abnormal outbound connections, sudden increases in remote-access activity, or unexpected use of command-and-control domains.
The focus on initial access tools like infostealers and botnets reflects a shift in the malware economy. Rather than targeting only final ransomware payloads, many attacks begin with credential theft and endpoint infiltration, followed by lateral movement toward higher-value targets. By disrupting the supply chain of these tools, Operation Endgame sought to weaken the entire ecosystem rather than take down single operators. However, authorities caution that this is not the end of the threat. The infrastructure dismantled during this phase may be redesigned or replaced with new variants.
Organisations are advised to check for indicators of the affected malware families in their environments. This includes looking for legacy remote access tools, unusual encrypted outbound traffic, or unknown processes with system-level privileges. Ensuring that backups are isolated, limiting administrative access, and applying multi-factor authentication are basic yet essential safeguards. The disruption also emphasises the importance of cross-sector collaboration, timely sharing of intelligence, and coordination between public and private entities.
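One way to put the detection guidance above into practice, as an added example that is not part of the original article or of any Europol material: a baseline-versus-window check over egress logs that flags hosts contacting destination domains never seen before (possible unexpected command-and-control use) and hosts whose outbound connection rate suddenly jumps. The log format, host names and domains are constructed for the example; the `.invalid` domain is a placeholder, not an indicator from the operation.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed egress log sample (format assumed: "ISO-timestamp host domain port").
# The .invalid domain is a placeholder, not a real indicator from the operation.
SAMPLE_LOG = """\
2025-11-01T09:00:00 ws-101 login.microsoftonline.com 443
2025-11-02T09:05:00 ws-101 update.example-vendor.com 443
2025-11-03T10:00:00 ws-101 login.microsoftonline.com 443
2025-11-10T13:00:00 ws-101 beacon-placeholder.invalid 8443
2025-11-10T13:00:05 ws-101 beacon-placeholder.invalid 8443
2025-11-10T13:00:10 ws-101 beacon-placeholder.invalid 8443
2025-11-10T13:00:15 ws-101 beacon-placeholder.invalid 8443
2025-11-01T09:00:00 ws-102 login.microsoftonline.com 443
2025-11-10T11:00:00 ws-102 login.microsoftonline.com 443
"""

def parse(text):
    """Yield (timestamp, host, domain, port) for each log line."""
    for line in text.splitlines():
        ts, host, domain, port = line.split()
        yield datetime.fromisoformat(ts), host, domain, int(port)

def find_anomalies(log_text, window_start, window_days=1, spike_factor=3.0):
    """Compare a detection window against everything logged before it.
    Flags a host that contacts a domain absent from its baseline, or whose
    daily outbound connection count exceeds spike_factor x its baseline rate."""
    start = datetime.fromisoformat(window_start)
    end = start + timedelta(days=window_days)
    base_domains, win_domains = defaultdict(set), defaultdict(set)
    base_count, win_count, base_days = Counter(), Counter(), set()
    for ts, host, domain, _ in parse(log_text):
        if ts < start:
            base_domains[host].add(domain)
            base_count[host] += 1
            base_days.add(ts.date())
        elif ts < end:
            win_domains[host].add(domain)
            win_count[host] += 1
    n_days = max(len(base_days), 1)
    findings = {}
    for host in set(base_domains) | set(win_domains):
        new = sorted(win_domains[host] - base_domains[host])
        base_rate = max(base_count[host] / n_days, 1.0)  # floor damps near-silent hosts
        spike = win_count[host] / window_days > spike_factor * base_rate
        if new or spike:
            findings[host] = {"new_domains": new, "spike": spike}
    return findings
```

Running `find_anomalies(SAMPLE_LOG, "2025-11-10")` on the sample flags only `ws-101`, for both a new destination and a connection spike; tune `spike_factor` and the baseline length against your own environment's noise before acting on results.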
Operation Endgame may represent one of the largest coordinated strikes against malware-as-a-service platforms to date. By taking down infrastructure supporting Rhadamanthys, VenomRAT, and Elysium, law enforcement agencies have struck at the foundation of multiple cybercriminal networks. The effects will likely be measured over time as criminal operators rebuild and as defenders assess the remediation of compromised assets. For the millions of victims possibly affected, the operation may offer some relief, though the broader fight against commodity malware remains far from over.