Europol hails triple takedown with Rhadamanthys, VenomRAT, and Elysium sting operations
The Rhadamanthys infostealer operation is one of the latest victims of Europol's Operation Endgame, with more than a thousand servers taken down
In the latest stage of its Operation Endgame campaign, Europol has seriously disrupted the Rhadamanthys infostealer, VenomRAT, and Elysium botnet malware operations.
More than 1,000 servers used by the groups to infect hundreds of thousands of victims worldwide with malware were last week taken down.
Law enforcement searched one location in Germany, one in Greece, and nine in the Netherlands, seizing 20 domains. One arrest, related to the VenomRAT tool, has been made in Greece.
"The dismantled malware infrastructure consisted of hundreds of thousands of infected computers containing several million stolen credentials. Many of the victims were not aware of the infection of their systems," Europol said.
"The main suspect behind the infostealer had access to over 100,000 crypto wallets belonging to these victims, potentially worth millions of euros."
These hadn't yet been used to steal assets, Europol said. However, it's recommended checking politie.nl/checkyourhack and haveibeenpwned.com to find out whether computers have been hacked and learn what to do.
The Rhadamanthys infostealer harvests browser-resident data, including credentials, browser data, autofill information, and cryptocurrency wallet artifacts from browsers, password managers, and crypto wallets.
According to Proofpoint, it costs between $300 and $500 a month, with options for a higher price point for customized uses. The firm said it appears that the threat actor behind Rhadamanthys was not only facilitating information stealer operations but also stealing sensitive data from Rhadamanthys affiliates.
"In addition to the infrastructure disruption, it’s likely that this operation will also negatively affect the criminals’ reputation, leading affiliates to mistrust them," the firm pointed out.
According to the Shadowserver Foundation, which assisted in the operation, Rhadamanthys has grown to become one of the leading infostealers since Operation Endgame 2.0 disrupted the infostealer landscape earlier this year.
"It is important to note that Rhadamanthys may have been used to drop additional malware on infected systems, so other malware infections may also be active on these systems and require further local remediation efforts," the Shadowserver Foundation warned.
"These victim systems may also have been used in historic or recent intrusions and ransomware incidents."
VenomRAT, which first appeared in 2020, generally arrives through malicious email attachments or links, also using fake antivirus pages.
It gives its operators remote desktop-style control, allowing the theft of files, browser data, cryptocurrency wallets, credit card details, account passwords, and authentication cookies.
While it's mainly been used to target Latin American organizations, it has also claimed victims in North America and Western Europe.
The Elysium botnet meanwhile, carries out data theft, payload delivery and other tasks.
Operation Endgame, launched in 2024, has now led to total seizures of more than €21 million. This latest action follows an Operation Endgame raid in May that saw 300 servers taken down and 650 domains seized, along with €3.5 million.
Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.
MORE FROM ITPRO
- Botnets are being sold on the dark web for as little as $99
- What is polymorphic malware?
- Everything you need to know about Malware as a Service
-
Google says AI is now being used to build zero-day exploitsNews Google cyber researchers think they’ve found the first AI-generated zero-day exploit
-
Changes to EU AI Act implementation deadlines welcomed by industryNews New implementation deadlines for the EU AI Act could help remove “genuine friction” for European companies
-
Claude users beware, hackers are using a fake website to dupe developers and deliver malwareNews 'Beagle' is deployed through a Dynamic Link Library (DLL) sideloading chain, and gives attackers remote access to the system
-
North Korean hackers are duping freelance developers with fake interviews to steal cryptocurrency and deliver malware — Sophos warns the 'Nickel Alley' group is using LinkedIn, Upwork, and Fiverr to target victimsNews A fake interview process uses coding tests and repo downloads to deliver malware
-
Tycoon 2FA is down, but not out – researchers warn the phishing as a service operation is still a huge threat to businessesNews Millions of Tycoon 2FA attacks are still hitting businesses, according to research from Barracuda
-
German authorities want your help finding the hackers behind GandCrab and REvilNews Daniil Maksimovich Shchukin and Anatoly Sergeevitsch Kravchuk are believed to have made millions from ransomware as a service schemes
-
‘The build pipeline is becoming the new frontline’: Axios npm compromise highlights growing software supply chain risks, experts warnNews Cyber criminals exploited a hijacked maintainer account to compromise one of the world's most widely used JavaScript libraries
-
Interpol teams up with tech firms to seize 45,000 malicious IPs, servers in global cyber crime crackdownNews Operation Synergia III saw 94 arrests - and counting - with malicious IP addresses used in phishing and fraud schemes seized
-
'It's destructive, not ransomware': Security experts weigh in on motivation behind Stryker cyber attackNews The attack on medical tech company Stryker has severely impacted operations globally
-
Thousands of Asus routers are being used to fuel a massive cyber crime spreeNews Black Lotus Labs has spotted a massive botnet of Asus routers built by malware that uses a common peer networking tool
