Rhadamanthys infostealer operation disruption and web-panel access loss

Malware Activity
Happening score: 33
1 unique source, 1 article

Summary

On 2025-11-12, the Rhadamanthys infostealer operation was disrupted, leaving many customers unable to reach the web panels that collect stolen data. The malware steals credentials and authentication cookies, so the access loss could interrupt ongoing theft and management of infected infrastructure. The exact cause is unconfirmed, but the outage appears to have affected both customer servers and the operation’s Tor onion sites.

Related Happenings

APT28 FrostArmada DNS hijacking and AitM credential theft campaign

Campaign
First: 07.04.2026 18:51 Last: 07.04.2026 18:51 Sources 1

About this happening: A multinational disruption effort has taken down **FrostArmada**, an **APT28** campaign that hijacked router DNS settings to steal **Microsoft account credentials** and OAuth toke...

APT28 SOHO router DNS hijacking and credential theft campaign

Campaign
First: 07.04.2026 18:30 Last: 07.04.2026 18:30 Sources 1

About this happening: **APT28** is running **two malicious campaigns** that abuse **vulnerable SOHO routers** and attacker-controlled **DNS/VPS infrastructure** to reroute traffic and steal credentials...

Latest development: 08.04.2026 13:03

On April 7, 2026, the US Department of Justice and the FBI said they neutralized the US portion of APT28’s DNS hijacking network, which spanned more than 23 US states and used compromised SOHO routers, especially TP-Link routers, to redirect traffic through attacker-controlled DNS servers and steal credentials from targeted organizations. The FBI said it was working with ISPs to notify affected users, and court-authorized remediation steps can reset router DNS settings, remove APT28-installed resolvers, and prevent further abuse of the original access path.

DOJ and Europol takedown of SocksEscort proxy network

Law Enforcement
First: 12.03.2026 18:19 Last: 12.03.2026 18:19 Sources 1

About this happening: U.S. and European law enforcement **took down** **SocksEscort**, a long-running cybercrime proxy network that routed traffic through compromised edge devices. The action **seized...

Tycoon 2FA-Storm-1747 ecosystem shift changes threat-actor operations

Threat Actor Meta
First: 05.03.2026 08:51 Last: 05.03.2026 08:51 Sources 1

About this happening: **Tycoon2FA** has evolved from a **subscription-based PhaaS** into a more resilient phishing service that now supports **device-code phishing** against **Microsoft 365** accounts....

Latest development: 17.05.2026 17:43

eSentire says Tycoon2FA now uses device-code phishing to target Microsoft 365 accounts, with invoice-themed lure emails carrying Trustifi click-tracking URLs that redirect through Trustifi, Cloudflare Workers, obfuscated JavaScript layers, and a fake Microsoft CAPTCHA page before sending victims to microsoft.com/devicelogin. The kit also adds anti-analysis defenses, including detection of Selenium, Puppeteer, Playwright, and Burp Suite, plus blocks for security vendors, VPNs, sandboxes, AI crawlers, and cloud providers.

Europol-coordinated Tycoon2FA takedown

Law Enforcement
First: 04.03.2026 19:01 Last: 04.03.2026 19:01 Sources 1

About this happening: **Europol** coordinated a law-enforcement operation that **seized 330 domains** tied to **Tycoon2FA**, disrupting a **phishing-as-a-service** platform used for **credential theft*...

Latest development: 23.03.2026 23:52

CrowdStrike observed Tycoon2FA return to pre-disruption activity levels within days after the March 4, 2026 Europol-led takedown, with daily campaign volumes on March 4 and March 5, 2026 falling to 25% of pre-disruption levels before rebounding to early 2026 levels. The phishing-as-a-service platform continued using largely unchanged TTPs against Microsoft 365 and Gmail accounts and remained active in malicious email campaigns, BEC, email thread hijacking, cloud account takeovers, and malicious SharePoint links.

Timeline

  1. 12.11.2025 02:14 2 articles · 6mo ago

    Rhadamanthys operation disruption and access loss

    Initial Disclosure

    Customers of the Rhadamanthys infostealer operation report losing SSH access to their web panels, with logins changed from root password authentication to certificate-based access. The Rhadamanthys developer and malware researchers say German law enforcement may be involved, while the operation's Tor onion sites are also offline without a police seizure banner.