
Cybercriminals Lose Control: Rhadamanthys Infostealer Shut Down

Summary

– The Rhadamanthys infostealer malware-as-a-service operation has been disrupted, with customers losing access to their servers and web panels.
– Rhadamanthys is a subscription-based malware that steals credentials and authentication cookies, often distributed via software cracks, YouTube videos, or malicious ads.
– Cybercriminals reported that law enforcement gained access to their web panels, changing SSH login to certificate-based and prompting them to erase traces and shut down servers.
– Researchers suspect German law enforcement is involved, as EU-hosted panels showed German IP logins, and the disruption may be linked to the upcoming Operation Endgame announcement.
– Operation Endgame is an ongoing law enforcement action that has previously disrupted multiple malware operations, with a new disclosure expected soon.

A significant disruption has hit the Rhadamanthys infostealer malware-as-a-service operation, leaving many of its criminal subscribers unable to access their data-collection servers. This sophisticated malware is designed to harvest sensitive information such as login credentials and authentication cookies from web browsers, email programs, and various applications. It typically spreads through deceptive methods, including fake software activation tools, compromised YouTube videos, and malicious advertisements in search results.

The Rhadamanthys service operates on a subscription basis, where threat actors pay a recurring fee to use the malware, receive technical support, and manage stolen data through a dedicated web panel. Cybersecurity researchers g0njxa and Gi7w0rm, who actively monitor such malicious activities, report that users of the service are claiming law enforcement agencies have seized control of these administrative panels.

On underground hacking forums, several customers described suddenly losing SSH access to their Rhadamanthys panels. Instead of accepting their usual root passwords, the servers now demand certificate-based authentication. In OpenSSH terms that description matches password authentication being disabled so that only public-key or certificate credentials are accepted, a change that locks the subscriber out while whoever made it presumably keeps access. One user warned others on a forum, stating, “If your password cannot log in, the server login method has also been changed to certificate login mode; please check and confirm. If so, immediately reinstall your server, erase traces, the German police are acting.”

Another subscriber confirmed experiencing identical problems, noting that their server’s SSH access had been reconfigured to require certificates. They added, “I confirm that guests have visited my server and the password has been deleted. Server login became strictly certificate-based, so I had to immediately delete everything and power down the server. Those who installed it manually were probably unscathed, but those who installed it through the ‘smart panel’ were hit hard.”
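The two posts above describe the symptom from the locked-out side. The script below is an added example, not code from the article, from BleepingComputer, or from anyone involved in the operation; it shows how an operator would confirm the same change from the server side, by reading an OpenSSH sshd_config to see which login methods it still accepts and by tallying accepted logins in sshd log lines, where certificate logins are distinguishable from plain key logins. The two configuration samples, the log lines, the host name `panel` and the addresses in them are constructed for the example (documentation IP ranges), not data from the incident.

```python
"""Added example: classify an OpenSSH server's accepted login methods from its
sshd_config and from its auth log. Config and log samples are constructed."""

import re

# sshd_config(5) defaults for the keywords that decide which methods are accepted.
DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",  # PAM password prompts ride on this
    "pubkeyauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "trustedusercakeys": "",                 # unset: no user certificates trusted
}


def parse_sshd_config(text):
    """Return {keyword_lowercase: value} for the global section of sshd_config.

    sshd keeps the *first* value it sees for a keyword, so later duplicates are
    ignored here too. Everything after the first Match line is conditional and
    skipped, because it only applies to the connections that Match selects."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        settings.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return settings


def login_mode(settings):
    """Classify which SSH authentication methods the parsed config accepts."""
    eff = {**DEFAULTS, **settings}
    password = (eff["passwordauthentication"] == "yes"
                or eff["kbdinteractiveauthentication"] == "yes")
    pubkey = eff["pubkeyauthentication"] == "yes"
    return {
        "password": password,
        "publickey": pubkey,
        # OpenSSH user certificates are only accepted when a CA key is trusted.
        "certificate": pubkey and bool(eff["trustedusercakeys"]),
        # A root *password* login additionally needs PermitRootLogin yes.
        "root_password": password and eff["permitrootlogin"] == "yes",
    }


# "Accepted <method> for <user> from <ip> port <n> ssh2[: <keytype> <fp> ...]"
ACCEPTED_RE = re.compile(
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2(?P<rest>.*)")


def accepted_logins(log_lines):
    """Tally successful sshd logins as {(method, source_ip): count}.

    sshd logs certificate logins as 'publickey' with a key type ending in -CERT
    and the CA fingerprint, so those are split out as 'certificate'. PAM
    keyboard-interactive logins are still password logins and counted as such."""
    tally = {}
    for line in log_lines:
        m = ACCEPTED_RE.search(line)
        if not m:
            continue
        method = m["method"]
        if method == "publickey" and "-CERT " in m["rest"]:
            method = "certificate"
        elif method.startswith("keyboard-interactive"):
            method = "password"
        key = (method, m["ip"])
        tally[key] = tally.get(key, 0) + 1
    return tally


# Constructed sample: a password-only panel install, and the locked-down state.
BEFORE_CONFIG = """
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

AFTER_CONFIG = """
PermitRootLogin prohibit-password
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
TrustedUserCAKeys /etc/ssh/user_ca.pub
Match User backup
    PasswordAuthentication yes
"""

# Constructed sample log lines in OpenSSH's syslog format (documentation IPs).
SAMPLE_LOG = [
    "Nov 11 02:14:07 panel sshd[1412]: Accepted password for root from 198.51.100.7 port 50122 ssh2",
    "Nov 11 02:20:41 panel sshd[1460]: Accepted keyboard-interactive/pam for root from 198.51.100.7 port 50130 ssh2",
    "Nov 11 09:31:55 panel sshd[2201]: Accepted publickey for root from 192.0.2.44 port 41870 ssh2: "
    "ED25519-CERT SHA256:c0nstructedKey ID ops@panel (serial 3) CA ED25519 SHA256:c0nstructedCA",
    "Nov 11 09:40:12 panel sshd[2240]: Failed password for root from 198.51.100.7 port 50190 ssh2",
    "Nov 11 09:40:30 panel sshd[2240]: Accepted publickey for root from 192.0.2.44 port 41902 ssh2: ED25519 SHA256:c0nstructedKey2",
]

if __name__ == "__main__":
    for name, cfg in (("before", BEFORE_CONFIG), ("after", AFTER_CONFIG)):
        print(name, login_mode(parse_sshd_config(cfg)))
    for (method, ip), n in sorted(accepted_logins(SAMPLE_LOG).items()):
        print(f"{n:3d} x {method:<11} from {ip}")
```

Run against a real host, the two checks to make are `login_mode(parse_sshd_config(open("/etc/ssh/sshd_config").read()))`, which should report `password: True` on a box that was never hardened, and the tally over `/var/log/auth.log`, where any `certificate` entry on a server whose owner never configured `TrustedUserCAKeys` means someone else did.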

According to a message from the Rhadamanthys developer, the disruption is believed to be the work of German authorities. They pointed out that web panels hosted in European Union data centers showed logins from German IP addresses just before subscribers lost access.

While the Tor-based sites associated with the malware operation are currently offline, researcher g0njxa mentioned to BleepingComputer that no law enforcement seizure notice is displayed, leaving the exact identity of the responsible party unclear for now.

Multiple cybersecurity experts speculate that this incident could be connected to an impending announcement from Operation Endgame, a coordinated international law enforcement initiative focused on dismantling malware-as-a-service platforms. Since its launch, Operation Endgame has been credited with disrupting numerous cybercriminal infrastructures, including those supporting ransomware, as well as operations involving malware families like SmokeLoader, DanaBot, IcedID, Pikabot, Trickbot, Bumblebee, and SystemBC.

The official Operation Endgame website currently features a countdown timer, indicating that new developments will be revealed on Thursday. BleepingComputer reached out to the German Federal Criminal Police Office (BKA), Europol, and the FBI for comments but has not yet received any official responses.

(Source: Bleeping Computer)
