Operation Endgame Dismantles 1,025 Malware Servers

Europol and Eurojust dismantled major criminal infrastructure powering widespread infostealer, RAT, and botnet operations.

Nov 13, 2025

Europol and Eurojust, working with law enforcement agencies in eleven countries, executed a synchronized takedown of infrastructure tied to three staple cybercrime tools: the Rhadamanthys infostealer, the VenomRAT remote access trojan, and the Elysium botnet.

The coordinated effort resulted in 1,025 servers and 20 domains seized or disrupted, and the principal VenomRAT suspect arrested in Greece.

Authorities say the servers touched hundreds of thousands of infected systems and held several million stolen credentials.

By hitting crimeware platforms that sit upstream of ransomware and credential theft, the operation went after the supply chain, not just one crew.

This phase continues Operation Endgame, a multi-year push to break criminal infrastructure and block ransomware delivery channels.

It follows major actions in May 2025 that neutralized roughly 300 servers and 650 domains and seized €3.5 million, bringing total Endgame-linked seizures above €21.2 million.

What Happened

The November investigation zeroed in on command-and-control (C2) and hosting used to run infections at scale.

Police searched locations in Germany, Greece, and the Netherlands. At the same time, they seized domains and pulled servers out of criminal hands, a one-two that hit both the racks and the routing.

Malware Behavior and Capabilities

Rhadamanthys is a commercial-grade infostealer built to harvest browser-resident data and stored secrets at scale.

It can pull login credentials, browser data, autofill information, and cryptocurrency wallet artifacts from browsers, password managers, and crypto wallets.

Recent versions added device and browser fingerprinting to improve evasion and reconnaissance, a clear investment in staying hidden while maximizing monetization.

VenomRAT was marketed for about $150 per month and was typically delivered through malicious email attachments. Once in, operators had full remote control, could steal data, and could stage follow-on attacks.

VenomRAT gives operators remote-desktop-style control and a backdoor on the victim system. That enables theft of files, browser data, cryptocurrency wallets, credit card details, account passwords, and authentication cookies.

The same remote control makes it a handy platform for lateral movement and for dropping secondary payloads once the initial foothold is obtained.

Elysium operated as a botnet, aggregating large numbers of compromised hosts for data theft, payload delivery, or other tasks.

The combined footprint of these ecosystems produced millions of stolen credentials and widespread silent compromise. Many victims learned of infections only after notifications triggered by the takedown.

Taking Down the Supply Chain

This operation was aimed at crimeware-as-a-service (CaaS) ecosystems, not at a single actor or state unit.

Details released by Europol indicate the principal suspect tied to Rhadamanthys maintained access to more than 100,000 cryptocurrency wallets belonging to victims, suggesting losses in the millions of euros.

Separately, the main VenomRAT suspect was arrested in Greece, a direct hit on the development and distribution side of a commodity RAT.

The action shows broad coordination.

Agencies from Australia, Belgium, Canada, Denmark, France, Germany, Greece, Lithuania, the Netherlands, the United Kingdom, and the United States took part.

Private sector defenders contributed as well, including Shadowserver, Proofpoint, CrowdStrike, Bitdefender, and others.

Public reporting stops short of attributing the broader ecosystems to named groups beyond the arrested suspects.

Wider Campaign Impact

This takedown is notable for its size and for pulling operational headroom away from criminal customers.

Buyers of Rhadamanthys’ malware-as-a-service (MaaS) are already losing access to operational servers, a direct hit to monetization and to follow-on intrusion activity.

The seizure of 1,025 servers and twenty domains narrows the command, hosting, and distribution infrastructure that powered hundreds of thousands of infected devices.

Earlier Endgame phases named and disrupted families such as Bumblebee, Latrodectus, Qakbot, HijackLoader, DanaBot, Trickbot, and Warmcookie, a sustained focus on tools that enable credential theft and initial access for extortion operations.

The joint footprint from law enforcement and industry also fuels victim notification and credential cleanup.

Given the volume of stolen credentials uncovered, organizations should expect outreach from national CSIRTs and service providers.

Defensive Measures

  • Prioritize credential hygiene: Force password resets for enterprise accounts that may be stored in browsers, password managers, or synced profiles. Require multi-factor authentication (MFA) across all externally accessible services.
  • Harden email security and user awareness: VenomRAT’s reliance on malicious attachments argues for layered email controls, attachment sandboxing, and routine phishing simulations. Watch for odd attachment types and macro-enabled documents common in commodity malware delivery.
  • Validate endpoint visibility: Ensure EDR coverage is complete, agents are current, and telemetry is retained for realistic dwell times. Hunt for unauthorized remote administration tools and for process-to-network patterns typical of RAT activity.
  • Segment high-risk assets: Use network segmentation and strict egress filtering to limit lateral movement and outbound C2. Where possible, restrict outbound traffic to known-good destinations through allowlisting and proxy inspection.
  • Monitor for reconstitution: Criminal operators routinely rehost after takedowns. Track advisories from national CSIRTs and trusted partners for fresh indicators and victim notification channels, and subscribe to provider breach notification services to speed credential resets.
  • Protect crypto assets: If you manage cryptocurrency, assume potential wallet data exposure. Rotate wallet seeds where feasible, move funds to new wallets under secure operational practices, and audit endpoints used for key management.

The November phase of Operation Endgame shows that coordinated, intelligence-driven infrastructure seizures can materially cut the capacity of cybercriminal markets.

By disrupting 1,025 servers and 20 domains and arresting a principal suspect tied to VenomRAT, authorities restricted access to tools that feed ransomware and credential theft pipelines.

The scale of compromised hosts and exposed credentials, often unknown to victims, calls for rapid credential rotation, endpoint hardening, and continuous monitoring.
