Europol hails triple takedown with Rhadamanthys, VenomRAT, and Elysium sting operations
The Rhadamanthys infostealer operation is one of the latest victims of Europol's Operation Endgame, with more than a thousand servers taken down
In the latest stage of its Operation Endgame campaign, Europol has seriously disrupted the Rhadamanthys infostealer, VenomRAT, and Elysium botnet malware operations.
More than 1,000 servers used by the groups to infect hundreds of thousands of victims worldwide with malware were last week taken down.
Law enforcement searched one location in Germany, one in Greece, and nine in the Netherlands, seizing 20 domains. One arrest, related to the VenomRAT tool, has been made in Greece.
"The dismantled malware infrastructure consisted of hundreds of thousands of infected computers containing several million stolen credentials. Many of the victims were not aware of the infection of their systems," Europol said.
"The main suspect behind the infostealer had access to over 100,000 crypto wallets belonging to these victims, potentially worth millions of euros."
These hadn't yet been used to steal assets, Europol said. However, it's recommended checking politie.nl/checkyourhack and haveibeenpwned.com to find out whether computers have been hacked and learn what to do.
The Rhadamanthys infostealer harvests browser-resident data, including credentials, browser data, autofill information, and cryptocurrency wallet artifacts from browsers, password managers, and crypto wallets.
Sign up today and you will receive a free copy of our Future Focus 2026 report - the leading resource for IT decision-maker insight on priorities and investment areas in AI, security and more.
According to Proofpoint, it costs between $300 and $500 a month, with options for a higher price point for customized uses. The firm said it appears that the threat actor behind Rhadamanthys was not only facilitating information stealer operations but also stealing sensitive data from Rhadamanthys affiliates.
"In addition to the infrastructure disruption, it’s likely that this operation will also negatively affect the criminals’ reputation, leading affiliates to mistrust them," the firm pointed out.
According to the Shadowserver Foundation, which assisted in the operation, Rhadamanthys has grown to become one of the leading infostealers since Operation Endgame 2.0 disrupted the infostealer landscape earlier this year.
"It is important to note that Rhadamanthys may have been used to drop additional malware on infected systems, so other malware infections may also be active on these systems and require further local remediation efforts," the Shadowserver Foundation warned.
"These victim systems may also have been used in historic or recent intrusions and ransomware incidents."
VenomRAT, which first appeared in 2020, generally arrives through malicious email attachments or links, also using fake antivirus pages.
It gives its operators remote desktop-style control, allowing the theft of files, browser data, cryptocurrency wallets, credit card details, account passwords, and authentication cookies.
While it's mainly been used to target Latin American organizations, it has also claimed victims in North America and Western Europe.
The Elysium botnet meanwhile, carries out data theft, payload delivery and other tasks.
Operation Endgame, launched in 2024, has now led to total seizures of more than €21 million. This latest action follows an Operation Endgame raid in May that saw 300 servers taken down and 650 domains seized, along with €3.5 million.
Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.
MORE FROM ITPRO
- Botnets are being sold on the dark web for as little as $99
- What is polymorphic malware?
- Everything you need to know about Malware as a Service
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.
-
AWS hits back at EU cloud 'gatekeeper' designation hintsNews Gatekeeper designation under the legislation would force AWS and Microsoft to make concessions
-
Is the Top500 meaningless? Not so, says US national laboratory CTOIn-depth LINPACK may measure only one process, but there are real and meaningful use cases for exascale systems
-
‘This operation marked a shift in strategy’: Three notorious malware networks have been taken down using RICO legislationNews The action involved the use of US racketeering laws to treat two malware families as part of a single conspiracy
-
Duo accused of role in TfL cyber attack plead guilty after ‘lengthy, highly complex, and painstaking investigation’News Around 10 million people are believed to have been affected by the TfL cyber attack
-
Security experts sound alarm over 'expanded' China-linked botnet used to target US critical infrastructure and military assetsNews The China-linked botnet highlights risk of leaving routers and IoT devices unpatched
-
Developers urged to remain vigilant amid continued Miasma malware risksNews The Miasma malware package uses legitimate OIDC tokens, making it indistinguishable from routine code updates
-
Ransomware cartels are fragmenting into volatile splinter groups, warns Met Police cyber chiefNews Commoditized "cyber crime bazaars" and AI data mining are forcing law enforcement to rewrite its playbook
-
Hackers are turning up at law firms to gain physical access to machinesNews The FBI is warning companies to look out for fake IT staff
-
Claude users beware, hackers are using a fake website to dupe developers and deliver malwareNews 'Beagle' is deployed through a Dynamic Link Library (DLL) sideloading chain, and gives attackers remote access to the system
-
North Korean hackers are duping freelance developers with fake interviews to steal cryptocurrency and deliver malware — Sophos warns the 'Nickel Alley' group is using LinkedIn, Upwork, and Fiverr to target victimsNews A fake interview process uses coding tests and repo downloads to deliver malware
