{
	"id": "d8fad937-c05e-4c8c-8715-81896388c281",
	"created_at": "2026-04-06T00:15:47.680294Z",
	"updated_at": "2026-04-10T03:20:19.94403Z",
	"deleted_at": null,
	"sha1_hash": "b2005fb356245f8ef34d3ddc952b73f16859bcb5",
	"title": "Analyzing the Impact of the Operation Endgame Takedown on Rhadamanthys \u0026 the MaaS Ecosystem",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1836114,
	"plain_text": "Analyzing the Impact of the Operation Endgame Takedown on\r\nRhadamanthys \u0026 the MaaS Ecosystem\r\nBy SpyCloud Labs Research Team\r\nPublished: 2025-12-10 · Archived: 2026-04-05 22:50:44 UTC\r\nAfter a coordinated disruption of the Rhadamanthys Malware-as-a-Service (MaaS) platform by law enforcement\r\nand private industry, minor activity from Rhadamanthys and its developer, KingCrete, continues. However, the\r\ntakedown clearly did major damage to Rhadamanthys’ operations, and it looks like most users are moving away\r\nfrom the infostealer in favor of competitors like the Vidar infostealer, leaving just a trickle of continued\r\nRhadamanthys activity.\r\nOn November 10, 2025, Europol led a coordinated law enforcement action to take down the Rhadamanthys infostealer\r\ninfrastructure as part of Operation Endgame. Our team at SpyCloud Labs supported this phase of Operation\r\nEndgame, which included disruptive actions against multiple malware families, including the Rhadamanthys\r\ninfostealer, the VenomRAT remote access trojan, and a relatively unknown proxy bot called Elysium.\r\nThe coordinated action against these MaaS variants involved 1,025 server takedowns, 20 domains seized, 11\r\nphysical locations searched, and the arrest of the main suspect behind VenomRAT in Greece.\r\nPrior to the takedown, Rhadamanthys was one of the most popular infostealer malware variants on the\r\nmarket and was differentiated from other top infostealers by the fact that it would infect users in\r\nCommonwealth of Independent States (CIS) countries, which most competing stealers deliberately avoid.\r\nFrom our perspective one month later, the Rhadamanthys takedown appears to have been a relatively successful\r\noperation. 
Based on our dataset of millions of recaptured Rhadamanthys infostealer logs, we see a clear decline in\r\nnew infostealer malware infections in the days directly following the takedown.\r\nWhile we saw a small spike in mid-November suggesting there may have been a limited amount of Rhadamanthys\r\nactivity post-takedown, that activity appears to have dropped to practically nothing in the last couple of\r\nweeks.\r\nhttps://spycloud.com/blog/impact-operation-endgame-takedown-on-rhadamanthys-stealer/\r\nPage 1 of 7\n\nNew Rhadamanthys logs recaptured by SpyCloud, graphed by malware infection time.\r\nAs the takedown was unfolding on November 10, researchers observed cautionary messages sent by the\r\nRhadamanthys developer(s) to their customers. They warned Rhadamanthys users to “pause their work” and\r\n“erase traces” as there was an active law enforcement action against the malware.\r\nScreenshots of messages from the Rhadamanthys developers to their customers about the takedown as it was in\r\nprogress, shared by independent security researcher g0njxa on X.\r\nGeshaRB, an account apparently belonging to a Rhadamanthys customer, also posted a detailed account of the\r\ntakedown to XSS, describing effects of the operation from their perspective as a Rhadamanthys user.\r\nXSS post describing the Rhadamanthys takedown. This is a response to a thread on the takedown titled “operation\r\nendgame отработала по rhadamanthys” (roughly, “Operation Endgame has hit Rhadamanthys”).\r\nTranslation:\r\nI confirm the success of the special operation.\r\nOn 11/10/2025 my main server was affected as follows:\r\n1. The root password is disabled and authorization is strictly by certificate.\r\n2. 
