🔴 HIGH

Rhadamanthys, VenomRAT, Elysium infrastructure hit in Europol raids

Category: Threat Alerts
Rhadamanthys infostealer and VenomRAT remote access trojan operations have been severely disrupted by Europol’s latest Operation Endgame phase, which took down more than 1,000 servers and 20 domains used for malware distribution and command-and-control, impacting campaigns mapped to T1059 (Command and Scripting Interpreter), T1105 (Ingress Tool Transfer) and T1555 (Credentials from Password Stores). Law enforcement actions in Germany, Greece and the Netherlands seized infrastructure that had been silently harvesting credentials, browser data, autofill content and crypto wallet artifacts from hundreds of thousands of infected systems worldwide. Rhadamanthys alone reportedly gave its operator access to over 100,000 compromised cryptocurrency wallets, putting millions of euros at risk even before assets were moved.

According to supporting research, Rhadamanthys is sold under a malware-as-a-service model for roughly 300 to 500 dollars per month, with higher tiers for customization, and can exfiltrate data from browsers, password managers and cryptocurrency extensions. Affiliates often bundle it with other malware or use it as an initial stealer in multi-stage intrusions. VenomRAT, active since 2020, typically arrives via malicious email attachments or links and provides full remote-desktop-style control, enabling operators to pull files, browser data, payment card information and authentication cookies, aligning with techniques such as T1078 (Valid Accounts) and T1021.001 (Remote Desktop Protocol). The Elysium botnet further extends this ecosystem with data theft and payload delivery capabilities.

From a business standpoint, Operation Endgame’s latest wave temporarily degrades a major slice of the infostealer-as-a-service market and may reduce opportunistic credential theft, account takeovers and downstream ransomware and fraud incidents.
However, the underlying problem persists: victims were largely unaware of infections, and harvested data and wallets may already be traded or staged elsewhere. Organizations that see Rhadamanthys, VenomRAT or Elysium in telemetry should assume that credentials, cookies and crypto keys could have been compromised at scale. Mitigation requires more than relying on law enforcement takedowns. Enterprises should aggressively rotate passwords, invalidate sessions and refresh MFA secrets where infostealer or RAT activity is suspected, and enforce phishing-resistant authentication to reduce the value of stolen credentials. Security teams should deploy behavioral detections for info-stealing and remote access tools mapped to techniques like T1059, T1105 and T1021.001, and monitor services like Have I Been Pwned and law enforcement victim check portals where available. Finally, they should treat this disruption as a window of opportunity to harden browser, wallet and credential management practices before the ecosystem inevitably reconstitutes.

🎯CORTEX Protocol Intelligence Assessment

Business Impact: The Europol-led takedown of Rhadamanthys, VenomRAT and Elysium infrastructure will temporarily reduce active infostealer and RAT campaigns, but organizations that have been targeted remain at heightened risk of account takeover, fraud and ransomware due to previously harvested credentials and crypto wallet data. Enterprises with significant exposure to browser-based authentication and cryptocurrency workflows should treat this as a signal to assume prior compromise and reset critical access paths.

Technical Context: Rhadamanthys operates as a subscription infostealer capable of harvesting credentials and wallet artifacts from browsers and password managers, while VenomRAT provides full remote-desktop-style access aligning with T1059 (Command and Scripting Interpreter), T1078 (Valid Accounts), T1105 (Ingress Tool Transfer) and T1021.001 (Remote Desktop Protocol). Operation Endgame dismantled over 1,000 servers and 20 domains supporting these botnets, but the malware families remain technically viable, and affiliates may quickly rebuild infrastructure or pivot to alternative stealers.

Strategic Intelligence Guidance

  • Identify any endpoints with historical or current Rhadamanthys, VenomRAT or similar stealer artifacts and trigger mandatory credential, cookie and token rotation for affected identities.
  • Tighten detection around T1059, T1105 and T1021.001 by monitoring for unusual script interpreters, remote desktop sessions and outbound connections to previously associated C2 networks.
  • Harden authentication by moving high-value applications to phishing-resistant MFA and conditional access, reducing the value of credentials already harvested by info-stealers.
  • Use this disruption window to review vendor, partner and customer access patterns for signs of account takeover or automated abuse driven by stealer-derived credential dumps.
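The first two guidance points above, detection of the mapped techniques followed by mandatory identity rotation, as an added example that is not part of the original alert or CORTEX Protocol's own tooling: a small Python triage that runs over constructed EDR-style JSON-lines telemetry, flags behaviour mapped to T1059, T1105, T1555 and T1021.001 plus contact with a placeholder C2 list, and then turns the findings into the host-isolation and credential/cookie/token/MFA rotation work list. The event schema and field names, the hosts, users and IP addresses (documentation ranges), and the C2 set are all assumptions made for the example.

```python
"""Triage of endpoint telemetry for infostealer/RAT behaviour, then the
identity-remediation list the alert calls for.  Added example, not CORTEX,
Europol or any vendor's tooling: the JSON-lines event schema, every host, user
and IP address, and the C2 list are constructed for illustration."""
import json

# Interpreters a stealer loader commonly abuses (T1059) and the parents that
# should rarely spawn them; browsers are also the only expected readers of
# their own credential stores (T1555).
SCRIPT_INTERPRETERS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
SUSPICIOUS_PARENTS = BROWSERS | {"outlook.exe", "winword.exe", "excel.exe"}
CREDENTIAL_STORE_MARKERS = ("login data", "cookies", "web data", "logins.json", "key4.db")
# Placeholder C2 set: in practice populated from sinkhole / Shadowserver
# notifications after a takedown. 203.0.113.0/24 is a documentation range.
KNOWN_C2 = {"203.0.113.45"}
# Hypothetical internal ranges from which interactive RDP logons are expected.
RDP_ALLOWED_SOURCES = ("10.", "192.168.")

# Constructed sample EDR export (JSON lines); hosts, users and IPs are invented.
SAMPLE_EVENTS = r"""
{"ts":"2025-11-13T08:01:10Z","host":"WS-0142","user":"alice","type":"process","parent":"OUTLOOK.EXE","image":"powershell.exe","cmdline":"powershell -w hidden -enc QUFBQQ=="}
{"ts":"2025-11-13T08:01:12Z","host":"WS-0142","user":"alice","type":"network","image":"powershell.exe","dst_ip":"203.0.113.45","dst_port":443}
{"ts":"2025-11-13T08:01:15Z","host":"WS-0142","user":"alice","type":"file","image":"powershell.exe","action":"create","path":"C:\\Users\\alice\\AppData\\Local\\Temp\\upd.exe"}
{"ts":"2025-11-13T08:05:00Z","host":"WS-0142","user":"alice","type":"process","parent":"powershell.exe","image":"upd.exe","cmdline":"upd.exe"}
{"ts":"2025-11-13T08:05:03Z","host":"WS-0142","user":"alice","type":"file","image":"upd.exe","action":"read","path":"C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"}
{"ts":"2025-11-13T09:30:00Z","host":"SRV-DB01","user":"svc_backup","type":"logon","logon_type":10,"src_ip":"203.0.113.45"}
{"ts":"2025-11-13T09:31:00Z","host":"WS-0077","user":"bob","type":"process","parent":"explorer.exe","image":"powershell.exe","cmdline":"powershell Get-Date"}
{"ts":"2025-11-13T09:32:00Z","host":"WS-0077","user":"bob","type":"network","image":"chrome.exe","dst_ip":"198.51.100.10","dst_port":443}
"""


def parse_events(text):
    """Parse JSON-lines telemetry into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(events):
    """Return findings as dicts {technique, host, user, ts, detail}, in event order."""
    findings = []

    def hit(e, technique, detail):
        findings.append({"technique": technique, "host": e["host"], "user": e["user"],
                         "ts": e["ts"], "detail": detail})

    for e in events:
        img = e.get("image", "").lower()
        parent = e.get("parent", "").lower()
        kind = e["type"]
        if kind == "process" and img in SCRIPT_INTERPRETERS:
            cmd = e.get("cmdline", "").lower()
            # T1059: interpreter launched by mail/Office/browser, or with
            # hidden-window / encoded-command flags typical of loaders.
            if parent in SUSPICIOUS_PARENTS or "-enc" in cmd or "hidden" in cmd:
                hit(e, "T1059", f"{parent} spawned {img}: {e.get('cmdline')}")
        elif kind == "network" and e["dst_ip"] in KNOWN_C2:
            hit(e, "C2-contact", f"{img} -> {e['dst_ip']}:{e['dst_port']}")
        elif kind == "file":
            path = e["path"].lower()
            # T1105: a script interpreter dropping an executable on disk.
            if e["action"] == "create" and img in SCRIPT_INTERPRETERS and path.endswith((".exe", ".dll")):
                hit(e, "T1105", f"{img} wrote {e['path']}")
            # T1555: a non-browser process reading a browser credential store.
            elif e["action"] == "read" and img not in BROWSERS and any(m in path for m in CREDENTIAL_STORE_MARKERS):
                hit(e, "T1555", f"{img} read {e['path']}")
        # T1021.001: RemoteInteractive (type 10) logon from outside expected sources.
        elif kind == "logon" and e.get("logon_type") == 10 and not e["src_ip"].startswith(RDP_ALLOWED_SOURCES):
            hit(e, "T1021.001", f"RDP logon from {e['src_ip']}")
    return findings


ISOLATE_TECHNIQUES = {"T1105", "T1555", "C2-contact"}


def remediation_plan(findings):
    """Translate findings into the actions the alert recommends: isolate hosts
    showing loader/stealer behaviour, review the rest, and rotate passwords,
    revoke sessions/cookies and reset MFA for every identity involved."""
    plan = {"isolate_hosts": set(), "rotate_identities": set(), "review_hosts": set()}
    for f in findings:
        if f["technique"] in ISOLATE_TECHNIQUES:
            plan["isolate_hosts"].add(f["host"])
        else:
            plan["review_hosts"].add(f["host"])
        plan["rotate_identities"].add(f["user"])   # assume harvested credentials
    plan["review_hosts"] -= plan["isolate_hosts"]  # isolation supersedes review
    return plan


if __name__ == "__main__":
    found = detect(parse_events(SAMPLE_EVENTS))
    for f in found:
        print(f"{f['ts']} {f['host']:8} {f['user']:10} {f['technique']:10} {f['detail']}")
    print(json.dumps({k: sorted(v) for k, v in remediation_plan(found).items()}, indent=2))
```

On the constructed sample the script flags the Outlook-spawned hidden PowerShell, its contact with the placeholder C2, the dropped executable, the read of Chrome's Login Data by that dropper, and the RDP logon from the same address, while ignoring the benign PowerShell and browser traffic on WS-0077. The C2 list is the piece a real deployment would feed from takedown and sinkhole notifications; the behavioural rules work without it, which matters because affiliates rebuild infrastructure faster than block lists follow.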

Vendors

Europol, Shadowserver

Threats

Rhadamanthys, VenomRAT, Elysium botnet, Operation Endgame

Targets

global enterprise endpoints, cryptocurrency users, small and midsize businesses, home users with unmanaged browsers and wallets

Impact

Data Volume: several million stolen credentials and over 100,000 crypto wallets at risk