
International law enforcement recently announced the latest phase of the ongoing Operation Endgame. This phase, dubbed "Season 3," targeted three malware families used for credential theft and remote access: the Rhadamanthys infostealer, the VenomRAT remote access trojan, and the Elysium botnet. The coordinated action by global law enforcement agencies took down over 1,000 servers, seized 20 domains, and led to the arrest of the primary VenomRAT operator in Greece. Conducted over several days in November, the operation identified several million stolen credentials and dealt a significant blow to infostealer and botnet operations.
Operation Endgame (So Far):
- Season 1 (May 2024): The first phase of Operation Endgame focused on dismantling loader malware and its supporting infrastructure. Ransomware groups depend heavily on loaders to deploy their payloads. The operation disrupted malware families including IcedID, SystemBC, and Bumblebee through the takedown of over 100 servers, the seizure of more than 2,000 domains, and the arrest of key operators.
- Season 2 (October 2024): The second phase of Operation Endgame focused on botnets and initial access brokers, which sell ransomware groups their initial foothold in victim organizations. Domain seizures and raids against known initial access brokers and botnet operators disrupted this key component of the cybercriminal supply chain.
- Season 3 (November 2025): The most recent installment of Operation Endgame targeted information stealers and remote access trojans. Law enforcement continued to disrupt the cybercriminal supply chain by going after malware families that have played a large part in the cyber threat ecosystem.
Analyst Comments
While it is not possible for law enforcement to notify every victim whose credentials were compromised, individuals can use sites such as politie.nl/checkyourhack and haveibeenpwned.com to determine whether their data was found on the seized infrastructure. Although this operation significantly hinders threat actors' ability to obtain fresh credentials through information stealers, it does not appear to have slowed their operational tempo: threat groups such as Akira found success in 2025 by exploiting vulnerabilities in VPN appliances rather than relying on stolen credentials.
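The haveibeenpwned.com check above can be automated without ever sending a password or its full hash off the machine, using the site's Pwned Passwords k-anonymity range API: only the first five hex characters of the SHA-1 hash are sent, and the returned list of suffixes is compared locally. The code below is an added example written for this page, not code from Operation Endgame, politie.nl or Have I Been Pwned. The endpoint URL and the `Add-Padding` header are the real HIBP interface; the range response used for the offline demonstration is constructed and its counts are made up.

```python
"""Offline-testable Pwned Passwords k-anonymity check (added example, not HIBP code).

Only the 5-character SHA-1 prefix is sent to the API; the 35-character suffix is
matched locally, so neither the password nor its full hash leaves the machine.
"""
import hashlib
import urllib.request
from typing import Callable, Dict

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # real HIBP range endpoint, no API key needed


def sha1_hex_upper(password: str) -> str:
    """Uppercase hex SHA-1 digest, the form the range API returns suffixes in."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}.

    When the client sends 'Add-Padding: true', the API mixes in fake lines with a
    count of 0 so response size does not leak the real match count; those are dropped.
    Malformed lines raise rather than being silently ignored.
    """
    counts: Dict[str, int] = {}
    for raw in body.splitlines():
        line = raw.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        suffix = suffix.upper()
        if len(suffix) != 35 or not count.strip().isdigit():
            raise ValueError(f"malformed range line: {line!r}")
        n = int(count)
        if n > 0:
            counts[suffix] = n
    return counts


def fetch_range_hibp(prefix: str) -> str:
    """Network fetcher for the real API. HIBP rejects requests without a User-Agent."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"User-Agent": "credential-exposure-check-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch_range: Callable[[str], str] = fetch_range_hibp) -> int:
    """Return how many times `password` appears in the HIBP corpus (0 = not seen)."""
    digest = sha1_hex_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


# --- Constructed stand-in for an API response so the example runs offline ---
# The suffix for SHA-1('password') is computed here; the counts are invented.
_WEAK_PASSWORD = "password"
_WEAK_SUFFIX = sha1_hex_upper(_WEAK_PASSWORD)[5:]
CONSTRUCTED_RANGE = "\r\n".join([
    "0018A45C4D1DEF81644B54AB7F969B88D65:3",   # unrelated suffix (constructed)
    f"{_WEAK_SUFFIX}:3861493",                 # our weak password (constructed count)
    "011053FD0102E94D6AE2F8B83D76FAF94F6:0",   # padding line, must be dropped
])


def constructed_fetch(prefix: str) -> str:
    """Offline fetcher that serves the constructed range for any prefix."""
    return CONSTRUCTED_RANGE


if __name__ == "__main__":
    # Swap constructed_fetch for fetch_range_hibp to query the live API.
    for pw in (_WEAK_PASSWORD, "Tr0ub4dor&3-constructed-example"):
        print(f"{pw!r}: seen {pwned_count(pw, constructed_fetch)} times (offline sample)")
```

The same pattern (hash locally, send a short prefix, compare the rest client-side) is what makes it safe to check credentials recovered from infostealer logs in bulk; passing `fetch_range_hibp` instead of `constructed_fetch` queries the live service.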


