In the latest stage of its Operation Endgame campaign, Europol has seriously disrupted the Rhadamanthys infostealer, VenomRAT, and Elysium botnet malware operations.
More than 1,000 servers used by the groups to infect hundreds of thousands of victims worldwide with malware were last week taken down.
Law enforcement searched one location in Germany, one in Greece, and nine in the Netherlands, seizing 20 domains. One arrest, related to the VenomRAT tool, has been made in Greece.
"The dismantled malware infrastructure consisted of hundreds of thousands of infected computers containing several million stolen credentials. Many of the victims were not aware of the infection of their systems," Europol said.
"The main suspect behind the infostealer had access to over 100,000 crypto wallets belonging to these victims, potentially worth millions of euros."
These hadn't yet been used to steal assets, Europol said. However, it's recommended checking politie.nl/checkyourhack and haveibeenpwned.com to find out whether computers have been hacked and learn what to do.
The Rhadamanthys infostealer harvests browser-resident data, including credentials, browser data, autofill information, and cryptocurrency wallet artifacts from browsers, password managers, and crypto wallets.
According to Proofpoint, it costs between $300 and $500 a month, with options for a higher price point for customized uses. The firm said it appears that the threat actor behind Rhadamanthys was not only facilitating information stealer operations but also stealing sensitive data from Rhadamanthys affiliates.
"In addition to the infrastructure disruption, it’s likely that this operation will also negatively affect the criminals’ reputation, leading affiliates to mistrust them," the firm pointed out.
According to the Shadowserver Foundation, which assisted in the operation, Rhadamanthys has grown to become one of the leading infostealers since Operation Endgame 2.0 disrupted the infostealer landscape earlier this year.
"It is important to note that Rhadamanthys may have been used to drop additional malware on infected systems, so other malware infections may also be active on these systems and require further local remediation efforts," the Shadowserver Foundation warned.
"These victim systems may also have been used in historic or recent intrusions and ransomware incidents."
VenomRAT, which first appeared in 2020, generally arrives through malicious email attachments or links, also using fake antivirus pages.
It gives its operators remote desktop-style control, allowing the theft of files, browser data, cryptocurrency wallets, credit card details, account passwords, and authentication cookies.
While it's mainly been used to target Latin American organizations, it has also claimed victims in North America and Western Europe.
The Elysium botnet meanwhile, carries out data theft, payload delivery and other tasks.
Operation Endgame, launched in 2024, has now led to total seizures of more than €21 million. This latest action follows an Operation Endgame raid in May that saw 300 servers taken down and 650 domains seized, along with €3.5 million.
Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.
MORE FROM ITPRO
- Botnets are being sold on the dark web for as little as $99
- What is polymorphic malware?
- Everything you need to know about Malware as a Service
-
Logitech says zero-day attack saw hackers copy 'certain data' from internal IT systemsNews The incident is believed to have formed part of a campaign by the Clop extortion group that targeted customers of Oracle’s E-Business Suite
-
IBM is targeting 'quantum advantage' in 12 monthsNews Leading organizations are already preparing for quantum computing, which could upend our understanding of linear mathematical problems
-
Hackers are using these malicious npm packages to target developers on Windows, macOS, and Linux systems – here’s how to stay safeNews Security experts have issued a warning to developers after ten malicious npm packages were found to deliver infostealer malware across Windows, Linux, and macOS systems.
-
Cisco ASA customers urged to take immediate action as NCSC, CISA issue critical vulnerability warningsNews Cisco customers are urged to upgrade and secure systems immediately
-
Hackers are disguising malware as ChatGPT, Microsoft Office, and Google Drive to dupe workersNews Beware of downloading applications like ChatGPT, Microsoft Office applications, and Google Drive through search engines
-
‘Channel their curiosity into something meaningful’: Cyber expert warns an uptick of youth hackers should be a ‘wake-up call’ after teens charged over TfL attackNews Encouraging youths to engage in positive tech initiatives will guide them down the right path and away from nefarious activities
-
Cybersecurity experts issue urgent warning amid surge in Stealerium malware attacksNews Proofpoint said Stealerium has flown under the radar for some time now, but researchers have observed a huge spike in activity between May and August this year.
-
Hackers are using AI to dissect threat intelligence reports and ‘vibe code’ malwareNews TrendMicro has called for caution on how much detail is disclosed in security advisories
-
Jaguar Land Rover “did the right thing” shutting down systems to thwart cyber attackNews The attack on Jaguar Land Rover highlights the growing attractiveness of the automotive sector
-
Microsoft quietly launched an AI agent that can detect and reverse engineer malwareNews Researchers say the tool is already achieving the “gold standard” in malware classification
