Police vs Malware: How Operation Endgame Took Down Rhadamanthys

Global law-enforcement agencies have launched one of the largest coordinated cybercrime crackdowns in recent years — and the Rhadamanthys information-stealing malware is now the latest target.

Proofpoint security researchers have warned that despite “Operation Endgame” taking down operators behind several major botnets earlier this year, follow-up activity shows that cybercriminals are still attempting to revive or repurpose the Rhadamanthys ecosystem. Attackers appear to be experimenting with fresh distribution tactics to rebuild access, expand their infrastructure, and continue credential-stealing activity around the world.

What Is Rhadamanthys?

Rhadamanthys is a sophisticated infostealer designed to collect sensitive data such as browser passwords, crypto-wallets, system information, and authentication cookies.

It is widely sold on underground markets as a subscription service and has for years been one of the most widely used infostealers behind account takeovers and financial fraud.

Earlier phases of Operation Endgame disrupted multiple malware families, including IcedID, SystemBC, and PikaBot, by arresting operators and seizing servers across Europe and the US. Rhadamanthys is the target of the latest phase.

New Campaigns Still Appearing

Despite the enforcement wave, Proofpoint observed new Rhadamanthys-linked campaigns resurfacing soon after the takedowns. Recent activity includes:

  • New phishing chains designed to lure victims via invoice-themed emails and fake delivery notifications
  • Obfuscated JavaScript loaders that deploy the infostealer silently
  • Shifting hosting infrastructure, possibly from actors attempting to remain operational after losing earlier servers
  • Reuse of old malware code, illustrating that multiple affiliates may still possess earlier versions

These campaigns suggest the ecosystem is fragmented but still active.

Why Rhadamanthys Remains Dangerous

Even with law-enforcement pressure, Rhadamanthys is still valuable to cybercriminals for several reasons:

  • It steals high-value credentials and authenticated session cookies; the credentials can be resold, and a stolen cookie lets an attacker replay a logged-in session without ever being challenged for MFA
  • It enables account takeovers, leading to further fraud or ransomware deployment
  • It spreads via low-effort phishing, making it easy for new attackers to adopt
  • Affiliates or copycats may still have access to older builds, keeping distribution alive

Proofpoint reinforces that malware disruptions do not equal permanent shutdowns — many cybercrime services regenerate quickly, especially when code is publicly leaked or widely shared.

How to Protect Your Environment

Security teams should take the following steps:

  • Block or quarantine attachment types that rarely arrive legitimately by email: script files (.js, .hta), disk images (.img, .iso), and ZIP archives that contain them
  • Use robust email filtering for invoice-themed and notification-themed lures
  • Monitor for processes other than the browser itself reading browser credential stores (Chromium's Login Data, Cookies and Local State; Firefox's logins.json and key4.db), and for exports of saved passwords
  • Hunt for known Rhadamanthys IOCs and loader behaviors
  • Implement phishing-resistant MFA, especially for admin accounts
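
The browser-store monitoring item above is the one most teams under-instrument, so here is an added example of that detection logic, written for this page rather than taken from Proofpoint or from any tool the article mentions. It assumes EDR file-access telemetry delivered as one JSON object per line with the fields time, host, pid, image and target_path (the field names are an assumption), and the sample events embedded in it are constructed. The rule is simple: a credential store inside a known browser profile directory was opened by a process that is not the browser that owns it.

```python
"""Flag non-browser processes opening browser credential stores.

Added example for this article, not Proofpoint's or any vendor's code.
Infostealers harvest saved logins and cookies by reading the browser's
profile databases directly, so "credential store opened by a process
other than its owning browser" is a cheap, high-signal detection.
Telemetry format and field names below are assumptions; sample events
are constructed.
"""
import json
import ntpath
from collections import defaultdict

# File names that hold secrets (Chromium family and Firefox).
CREDENTIAL_STORE_NAMES = {
    "login data", "cookies", "web data", "local state",  # Chromium
    "logins.json", "key4.db", "cookies.sqlite",          # Firefox
}

# Profile directory fragment (lower-case) -> the only process expected to read it.
OWNER_BY_PATH_FRAGMENT = {
    "\\google\\chrome\\user data\\": "chrome.exe",
    "\\microsoft\\edge\\user data\\": "msedge.exe",
    "\\bravesoftware\\brave-browser\\user data\\": "brave.exe",
    "\\mozilla\\firefox\\profiles\\": "firefox.exe",
}

# Constructed sample telemetry (one JSON object per line).
SAMPLE_TELEMETRY = r"""
{"time": "2025-01-15T09:12:03Z", "host": "WS-042", "pid": 4120, "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "target_path": "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"}
{"time": "2025-01-15T09:14:10Z", "host": "WS-042", "pid": 5876, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "target_path": "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Local State"}
{"time": "2025-01-15T09:14:11Z", "host": "WS-042", "pid": 5876, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "target_path": "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"}
{"time": "2025-01-15T09:14:12Z", "host": "WS-042", "pid": 5876, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "target_path": "C:\\Users\\alice\\AppData\\Local\\Temp\\Login Data"}
{"time": "2025-01-15T09:14:13Z", "host": "WS-042", "pid": 5876, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "target_path": "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Network\\Cookies"}
{"time": "2025-01-15T10:02:44Z", "host": "WS-017", "pid": 2210, "image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "target_path": "C:\\Users\\bob\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\x7q2.default-release\\logins.json"}
{"time": "2025-01-15T10:05:01Z", "host": "WS-017", "pid": 7731, "image": "C:\\Users\\bob\\AppData\\Local\\Temp\\update_helper.exe", "target_path": "C:\\Users\\bob\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\x7q2.default-release\\key4.db"}
{"time": "2025-01-15T10:05:02Z", "host": "WS-017", "pid": 7731, "image": "C:\\Users\\bob\\AppData\\Local\\Temp\\update_helper.exe", "target_path": "C:\\Users\\bob\\Documents\\notes.txt"}
"""


def load_events(text):
    """Parse JSON-lines telemetry, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def classify(event):
    """Return an alert dict if a non-owner process opened a live store, else None."""
    path = event.get("target_path", "")
    store = ntpath.basename(path).lower()          # ntpath handles backslashes on any OS
    if store not in CREDENTIAL_STORE_NAMES:
        return None
    lowered = path.lower()
    owner = next((proc for frag, proc in OWNER_BY_PATH_FRAGMENT.items() if frag in lowered), None)
    if owner is None:
        # Same file name outside a known profile (e.g. a copy already dropped in %TEMP%):
        # the interesting event was the open of the original, which fires above.
        return None
    actor = ntpath.basename(event.get("image", "")).lower()
    if actor == owner:
        return None
    return {
        "time": event.get("time"), "host": event.get("host"), "pid": event.get("pid"),
        "actor": actor, "store": store, "expected_owner": owner, "path": path,
    }


def hunt(events):
    """Run the rule over a batch of events and return the alerts in order."""
    return [alert for alert in map(classify, events) if alert]


def rank_actors(alerts):
    """Group alerts by (host, actor, pid) and list the distinct stores each touched.

    One process reading Local State and then Login Data is exactly the sequence
    needed to decrypt Chromium passwords, so more distinct stores means higher
    confidence.
    """
    stores = defaultdict(set)
    for alert in alerts:
        stores[(alert["host"], alert["actor"], alert["pid"])].add(alert["store"])
    return sorted(((key, sorted(val)) for key, val in stores.items()),
                  key=lambda item: -len(item[1]))


if __name__ == "__main__":
    found = hunt(load_events(SAMPLE_TELEMETRY))
    for key, touched in rank_actors(found):
        print(f"{key[0]} {key[1]} (pid {key[2]}): {', '.join(touched)}")
```

Two tuning notes from running this in practice: backup agents, some AV/DLP products and browser updaters legitimately open these files, so they need to be added as permitted readers (or allowlisted by signer) rather than muted wholesale; and infostealers usually copy the locked SQLite database before reading it, which is why the rule keys on the open of the original inside the profile directory and deliberately ignores the copy in %TEMP%.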

Operation Endgame dealt a major blow, but Rhadamanthys activity shows that the cybercrime market continues to evolve — and will exploit any gap left unprotected.