Operation Endgame 3.0
November 14, 2025
•[ infostealer, remote access trojan, botnet ]
Between 10 and 13 November 2025, the latest phase of Operation Endgame was coordinated from Europol's headquarters in The Hague. The actions targeted one of the biggest infostealer Rhadamanthys, the Remote Access Trojan VenomRAT, and the botnet Elysium, all of which played a key role in international cybercrime. Authorities took down these three large cybercrime enablers and provided 2 million impacted email addresses and 7.4 million passwords to HIBP.
Operation Endgame 3.0
November 13, 2025
•[ infostealer, remote access trojan, botnet ]
Between 10 and 13 November 2025, the latest phase of Operation Endgame was coordinated from Europol's headquarters in The Hague. The actions targeted one of the biggest infostealer Rhadamanthys, the Remote Access Trojan VenomRAT, and the botnet Elysium, all of which played a key role in international cybercrime. Authorities took down these three large cybercrime enablers and provided 2 million impacted email addresses and 7.4 million passwords to HIBP.
Government of Paraguay (employee workstation compromise)
June 7, 2025
•[ data leak, infostealer, credential theft ]
Infostealer malware installed on a Paraguayan government employees computer harvested credentials and tokens, enabling attackers to exfiltrate databases containing personal information on effectively the entire national population. Security researchers confirmed millions of identity recordsincluding names, national IDs, and contact detailswere leaked online in early June 2025. The Record verified the exposure and found no evidence of ransomware or system disruption.
Undisclosed U.S. government agency (reported as “Department of Government Efficiency”)
May 8, 2025
•[ infostealer, malware, credential leak ]
Ars Technica reports a government software engineers workstation was infected with info-stealing malware, with login credentials appearing in multiple stealer-log dumps since 2023; investigation centers on credential exposure rather than confirmed enterprise compromise.
HighWire Press Inc.
April 5, 2025
•[ infostealer, data leak ]
On April 5 2025, Hellcat claimed access to HighWire Press systems using credentials harvested by an infostealer. Data exfiltration was listed on the Hellcat leak site. No encryption or operational disruption has been confirmed.
LeoVegas Group
April 5, 2025
•[ data leak, infostealer, compromised credentials ]
On April 5 2025, Hellcat listed LeoVegas Group on its leak site, claiming exfiltration of internal data through compromised Jira credentials obtained from an infostealer. Hudson Rock verified the inclusion of LeoVegas in the same credential set. No encryption confirmed.
Asseco Poland S.A.
April 5, 2025
•[ data leak, infostealer ]
On April 5 2025, Hellcat listed Asseco Poland on its leak site, claiming data exfiltration using Jira credentials stolen through an infostealer. Hudson Rocks analysis confirmed separate credential sets and data exfiltration from Assecos Jira environment. No encryption was reported or confirmed.
Racami LLC
April 5, 2025
•[ data leak, stolen credentials, infostealer ]
On April 5 2025, Hellcat listed Racami on its leak site, stating it had accessed and exfiltrated internal Jira project data using stolen credentials gathered through an infostealer campaign. No encryption or operational disruption was reported.
Kosovo Central Election Commission (KQZ)
February 11, 2025
•[ malware, infostealer ]
Cybersecurity experts observed that the official CEC website was infected with Lumma stealer via fake CAPTCHA payloads, distributing unauthorized links and malware to visitors. The site was targeted during and after elections, with evidence of malware distribution. No actor attribution was confirmed.
Chemical, Food, and Pharmaceutical Enterprises in Russia
February 5, 2025
•[ infostealer, phishing, data leak ]
Nova Infostealer campaign led by Rezet, also known as Rare Wolf, targeted Russian chemical, food, and pharmaceutical firms, harvesting credentials and internal documents through phishing and malicious installers.
Russian Industrial Facilities
February 5, 2025
•[ infostealer, phishing, malware ]
Nova Infostealer was deployed by the threat group NGC4020 in Russian industrial facilities, stealing host credentials and files from infected endpoints through phishing and malicious installer packages.
