Over the last three days, three major malware strains have been taken down in a large-scale law enforcement operation called Operation Endgame 3.0.
The ongoing initiative was coordinated by Europol and spanned 11 countries including law enforcement agencies from six EU countries, Australia, Canada, the UK and the US, and over 30 private partners from the cybersecurity industry.
Impacted infrastructure is linked to notorious infostealer Rhadamanthys, a remote access trojan called VenomRAT, and the Elysium botnet.
The mission also resulted in:
- Over 1025 servers taken down or disrupted
- 20 domains seized
- 11 locations searched
- The arrest of the suspected main operator of VenomRAT in Greece
Rhadamanthys infostealer “had grown to become one of the leading infostealers since Operation Endgame ‘Season 2’ disrupted the infostealer landscape,” according to a UK government-funded non-profit Shadowserver Foundation statement published on November 13.
This latest operation is the third series of takedowns of cybercrime-enabling infrastructure after Operation Endgame 1.0 (May 2024) and Operation Endgame 2.0 (April 2025).
Phil Wylie, Senior Consultant & Evangelist, Suzu had this to say:
“This operation shows what’s possible when intelligence and collaboration align, but dismantling one infrastructure doesn’t end the threat. Threat actors adapt fast, and defenders must be faster.
“To help reduce such risks, practicing good security hygiene is imperative, as well as proactive security measures including security assessments including penetration tests, and security controls validation.”
Michael Bell, Founder & CEO, Suzu:
“It’s true that it’s cat and mouse, but impact isn’t measured by permanence. Impact is measured by disruption cost and defender advantage gained.
“Operation Endgame 3.0 is forcing adversaries to rebuild 1,025 servers and reconstitute infrastructure across three major malware families (Rhadamanthys, VenomRAT, Elysium) means they’re investing resources in recovery instead of new attacks, and every credential rotation or system hardening that happens during this window reduces future attack surface.
“The arrest of VenomRAT’s main operator and seizure of databases containing millions of stolen credentials also creates operational security paranoia within cybercrime networks because when your infrastructure gets seized, you don’t know what intelligence law enforcement now has about your customers, affiliates, and future plans.
“So yes, they’ll rebuild, but these operations buy defenders time, degrade adversary confidence, and validate the public-private collaboration model that’s the only way to sustainably disrupt the cybercrime ecosystem.”
John Carberry, CMO, Xcape, Inc.:
“Reports indicate that criminals are now locked out of Rhadamanthys control panels, causing significant operational challenges for those involved. Security teams should now scan endpoints for remaining threats, change tokens and credentials across their systems, and integrate new indicators of compromise (IOCs) from the takedown to identify any lingering infections. Expect subsequent phishing campaigns and criminals’ attempts to rebuild infrastructure as they adapt and try new methods.
“The only way to win the cyberwar is to persistently decapitate the criminal infrastructure that runs the world’s malware economy.”
I welcome this news as the only way to beat cybercriminals is to make the cost of operation so high and so difficult that they abandon ransomware as a means to make money. This is a step towards that goal. But only a step as more needs to be done.
Like this:
Like Loading...
Related
This entry was posted on November 13, 2025 at 1:46 pm and is filed under Commentary with tags Europol. You can follow any responses to this entry through the RSS 2.0 feed.
You can leave a response, or trackback from your own site.
Three destructive malware networks taken down in Operation Endgame 3.0
Over the last three days, three major malware strains have been taken down in a large-scale law enforcement operation called Operation Endgame 3.0.
The ongoing initiative was coordinated by Europol and spanned 11 countries including law enforcement agencies from six EU countries, Australia, Canada, the UK and the US, and over 30 private partners from the cybersecurity industry.
Impacted infrastructure is linked to notorious infostealer Rhadamanthys, a remote access trojan called VenomRAT, and the Elysium botnet.
The mission also resulted in:
Rhadamanthys infostealer “had grown to become one of the leading infostealers since Operation Endgame ‘Season 2’ disrupted the infostealer landscape,” according to a UK government-funded non-profit Shadowserver Foundation statement published on November 13.
This latest operation is the third series of takedowns of cybercrime-enabling infrastructure after Operation Endgame 1.0 (May 2024) and Operation Endgame 2.0 (April 2025).
Phil Wylie, Senior Consultant & Evangelist, Suzu had this to say:
“This operation shows what’s possible when intelligence and collaboration align, but dismantling one infrastructure doesn’t end the threat. Threat actors adapt fast, and defenders must be faster.
“To help reduce such risks, practicing good security hygiene is imperative, as well as proactive security measures including security assessments including penetration tests, and security controls validation.”
Michael Bell, Founder & CEO, Suzu:
“It’s true that it’s cat and mouse, but impact isn’t measured by permanence. Impact is measured by disruption cost and defender advantage gained.
“Operation Endgame 3.0 is forcing adversaries to rebuild 1,025 servers and reconstitute infrastructure across three major malware families (Rhadamanthys, VenomRAT, Elysium) means they’re investing resources in recovery instead of new attacks, and every credential rotation or system hardening that happens during this window reduces future attack surface.
“The arrest of VenomRAT’s main operator and seizure of databases containing millions of stolen credentials also creates operational security paranoia within cybercrime networks because when your infrastructure gets seized, you don’t know what intelligence law enforcement now has about your customers, affiliates, and future plans.
“So yes, they’ll rebuild, but these operations buy defenders time, degrade adversary confidence, and validate the public-private collaboration model that’s the only way to sustainably disrupt the cybercrime ecosystem.”
John Carberry, CMO, Xcape, Inc.:
“Reports indicate that criminals are now locked out of Rhadamanthys control panels, causing significant operational challenges for those involved. Security teams should now scan endpoints for remaining threats, change tokens and credentials across their systems, and integrate new indicators of compromise (IOCs) from the takedown to identify any lingering infections. Expect subsequent phishing campaigns and criminals’ attempts to rebuild infrastructure as they adapt and try new methods.
“The only way to win the cyberwar is to persistently decapitate the criminal infrastructure that runs the world’s malware economy.”
I welcome this news as the only way to beat cybercriminals is to make the cost of operation so high and so difficult that they abandon ransomware as a means to make money. This is a step towards that goal. But only a step as more needs to be done.
Share this:
Like this:
Related
This entry was posted on November 13, 2025 at 1:46 pm and is filed under Commentary with tags Europol. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.