What happened
The notorious Rhadamanthys infostealer-as-a-service has been disrupted, with many of its criminal subscribers suddenly losing access to their command-and-control servers. According to reports from BleepingComputer, operators attempting to log in found their SSH password logins rejected and the servers switched to certificate-based authentication, a change consistent with a law enforcement or rival-operator takeover, although that has not been confirmed.
Researchers and threat actors alike, including @g0njxa and @Gi7w0rm, noted unusual activity across the malware’s infrastructure, with its Tor and clearnet panels going dark. While no official seizure notice has been issued, many in the cybersecurity community suspect this could be tied to Operation Endgame, the multinational law enforcement campaign that previously dismantled major botnets and has teased another “major announcement” this week.
Who is affected
- Cybercriminal operators who paid for access to the Rhadamanthys service and lost their panels, along with the victim data stored behind them.
- Enterprises and users whose credentials, cookies, and autofill data may have been stolen from Rhadamanthys-infected machines; that data is still in circulation regardless of what happened to the service.
- Threat intelligence and DFIR teams who will need to reassess ongoing investigations tied to the malware’s activity and infrastructure.
Why CISOs should care
Infostealers like Rhadamanthys represent a persistent credential theft threat: a single stolen browser session cookie can be replayed to reach corporate SaaS without triggering an MFA challenge, because the session it represents was already authenticated on the victim's machine. While this disruption is a win for defenders, malware-as-a-service ecosystems are resilient, and replacement services or rebranded variants often appear within days.
The possible link to Operation Endgame highlights a broader trend: law enforcement agencies are taking increasingly aggressive actions against cybercriminal infrastructure. For CISOs, that means more instability in attacker ecosystems, but also opportunities to collaborate and share intelligence before the next variant fills the gap.
3 Practical actions for CISOs
- Revoke and rotate exposed credentials: Conduct proactive credential hygiene by invalidating active sessions and API tokens for affected users, resetting admin passwords, and reviewing IdP and web-app logs for session tokens reused from a new IP address or user agent shortly after their legitimate use.
- Enhance endpoint visibility: Ensure EDR solutions detect infostealer-related behaviors, such as non-browser processes reading browser credential and cookie stores, or unexpected outbound traffic to Tor nodes.
- Track Operation Endgame updates: Monitor official channels and security researchers for intelligence drops following the rumored announcement. Early awareness can help anticipate the ripple effects across related malware-as-a-service markets.
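The session-reuse audit and the browser-credential-store check from the first two actions above, as an added example written for this article (not code from BleepingComputer, the researchers named, or any EDR vendor). Both detectors run over constructed JSON-lines telemetry; the field names (`ts`, `user`, `session`, `ip`, `ua`, `host`, `proc`, `path`) and the 30-minute "implausible gap" threshold are assumptions and would be mapped onto whatever your IdP and EDR actually emit.

```python
"""Two infostealer follow-on detections, run over constructed sample logs.

1. Session-cookie reuse: the same session ID seen from a new IP with a new
   User-Agent, or within an implausibly short gap, which is what a replayed
   stolen cookie looks like in IdP or web-app logs.
2. Credential-store access: a process that is not the browser itself opening
   Chromium or Firefox credential/cookie databases on the endpoint.

Added example; sample events and field names are constructed, not real telemetry.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Constructed auth log. Session s-7f3a is used by alice from her office IP,
# then replayed 20 minutes later from a different IP with a scripted client.
AUTH_LOG = """
{"ts":"2025-11-11T08:02:10Z","user":"alice","session":"s-7f3a","ip":"203.0.113.10","ua":"Mozilla/5.0 (Windows NT 10.0) Chrome/130.0"}
{"ts":"2025-11-11T08:22:45Z","user":"alice","session":"s-7f3a","ip":"198.51.100.77","ua":"python-requests/2.32"}
{"ts":"2025-11-11T09:00:00Z","user":"bob","session":"s-91c2","ip":"203.0.113.11","ua":"Mozilla/5.0 (Windows NT 10.0) Chrome/130.0"}
{"ts":"2025-11-11T17:30:00Z","user":"bob","session":"s-91c2","ip":"203.0.113.11","ua":"Mozilla/5.0 (Windows NT 10.0) Chrome/130.0"}
"""

# Constructed endpoint file-access log (raw string so the JSON backslashes survive).
# Browsers reading their own stores are expected; update.exe reading them is not.
FILE_LOG = r"""
{"host":"ws-042","proc":"chrome.exe","path":"C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"}
{"host":"ws-042","proc":"firefox.exe","path":"C:\\Users\\alice\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\x1.default-release\\logins.json"}
{"host":"ws-042","proc":"update.exe","path":"C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"}
{"host":"ws-042","proc":"update.exe","path":"C:\\Users\\alice\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\x1.default-release\\cookies.sqlite"}
{"host":"ws-042","proc":"notepad.exe","path":"C:\\Users\\alice\\Documents\\notes.txt"}
"""

IMPLAUSIBLE_GAP = timedelta(minutes=30)  # assumed tuning value for "too fast to be the same user"

# File names that stealers harvest: Chromium password/cookie/autofill DBs and
# the DPAPI-wrapped key in Local State; Firefox logins, cookies and key DB.
CREDENTIAL_STORES = {"login data", "cookies", "web data", "local state",
                     "logins.json", "cookies.sqlite", "key4.db"}
BROWSER_PROCS = {"chrome.exe", "msedge.exe", "brave.exe", "firefox.exe", "opera.exe"}


def parse_jsonl(text):
    """Parse JSON-lines text, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def detect_session_reuse(events):
    """Flag a session ID that moves to a new IP with a new UA or too quickly."""
    by_session = defaultdict(list)
    for e in events:
        by_session[e["session"]].append(e)
    findings = []
    for sid, uses in by_session.items():
        uses.sort(key=lambda e: e["ts"])
        for prev, cur in zip(uses, uses[1:]):
            if cur["ip"] == prev["ip"]:
                continue  # same origin, nothing to see
            gap = _ts(cur["ts"]) - _ts(prev["ts"])
            if cur["ua"] != prev["ua"] or gap < IMPLAUSIBLE_GAP:
                findings.append({
                    "session": sid, "user": cur["user"],
                    "from_ip": prev["ip"], "to_ip": cur["ip"],
                    "gap_minutes": round(gap.total_seconds() / 60),
                    "action": "revoke session and force re-authentication",
                })
    return findings


def detect_browser_store_access(events):
    """Flag non-browser processes opening browser credential or cookie stores."""
    findings = []
    for e in events:
        name = PureWindowsPath(e["path"]).name.lower()
        if name in CREDENTIAL_STORES and e["proc"].lower() not in BROWSER_PROCS:
            findings.append({"host": e["host"], "proc": e["proc"], "path": e["path"],
                             "action": "isolate host and treat local secrets as exposed"})
    return findings


if __name__ == "__main__":
    for f in detect_session_reuse(parse_jsonl(AUTH_LOG)):
        print("SESSION REUSE", f)
    for f in detect_browser_store_access(parse_jsonl(FILE_LOG)):
        print("STORE ACCESS", f)
```

The session rule deliberately ignores an IP change alone, since mobile users roam between networks; it is the combination with a changed client or an impossibly short gap that separates a replayed cookie from a laptop moving between Wi-Fi and LTE. The endpoint rule matches on file name only, so it will fire on legitimate backup or sync agents reading profile directories; an allowlist of those binaries is the first tuning step. Outbound Tor detection is not attempted here because matching on the default relay ports alone is unreliable; a real implementation should compare destinations against the published Tor relay list.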
