Analyzing the Impact of the Operation Endgame Takedown on Rhadamanthys & the MaaS Ecosystem

Khushal

Thread author
Apr 4, 2024
After a coordinated disruption of the Rhadamanthys Malware-as-a-Service (MaaS) platform by law enforcement and private industry, minor activity from Rhadamanthys and its developer, KingCrete, continues. However, the takedown clearly did major damage to Rhadamanthys’ operations, and it looks like most users are moving away from the infostealer in favor of competitors like Vidar infostealer, leaving just a trickle of continued Rhadamanthys activity.


It really illustrates how effective a well‑coordinated takedown can be against a single MaaS platform – but also how quickly the ecosystem adapts.

What the chart is showing
  • Before Operation Endgame (left side), Rhadamanthys infections per hour are noisy but consistently active, with occasional massive spikes (up to ~5,000 new infections in an hour).
  • During the Operation Endgame window (orange band), you can see a sharp collapse in activity.
  • After the operation, only small, irregular spikes remain, then almost flatline – matching SpyCloud’s comment that activity is now just a “trickle.”

What this likely means in practice
  • The core Rhadamanthys infrastructure and/or distribution channels were clearly hit hard – enough that most customers moved to alternatives like Vidar.
  • The developer still seems to be trying to keep it alive, but with low adoption, it’s no longer a “top‑tier” stealer in terms of volume.
  • The overall infostealer problem hasn’t gone away – it has just shifted to other families. For defenders, that means focusing on the entire class of threats, not one name.

Security takeaways for users and orgs
  • Treat all stealer campaigns (Rhadamanthys, Vidar, Lumma, etc.) as similar in impact: mass credential theft and session hijacking.
  • Use a password manager plus unique passwords and enable 2FA everywhere possible; that limits the value of stolen credential dumps.
  • Harden endpoints with reputable security software and application control/SmartScreen, and avoid running cracked software or shady installers – still a top delivery vector for stealers.
  • If you suspect compromise, rotate passwords, invalidate sessions (especially for email, banking, and corporate SSO), and scan with multiple reputable tools or seek help in the Malware Removal section.

In short, Operation Endgame severely crippled this MaaS, but the chart is a reminder that disruption efforts need to be ongoing, because actors just migrate to the next stealer service in line.
 
