Lizzie Clark

November 19th – This Week’s Top Cybersecurity and Dark Web Stories

This week’s top cybersecurity and dark web news stories cover the latest phase of Operation Endgame, the new phishing wave targeting hospitality, and the RondoDox botnet.

Operation Endgame’s Latest Action

In a major coordinated effort against international cybercrime, law enforcement authorities spanning three continents have successfully dismantled key elements of a global malware network, marking the latest phase of Operation Endgame. The action, coordinated from Europol’s headquarters in The Hague between November 10 and 13, 2025, targeted three significant cybercrime enablers: the powerful infostealer Rhadamanthys, the Remote Access Trojan VenomRAT, and the Elysium botnet.

The coordinated actions led to immediate, sweeping results, including:

  • 1 arrest in Greece, involving the main suspect behind VenomRAT.
  • 1 location searched across Germany, Greece, and the Netherlands.
  • Over 1,025 servers taken down or disrupted worldwide.
  • 20 domains seized.

The infrastructure targeted was responsible for infecting hundreds of thousands of victims globally, resulting in the theft of several million credentials. Investigators also confirmed that the main infostealer suspect had access to over 100,000 victim crypto wallets, potentially worth millions of euros.

Operation Endgame is a joint effort spearheaded by Europol and Eurojust, bringing together law enforcement and judicial authorities from Australia, Belgium, Canada, Denmark, France, Germany, Greece, Lithuania, the Netherlands, the United Kingdom, and the United States. The operation was significantly bolstered by more than 30 national and international public and private partners, including key contributors like Cryptolaemus, Shadowserver, Proofpoint, and Bitdefender.

The message is clear: “Endgame doesn’t end here.” Authorities are continuing to target criminal services and users, with efforts to expose them via the Operation Endgame website and the associated Telegram channel.

New Phishing Wave Hits Hospitality Guests

A sophisticated, large-scale phishing campaign is currently underway, primarily targeting customers of the hospitality industry, particularly hotel guests with upcoming travel reservations. Behind the operation is a Russian-speaking threat group that has registered over 4,300 malicious domain names since the start of the year, with mass activity beginning in earnest around February 2025.

The scale of the attack is vast, with the threat actors aiming to impersonate all major travel and rental platforms. Of the 4,344 domains identified, a significant number contain the names of popular services:

  • Booking: 685 domains
  • Expedia: 18 domains
  • Agoda: 13 domains
  • Airbnb: 12 domains

The campaign begins with a spam email urging the recipient to click a link to confirm their reservation using a credit card within 24 hours. The link initiates a series of redirects, ultimately leading the victim to a highly convincing fake booking site.

These bogus sites are designed to create an illusion of legitimacy, featuring domain names with phrases like confirmation, booking, guestcheck, cardverify, or reservation. They support 43 different languages, demonstrating the threat actors’ intent to cast a global net. The pages also include deceitful elements such as a fake Cloudflare CAPTCHA check.
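As an added illustration of the domain-naming pattern described above, the following Python triage heuristic scores hostnames for hospitality-brand impersonation. This is example code written for this post, not code from the original report or its source. The brand names and lure words come from the article; the scoring weights, the allow-list of official domains and the sample hostnames are assumptions constructed for the example.

```python
import re
from collections import namedtuple

# Brand names the report says are being impersonated.
IMPERSONATED_BRANDS = ("booking", "expedia", "agoda", "airbnb")
# Lure phrases the report observed inside the fraudulent domain names.
LURE_WORDS = ("confirmation", "booking", "guestcheck", "cardverify", "reservation")
# Registrable domains treated as legitimate. This allow-list is an assumption
# for the example; use your own list of official hostnames in practice.
LEGITIMATE_DOMAINS = frozenset({"booking.com", "expedia.com", "agoda.com", "airbnb.com"})

Finding = namedtuple("Finding", "hostname score brands lures")


def registrable_domain(hostname):
    """Return the last two labels of a hostname ('a.b.example' -> 'b.example').
    Simplification: multi-part public suffixes such as co.uk are not handled."""
    labels = hostname.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def score_hostname(hostname):
    """Score a hostname for hospitality-brand impersonation.

    Weights (chosen for this example, not taken from the report):
      +2 per impersonated brand name found anywhere in the hostname
      +1 per lure word found (a word already counted as a brand is not double-counted)
       0 if the registrable domain is on the allow-list
    """
    host = hostname.lower()
    if registrable_domain(host) in LEGITIMATE_DOMAINS:
        return Finding(hostname, 0, (), ())
    # Strip separators so 'guest-check' and 'card_verify' still match.
    flat = re.sub(r"[^a-z0-9]", "", host)
    brands = tuple(b for b in IMPERSONATED_BRANDS if b in flat)
    lures = tuple(w for w in LURE_WORDS if w in flat and w not in brands)
    return Finding(hostname, 2 * len(brands) + len(lures), brands, lures)


def triage(hostnames, threshold=3):
    """Return findings at or above the threshold, highest score first."""
    findings = [score_hostname(h) for h in hostnames]
    return sorted((f for f in findings if f.score >= threshold),
                  key=lambda f: f.score, reverse=True)


# Constructed sample hostnames (the .example TLD is reserved and never resolves).
SAMPLE_HOSTNAMES = [
    "www.booking.com",                          # legitimate, allow-listed
    "booking-guestcheck-confirmation.example",  # brand + two lure words
    "airbnb-cardverify.example",                # brand + one lure word
    "reservation-portal.example",               # lure word only
    "myhotel.example",                          # nothing suspicious
]

if __name__ == "__main__":
    for f in triage(SAMPLE_HOSTNAMES):
        print(f"{f.score:>2}  {f.hostname}  brands={f.brands} lures={f.lures}")
```

Feeding newly registered domains or passive DNS output into `triage` gives a ranked list for analyst review; the allow-list check comes first so that the brands’ own hostnames never score.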

On the fraudulent page, the victim is instructed to pay a deposit for their reservation by entering their card information. As soon as the victim enters the full card details, the site attempts to process a transaction in the background. Concurrently, a support chat window appears, asking the victim to complete a supposed “3D Secure verification” to secure against fake bookings, an extra step designed to steal more verification data.

The identity of the threat group remains unknown, though the use of Russian in source code comments and debugger output suggests a Russian provenance or a targeted attempt to sell the customizable phishing kit to other Russian-speaking threat actors.

These findings highlight the increasing prevalence of Phishing-as-a-Service (PhaaS) offerings in the underground economy, which allow actors with minimal technical skill to launch large-scale attacks.

This campaign is part of a broader trend of large-scale phishing operations. In recent weeks, similar campaigns have targeted organizations across Central and Eastern Europe (particularly the Czech Republic, Slovakia, Hungary, and Germany) by impersonating major brands like Microsoft, Adobe, FedEx, and DHL. These attacks use email attachments containing HTML files that display a fake login page while JavaScript code harvests the victims’ credentials and transmits them to attacker-controlled Telegram bots.

RondoDox Botnet Exploits Critical XWiki Flaw

A dangerous new wave of attacks has been observed, with the RondoDox botnet actively targeting unpatched instances of the collaboration software XWiki. The attacks exploit a critical security vulnerability, CVE-2025-24893, which has been assigned a maximum CVSS score of 9.8, indicating an extreme threat level.

The flaw, an eval injection bug in the /bin/get/Main/SolrSearch endpoint, allows any guest user to achieve arbitrary remote code execution (RCE). While XWiki maintainers released patches in late February 2025 (versions 15.10.11, 16.4.1, and 16.5.0RC1), exploitation attempts have been detected in the wild since at least March.
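To turn the fixed versions listed above into a quick inventory check, here is an added Python example written for this post; it is not XWiki’s own code or tooling. The fixed versions 15.10.11, 16.4.1 and 16.5.0RC1 come from the article. The branch mapping (15.x must reach 15.10.11, 16.0 to 16.4 must reach 16.4.1, 16.5 must reach at least RC1), the ordering of milestone and release-candidate tags, the treatment of release lines newer than 16.5 as fixed and of older lines as unpatched, and the sample inventory are all assumptions made for the example.

```python
import re

# Fixed versions reported in the article, one per affected release branch.
FIXED_VERSIONS = ("15.10.11", "16.4.1", "16.5.0RC1")

# Accepts '16.4.1', '16.5.0RC1', '16.5.0-rc-1', '16.5.0-milestone-2', '16.5.0M2'.
_VERSION_RE = re.compile(
    r"^(\d+)\.(\d+)\.(\d+)(?:-?(rc|milestone|m)-?(\d+))?$", re.IGNORECASE)


def parse_version(text):
    """Parse an XWiki version string into a sortable tuple.

    Returns (major, minor, patch, rank, n) where rank orders pre-releases
    before the final release: 0 = milestone, 1 = release candidate, 2 = final.
    Milestone handling is an assumption; the article only mentions an RC tag.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised XWiki version: %r" % text)
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    tag, num = m.group(4), m.group(5)
    if tag is None:
        return (major, minor, patch, 2, 0)
    rank = 1 if tag.lower() == "rc" else 0
    return (major, minor, patch, rank, int(num))


def required_fix(version):
    """Return the fixed version that this parsed version's branch must reach,
    or None when no fixed version exists on that branch (assumption: older
    release lines have no fix and must be upgraded)."""
    major, minor = version[0], version[1]
    if major == 15:
        return "15.10.11"
    if major == 16 and minor <= 4:
        return "16.4.1"
    if major == 16:
        return "16.5.0RC1"
    return None


def patch_status(text):
    """Classify a version string as 'patched' or 'unpatched' for CVE-2025-24893."""
    v = parse_version(text)
    if v[0] > 16:
        return "patched"    # assumption: later release lines carry the fix
    fix = required_fix(v)
    if fix is None:
        return "unpatched"  # no fixed release on this branch; upgrade required
    return "patched" if v >= parse_version(fix) else "unpatched"


def hosts_needing_upgrade(inventory):
    """Given {hostname: version}, return the sorted hostnames still unpatched."""
    return sorted(h for h, ver in inventory.items() if patch_status(ver) == "unpatched")


# Constructed sample inventory (hostnames and versions are made up for the example).
SAMPLE_INVENTORY = {
    "wiki-a.internal.example": "16.4.0",     # 16.4 branch below 16.4.1
    "wiki-b.internal.example": "16.4.1",     # exactly the fixed version
    "wiki-c.internal.example": "15.10.10",   # 15.x branch below 15.10.11
    "wiki-d.internal.example": "16.5.0RC1",  # first fixed 16.5 build
    "wiki-e.internal.example": "16.5.0M2",   # milestone preceding RC1
    "wiki-f.internal.example": "14.10.21",   # branch with no listed fix
}

if __name__ == "__main__":
    for host in hosts_needing_upgrade(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} -> upgrade needed")
```

The comparison is done per branch rather than against a single number, because a 16.3 install is unpatched even though 16.3 is "newer" than the fixed 15.10.11, and a 16.5 milestone build is unpatched even though it is numbered above 16.4.1.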

Initially, the vulnerability was weaponized in late October as part of a two-stage attack chain designed to deploy a cryptocurrency miner. This prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add CVE-2025-24893 to its Known Exploited Vulnerabilities (KEV) catalog, mandating that all federal agencies apply necessary mitigations by November 20.

More recently, a fresh report published Friday revealed a significant spike in exploitation attempts:

  • Exploits hit a new high on November 7, 2025.
  • A subsequent surge was noted on November 11, 2025.

This suggests a broader scanning and attack effort, likely involving multiple threat actors.
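As an added detection example for the spike pattern described above, the following Python counts requests to the /bin/get/Main/SolrSearch endpoint per day and per source address in web-server access logs and flags days whose volume exceeds a multiple of the median. This is example code written for this post, not code from the report’s authors. The endpoint path comes from the article; the Common Log Format layout, the log lines, addresses, dates and the threshold factor are constructed assumptions.

```python
import re
from collections import Counter
from datetime import datetime
from statistics import median

# Endpoint named in the article as the location of the eval-injection flaw.
ENDPOINT = "/bin/get/Main/SolrSearch"

# Common Log Format: client, identity, user, [timestamp], "METHOD path PROTO" status size
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<day>\d{2}/[A-Za-z]{3}/\d{4}):[^\]]*\] '
    r'"(?P<method>\S+) (?P<path>\S+)')


def endpoint_hits(log_text):
    """Map each day to a Counter of source IP -> requests for the endpoint.
    The query string is dropped before matching so parameters are ignored."""
    hits = {}
    for line in log_text.splitlines():
        m = _LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]
        if path != ENDPOINT:
            continue
        hits.setdefault(m.group("day"), Counter())[m.group("ip")] += 1
    return hits


def spike_days(hits, factor=3):
    """Return (day, total_requests, distinct_sources) for every day whose
    request count exceeds factor times the median daily count, in date order.
    The factor is an arbitrary example threshold; tune it to your own baseline."""
    if not hits:
        return []
    totals = {day: sum(c.values()) for day, c in hits.items()}
    threshold = factor * median(totals.values())
    flagged = [(day, totals[day], len(hits[day]))
               for day in hits if totals[day] > threshold]
    return sorted(flagged, key=lambda t: datetime.strptime(t[0], "%d/%b/%Y"))


def _line(ip, stamp, path):
    """Build one constructed CLF line (sample data only, not real traffic)."""
    return f'{ip} - - [{stamp} +0000] "GET {path} HTTP/1.1" 200 512'


# Constructed log: a quiet baseline plus two busier days, modelled on the
# 7 and 11 November spikes the article reports. Addresses are from documentation ranges.
_BASELINE = [
    _line("203.0.113.10", "05/Nov/2025:09:12:01", ENDPOINT + "?text=budget"),
    _line("203.0.113.10", "06/Nov/2025:09:12:09", "/bin/view/Main/WebHome"),
    _line("203.0.113.11", "06/Nov/2025:10:01:44", ENDPOINT + "?text=travel"),
    _line("203.0.113.12", "06/Nov/2025:14:20:31", ENDPOINT + "?text=hr"),
    _line("203.0.113.10", "08/Nov/2025:09:15:02", ENDPOINT + "?text=policy"),
]
# Eight distinct sources on 7 November, three sources repeating on 11 November.
_SPIKE_NOV7 = [_line(f"198.51.100.{i + 1}", f"07/Nov/2025:02:4{i}:13", ENDPOINT)
               for i in range(8)]
_SPIKE_NOV11 = [_line(f"198.51.100.{20 + i % 3}", f"11/Nov/2025:03:1{i}:55", ENDPOINT)
                for i in range(7)]
SAMPLE_LOG = "\n".join(_BASELINE + _SPIKE_NOV7 + _SPIKE_NOV11)

if __name__ == "__main__":
    for day, total, sources in spike_days(endpoint_hits(SAMPLE_LOG)):
        print(f"{day}: {total} requests from {sources} distinct sources")
```

Reporting the number of distinct sources alongside the request count is what distinguishes a single noisy scanner from the multi-actor scanning effort the report describes; a real deployment would read the live access log and compare against a longer baseline window.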

The RondoDox botnet is confirmed to be part of this increased activity, with its first exploit observed on November 3, 2025. RondoDox is known for rapidly integrating new exploitation vectors to rope susceptible devices into its network, which is then used to launch distributed denial-of-service (DDoS) attacks using HTTP, UDP, and TCP protocols.

Beyond RondoDox, threat actors are leveraging the flaw to deliver other malicious payloads, including:

  • Cryptocurrency miners.
  • Attempts to establish a reverse shell.
  • General probing activity using a Nuclei template for CVE-2025-24893.

The persistence and variety of these attacks underscore the importance of prompt, robust patch management for all exposed systems.

If you aren’t subscribed and would like the latest dark web news and insights delivered into your inbox every Thursday at 10am, sign up to the email version of Beacon.