A coordinated global law-enforcement campaign has hit hard at the infrastructure of three pervasive malware families, delivering what officials say is one of the largest blows yet to organised cyber-crime. Between 10 and 13 November, authorities from 11 countries dismantled server networks, seized domains and effected arrests as part of the latest phase of Operation Endgame — designated “3.0”.
Operation Endgame 3.0 extended across multiple continents, involving law-enforcement agencies from the European Union nations Belgium, Denmark, France, Germany, Greece, Lithuania and the Netherlands, as well as Australia, Canada, the United Kingdom and the United States. The European operation centre was based in The Hague, Netherlands.
Key coordinating organisations included Europol, Eurojust, the FBI and more than 30 private-sector cybersecurity firms. Among the private-sector partners were: Bitdefender, CrowdStrike, the Shadowserver Foundation (a non-profit partner), Cryptolaemus, Cymru, PRODAFT, Proofpoint, SEKOIA, Zscaler, Abuse.ch, Computest, Spamhaus, Have I Been Pwned, Fox-IT, NFIR, Northwave Cybersecurity, Lumen Technologies, SpyCloud, Trellix, ESET, Microsoft, Eye Security, DataExpert and DIVD.
According to the official tally, more than 1,025 servers were taken down or disrupted, 20 domains were seized and 11 search warrants were executed: in Germany, in Greece and at nine sites in the Netherlands. In Greece, authorities arrested the suspected principal operator of the remote-access trojan (RAT) known as VenomRAT.
In a public statement, Europol characterised the dismantled infrastructure as “responsible for infecting hundreds of thousands of victims worldwide with malware.” Many of those victims were reportedly unaware their systems had been compromised.
Targeted Malware: Rhadamanthys, VenomRAT & Elysium
At the heart of this operation were three well-established threat platforms:
- The infostealer Rhadamanthys, which the Shadowserver Foundation describes as having become “one of the leading infostealers” since last year’s disruption under Operation Endgame Season 2. The group notified 201 national CERTs in 175 countries and over 10,000 network owners about infections between March and November 2025.
- VenomRAT, a modified fork of the well-known QuasarRAT remote-access tool, first discovered in 2020. It was marketed on underground forums at around USD 150/month, and typically deployed through malicious Office attachments and obfuscated PowerShell libraries.
- The botnet labelled Elysium, which served as a key enabler of distributed malware campaigns, credential harvesting and remote-access attacks.
A particularly alarming disclosure: the suspect behind Rhadamanthys reportedly controlled access to more than 100,000 cryptocurrency wallets belonging to victims—worth “potentially millions of euros,” according to Europol.
Below is a detailed breakdown of each malware family — Rhadamanthys, VenomRAT, and Elysium — explaining what they are, how they operate, why they became influential in the cyber-crime ecosystem, and why law enforcement targeted them during Operation Endgame 3.0.
1. Rhadamanthys Infostealer
Rhadamanthys is a highly sophisticated information-stealing malware (infostealer) first observed in circulation in 2022. It was sold on cyber-crime forums and dark-market platforms, typically as a subscription-based malware-as-a-service.
How It Operated
Rhadamanthys specialized in harvesting sensitive data, including:
- Passwords stored in browsers and system credential vaults
- Cookies, session tokens, and authentication keys
- Cryptocurrency wallet keys
- FTP/SSH credentials
- Autofill data and financial information
It used modular plug-ins, making it easy for attackers to tailor campaigns. Its creators also used aggressive obfuscation techniques to evade antivirus products and dynamic analysis tools.
Rhadamanthys was most often distributed via:
- Malicious email attachments
- Exploit kits
- False “software cracks” and download sites posing as legitimate utilities
- Malvertising campaigns
Once installed, it exfiltrated data to command-and-control (C2) servers, many of which were among the 1,025 servers taken down during Endgame 3.0.
Why It Was a Major Threat
- Its operators had access to more than 100,000 compromised cryptocurrency wallets—potentially worth millions of euros.
- Shadowserver tracked infections in over 175 countries, highlighting its global spread.
- It was a top-tier player in the infostealer ecosystem, alongside RedLine and Vidar.
Why Law Enforcement Targeted It
- Its massive scale of credential theft
- Its role in enabling ransomware affiliates
- Its infrastructure providing access to corporate networks
- The financial harm linked to crypto-theft at an unprecedented scale
Rhadamanthys’ infrastructure was the centerpiece of the Endgame 3.0 server takedown.
2. VenomRAT (Remote Access Trojan)
VenomRAT is a remote access trojan—a tool that allows attackers to take complete, real-time control of an infected machine. It is a modified fork of QuasarRAT, a long-standing open-source RAT commonly abused by cyber-criminals.
How It Operated
VenomRAT was sold for about $150 per month as a “professional” remote-access suite. Its capabilities included:
- Live remote desktop control
- Keystroke logging
- Password theft
- File manipulation and data exfiltration
- PowerShell command execution
- Persistence installation for long-term access
Infections usually began when users opened:
- Malicious email attachments (often disguised as invoices, HR documents, or shipping notes)
- Office documents containing obfuscated VBA macros
- Files that downloaded secondary payloads via PowerShell
The attacker could then remotely operate the computer as if sitting in front of it.
Why It Was a Major Threat
VenomRAT was heavily used by:
- Initial Access Brokers (IABs) selling access to ransomware gangs
- Low-skill cyber-criminals buying full access capabilities
- Actors deploying it at scale through botnets and phishing networks
Its low cost, ease of use, and robust functionality made it one of the most common RATs in phishing-driven intrusions.
Why Law Enforcement Targeted It
Authorities arrested the suspected main operator in Greece and dismantled the infrastructure to prevent:
- Further use in ransomware delivery
- Corporate network intrusions
- Large-scale data theft
- Access-for-sale to other criminal organisations
VenomRAT was a backbone tool for financially motivated cyber-criminal groups.
3. Elysium Botnet
Elysium is a botnet — a network of compromised machines controlled remotely by a central operator. Botnets like Elysium typically infect devices quietly and then use the collective computing power for malicious activity.
How It Operated
Elysium was designed to maintain:
- Persistence on infected machines
- Covert communication with central servers
- Automated downloading of additional malware
Elysium-infected systems were often used as:
- Proxies to hide cyber-criminal traffic
- Delivery mechanisms for payloads such as infostealers and RATs
- Credential-harvesting nodes
- Components of fraud, spam, and phishing campaigns
Its architecture allowed attackers to manage large-scale operations with minimal visibility.
Why It Was a Major Threat
Because Elysium:
- Consisted of hundreds of thousands of compromised devices, according to Europol
- Enabled the distribution of malware like Rhadamanthys and VenomRAT
- Provided anonymity to criminals carrying out secondary attacks
- Allowed seamless automation of phishing or credential-theft campaigns
Botnets act as the “infrastructure layer” of cyber-crime, making them extremely valuable to threat actors.
Why Law Enforcement Targeted It
Elysium was key to:
- Malware distribution
- Credential theft pipelines
- Criminal anonymisation networks
By dismantling its servers, police essentially cut off the oxygen supply to multiple cyber-crime operations at once.
Summary: Why These Three Were Priorities
Operation Endgame 3.0 targeted these malware families because together they formed a complete criminal ecosystem:
- Elysium → infects devices, delivers malware
- VenomRAT → grants remote control over victims
- Rhadamanthys → steals valuable credentials and crypto assets
By hitting all three, law enforcement disrupted:
- Theft of financial assets
- Corporate network intrusions
- Global botnet-driven campaigns
- Access-broker operations that feed ransomware groups
This is why police describe the operation as one of the most impactful cyber-crime disruptions of the decade.
Strategic Significance: The Third Wave
This latest action marks the third phase of Operation Endgame. The initiative began in May 2024 (Season 1) and continued with subsequent operations in April and May 2025, both aimed at dismantling malware-as-a-service infrastructures, botnets and initial-access tools.
Experts say this progression reflects a strategic shift by law enforcement: moving beyond individual arrests to targeting entire service-platform ecosystems that supply tools to cyber-criminals. One analysis notes that by disrupting these “supply-chain” components, authorities hope to raise the operational risk and cost for threat actors.
On one level, the results are compelling: more than 1,000 servers disabled, thousands of network indicators of compromise (IOCs) exposed, and a principal suspect arrested. The campaign sends a strong message: the infrastructure enabling large-scale credential theft and remote-access compromise is no longer beyond the reach of coordinated international action.
However, analysts caution against seeing this as a final victory. Cyber-crime is resilient and adapts quickly. While the tools (infostealers, RATs, botnets) hit in this wave are major, there remain other tools, new forks and emerging services ready to fill the gap. The operation’s own website warns: “Season 3 of Operation Endgame has begun … Some actors return. New ones emerge.”
Victims remain numerous: if a botnet of hundreds of thousands of machines — loaded with stolen credentials — can be taken down this way, the question becomes: how many more are still lurking? With the suspect’s access to over 100,000 crypto wallets, the ripple effects may be felt long after the takedown.
What To Do If You Might Be Affected
Authorities urge individuals and organisations to check whether their devices or networks have been compromised. Resources available include the Netherlands Police’s “Check Your Hack” portal and the publicly available database at Have I Been Pwned.
It is also time for organisations to reassess their cyber-hygiene: ensuring that macro-enabled Office attachments are blocked, PowerShell is restricted, remote-access ports are monitored and credential theft protections (such as password-spray defences) are in place.
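The following audit script is added here as an illustration and is not part of the article or any partner's tooling: it reports whether the controls just listed (macro blocking, PowerShell restriction and logging, listening remote-access ports) are in place on a Windows host, which also breaks the VenomRAT infection chain described earlier (macro-laden attachment launching a PowerShell downloader). It assumes Office 2016 or later (the 16.0 policy key) and the port watch-list is an assumed example, not a list from the page.

```powershell
# Added example: audit a Windows host for the hygiene controls discussed above.
# Registry paths are the documented Office and PowerShell policy locations;
# the Office version key (16.0) and the port watch-list are assumptions.
$findings = New-Object System.Collections.Generic.List[string]

function Test-PolicyValue {
    param([string]$Path, [string]$Name, $Expected, [string]$Label)
    # Read the policy value; a missing key yields $null and is reported as missing.
    $val = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    if ($null -eq $val -or $val -ne $Expected) {
        $findings.Add("MISSING: $Label ($Path\$Name should be $Expected, is '$val')")
    } else {
        $findings.Add("OK: $Label")
    }
}

# 1. Office macros: block macros in files carrying Mark-of-the-Web (downloaded or
#    mailed) and disable all VBA without notification (VBAWarnings = 4).
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $sec = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    Test-PolicyValue -Path $sec -Name 'blockcontentexecutionfrominternet' -Expected 1 -Label "$app blocks internet macros"
    Test-PolicyValue -Path $sec -Name 'VBAWarnings' -Expected 4 -Label "$app disables all VBA macros"
}

# 2. PowerShell: script block logging (Event ID 4104) records de-obfuscated loader
#    code; module logging records cmdlet use. Constrained Language Mode for
#    unprivileged users comes from AppLocker/WDAC, so only the current mode is shown.
$psPol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
Test-PolicyValue -Path "$psPol\ScriptBlockLogging" -Name 'EnableScriptBlockLogging' -Expected 1 -Label 'PowerShell script block logging'
Test-PolicyValue -Path "$psPol\ModuleLogging" -Name 'EnableModuleLogging' -Expected 1 -Label 'PowerShell module logging'
$mode = $ExecutionContext.SessionState.LanguageMode
if ($mode -ne 'ConstrainedLanguage') {
    $findings.Add("WARN: this session runs in $mode mode; enforce ConstrainedLanguage for standard users via AppLocker/WDAC")
}

# 3. Remote-access ports: list listeners on an assumed watch-list of admin/remote
#    protocols with the owning process, so an unexpected listener stands out.
$watch = @{ 3389 = 'RDP'; 5900 = 'VNC'; 22 = 'SSH'; 5985 = 'WinRM'; 5986 = 'WinRM-TLS' }
Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $watch.ContainsKey([int]$_.LocalPort) } |
    ForEach-Object {
        $proc = (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName
        $findings.Add("LISTEN: port $($_.LocalPort) ($($watch[[int]$_.LocalPort])) owned by '$proc' (PID $($_.OwningProcess))")
    }

$findings | ForEach-Object { Write-Output $_ }
```

Run it in an elevated session so the HKLM policy keys and all process owners are readable; any line beginning with MISSING or WARN is a control still to be applied.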
Looking Ahead
As Operation Endgame evolves, so too does the adversary. The shift from droppers and loaders, to infostealers and RATs, demonstrates how cyber-criminal ecosystems mature. Analysts expect further focus on laundering infrastructure, access-as-a-service platforms and other monetisation layers.
Moreover, the selective nature of enforcement — where some branches of the cyber-criminal supply chain are hit harder than others — may signal a deeper game: making parts of the ecosystem too risky to operate, while others may slip into the shadows.
In short: Operation Endgame 3.0 is a noteworthy success. But in the never-ending chess match of cyber-crime and cyber-defence, the position has shifted — not ended.