Law enforcement from nine countries—Australia, Canada, Denmark, France, Germany, Greece, Lithuania, the Netherlands, and the United States—executed a coordinated strike on cybercrime infrastructure under Operation Endgame, led by Europol and Eurojust. Between 10–14 November 2025, authorities disabled 1,025 servers, seized 20 domains, and conducted searches at 11 locations across Germany, Greece, and the Netherlands. The action targeted infrastructure attributed to the Rhadamanthys info‑stealer, VenomRAT, and the Elysium botnet.
Global coordination and public–private partnership
The takedown combined law-enforcement efforts with leading private-sector threat intelligence and incident response teams, including Cryptolaemus, Shadowserver, SpyCloud, Team Cymru, Proofpoint, CrowdStrike, Lumen, Abuse.ch, Have I Been Pwned, Spamhaus, DIVD, and Bitdefender. This public–private model accelerated attribution, synchronized server sinkholing and hoster outreach, and streamlined legal processes for domain seizures.
In the lead-up to the operation, operators and customers of Rhadamanthys reported losing access to control panels. Multiple reports noted logins from German IP addresses—an early indicator of coordinated legal actions. Post-operation summaries on the official Endgame portal confirm the scope of raids and infrastructure blocks carried out by European agencies.
Threat landscape: Rhadamanthys, VenomRAT, and Elysium
Rhadamanthys is a credential-stealing malware (“info‑stealer”) built to exfiltrate saved passwords, browser cookies, autofill data, and crypto wallets. VenomRAT is a remote access tool (RAT) enabling persistent, hands-on-keyboard control over victim systems. Elysium functions as a botnet, conscripting compromised devices for follow-on attacks, spam delivery, and additional malware deployment.
Europol reports that the disrupted infrastructure controlled hundreds of thousands of infected devices and held millions of stolen credentials. A key suspect associated with the info‑stealer ecosystem allegedly had access to more than 100,000 cryptocurrency wallets belonging to potential victims. On 3 November, Greek authorities arrested an individual linked to VenomRAT.
C2 footprint and infection trends
According to Lumen telemetry, Rhadamanthys activity surged in October–November 2025, averaging roughly 300 active C2 servers daily with a peak of 535 in October. Over 60% of controllers were hosted in the United States, Germany, the United Kingdom, and the Netherlands. Notably, more than 60% of C2 servers evaded detection on VirusTotal, aligning with a spike in new infections—over 4,000 unique victim IPs per day in October.
Shadowserver observed Rhadamanthys frequently serving as an initial access vector, dropping additional payloads post-compromise. From March to November 2025, analysts recorded 525,303 Rhadamanthys infections and over 86.2 million data-theft events. Approximately 63,000 affected IPs were located in India, underscoring the global distribution of victims.
Victim risk and how to check exposure
Info‑stealers and RATs pose long-tail risks: stolen credentials, active sessions, and crypto wallets may be compromised well before detection. Europol recommends checking for compromise at politie.nl/checkyourhack and verifying whether email addresses appear in known breaches via Have I Been Pwned.
Incident response and hardening steps
- Reimage or thoroughly clean infected systems; deploy EDR/AV with behavioral analytics.
- Rotate all passwords and invalidate session tokens for browsers, SSO, VPNs, and cloud apps.
- Enable multifactor authentication (MFA) everywhere, prioritizing phishing-resistant methods where possible.
- Audit and remove suspicious browser extensions; clear cookies and saved credentials from a known-clean host.
- Move crypto assets to new wallets created on clean devices; treat prior seed phrases as exposed.
- Monitor egress traffic for connections to known C2 indicators; update IDS/IPS signatures and blocklists.
- Run retro hunts using IOCs released by participating organizations; validate persistence and scheduled tasks.
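The egress-monitoring and retro-hunt steps above are easiest to see in code. The following is an added example, not from the article or from any Operation Endgame partner: a small Python retro hunt that takes a list of C2 indicators (IPs, CIDR ranges and domains), runs it over firewall/proxy egress log lines, and produces a queue of internal hosts that need reimaging and credential rotation. The IOC values and log lines are constructed placeholders (TEST-NET addresses and `.invalid` domains), and the `src=/dst=/host=` log format is an assumption; real indicators come from the participating organizations' releases.

```python
"""Retro hunt over egress logs for known C2 indicators (added example).

The IOC set and the log lines below are constructed for illustration and are
not the indicators released by the Operation Endgame partners. The log format
(ts src=... dst=...:port host=...) is an assumed simplified firewall/proxy format.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed IOC set: placeholder TEST-NET addresses and .invalid domains.
IOC_IPS = {"198.51.100.23", "203.0.113.77"}
IOC_DOMAINS = {"panel-update.invalid", "cdn-sync.invalid"}
IOC_CIDRS = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed egress log lines; "host=-" means no TLS SNI / HTTP Host was seen.
SAMPLE_LOGS = """\
2025-11-12T09:14:02Z src=10.0.5.14 dst=198.51.100.23:443 host=-
2025-11-12T09:14:05Z src=10.0.5.14 dst=104.16.0.10:443 host=www.example.com
2025-11-12T10:02:41Z src=10.0.7.88 dst=192.0.2.45:8080 host=-
2025-11-13T11:30:10Z src=10.0.5.14 dst=172.67.1.1:443 host=panel-update.invalid
2025-11-13T12:00:00Z src=10.0.9.3 dst=8.8.8.8:53 host=-
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+):(?P<port>\d+) host=(?P<host>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict; return None for lines that do not fit the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    rec["port"] = int(rec["port"])
    return rec


def match_ioc(rec):
    """Return the indicator a record hits (exact IP, CIDR range, or domain/subdomain), else None."""
    dst = rec["dst"]
    if dst in IOC_IPS:
        return f"ip:{dst}"
    addr = ipaddress.ip_address(dst)
    for net in IOC_CIDRS:
        if addr in net:
            return f"cidr:{net}"
    host = rec["host"].lower()
    for domain in IOC_DOMAINS:
        # Match the domain itself and any subdomain of it, but not "notpanel-update.invalid".
        if host == domain or host.endswith("." + domain):
            return f"domain:{domain}"
    return None


def hunt(log_text, since=None):
    """Retro hunt: map each internal source IP to the (timestamp, indicator) hits in its egress.

    `since` is an optional ISO date string (e.g. "2025-11-13") bounding the lookback window.
    """
    cutoff = datetime.fromisoformat(since) if since else None
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or (cutoff is not None and rec["ts"] < cutoff):
            continue
        ioc = match_ioc(rec)
        if ioc:
            hits[rec["src"]].append((rec["ts"].isoformat(), ioc))
    return dict(hits)


def remediation_queue(hits):
    """Hosts to reimage and whose users need password/session rotation, most hits first."""
    return sorted(hits, key=lambda src: (-len(hits[src]), src))


if __name__ == "__main__":
    found = hunt(SAMPLE_LOGS)
    for src in remediation_queue(found):
        print(src, found[src])
```

Note that the fourth sample line is caught only by the domain indicator: its destination IP is not on the list, which is why egress matching should consider SNI/Host as well as the IP. The date bound models the lookback window a retro hunt typically uses once the partners' indicator releases give you an activity timeframe.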
Context and implications for defenders
Earlier stages of Operation Endgame neutralized the AVCheck service and infrastructure associated with SmokeLoader, DanaBot, IcedID, Pikabot, TrickBot, Bumblebee, and SystemBC. The continued dismantling of C2 and hosting layers demonstrates that sustained, synchronized pressure can disrupt cybercrime logistics at scale. For defenders, this window is an opportunity to cut dwell time, close credential gaps, and harden identity and endpoint controls while adversary infrastructure is degraded.
Act quickly: rebuild or clean compromised hosts, rotate secrets, enable MFA, and push IOC-based detections across your stack. Rapid remediation reduces the chance of re-compromise and limits the downstream abuse of stolen data.