The password for accessing the admin panel of Rhadamanthys itself changed.\r\nLuckily, I also bought the main server from reliable people, not from white hosting providers, so half an hour after\r\nthey had done everything, I wiped the server from the control panel and disconnected it from the network.\r\nWhat happened, thoughts out loud:\r\nThe guy banned here, the main coder of Rhadamanthys, developed a convenient web panel for installing shim\r\nservers, the main panel, and so on, into which you entered your login, password, IP, and port, and then performed\r\nthe necessary manipulations, such as a simple and convenient installation in just two clicks.\r\nThe special services successfully hacked this panel, and for an unknown amount of time they collected the\r\ncredentials of all the servers, white ones, and shims, and then, having reached the peak, in one blow they\r\ndestroyed everything.\r\nIn his post he refers to KingCrete, the Rhadamanthys developer, as “the guy banned here”. This is because\r\nKingCrete’s profiles were previously banned from both the XSS and Exploit criminal hacking forums – both of\r\nwhich cater specifically to Russian-language threat actors – because Rhadamanthys had no built-in protections to\r\nstop it from infecting users in CIS countries.\r\nThis made Rhadamanthys something of an outlier in the space, as most MaaS is specifically designed to perform\r\nlocation and/or language checks (typically of the system locale or the installed keyboard layouts) to avoid executing on a device which is located in, or operated by a user from, a\r\nCIS country.\r\nAbout three weeks after the takedown, KingCrete appears to have started attempting a comeback, creating some\r\nnew infrastructure including reviving the “RHAD Security” .onion site where he sells Rhadamanthys and other\r\ncriminal services.\r\nRHAD Security .onion site that appears to be selling Rhadamanthys, Elysium, and a crypter 
service.\r\nHowever, it will likely take more than that for him to truly return; a successful takedown is bad for business. In\r\nthis case, customers lost all of their data – and likely their confidence in KingCrete as well. That trust eroded even\r\nfurther when law enforcement alleged that he had been stealing data from his own customers and keeping the\r\nmost valuable, easily monetizable information for himself.\r\nAccording to the changelog on the RHAD Security site, no new updates have been published for Rhadamanthys\r\nsince May 2025. This might indicate to potential customers that KingCrete hasn’t made any significant changes to his\r\noperation since the takedown – potentially leaving open the same security gaps that allowed law enforcement to\r\ngain access to the infostealer infrastructure during Operation Endgame.\r\nChangelog on the RHAD Security .onion site showing that no new Rhadamanthys updates have been published\r\nsince May 2025.\r\nFurthermore, criminals have no guarantee that this revived infrastructure is really KingCrete – when cybercriminal\r\ninfrastructure comes back after a successful law enforcement operation there are often swirling rumors that the\r\nrevived infrastructure is either a copycat or a law enforcement-operated honeypot. 
This new RHAD Security\r\nwebsite is nearly identical to the old site except for one key component – all of the contact information at the\r\nbottom has been updated to totally new accounts.\r\nContact information section of the RHAD Security website captured prior to Operation Endgame.\r\nContact information section of the RHAD Security website captured in December 2025, after Operation Endgame.\r\nAfter the takedown of the Redline and META infostealers during Operation Magnus in October 2024, SpyCloud\r\nresearchers observed an explosion of LummaC2 infections. Our hypothesis was then, and remains, that –\r\nfollowing a successful disruption of a MaaS family – a segment of the user base quickly transitions to the next\r\nmost capable infostealer.\r\nFollowing the Rhadamanthys takedown, we at SpyCloud Labs debated whether users of Rhadamanthys would\r\nmove to StealC, Vidar, or back to LummaC2 (unlikely given the apparent disdain for the latter following a\r\nsignificant doxxing campaign against its developers).\r\nNow that we have more data from after the Rhadamanthys takedown, we can see that Vidar is emerging\r\nas the preferred MaaS platform. We have observed a surge of Vidar infections that began around the middle of\r\nSeptember, before the takedown, and has continued to rise following the Rhadamanthys disruption.\r\nNew infections per day for the five top malware variants throughout 2025, to date.\r\nWhile it is clear that the disruption of Rhadamanthys did not unilaterally destroy the entire ecosystem – and to be\r\nclear, no one thought it would – it is apparent that the takedown, helped by the prior self-immolation of\r\nLummaC2, has had a distinct impact on the total number of new infostealer infections.  
\r\nSpyCloud recaptures malware-stolen data and enables your team to remediate exposures before cybercriminals\r\ncan launch follow-on attacks.",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://spycloud.com/blog/impact-operation-endgame-takedown-on-rhadamanthys-stealer/"
	],
	"report_names": [
		"impact-operation-endgame-takedown-on-rhadamanthys-stealer"
	],
	"threat_actors": [],
	"ts_created_at": 1775434547,
	"ts_updated_at": 1775791219,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b2005fb356245f8ef34d3ddc952b73f16859bcb5.pdf",
		"text": "https://archive.orkl.eu/b2005fb356245f8ef34d3ddc952b73f16859bcb5.txt",
		"img": "https://archive.orkl.eu/b2005fb356245f8ef34d3ddc952b73f16859bcb5.jpg"
	}
}