Threat Landscape Shifts After the Disruption of Rhadamanthys MaaS
Led by Europol and supported by cybersecurity partners including SpyCloud Labs, Operation Endgame targeted multiple malware families: Rhadamanthys, VenomRAT, and the Elysium proxy bot. The action resulted in the takedown of 1,025 servers, the seizure of 20 domains, 11 searches across several countries, and the arrest of the primary VenomRAT suspect in Greece.
Before its disruption, Rhadamanthys was considered one of the most advanced infostealers on the black market, notable for also targeting users in the Commonwealth of Independent States (CIS), a region that most malware developers deliberately exclude.
The infostealer could extract browser credentials, cryptocurrency wallet data, and system details for resale on dark web forums.
SpyCloud’s telemetry showed a sharp drop in Rhadamanthys infections immediately after the November 10 takedown, followed by only minor activity spikes in mid-November.
The data indicates that the takedown successfully crippled the malware’s infrastructure, leaving customers unable to access stolen data or manage compromised devices.
The alleged creator of Rhadamanthys, known as KingCrete, reportedly attempted to rebuild his operations by restoring the RHAD Security Onion marketplace.
The site lists Rhadamanthys, Elysium, and other cybercriminal services, but researchers note that no software updates have been released since May 2025.
This stagnation and the suspiciously revised contact details fuel speculation that the site may be a clone or even a law-enforcement honeypot, casting doubt on its legitimacy.
Adding to KingCrete’s reputation damage are claims that he misused stolen logs from his own users, allegedly keeping the most profitable data for himself.
Such a history of internal fraud makes rebuilding customer trust in the underground community nearly impossible, further reducing Rhadamanthys' appeal.
The disruption has indirectly benefited competing MaaS operators. SpyCloud’s recent analysis indicates that threat actors migrating away from Rhadamanthys are adopting Vidar, a mature infostealer with established infrastructure.
Vidar’s infection rates began to rise in September and accelerated after the Rhadamanthys takedown, mirroring patterns observed after the 2024 Operation Magnus disruptions, which led to LummaC2 adoption surges.
While the infostealer ecosystem remains resilient, the coordinated dismantling of Rhadamanthys demonstrates how international cooperation and private-sector intelligence can significantly disrupt criminal networks.
The operation also highlights growing law enforcement capabilities to target not just individual malware samples but also the broader criminal infrastructure that sustains them.
The post Threat Landscape Shifts After the Disruption of Rhadamanthys MaaS appeared first on Cyber Security News.