International Coalition Strikes at Cybercrime Infrastructure
The United States, in concert with eight allied Western nations, has effectively dismantled the digital architecture underpinning a range of well-known cybercriminal tools.
During a meticulously coordinated three-day operation, law enforcement agencies successfully disabled over 1,000 servers and seized 20 domains linked to the notorious Rhadamanthys infostealer, the VenomRAT remote-access Trojan, and the Elysium botnet. The Greek police apprehended an individual suspected of being the operator of VenomRAT.
Europol, which orchestrated the operation from its headquarters in The Hague, articulated that “the dismantled malware infrastructure encompassed hundreds of thousands of infected devices harboring millions of stolen credentials.”
The primary suspect associated with the Rhadamanthys infostealer purportedly had access to over 100,000 cryptocurrency wallets belonging to victims, potentially valued in the millions of euros.
Participating nations in this extensive operation included Australia, Canada, Denmark, France, Germany, Greece, Lithuania, the Netherlands, and the U.S. These actions represent the latest echelon of Operation Endgame, a persistent multinational endeavor aimed at dismantling cybercriminal syndicates.
The operation received support from various cybersecurity entities, telecommunication companies, and independent research organizations, such as CrowdStrike, Lumen, and Shadowserver.
Europol noted that the infrastructure targeted was instrumental in the orchestration of international cybercrime.
The Rhadamanthys infostealer played a pivotal role in the operations of multiple hacking collectives, characterized by its tiered pricing model and diverse modules, indicative of a sophisticated development and commerce structure.
The creators of this infostealer implemented advanced obfuscation features and routinely enhanced its capabilities, enabling hackers to tailor its deployment according to specific targets.
VenomRAT has been recurrently implicated in assaults on the hospitality sector, notably prevalent in attacks by a threat group identified by Proofpoint as TA558.
This group is responsible for 58% of the observed VenomRAT deployments since 2022, with a primary focus on Latin American organizations, though incursions have also occurred in North America and Western Europe.
However, indications suggest that they may have transitioned to different malware, as Proofpoint noted the absence of observed VenomRAT activity in campaign data since September 2025.
Adam Meyers, the head of counter adversary operations at CrowdStrike, remarked that this recent operation “demonstrates the potential realized when law enforcement collaborates with the private sector.”
Meyers further asserted, “Disrupting the initial stages of the ransomware kill chain—specifically targeting access brokers, loaders, and infostealers—exerts a ripple effect throughout the entire eCrime ecosystem.”
Source link: Cybersecuritydive.com.
