Operation Endgame: Europol Disrupts Key Malware Infrastructure

By Carl | Published on November 13, 2025

News

In early November 2025, Europol led a coordinated international effort, dubbed Operation Endgame, targeting three widely deployed malware platforms: the Rhadamanthys infostealer, the VenomRAT remote access trojan, and the Elysium botnet. The campaign involved multiple countries and private cybersecurity partners, resulting in arrests, server takedowns, and domain seizures.

About the Operation

Operation Endgame was a coordinated international effort to dismantle major malware infrastructure affecting hundreds of thousands of devices worldwide. The campaign targeted three platforms—Rhadamanthys, VenomRAT, and the Elysium botnet—disrupting over 1,000 servers and seizing 20 domains, while also resulting in arrests, including the main operator of VenomRAT. By combining law enforcement from multiple countries with private cybersecurity partners, the operation aimed not only to neutralize the malware and recover stolen data, but also to trace connections between operators, customers, and compromised systems.

Malware Platforms Involved

Rhadamanthys is a malware-as-a-service platform, allowing customers to rent or purchase access for spreading infections and collecting stolen data. The infostealer can extract login credentials, browser histories, cookies, autofill data, password manager entries, and cryptocurrency wallet information. Newer versions also collect detailed device and browser fingerprints and incorporate stealth features to evade antivirus programs and network monitoring tools. Analysts report that Rhadamanthys infections may have been further integrated into proxy networks like the Elysium botnet, extending its operational reach.

VenomRAT enables attackers to take full control of compromised devices, exfiltrating files, passwords, browser data, authentication cookies, and cryptocurrency wallets. The main suspect linked to VenomRAT was arrested in Greece on November 3, 2025. While precise figures are under investigation, reports indicate the malware provided access to tens of thousands of cryptocurrency wallets.

Elysium remains the least publicly documented of the three. Threat intelligence suggests it functioned as a proxy bot network, potentially leveraging devices infected with Rhadamanthys or VenomRAT to route traffic, obscure criminal activity, or facilitate additional malware distribution.

Scope and Impact

The operation spanned 11 locations across Germany, Greece, and the Netherlands, targeting both malware operators and infrastructure. Authorities disrupted over 1,025 servers and seized 20 domains linked to the platforms. The takedown affected hundreds of thousands of computers worldwide, with millions of stolen credentials and thousands of compromised cryptocurrency wallets. Many victims were unaware that their systems had been infected.

Law enforcement also contacted users of the malware services to collect intelligence on operators and further trace financial flows. Public notices and guidance were issued, helping individuals and network operators check for infections and secure their accounts, including recommendations to change passwords and enable multi-factor authentication.

Participating Organizations

Operation Endgame brought together law enforcement agencies from Australia, Belgium, Canada, Denmark, France, Germany, Greece, Lithuania, the Netherlands, the United Kingdom, and the United States. Private cybersecurity firms, including Proofpoint, CrowdStrike, Bitdefender, Spycloud, and Shadowserver, provided technical support, threat intelligence, and forensic analysis. Europol coordinated operational actions, data analysis, and cryptocurrency tracing from its command center in The Hague, with Eurojust supporting legal instruments such as European Arrest Warrants and Investigation Orders.

Conclusion

Operation Endgame represents a major step in dismantling malware infrastructure used to steal sensitive data and cryptocurrency. Investigators continue to monitor active servers, analyze seized infrastructure, and map connections between malware operators and their customers. While some details on Elysium remain limited, evidence indicates devices infected with Rhadamanthys or VenomRAT may have been incorporated into the botnet, enhancing its reach. The operation underscores the importance of international cooperation in combating cybercrime and providing affected users with tools and guidance to secure their systems.
