Endgame 3.0
Operation Endgame 3.0 is here. On Thursday, November 13th 2025, a coalition of international law enforcement agencies formally announced its latest campaign against high-profile criminal infrastructure used for ransomware attacks. The latest operation is disrupting the Rhadamanthys infostealer, VenomRAT, and the Elysium botnet, each a significant player in international cybercrime.
Infected machines identified from various parts of the Rhadamanthys infrastructure have been shared with Spamhaus, which will support remediation.
Data
Use the access key that Spamhaus sent you by email to access the list of infected machines below.
What is Operation Endgame?
Operation Endgame is a coordinated international law enforcement action targeting key cybercrime botnets. Launched in May 2024, it became the largest operation ever against botnets involved with ransomware, resulting in multiple detentions and interrogations, as well as server takedowns which disrupted the biggest malware droppers, including IcedID, Smokeloader, SystemBC, Pikabot, and Bumblebee.
In May 2025, Operation Endgame 2.0 expanded its efforts to target “initial access” malware families — including Bumblebee, Latrodectus, Qakbot, DanaBot, Trickbot, and WarmCookie — dismantling over 300 servers, neutralising around 650 domains, and issuing multiple arrest warrants.
The initiative entered its third major phase in November 2025, with Endgame 3.0, this time targeting the Rhadamanthys infostealer, VenomRAT, and the Elysium botnet. The dismantled infrastructure spanned hundreds of thousands of infected computers holding millions of stolen credentials, with access to more than 100,000 crypto wallets, potentially worth millions of euros.
A crucial aspect of operating cybercrime infrastructure, such as these botnets, relies on the use of stolen credentials. Law enforcement has shared data relating to Rhadamanthys-infected machines with Spamhaus, who will be helping with remediation.
How were these accounts involved?
Threat actors obtain credentials by using remote access tools (RATs) and infostealers, leveraging infected machines to spread malware further or gain initial access to targeted networks and organizations. The data that will be provided by Spamhaus reflects machines infected with Rhadamanthys as part of these breaches.
Since this information has been recovered from multiple components of criminal infrastructure, we are unable to individually verify every entry. Some accounts may be outdated or already secured. However, given the potential threat, we believe sharing the complete dataset remains valuable.
Please note: the data we share covers roughly the last 8 months (from the end of March 2025 until November 10th 2025), so the current situation may be different.
What should be done?
If you receive an access key from Spamhaus via email, run antivirus and malware removal tools on identified breached machines as soon as possible, and reset passwords for any online services you may have accessed from them. Your company should get in contact with any related customers to support remediation.
What should we as the ISP or service provider tell our customers?
Here is a handy template you will be able to use:
Dear Administrator,
Spamhaus, who is working in conjunction with international law enforcement, has notified us regarding machines infected with Rhadamanthys malware. This malicious software was being used by cybercriminals to steal login credentials for many online services.
We ask that you run antivirus and malware removal tools on these machines, and reset passwords for any online services you may have accessed from them.
The list of infected machines is as follows:
1.2.3.4 DESKTOP-EXAMPLE
......
We greatly appreciate any action you take in securing these machines and helping to ensure that they are not further abused by miscreants to do any harm to other users on the internet.
Regards,
Example Trust and Safety Department
What do the various fields in the data mean?
Both the JSON and the CSV formats contain the same fields. Here is a CSV example:
ip,machine name,timestamp
192.0.2.1,DESKTOP-GFF1S23,2025-11-09T01:02:03Z
ip: IP address used by the infected machine.
machine name: Windows hostname (computer name) of the infected machine.
timestamp: Date and time the malware was active on the machine.
A note on timing: the timestamp is reproduced as-is from the malware infrastructure. We recommend running antivirus and malware-removal tools on these machines and resetting the passwords for any online services you accessed from them, particularly if you haven’t done so recently, as the dataset was actively used very recently and may have been shared with other bad actors.
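The following is an added example, not Spamhaus code, showing how an ISP or hosting provider could process the CSV described above and produce the per-customer notice from the template in the "What should we as the ISP or service provider tell our customers?" section. It validates each row (IP address and ISO 8601 timestamp), keeps only the most recent sighting per machine, groups machines by customer using a constructed CIDR-to-customer mapping, and fills in the template. The sample rows, the customer mapping and the function names are all assumptions made for illustration; the real feed only promises the three documented fields.

```python
"""Added example (not Spamhaus code): parse the Rhadamanthys remediation CSV,
de-duplicate to the latest sighting per machine, group by customer and render
the notification template from this page. Sample data and the customer
mapping are constructed for illustration."""
import csv
import io
import ipaddress
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample in the documented format: ip,machine name,timestamp.
# One duplicate machine (older sighting) and one malformed row are included
# to exercise de-duplication and validation.
SAMPLE_CSV = """ip,machine name,timestamp
192.0.2.1,DESKTOP-GFF1S23,2025-11-09T01:02:03Z
192.0.2.1,DESKTOP-GFF1S23,2025-06-01T10:00:00Z
198.51.100.7,LAPTOP-4X2Q,2025-04-15T08:30:00Z
not-an-ip,BROKEN,2025-05-01T00:00:00Z
"""

# Hypothetical mapping from address block to customer account, as a provider
# would keep it in its own records (assumption, not part of the feed).
CUSTOMER_BLOCKS = {
    "192.0.2.0/24": "customer-a",
    "198.51.100.0/24": "customer-b",
}


def parse_timestamp(value):
    """Feed timestamps are UTC ISO 8601 with a trailing 'Z'; normalise to aware UTC."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def parse_records(text):
    """Return (records, rejected): validated rows and rows that failed validation."""
    records, rejected = [], []
    for row in csv.DictReader(io.StringIO(text)):
        try:
            ip = ipaddress.ip_address(row["ip"].strip())
            ts = parse_timestamp(row["timestamp"].strip())
            machine = row["machine name"].strip()
        except (ValueError, KeyError, AttributeError):
            rejected.append(row)  # keep malformed rows for manual review
            continue
        records.append({"ip": ip, "machine": machine, "timestamp": ts})
    return records, rejected


def latest_per_machine(records):
    """Keep one entry per (ip, machine name): the most recent sighting, newest first."""
    latest = {}
    for r in records:
        key = (r["ip"], r["machine"])
        if key not in latest or r["timestamp"] > latest[key]["timestamp"]:
            latest[key] = r
    return sorted(latest.values(), key=lambda r: r["timestamp"], reverse=True)


def customer_for(ip):
    """Look up which customer block an address falls into (None if unknown)."""
    for cidr, name in CUSTOMER_BLOCKS.items():
        if ip in ipaddress.ip_network(cidr):
            return name
    return None


def group_by_customer(records):
    groups = defaultdict(list)
    for r in records:
        groups[customer_for(r["ip"])].append(r)
    return dict(groups)


def render_notice(machines):
    """Fill the page's notification template for one customer's machines."""
    listing = "\n".join(
        f"{r['ip']} {r['machine']} (last seen {r['timestamp']:%Y-%m-%d %H:%M}Z)"
        for r in machines
    )
    return (
        "Dear Administrator,\n\n"
        "Spamhaus, who is working in conjunction with international law enforcement, "
        "has notified us regarding machines infected with Rhadamanthys malware. "
        "This malicious software was being used by cybercriminals to steal login "
        "credentials for many online services.\n\n"
        "We ask that you run antivirus and malware removal tools on these machines, "
        "and reset passwords for any online services you may have accessed from them.\n\n"
        "The list of infected machines is as follows:\n"
        f"{listing}\n\n"
        "Regards,\nExample Trust and Safety Department\n"
    )


if __name__ == "__main__":
    recs, rejected = parse_records(SAMPLE_CSV)
    print(f"{len(recs)} valid rows, {len(rejected)} rejected")
    for customer, machines in group_by_customer(latest_per_machine(recs)).items():
        print(f"--- notice for {customer} ---")
        print(render_notice(machines))
```

Rejected rows are returned rather than silently dropped so that a malformed entry can be checked by hand; the de-duplication step matters because the feed can list the same machine several times across the stated 8-month window, and only the latest sighting is needed to decide who to notify.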
Where can I find publications about Endgame and the takedown?
Official publications: Operation Endgame website
Europol: End of the game for cybercrime infrastructure: 1025 servers taken down
You contacted us at the incorrect/outdated address; can this be updated?
Yes! Please tell us what addresses we should use instead by emailing:
remediation-team@spamhaus.org
I have a question that is not answered here
You can get in touch with the team via our contact form.