
International Law Enforcement Disrupts Rhadamanthys, VenomRAT, and Elysium Malware Operations

3 unique sources, 4 articles

Summary


Law enforcement agencies from 11 countries, coordinated by Europol and Eurojust, disrupted operations of Rhadamanthys infostealer, VenomRAT, and Elysium botnet malware as part of Operation Endgame 3.0. The action, which occurred between November 10 and 13, 2025, involved seizing over 1,000 servers and 20 domains, arresting a key suspect in Greece, and uncovering millions of stolen credentials. The operation also involved multiple private cybersecurity partners. The dismantled infrastructure included hundreds of thousands of infected computers, with the main suspect behind Rhadamanthys having access to over 100,000 crypto wallets worth millions of euros. Victims were often unaware of their systems' infections. The latest version of Rhadamanthys added support for collecting device and web browser fingerprints, along with incorporating several mechanisms to fly under the radar. Additionally, the Dutch police seized around 250 physical servers and thousands of virtual servers used by a bulletproof hosting service, which has been involved in over 80 cybercrime investigations since 2022. The seized servers were located in data centers in The Hague and Zoetermeer.

Timeline

  1. 17.11.2025 21:19 · 1 article

    Dutch police seize 250 servers used by bulletproof hosting service

    The Dutch police seized around 250 physical servers and thousands of virtual servers used by a bulletproof hosting service. This service has been involved in over 80 cybercrime investigations since 2022. The seized servers were located in data centers in The Hague and Zoetermeer. The hosting company advertised complete anonymity for users and no cooperation with law enforcement. As part of Operation Endgame, the Dutch police carried out nine searches in Dutch data centers and seized 83 servers and 20 domain names. CrazyRDP, a bulletproof hosting service, is suspected to be the service seized by the Dutch police.

  2. 13.11.2025 12:53 · 4 articles

    International Law Enforcement Disrupts Rhadamanthys, VenomRAT, and Elysium Malware Operations

    Between 10 and 13 November 2025, law enforcement agencies from 11 countries, coordinated by Europol and Eurojust, disrupted operations of Rhadamanthys infostealer, VenomRAT, and Elysium botnet malware. The action involved seizing over 1,000 servers and 20 domains, arresting a key suspect in Greece, and uncovering millions of stolen credentials. The operation also involved multiple private cybersecurity partners. The dismantled malware infrastructure consisted of hundreds of thousands of infected computers containing several million stolen credentials. Many of the victims were not aware of the infection of their systems. The main suspect behind Rhadamanthys had access to over 100,000 cryptocurrency wallets belonging to victims, potentially amounting to millions of euros. Additionally, the Dutch police seized around 250 physical servers and thousands of virtual servers used by a bulletproof hosting service, which has been involved in over 80 cybercrime investigations since 2022. The seized servers were located in data centers in The Hague and Zoetermeer.



Similar Happenings

International Law Enforcement Dismantles Credit Card Fraud Networks

International authorities have dismantled three large-scale credit card fraud and money laundering networks in Operation Chargeback. The operation targeted 44 suspects, including American, Austrian, Canadian, Danish, Dutch, German, and Lithuanian nationals, and resulted in the arrest of 18 individuals. The fraud networks affected over 4.3 million cardholders across 193 countries, causing losses exceeding €300 million. The operation involved over 60 searches and the execution of 18 arrest warrants. The fraudsters created over 19 million fake online subscriptions for services like pornography, dating, and streaming. They disguised monthly charges of about €50 to avoid detection. The operation was led by the Cybercrime Department of the General Prosecutor’s Office in Koblenz and the German Federal Criminal Police Office, supported by Europol and Eurojust. Authorities seized assets worth over €35 million, including luxury vehicles, cryptocurrency, and electronic devices. The suspects face accusations of organized computer fraud, membership in a criminal group, and money laundering. The fraudsters abused four major German payment service providers to launder proceeds, with six employees allegedly helping the fraudsters in exchange for fees. The suspects concealed their activities through numerous shell companies obtained through crime-as-a-service providers, primarily registered in the UK and Cyprus. The estimated attempted damages from the fraud schemes surpass €750 million (~$865 million).

