
A 38-year-old Albanian national believed to be the creator and operator of the notorious VenomRAT malware has been arrested in Athens, Greek authorities confirmed on Thursday. The arrest formed part of Operation Endgame, a Europol-coordinated crackdown targeting one of the world’s biggest remote-access cybercrime networks.

The suspect was taken into custody at his residence in Nikaia, southwest Athens, during a coordinated international action carried out between November 10 and 13. Law-enforcement agencies from 11 countries — including Greece, the United States, France, Germany, and the United Kingdom — participated in the operation. FBI agents and French judicial officials traveled to Athens to assist.
Authorities executed searches across 11 locations in Germany, Greece and primarily the Netherlands, shutting down 1,025 servers and 20 websites. Europol reports that VenomRAT has infected hundreds of thousands of computers globally, allowing hackers to infiltrate devices without users’ knowledge. The suspect allegedly stole passwords and accessed digital wallets belonging to roughly 100,000 victims, causing damages in the millions of euros.
First detected in March 2020, VenomRAT spread through deceptive email links that deployed the malware once opened. The software enabled attackers to log keystrokes, access stored files and steal cryptocurrency.
Greek police played a crucial role in the investigation. In March 2022, foreign authorities alerted Greece that the malware’s creator was likely operating in the country, offering subscription access for €150 per month or €1,550 annually. Greece’s Cyber Crime Unit traced the suspect to Nikaia and tracked associated servers to Paris.
During a raid on November 3, officers seized €15,000 in cash, €8,000 in cryptocurrency, 11 debit cards, mobile phones, hard drives and USB devices. Investigators also uncovered a crypto-wallet app containing $140,000. On the suspect’s computer, police found multiple versions of the VenomRAT source code and evidence linking him to a website promoting the malware.
He was arrested under a European warrant issued by French authorities.

Features:
- Creating hidden Desktop
- Creating hidden Startup
- Launching hidden Explorer and PowerShell
- Launching hidden Browsers such as Chrome, Firefox, Edge, Internet Explorer, Pale Moon & Pale Waterfox

The malware also supported the following REMOTE SYSTEM features on the victim’s system:

- Remote Keylogger
- Collecting system information
- Controlling File manager, Task manager, and Registry editor
- Executing remote Shell commands
- Monitoring TCP connections
- Performing reverse proxy attacks and UAC exploits
- Disabling Windows Defender
- Utilizing the system’s Microphone to record
- Downloading and executing files into disk/memory
- Using an active scheduler to achieve multitasking

Additionally, VenomRAT had the following REMOTE FUN capabilities on the victim’s machine:

- Switch On/Off the system monitor
- Show/Hide Taskbar, start button, explorer, clock, tray & mouse pointer
- Enable/Disable the task manager & registry editor
- Disable UAC (User Account Control), etc.

The RAT also supported Anti-kill (which prevents termination of the RAT client), creating a mutex, adding a start-up entry for persistence, changing the RAT client’s icon and name, and encrypting the connection with its Command and Control (C&C) server.
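
Several of the capabilities listed above (disabling the task manager, registry editor, UAC and Windows Defender, and adding a start-up entry) leave traces in registry-change telemetry that defenders can hunt for. The following is an added example, not code from the original article: the registry value names are the standard Windows policy settings for these controls, assumed here because the article does not say which keys VenomRAT writes, and the event records, process names and allowlist are constructed.

```python
# Added example: flag registry writes matching the tamper features listed above.
# Assumption: events are (process, registry path, written value) tuples, e.g.
# parsed from Sysmon Event ID 13; the article does not name VenomRAT's keys.

# value name (lowercase) -> (value that weakens the host, capability from the list)
TAMPER_VALUES = {
    "disabletaskmgr": (1, "Disable the task manager"),
    "disableregistrytools": (1, "Disable the registry editor"),
    "enablelua": (0, "Disable UAC"),
    "disableantispyware": (1, "Disabling Windows Defender"),
}
RUN_KEY = r"\software\microsoft\windows\currentversion\run"
TRUSTED_WRITERS = {"msiexec.exe"}  # hypothetical allowlist, tune per environment


def classify(process, path, value):
    """Return the matched capability name, or None if the write looks benign."""
    key, _, name = path.lower().rpartition("\\")
    if name in TAMPER_VALUES:
        bad_value, capability = TAMPER_VALUES[name]
        # Only the weakening value is suspicious; re-enabling UAC (EnableLUA=1) is not.
        return capability if value == bad_value else None
    if key.endswith(RUN_KEY) and process.lower() not in TRUSTED_WRITERS:
        return "Start-up entry for persistence"
    return None


def hunt(events):
    """Group findings per process; several tamper writes from one process stand out."""
    findings = {}
    for process, path, value in events:
        hit = classify(process, path, value)
        if hit:
            findings.setdefault(process, []).append(hit)
    return findings


# Constructed sample events (not real telemetry).
SAMPLE = [
    ("client.exe", r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr", 1),
    ("client.exe", r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA", 0),
    ("client.exe", r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater", "C:\\Users\\a\\client.exe"),
    ("msiexec.exe", r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorAgent", "C:\\Program Files\\v\\agent.exe"),
    ("svchost.exe", r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA", 1),
]

if __name__ == "__main__":
    for proc, hits in hunt(SAMPLE).items():
        print(proc, "->", hits)
```

A single process that both weakens security controls and registers itself for start-up is a stronger signal than any one of these writes alone, which is why the findings are grouped per process.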