Rhadamanthys infostealer operation disruption and web-panel access loss
Malware Activity
Summary
Hide ▲
Show ▼
On 2025-11-12, the Rhadamanthys infostealer operation was disrupted, leaving many customers unable to reach the web panels that collect stolen data. The malware steals credentials and authentication cookies, so the access loss could interrupt ongoing theft and management of infected infrastructure. The exact cause is unconfirmed, but the outage appears to have affected both customer servers and the operation’s Tor onion sites.
Related Happenings
SocGholish malware downloader hijacking WordPress sites
Malware Activity
H score57
First: 18.06.2026 16:25
Last: 18.06.2026 16:25
Sources 1
About this happening:
**SocGholish** is a long-running **JavaScript-based malware downloader** also tracked as **FakeUpdates** that hijacks **compromised WordPress sites** to push **fake browser update...
SocGholish malware downloader hijacking WordPress sites
Malware ActivityAbout this happening: **SocGholish** is a long-running **JavaScript-based malware downloader** also tracked as **FakeUpdates** that hijacks **compromised WordPress sites** to push **fake browser update...
APT28 FrostArmada DNS hijacking and AitM credential theft campaign
Campaign
H score45
First: 07.04.2026 18:51
Last: 07.04.2026 18:51
Sources 1
About this happening:
A multinational disruption effort has taken down **FrostArmada**, an **APT28** campaign that hijacked router DNS settings to steal **Microsoft account credentials** and OAuth toke...
APT28 FrostArmada DNS hijacking and AitM credential theft campaign
CampaignAbout this happening: A multinational disruption effort has taken down **FrostArmada**, an **APT28** campaign that hijacked router DNS settings to steal **Microsoft account credentials** and OAuth toke...
APT28 SOHO router DNS hijacking and credential theft campaign
Campaign
H score41
First: 07.04.2026 18:30
Last: 07.04.2026 18:30
Sources 1
About this happening:
**APT28** is running **two malicious campaigns** that abuse **vulnerable SOHO routers** and attacker-controlled **DNS/VPS infrastructure** to reroute traffic and steal credentials...
APT28 SOHO router DNS hijacking and credential theft campaign
CampaignAbout this happening: **APT28** is running **two malicious campaigns** that abuse **vulnerable SOHO routers** and attacker-controlled **DNS/VPS infrastructure** to reroute traffic and steal credentials...
Latest development: 08.04.2026 13:03
On April 7, 2026, the US Department of Justice and the FBI said they neutralized the US portion of APT28’s DNS hijacking network, which spanned more than 23 US states and used compromised SOHO routers, especially TP-Link routers, to redirect traffic through attacker-controlled DNS servers and steal credentials from targeted organizations. The FBI said it was working with ISPs to notify affected users, and court-authorized remediation steps can reset router DNS settings, remove APT28-installed resolvers, and prevent further abuse of the original access path.
DOJ and Europol takedown of SocksEscort proxy network
Law Enforcement
H score19
First: 12.03.2026 18:19
Last: 12.03.2026 18:19
Sources 1
About this happening:
U.S. and European law enforcement **took down** **SocksEscort**, a long-running cybercrime proxy network that routed traffic through compromised edge devices. The action **seized...
DOJ and Europol takedown of SocksEscort proxy network
Law EnforcementAbout this happening: U.S. and European law enforcement **took down** **SocksEscort**, a long-running cybercrime proxy network that routed traffic through compromised edge devices. The action **seized...
Tycoon 2FA-Storm-1747 ecosystem shift changes threat-actor operations
Threat Actor Meta
H score82
First: 05.03.2026 08:51
Last: 05.03.2026 08:51
Sources 1
About this happening:
**Tycoon2FA** has evolved from a **subscription-based PhaaS** into a more resilient phishing service that now supports **device-code phishing** against **Microsoft 365** accounts....
Tycoon 2FA-Storm-1747 ecosystem shift changes threat-actor operations
Threat Actor MetaAbout this happening: **Tycoon2FA** has evolved from a **subscription-based PhaaS** into a more resilient phishing service that now supports **device-code phishing** against **Microsoft 365** accounts....
Latest development: 17.05.2026 17:43
eSentire says Tycoon2FA now uses device-code phishing to target Microsoft 365 accounts, with invoice-themed lure emails carrying Trustifi click-tracking URLs that redirect through Trustifi, Cloudflare Workers, obfuscated JavaScript layers, and a fake Microsoft CAPTCHA page before sending victims to microsoft.com/devicelogin. The kit also adds anti-analysis defenses, including detection of Selenium, Puppeteer, Playwright, and Burp Suite, plus blocks for security vendors, VPNs, sandboxes, AI crawlers, and cloud providers.
Timeline
-
12.11.2025 02:14 2 articles · 7mo ago
Rhadamanthys operation disruption and access loss
Initial DisclosureCustomers of the Rhadamanthys infostealer operation report losing SSH access to their web panels, with logins changed from root password authentication to certificate-based access. The Rhadamanthys developer and malware researchers say German law enforcement may be involved, while the operation's Tor onion sites are also offline without a police seizure banner.
Show sources
- Rhadamanthys infostealer disrupted as cybercriminals lose server access — www.bleepingcomputer.com — 12.11.2025 02:14
- Rhadamanthys infostealer disrupted as cybercriminals lose server access — www.bleepingcomputer.com — 12.11.2025 02:14