Australian, global agencies cripple major cybercrime malware tools
Australian and international law enforcement agencies, working in collaboration with cybersecurity company Proofpoint, have disrupted two major malware families, Rhadamanthys and VenomRAT, that have been used by cybercriminals targeting organisations worldwide, including in Australia.
Malware disruption
Operation Endgame culminated in coordinated actions that dismantled infrastructure behind both Rhadamanthys and VenomRAT. The operation involved multiple law enforcement and private sector partners across global jurisdictions. Authorities targeted infrastructure supporting the distribution, advertising, and licensing of the malware, disabling the tools used to compromise private and enterprise systems for criminal gain.
Australian involvement
Australian judicial authorities participated actively in the international effort, reflecting the country's exposure to the cyber threats posed by these malware families. The collaborative action underlines the cross-border dimension of cybercrime and the role of Australian victims in globally coordinated cyber-attacks.
Details on Rhadamanthys
Rhadamanthys has been present since 2022 and is associated with a range of cybercriminal actors. It is often delivered through email, malicious web injects, and online advertisement campaigns. The malware is modular and is sold with other hacking tools such as Elysium Proxy Bot and a Crypt Service. By disrupting infrastructure operated by its affiliates, authorities sought to reduce its use in targeting businesses and individuals internationally.
VenomRAT takedown
VenomRAT, a remote access trojan based on open-source code from Quasar RAT, has been in circulation since 2020. Proofpoint observed frequent use of VenomRAT by TA558, a threat group known for targeting hotel and hospitality sectors. The malware has functionality for information gathering, data exfiltration, lateral movement, and, in some variants, ransomware deployment. Law enforcement activities resulted in the arrest of the alleged creator in Greece and the takedown or disruption of more than 1,000 servers and 20 internet domains linked to its operation.
Collaboration impact
The disruption of Rhadamanthys and VenomRAT comes as part of Operation Endgame's broader ongoing actions against botnets and criminal cyber infrastructure. The international scope of the operation highlights the sharing of threat intelligence and technical expertise between law enforcement and private sector contributors. Authorities previously achieved significant results in combatting separate malware strains, including the 2025 takedown of DanaBot. Ongoing efforts aim to undermine the operational base of criminals deploying mass-scale malware.
Proofpoint's role
Proofpoint supported law enforcement agencies with what it described as advanced threat intelligence and unique insight into the malware's distribution and function. The company said the information and visibility it provided were key to assisting in the successful execution of law enforcement operations against entrenched cybercriminal capabilities.