Reports of a possible law enforcement operation against Rhadamanthys Stealer infrastructure have created waves in the cybersecurity community.

The information stealer, which has been active in the threat landscape for several months, appears to have suffered a major disruption to its command and control servers.

Users of the malware-as-a-service platform have reported difficulties accessing their control panels, while the main onion domains associated with Rhadamanthys remain unavailable.

The situation came to light when the malware administrator issued an urgent message to customers, advising them to pause their operations and reinstall servers immediately.

This unusual directive suggests that the infrastructure may have been compromised or taken over by authorities.

The timing and nature of these events point to a coordinated takedown effort, though official confirmation from law enforcement agencies has not yet been released.

Threat intelligence analyst Gi7w0rm, who has been closely monitoring the situation, reported that Rhadamanthys domains appear to be under active law enforcement control.

The analyst also noted that customers were being advised to delete all servers. Security researcher g0njxa confirmed multiple reports of the infrastructure disruption, stating that users were experiencing login problems to their control panels.

Infrastructure Disruption and Operational Impact

The apparent seizure has created immediate problems for threat actors who rely on Rhadamanthys for their malicious operations.

The stealer, known for its ability to extract sensitive data including credentials, cryptocurrency wallets, and browser information, operates through a network of command and control servers.

When these servers go offline or fall under law enforcement control, the entire operation becomes ineffective. Stolen data cannot be transmitted back to the attackers, and new infections cannot receive updated instructions or configurations.

The admin’s instruction to reinstall servers indicates an attempt to rebuild the infrastructure on new, uncompromised systems.

However, this process requires significant effort and may leave the operation vulnerable during the transition period.

For organizations previously targeted by Rhadamanthys, this disruption provides a window of opportunity to strengthen their defenses before the threat actors can fully reestablish their operations.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post Rhadamanthys Stealer Servers Possibly Seized – Admin Urges to Reinstall Servers appeared first on Cyber Security News.

The English-speaking cybercriminal ecosystem, commonly known as “The COM,” has transformed from a niche community of social media account traders into a sophisticated, organized operation fueling some of the world’s most damaging cyberattacks.

What started as simple forums for trading rare social media handles has evolved into a professional, service-driven criminal marketplace targeting multinational corporations, government agencies, and critical infrastructure across the globe.

The COM’s growth accelerated during the cryptocurrency boom between 2020 and 2021, when cybercriminals shifted their focus from stealing social media accounts to draining digital wallets containing millions of dollars.

This shift introduced new attack methods and monetization strategies that fundamentally changed the landscape of cybercrime.

The ecosystem now operates as a comprehensive supply chain where specialized roles work together seamlessly to execute coordinated attacks.

CloudSEK security analysts identified that The COM’s operational structure mirrors legitimate business models.

Different threat actors specialize in specific roles—some handle social engineering through vishing calls, others manage credential theft, and specialized teams handle data exfiltration and money laundering.

This specialization allows criminal operations to scale rapidly while distributing risk across multiple independent actors.

The emergence of groups like Lapsus$ and ShinyHunters demonstrated The COM’s evolution into theatrical, publicity-driven operations.

Lapsus$ became infamous for breaching major tech companies, including NVIDIA, Samsung, and Microsoft, by manipulating customer support staff through social engineering.

The group pioneered a “leak-and-brag” approach, publicly taunting victims and law enforcement while threatening data releases to accelerate ransom payments.

The Attack Mechanism: Targeting the Human Perimeter

CloudSEK security researchers noted that The COM’s most effective weapon is social engineering rather than technical exploits.

The primary infection vector involves human manipulation through vishing crews who impersonate IT support staff, telecom providers, or corporate help desk personnel.

These operators deceive employees into revealing credentials, approving remote access, or executing system commands that grant attackers entry to corporate networks.

The technique operates through a simple principle: compromising a person is easier than compromising a device. Attackers use detailed victim profiling gathered through open-source intelligence and breached data, enabling highly targeted campaigns.

Once inside networks, attackers leverage legitimate tools like Remote Desktop Protocol and cloud services to move laterally, avoiding detection by blending with regular administrative traffic.

This approach has proven devastatingly effective against even organizations with advanced security infrastructure, making human-focused security measures increasingly critical for enterprise defense strategies moving forward.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post English-Speaking Cybercriminal Ecosystem ‘The COM’ Drives a Wide Spectrum of Cyberattacks appeared first on Cyber Security News.