Europol hails triple takedown with Rhadamanthys, VenomRAT, and Elysium sting operations
The Rhadamanthys infostealer operation is one of the latest victims of Europol's Operation Endgame, with more than a thousand servers taken down
In the latest stage of its Operation Endgame campaign, Europol has seriously disrupted the Rhadamanthys infostealer, VenomRAT, and Elysium botnet malware operations.
Last week, more than 1,000 servers used by the groups to infect hundreds of thousands of victims worldwide with malware were taken down.
Law enforcement searched one location in Germany, one in Greece, and nine in the Netherlands, seizing 20 domains. One arrest, related to the VenomRAT tool, has been made in Greece.
"The dismantled malware infrastructure consisted of hundreds of thousands of infected computers containing several million stolen credentials. Many of the victims were not aware of the infection of their systems," Europol said.
"The main suspect behind the infostealer had access to over 100,000 crypto wallets belonging to these victims, potentially worth millions of euros."
According to Europol, these wallets had not yet been drained. It recommends that users check politie.nl/checkyourhack and haveibeenpwned.com to find out whether their computers have been compromised and what to do next.
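The haveibeenpwned.com check recommended above covers the breach side; when rotating credentials after an infostealer incident, the same service's Pwned Passwords range API lets you screen each replacement password without sending it anywhere. The following is an added example, not code from the article, Europol, or Have I Been Pwned: it implements the k-anonymity lookup, in which only the first five hex characters of the password's SHA-1 are sent to the endpoint and the match is made locally against the returned list of suffixes. The sample response body is constructed (the real endpoint returns several hundred suffixes per prefix and the counts shown are made up); the one real value is the SHA-1 of "password", included so the logic can be checked offline.

```python
import hashlib
import urllib.request
from typing import Callable

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed sample of a range response for prefix 5BAA6. Each line is
# "<35-hex-char suffix>:<count>". The third line is the real suffix of
# SHA-1("password"); the counts and the other suffixes are made up.
SAMPLE_RANGES = {
    "5BAA6": (
        "1E2AAA439972480CEC7F16C795BBB429372:1\n"
        "1E3687EFC2A2A1F5E98FAC8DD27D0C7D5B2:2\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\n"
        "1E5F2E93FFEA2A1BA3A8A0C79ED9D0F28F1:4\n"
    ),
}


def split_hash(password: str) -> tuple[str, str]:
    """Return (prefix, suffix) of the uppercase hex SHA-1 of the password.

    Only the 5-character prefix ever leaves the host; the 35-character
    suffix is compared locally against what the service returns.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a {suffix: count} map.

    Padded responses (when the Add-Padding header is sent) contain extra
    suffixes with a count of 0; those are harmless here because a real
    match has a positive count.
    """
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def fetch_range(prefix: str) -> str:
    """Live lookup against the Pwned Passwords range endpoint (network)."""
    req = urllib.request.Request(
        PWNED_RANGE_URL + prefix,
        headers={"User-Agent": "credential-rotation-check", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def sample_fetch(prefix: str) -> str:
    """Offline stand-in for fetch_range, backed by the constructed sample."""
    return SAMPLE_RANGES.get(prefix, "")


def breach_count(password: str, fetch: Callable[[str], str] = fetch_range) -> int:
    """Number of times the password appears in the corpus, or 0 if unseen."""
    prefix, suffix = split_hash(password)
    return parse_range_response(fetch(prefix)).get(suffix, 0)


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        seen = breach_count(candidate, fetch=sample_fetch)
        verdict = f"seen {seen} times, reject" if seen else "not in sample, acceptable"
        print(f"{candidate!r}: {verdict}")
```

Swap `sample_fetch` for the default `fetch_range` to query the live service; the `fetch` parameter exists so the logic can be exercised without network access and so the prefix actually sent can be inspected in a test.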
The Rhadamanthys infostealer harvests credentials, saved browser data, autofill information, and cryptocurrency wallet artifacts from browsers, password managers, and crypto wallet software on the infected host.
According to Proofpoint, Rhadamanthys is sold for between $300 and $500 a month, with a higher price tier for customized builds. The firm said the threat actor behind Rhadamanthys appears to have been not only running an infostealer service but also stealing sensitive data from the service's own affiliates.
"In addition to the infrastructure disruption, it’s likely that this operation will also negatively affect the criminals’ reputation, leading affiliates to mistrust them," the firm pointed out.
According to the Shadowserver Foundation, which assisted in the operation, Rhadamanthys has grown to become one of the leading infostealers since Operation Endgame 2.0 disrupted the infostealer landscape earlier this year.
"It is important to note that Rhadamanthys may have been used to drop additional malware on infected systems, so other malware infections may also be active on these systems and require further local remediation efforts," the Shadowserver Foundation warned.
"These victim systems may also have been used in historic or recent intrusions and ransomware incidents."
VenomRAT, which first appeared in 2020, is typically delivered through malicious email attachments or links, and has also been distributed via fake antivirus pages.
It gives its operators remote desktop-style control, allowing the theft of files, browser data, cryptocurrency wallets, credit card details, account passwords, and authentication cookies.
While it's mainly been used to target Latin American organizations, it has also claimed victims in North America and Western Europe.
The Elysium botnet, meanwhile, is used for data theft, delivery of additional payloads, and other tasks on infected systems.
Operation Endgame, launched in 2024, has now led to seizures totalling more than €21 million. This latest action follows an Operation Endgame raid in May that saw 300 servers taken down and 650 domains seized, along with €3.5 million.
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.