Critical WSUS RCE Vulnerability Exploited in the Wild

A critical remote code execution (RCE) vulnerability (CVE-2025-59287) in Windows Server Update Services (WSUS) is being actively exploited in the wild. The flaw allows attackers to run malicious code with SYSTEM privileges on Windows servers with the WSUS Server role enabled. Microsoft has released out-of-band patches for all affected Windows Server versions. Cybersecurity firms have observed exploitation attempts, and proof-of-concept exploit code is publicly available. The vulnerability is considered potentially wormable between WSUS servers and poses a significant risk to organizations. The flaw is a deserialization of untrusted data issue in WSUS. The vulnerability was discovered and reported by security researchers MEOW, f7d8c52bec79e42795cf15888b85cbad, and Markus Wulftange with CODE WHITE GmbH. CISA and NSA, along with international partners, have issued guidance to secure Microsoft Exchange Server instances, including recommendations to restrict administrative access, implement multi-factor authentication, and enforce strict transport security configurations. The agencies advise decommissioning end-of-life on-premises or hybrid Exchange servers after transitioning to Microsoft 365. Sophos reported threat actors exploiting the vulnerability to harvest sensitive data from U.S. organizations across various industries, with at least 50 victims identified. The exploitation activity was first detected on October 24, 2025, a day after Microsoft issued the update. Attackers use Base64-encoded PowerShell commands to exfiltrate data to a webhook[.]site endpoint. Michael Haag of Splunk noted an alternate attack chain in which the Microsoft Management Console binary (mmc.exe) is used to trigger cmd.exe execution.

Europol Conference Highlights Data Access Challenges in Cybercrime Investigations

Europol's 4th Annual Cybercrime Conference 2025 convened in The Hague, focusing on the critical challenge of balancing data access for investigations with privacy and digital rights. The event underscored the need for stronger data laws and international cooperation to combat cybercrime. The conference, attended by 500 participants, emphasized the rapid exploitation of encryption and anonymization technologies by criminals, outpacing regulatory and law enforcement adaptations. Key themes included the need for updated laws, improved cross-border data sharing, and enhanced cyber diplomacy. The event also highlighted successful operations like Operation Eastwood and Operation Ratatouille, demonstrating the impact of coordinated efforts in disrupting cybercrime activities.

Rhadamanthys Stealer Adds Device Fingerprinting, PNG Steganography Payloads

Rhadamanthys Stealer, a popular information stealer, has been updated to include device and web browser fingerprinting capabilities. The malware now uses PNG steganography to conceal its payloads. The threat actor behind Rhadamanthys has also advertised two additional tools, Elysium Proxy Bot and Crypt Service, on their website. The stealer's current version is 0.9.2, and it is available under a malware-as-a-service (MaaS) model with tiered pricing packages. The threat actor has rebranded themselves as "RHAD security" and "Mythical Origin Labs," indicating a long-term business venture. The stealer's capabilities have evolved significantly, posing a comprehensive threat to personal and corporate security. The latest updates include enhanced obfuscation techniques, environment checks, and a Lua runner for additional plugins. The Rhadamanthys infostealer operation has been disrupted, with numerous customers reporting that they no longer have access to their servers. Cybercriminals claim that law enforcement gained access to their web panels, requiring certificate-based logins instead of root passwords. The disruption is suspected to be related to Operation Endgame, an ongoing law enforcement action targeting malware-as-a-service operations.

Increased Scanning for PAN-OS GlobalProtect Vulnerability

SANS Internet Storm Center has observed a significant rise in internet-wide scans targeting the critical PAN-OS GlobalProtect vulnerability (CVE-2024-3400). This flaw, disclosed last year, allows unauthenticated attackers to execute arbitrary code with root privileges on affected firewalls. The scans involve attempts to upload and retrieve files, indicating potential pre-exploit staging activities. The vulnerability is a command injection flaw that can be exploited to gain unauthorized access and control over vulnerable firewalls. This development underscores the ongoing threat posed by unpatched systems and the importance of timely security updates. The scans are part of a broader trend of increased cyber activity targeting critical infrastructure and enterprise networks.