Rhadamanthys Historical Bot Infections Special Report.


Description

On the 12th Nov 2025, the Shadowserver Foundation released the following Special Report in respect of the jurisdiction.

No. Report Name Severity Date Released
1. Rhadamanthys Historical Bot Infections Special Report Critical 12-Nov-2025

The information contained in this special report was provided to the Shadowserver Foundation by the law enforcement agencies involved in the multinational coordinated cyber operation called Operation Endgame Season 2.0, with the objective of having the information disseminated to National CERTs/CSIRTs and network owners globally, in order to maximise remediation efforts.

This is the fourth Special Report released by the Shadowserver Foundation in relation to Operation Endgame. The report identifies IP addresses and computer systems within the jurisdiction believed to have been infected with the Rhadamanthys malware between the 14th Mar 2025 and the 11th Nov 2025.

Special Reports released by the Shadowserver Foundation are based upon a "high value dataset".

Problem

No. Malware Description Additional Information
1. Rhadamanthys. Rhadamanthys is an information stealing malware. The malware was first reported on the 24th Sep 2022 when it was offered for sale on the dark web. The emphasis of the initial version of the malware was on cracking cryptocurrency wallets and the exfiltration of the wallets. It targeted both wallet clients installed on the victim's machine and browser extensions. The downloader component of the Rhadamanthys malware sets it apart from other similar malware. The downloader is written in C++ and features a staged execution that uses a variety of advanced anti-analysis techniques coupled with heavy obfuscation. The latest versions of the malware have evolved to steal credentials from web browsers, VPN clients, email clients and chat clients as well as cryptocurrency wallets. The malware is being distributed via malicious Google advertisements and phishing emails. Malpedia - Rhadamanthys

On the 26th Sep 2024, Recorded Future published a detailed report on the Rhadamanthys information stealing malware.

No. Report Name Company Name Date Released
1. Recorded Future by Insikt Group - Rhadamanthys Stealer Adds Innovative AI Feature in Version 0.7.0. Recorded Future. 26-Sep-2024

Operation Endgame

Between the 30th Nov 2024 and the 28th May 2024, law enforcement agencies and judicial authorities, coordinated by Europol and Eurojust (European Union Agency for Criminal Justice Cooperation), launched the multinational coordinated cyber operation called Operation Endgame.

During Operation Endgame, over one hundred (100) servers and domains were seized or taken down.

Operation Endgame Season 2.0

Between the 19th May 2025 and the 22nd May 2025, law enforcement agencies and judicial authorities, coordinated by Europol and Eurojust, launched the multinational coordinated cyber operation called Operation Endgame 2.0, building upon the success of Operation Endgame.

The operation sought to dismantle key infrastructure behind the malware used to launch ransomware attacks, and it also targeted new malware variants and successor groups that re-emerged after Operation Endgame had concluded.

Law enforcement authorities took down some 300 servers worldwide, neutralised 650 domains, and issued international arrest warrants against 20 targets.

€3.5 million in cryptocurrency was seized during Operation Endgame Season 2.0, bringing the total amount seized during Operation Endgame to more than €21.2 million.

Recommendations

No. Action Description
1. Full anti-virus scan of infected device. A full anti-virus scan of the infected device should be performed to ensure the successful removal of the Rhadamanthys malware. Malware definition updates are crucial for anti-malware software to detect new threats. Ensure malware definitions are updated prior to the scan.
2. Monitor Infected Device. A device from which the Rhadamanthys malware has been successfully removed should be monitored for unusual or suspicious activity, to ensure the prevention of reinfection or attempted reinfection of the device.
3. Compromised Credentials. Credentials reported to have been compromised should be changed after the successful removal of the Rhadamanthys malware from the victim's infected device.
4. User Training & Awareness. Regular training on phishing email awareness should be conducted for users.
5. Patch Management. Patch management should be implemented to ensure that all computer systems and software are up-to-date, stable and secure.
6. Multi-Factor Authentication (MFA). Multi-Factor Authentication (MFA) across all critical accounts and services should be implemented. However, be aware that MFA can be bypassed with session cookies.
7. Endpoint Detection and Response (EDR). An Endpoint Detection and Response (EDR) system that continuously monitors all activity on all endpoint devices, such as computers and mobile devices, for threats should be implemented. On detection of a threat, EDR can automatically perform actions to contain it, preventing it from spreading to the rest of the network.
8. Extended Detection and Response (XDR). An Extended Detection and Response (XDR) system that integrates and correlates security data across multiple layers, such as endpoints, cloud workloads, email, and networks, should be implemented. XDR provides a unified and holistic approach to the detection of, investigation of and response to cyber threats.
9. Email Security. A robust email filtering and sandbox solution to mitigate the risk of malicious email attachments should be implemented. Attachment sandboxing automatically examines and analyses email attachments in an isolated environment to detect malicious activity without exposing the organisation's network.
10. Network Segmentation. Network segmentation should be implemented to prevent or restrict lateral movement opportunities for attackers.
11. Regular Backup of Critical Data. A system of regular backups of critical data should be implemented. Ensure the backups are stored offline.

Additional Information

Shadowserver Foundation - Rhadamanthys Historical Bot Infections Special Report.
EUROPOL - Largest ever operation against botnets hits dropper malware ecosystem.
EUROPOL - Operation ENDGAME strikes again: the ransomware kill chain broken at its source.
ENFAST - Operation Endgame.
Malpedia - Rhadamanthys.
Recorded Future by Insikt Group - Rhadamanthys Stealer Adds Innovative AI Feature in Version 0.7.0.
Check Point Research - Rhadamanthys: The “Everything Bagel” Infostealer.
Outpost24 - Rhadamanthys malware analysis: How infostealers use VMs to avoid analysis.

Report a Cyber Security Incident

Reports help the NCSC to develop a better understanding of the threat environment and will assist other organisations who are also at risk.
