Rhadamanthys infostealer operation disrupted by law enforcement

The rumors were true: Operation Endgame, a joint effort between law enforcement and judicial authorities of several European countries, Australia, Canada, the UK and the US, has disrupted the infrastructure supporting the operation of the Rhadamanthys infostealer.

“Between 10 and 14 November 2025, the latest phase of Operation Endgame was coordinated from Europol’s headquarters in The Hague. The actions targeted one of the biggest infostealers (Rhadamanthys), the Remote Access Trojan VenomRAT, and the botnet Elysium, all of which played a key role in international cybercrime. Authorities took down these three large cybercrime enablers,” Europol announced on Thursday.

The malware

Rhadamanthys is capable of stealing login credentials, browser data, cryptocurrency wallet information, autofilled data, and other sensitive information from browsers, password managers, and crypto wallets.

It is sold or rented as “malware-as-a-service”: customers get the malware to spread and use as they will, and they harvest the stolen data via a web panel.

VenomRAT is a remote access trojan that can exfiltrate a variety of files and steal cryptocurrency wallets, browser data, credit card details, account passwords, and authentication cookies.

Not much is known about the Elysium botnet, but according to threat intelligence by Paratus, Rhadamanthys operators have been marketing tools like Elysium Proxy Bot.

Machines infected with Rhadamanthys or VenomRAT may also have been equipped with the proxy bot and thus roped into a botnet serving the criminals.

What happened?

Europol says that this phase of Operation Endgame resulted in the takedown/disruption of over 1,025 servers worldwide, the seizure of 20 domains, and the arrest of the main suspect for VenomRAT in Greece on November 3, 2025.

“The dismantled malware infrastructure consisted of hundreds of thousands of infected computers containing several million stolen credentials. Many of the victims were not aware of the infection of their systems. The main suspect behind the infostealer had access to over 100 000 crypto wallets belonging to these victims, potentially worth millions of euros,” the EU agency shared.

“There were actions aimed at criminal services and their criminal users. These users were directly contacted by the police and asked to share relevant information regarding infostealers via the Operation Endgame Telegram channel.”

The Operation Endgame website has been updated with a new video mocking the Rhadamanthys operators and asking their customers to get in touch with law enforcement.

The operation gathers a variety of law enforcement partners, cybersecurity companies, and institutions, and has previously disrupted DanaBot, Qakbot, SmokeLoader, IcedID, and other malware operations.

What should users do?

Users have been advised to check whether their computer has been infected with malware and whether their credentials have been compromised.

Shadowserver has published a Rhadamanthys Historical Bot Infections Special Report, which includes information about devices infected with the Rhadamanthys infostealer between March 14 and October 11, 2025.

The report has also been shared with 201 National CSIRTs in 175 countries and 10,000+ network owners, who should use it to identify compromised computers and alert their owners.

“If you receive a Rhadamanthys notification, please act to identify and remediate those compromised devices and user accounts immediately,” the non-profit urged.
