Operation Endgame dismantled Rhadamanthys, VenomRAT, and Elysium
DC US Attorney launches investigation into crypto scams, APT exploited Citrix Bleed2 flaws in Cisco ISE, CISA orders patching of Cisco ASA and Firepower devices, Extremist group 764 member faces charges related to online child exploitation, Musk fumbles X security key switchover, much more

Metacurity is a reader-supported publication that requires significant work and non-trivial expenses. We rely on the generous support of our paid readers. Please consider upgrading your subscription to support Metacurity's ongoing work. Thank you.
If you're unable to commit to a subscription today, please consider donating whatever you can. Thank you!
Between November 10 and 15, the latest phase of Operation Endgame targeted one of the biggest infostealers, Rhadamanthys, the Remote Access Trojan VenomRAT, and the botnet Elysium, all of which played a key role in international cybercrime.
Authorities took down these three significant cybercrime enablers. The main suspect for VenomRAT was also arrested in Greece on Nov. 3, 2025.
The infrastructure dismantled during the action days was responsible for infecting hundreds of thousands of victims worldwide with malware. Operation Endgame, coordinated by Europol and Eurojust, is a joint effort between law enforcement and judicial authorities of Australia, Belgium, Canada, Denmark, France, Germany, Greece, Lithuania, the Netherlands, the United Kingdom, and the United States to tackle ransomware enablers.
More than 30 national and international public and private parties are supporting the actions. Significant contributions were made by the following private partners: Cryptolaemus, Shadowserver and RoLR, Spycloud, Cymru, Proofpoint, CrowdStrike, Lumen, Abuse.ch, HaveIBeenPwned, Spamhaus, DIVD, and Bitdefender.
The coordinated actions led to one arrest in Greece, eleven locations searched (one in Germany, one in Greece, and nine in the Netherlands), over 1,025 servers taken down or disrupted worldwide, and twenty domains seized.
The dismantled malware infrastructure consisted of hundreds of thousands of infected computers containing several million stolen credentials. Many of the victims were not aware of the infection in their systems.
The main suspect behind the infostealer had access to over 100,000 crypto wallets belonging to these victims, potentially worth millions of euros. Check if your computer has been infected, and what to do if so, at politie.nl/checkyourhack and haveibeenpwned.com. (Europol)
Related: Operation Endgame, Databreaches.net, Have I Been Pwned, politie.nl, The Record, The Register, Shadowserver, Infosecurity, The Cyber Express, CyberInsider, Help Net Security, Cyber Security News

US Attorney Jeanine Pirro, the top prosecutor in the District of Columbia, said that her office had launched the first investigative task force in the country focused on cryptocurrency scams to neutralize the overseas crime organizations draining billions of dollars from unsuspecting Americans.
The Scam Center Strike Force already has seized more than $401 million linked to crypto scams, and officials filed legal documents to recoup another $80 million for victims, Pirro said. Hundreds of those victims were targeted on dating apps, according to the US Secret Service, which is part of the task force along with officials from the FBI and the State and Treasury departments.
The scammers often have ties to organized crime in China or violent militarized groups in Myanmar, officials said.
Officials are working with US companies, such as internet service providers and social media services, to shut down the websites and user accounts associated with crypto scams, Pirro said. Facebook’s parent company, Meta, has told officials it will collaborate with the task force, and Microsoft and AARP also “want to work with us,” she said.
“We estimate that more than 400,000 people from more than 70 countries are forced to work in these scam compounds, primarily in Burma, Cambodia, and Laos,” Bradley Smith, the director of Treasury’s Office of Foreign Assets Control, said at a news conference.
Smith singled out the Tai Chang compound in Myanmar, which is also known as Burma. The new task force is seeking warrants to seize the satellite terminals it uses to access the internet. The compound is run by the Democratic Karen Benevolent Army, an armed group that has supported Myanmar’s military junta in that country’s civil conflict while collaborating with Chinese organized crime.
The group’s soldiers have been filmed beating handcuffed scam center workers, and rescued workers have reported being subjected to electric shocks and being hung by their arms inside dark rooms, according to Treasury officials. (Salvador Rizzo / Washington Post)
Related: Chainalysis, Treasury Department, New York Times, US Department of Justice, Bloomberg, Fox Business, KDBC, The Record, OCCRP

Amazon’s threat intelligence team reports that an advanced threat actor exploited two critical vulnerabilities as zero-days to deploy custom malware: Citrix Bleed 2 (CVE-2025-5777) in NetScaler ADC and Gateway, and CVE-2025-20337 in Cisco Identity Services Engine (ISE).
Analyzing “MadPot” honeypot data, the team found that the attackers had exploited both flaws before they were publicly disclosed and before patches were available.
“Our Amazon MadPot honeypot service detected exploitation attempts for the Citrix Bleed Two vulnerability (CVE-2025-5777) before public disclosure, indicating a threat actor had been exploiting the vulnerability as a zero-day,” explains Amazon.
“Through further investigation of the same threat exploiting the Citrix vulnerability, Amazon Threat Intelligence identified and shared with Cisco an anomalous payload targeting a previously undocumented endpoint in Cisco ISE that used vulnerable deserialization logic.”
Citrix Bleed 2 is a NetScaler ADC and Gateway out-of-bounds memory read problem that the vendor published fixes for in late June.
Amazon says that the two flaws, CVE-2025-5777 and CVE-2025-20337, were leveraged in APT attacks before Citrix and Cisco published their initial security bulletins.
The hackers leveraged CVE-2025-20337 to gain pre-auth admin access to Cisco ISE endpoints and deployed a custom web shell named ‘IdentityAuditAction,’ disguised as a legitimate ISE component.
The use of multiple undisclosed zero-day flaws and the advanced knowledge of Java/Tomcat internals and the Cisco ISE architecture all point to a highly resourced and advanced threat actor. However, Amazon could not attribute the activity to a known threat group. (Bill Toulas / Bleeping Computer)
Related: CISA, Amazon, Security Week, The Record, The Register, CyberScoop, Security Affairs, Techzine
CISA warned US federal agencies to fully patch two actively exploited vulnerabilities in Cisco Adaptive Security Appliances (ASA) and Firepower devices.
Tracked as CVE-2025-20362 and CVE-2025-20333, these security flaws allow remote threat actors to access restricted URL endpoints without authentication and gain code execution on vulnerable Cisco firewall devices, respectively. If chained, they can enable unauthenticated attackers to gain complete control of unpatched devices remotely.
When it patched the two flaws in September, Cisco cautioned customers that they had been exploited as zero-days in attacks targeting 5500-X Series devices with VPN web services enabled. The company also linked these attacks to the ArcaneDoor campaign, which has exploited two other zero-day bugs (CVE-2024-20353 and CVE-2024-20359) to breach government networks since November 2023.
The same day, CISA issued Emergency Directive 25-03, ordering US federal agencies to secure their Cisco firewall devices within 24 hours against active exploitation of CVE-2025-20362 and CVE-2025-20333.
Internet monitoring platform Shadowserver currently tracks over 30,000 Cisco devices vulnerable to these attacks, down from more than 45,000 when it first began tracking the two vulnerabilities in early October. (Sergiu Gatlan / Bleeping Computer)
Related: CISA, The Record

Erik Lee Madison, a 20-year-old Maryland man allegedly associated with the violent extremist group 764, is in federal custody, facing charges of sexual exploitation of children, online coercion and enticement, and cyberstalking.
He is accused of victimizing at least five children this fall, including one as young as 13 at the time. His alleged criminality dates back to 2020, when he was a minor.
Madison’s alleged association with 764, an offshoot of The Com, and the crimes he’s accused of follow a common thread of nihilistic violent extremism. Members of the loose-knit collective and its associated groups, which span thousands of people, typically between 11 and 25 years old, commit financially motivated, sexual, and violent crimes, according to the FBI.
Prosecutors accuse Madison of targeting, stalking, and coercing his victims on Discord, Roblox, Instagram, Snapchat, and Telegram. Authorities have warned that 764 members use these services to target minors. Some of these platforms sent tips to authorities to report on Madison’s alleged crimes. (Matt Kapko / CyberScoop)
Related: WBAL, Baltimore Sun
Reports across social media suggest that users of Elon Musk’s X are getting stuck in endless loops and, in some cases, getting locked out of their X account, following a mandatory two-factor security change that seems to have gone wrong.
On October 24, X said in a post that it was asking users who rely on passkeys or hardware security keys (such as YubiKeys) as their method of two-factor authentication to re-enroll using the x.com domain. (Users who use an authenticator app are unaffected.)
X said this was part of an effort to retire the older twitter.com domain, which currently redirects to x.com. That change took effect in May 2024. The problem is that passkeys and security keys are digitally tied to the old twitter.com domain and can’t be transferred to x.com. That means users have to manually un-enroll and re-enroll using the new x.com domain.
As part of the switchover, X warned that after November 10, customers would have their accounts locked until they re-enroll or choose another method of two-factor authentication.
Now that the deadline has passed, plenty of users are reporting that they’ve been locked out of their accounts and can’t re-enroll their passkey or security key, citing error messages or getting caught in an endless loop. (Zack Whittaker / TechCrunch)
Related: Storyboard 18
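The lock-out above comes down to a property of WebAuthn rather than an X-specific bug: a passkey or security key is bound to a Relying Party ID (a domain), and every assertion the authenticator signs carries a SHA-256 hash of that RP ID, which the server must match against the domain it expects. The following Python is an added illustration, not code from TechCrunch, X, or any WebAuthn library. It constructs sample authenticator data for a credential registered under twitter.com and shows that a server verifying under x.com rejects it; the client-side rule (`rp_id_allowed_for_origin`) is simplified, ignoring the public-suffix check real browsers apply. Function names and the sample data are assumptions made for this example.

```python
import hashlib
import hmac
import struct


def rp_id_hash(rp_id: str) -> bytes:
    """SHA-256 of the RP ID: the first 32 bytes of WebAuthn authenticator data."""
    return hashlib.sha256(rp_id.encode("utf-8")).digest()


def build_authenticator_data(rp_id: str, user_present: bool = True,
                             user_verified: bool = True, sign_count: int = 1) -> bytes:
    """Constructed sample of the authenticator data an authenticator emits for an
    assertion (rpIdHash || flags || signCount). Not output from a real key."""
    flags = 0
    if user_present:
        flags |= 0x01  # UP flag
    if user_verified:
        flags |= 0x04  # UV flag
    return rp_id_hash(rp_id) + bytes([flags]) + struct.pack(">I", sign_count)


def verify_assertion_rp_binding(authenticator_data: bytes, expected_rp_id: str) -> bool:
    """Relying-party check from the WebAuthn assertion verification procedure:
    rpIdHash in the authenticator data must equal SHA-256 of the RP ID the server
    expects. A credential enrolled for twitter.com can never satisfy a server
    expecting x.com, which is why re-enrollment is required."""
    if len(authenticator_data) < 37:
        return False
    return hmac.compare_digest(authenticator_data[:32], rp_id_hash(expected_rp_id))


def rp_id_allowed_for_origin(origin_host: str, rp_id: str) -> bool:
    """Simplified client-side rule (assumption: public-suffix check omitted):
    the RP ID must be the origin's host or a parent domain of it, so a page on
    x.com cannot ask for a credential scoped to twitter.com."""
    return origin_host == rp_id or origin_host.endswith("." + rp_id)


def demo() -> dict:
    """Run the scenario from the article and return the outcomes."""
    legacy_key = build_authenticator_data("twitter.com")   # enrolled before the switch
    new_key = build_authenticator_data("x.com")            # re-enrolled on x.com
    return {
        "legacy_key_verifies_on_twitter": verify_assertion_rp_binding(legacy_key, "twitter.com"),
        "legacy_key_verifies_on_x": verify_assertion_rp_binding(legacy_key, "x.com"),
        "x_origin_may_request_twitter_rp_id": rp_id_allowed_for_origin("x.com", "twitter.com"),
        "new_key_verifies_on_x": verify_assertion_rp_binding(new_key, "x.com"),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The practical consequence for any service migrating domains is the one X ran into: because the binding is cryptographic, the old credentials cannot be transferred server-side, so users must be given a working re-enrollment path (and a fallback second factor) before the old credentials are cut off.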
Democratic Senator Ron Wyden and 39 other Democratic lawmakers sent letters to blue states urging like-minded governors to ensure that their residents' data wasn't taken by US Immigration and Customs Enforcement, which has become the spear tip of President Donald Trump's mass deportation program.
"We urge you to block ICE’s access," the letters said. "This commonsense step will improve public safety and guard against Trump officials using your state’s data for unjustified, politicized actions, while still allowing continued collaboration on serious crimes."
Driver's license data is shared between state, local, and federal police forces through a nonprofit organization called Nlets. ICE and another Department of Homeland Security body, Homeland Security Investigations, also have access to the system, the letter said, and the two agencies together accounted for nearly 900,000 queries against the database in the year before Oct. 1. (Raphael Satter / Reuters)
Related: US Senator Ron Wyden, CyberScoop, FedScoop, KATU, Daily Beast
According to sources, a senior US military officer with no digital warfare experience, Lt. Gen. Joshua Rudd, the No. 2 at US Indo-Pacific Command, has emerged as a top contender to lead US Cyber Command and the National Security Agency.
The sources stressed that Rudd could easily fall out of contention, given the already drawn-out, chaotic process that has seen two candidates — including the current acting Cyber Command and NSA chief — ultimately not receive the nomination.
The military’s top cyberwarfare organization and the world’s most powerful electronic spying agency have been without a permanent leader for more than seven months now, since Trump fired Air Force Gen. Timothy Haugh, along with his top NSA deputy.
The moves, for which far-right activist Laura Loomer later claimed credit, have shaken both Cyber Command and the NSA, though key leadership posts have begun to be filled at the spy agency. (Martin Matishak / The Record)
Deepwatch, a cybersecurity firm that makes an AI-powered detection and response platform, laid off dozens of employees on Wednesday, citing AI as one of the reasons.
John DiLullo, CEO at Deepwatch, said in an email that the company “is aligning our organization to accelerate our significant investments in AI and automation.”
A current Deepwatch employee said that the layoffs affected between 60 and 80 staffers, out of a workforce of around 250 employees. A post on LinkedIn by a person who said they were laid off mentioned 80 people as well.
“They’re doing something with AI and agentic AI, but it sounds like bullshit,” the current employee told TechCrunch. (Lorenzo Franceschi-Bicchierai / TechCrunch)
Related: Dataconomy
Following an announcement in August that Android will block users from installing apps made by unverified developers, Google announced a significant concession to appease these users, saying it is building a new “advanced flow” that will allow “experienced users to accept the risks of installing software that isn’t verified.”
Google says this new advanced flow is intended for developers and power users who “have a higher risk tolerance and want the ability to download unverified apps.” The company says it is “designing this flow specifically to resist coercion” to ensure that “users aren’t tricked into bypassing these safety checks while under pressure from scammers.”
The flow will include “clear warnings” to ensure that users “fully understand the risks involved” with installing apps made by unverified developers, but ultimately, it puts the choice to do so in the user’s hands. Google says it is currently gathering early feedback on the design of this feature and will share more details in the coming months. (Mishaal Rahman / Android Authority)
Related: Android Developers Blog, The Verge, 9to5Google, Droid Life, The Register, SamMobile, WinBuzzer, SammyGuru, Android Police, r/GooglePixel, r/AfterVanced, r/privacy, r/Android, r/revancedapp, r/androiddev, r/UpliftingNews
Cho Jwa-jin, CEO of Lotte Card, which suffered a customer data breach due to a hacking incident, will resign on the 1st of next month.
Cho assumed the role of CEO at Lotte Card in March 2020 and was reappointed three times over six years.
Cho's original term was set to end in March of next year. He is understood to have chosen to resign early because he had promised personnel reforms following the hacking incident.
According to Lotte Card on the 13th, Cho posted a message titled 'I Will Take Final Responsibility as CEO' on the company's internal bulletin board and stated that he would inform the board of his resignation as CEO at an extraordinary board meeting to be held on the 21st.
Cho's announcement follows the resignation of KT CEO Kim Young-shub, who resigned earlier this month, also following a major cyber breach. (You So-yeon / The Chosun Daily)
Related: Chosun Biz
Mt. Baker Imaging (MBI), a Whatcom County medical center in Washington state, has responded to a cyberattack involving personal information from hundreds of thousands of state residents.
MBI posted a notice on its website on Oct. 30 giving more details about the data breach that occurred roughly nine months earlier. The company also sent out letters with similar information to patients who were believed to have been affected by the breach.
MBI says the affected data included patients’ first and last names, Social Security numbers, driver’s license numbers, treatment and diagnosis information, and more.
It adds that it has no evidence that the compromised information was used maliciously, but it has still added extra security measures to prevent it from happening again.
According to a filing with the state Attorney General’s Office, over 348,000 Washington residents were impacted by the breach. (Jason Upton / My Bellingham Now)
Related: Washington State Attorney General, Mt. Baker Imaging, Bellingham Herald
Beijing has accused Australia’s domestic spy boss of “spreading disinformation” and “sowing division and confrontation” after he again warned that elite Chinese hackers were targeting this country’s critical infrastructure networks.
The unusually personal attack against ASIO Chief Mike Burgess followed a speech where the spy boss said China could bring down Australia’s financial, telecommunications and utilities systems in a “high-impact sabotage” attack.
“I have previously said we’re getting closer to the threshold for high-impact sabotage — well, I regret to inform you — we’re there now,” Mr Burgess told business leaders at the ASIC conference in Melbourne.
The ASIO boss also referenced the activities of two Beijing-controlled hacking units known as Salt Typhoon and Volt Typhoon, which he said were “working for the Chinese government and their military." (Anthony Greene / The Nightly)
Related: Financial Review, China Daily
Cybernews confirmed a post on a popular hacker forum, likely made by the alleged perpetrators, claiming that 353 gigabytes of data were stolen in a breach of the network of Doctor Alliance, a health IT platform that provides automated billing services.
For now, the data has not been leaked, with the user going by the alias “Kazu” threatening to either post or sell the information on November 21, 2025, assuming a ransom of $200,000 is not paid.
Kazu, who could represent a group of individuals, released a small 200 MB sample to prove they have the goods. Cybernews said the revealed files include “various medical records, riddled with sensitive personal data,” specifically details on patient prescriptions, treatment plans, names, health insurance numbers, phone numbers, home addresses, hospital orders, and more.
Such data access would constitute a reportable breach under the terms of the Health Insurance Portability and Accountability Act (HIPAA). (Chad Van Alstin / HealthExec)
Related: HealthExec, SC Media, TechRadar, Databreaches.net
Synnovis, a leading UK pathology services provider, is notifying healthcare providers that a data breach occurred following a ransomware attack in June 2024, which resulted in the theft of some patients' data.
Synnovis is now reaching out to affected organizations, including NHS hospitals and clinics, but will not contact patients directly. Patient notifications will be handled by the impacted NHS organizations, as required by UK data protection law.
"We have now begun notifying the organisations whose data was affected and expect to conclude this process by 21 November 2025. This marks the latest stage of investigation that has taken a large team of forensic experts and data specialists over a year to complete," Synnovis said in a Monday press release.
"The stolen data was unstructured, incomplete, and fragmented, requiring the use of highly specialised platforms and bespoke processes to piece it together – factors which heavily influenced the duration of the investigation." (Sergiu Gatlan / Bleeping Computer)
Related: ComputerWeekly, BankInfoSecurity, The Record, Security Week, The Register, UKAuthority
In its first-quarter earnings report, business services and technology company Conduent said it did not experience any material impacts to its operating environment or costs from a January 2025 cyberattack itself, but said it incurred $25 million in non-recurring expenses from direct response costs.
Those losses have continued to increase, with a further $9 million added to that total for breach notifications through the end of September, according to its third-quarter earnings report.
Conduent also anticipates incurring a further $16 million in costs related to breach notifications by the first quarter of 2026, but said it holds a cyber insurance policy and expects that any additional notification costs will be covered by the insurance policy.
Further costs may be incurred due to the impacted data, reputational harm, litigation, and regulatory actions, which could affect the company’s financial position. Several lawsuits have already been filed in response to the data breach, and Conduent is certain to be investigated by the HHS’s Office for Civil Rights and state attorneys general. Regulatory fines may be imposed if Conduent is found to have violated state or federal regulations. (Steve Alder / The HIPAA Journal)
Related: TechTarget, Austin-American-Statesman
Sweet Security, a Tel Aviv-based startup founded by the Israeli army’s former chief information security officer, has raised $75 million in a Series B venture funding round.
Evolution Equity Partners led the round, with additional support from Glilot Capital Partners, Key1 Capital, and Munich Re Ventures. (Marissa Newman / Bloomberg)
Related: Globes, SiliconANGLE, Pulse 2.0, Channel E2E, Israel Defense, AIThority, Security Week
Best Thing of the Day: Evergreen Advice
As if any of our readers need reminding, the Verge's Gaby Del Valle spells out the reasons why it's never a good idea to hand your phone to a cop.
Worst Thing of the Day: Don't Trust DHS to Delete Data
The Department of Homeland Security collected data on Chicago residents accused of gang ties to test if police files could feed an FBI watchlist, and months passed before anyone noticed the data wasn't deleted.
Closing Thought
