Mr. Titus Tech is correct. cpuid-dot-com is indeed delivering malware right now.
As I began poking this with I stick I discovered this is not your typical run-of-the-mill malware. This malware is deeply trojanized, distributes from a compromised domain (cpuid-dot-com), performs file masquerading, is multi-staged, operates (almost) entirely in-memory, and uses some interesting methods to evade EDRs and/or AVs such as proxying NTDLL functionality from a .NET assembly.
The C2 domain present in one of the binaries is a clear IoC. This is the same Threat Group who was masquerading FileZilla in early March, 2026. They've been busy.
This talk was a huge milestone for me as being my first keynote. I wanted the topic to be pertinent but also applicable to attendees and my area of expertise. It was a big lift prepping so many live demos but Iโm happy with how it turned out. Hope you enjoy it!
First thoughts about #Rhadamanthys Stealer "disruption" (?) and what to expect in the next days with the current information as of November 13th:
The same way I did with Lumma I want to share some words (https://t.co/dWAQNKnjv1)
Leaving to one side from the discussion anything related to VenomRAT, and focusing on Rhadamanthys (and indirectly on the Elysium Botnet, which is in fact allegedly a product developed and offered by the same people behind Rhadamanthys and a product which I don't have much knowledge with), talking about a complete disruption, dismantling and whatever synonym as for now, should be wrong.
Short answer - Was Rhadamanthys completely disrupted? As far as I understand, NO. It's maybe too soon to talk big words.
Is Rhadamanthys working as for now? a completely YES for yesterday, still not see clear evidence about today, need time. See photo 1.
What are we observing on major malware traffic networks (the first ones to respond to changes )? A shift towards other traditional malware solutions such as StealC or Vidar, also newer ones such as AURA.
This is probably provoked by the words of the Rhadamanthys administration after the operation endgame was noticed. Rhadamanthys advised customers to stop work for some days (see photo 2). Some customers related that were personally messaged by Rhadamanthys administration stating that "he need some days for opsec", currently he is not active since yesterday after leaving last messages.
These quick changes happened before, for just some little time to not stop installation networks while the main malware project is having issues. If the original malware provider is back, it will be changed back again following the patterns.
I observed that the last days direct message from LE to some customers, as well as Rhadamanthys advices provoked some panel owners to wipe servers and accounts, so the malware work at some point was stopped momentarily just to be replaced by these other solutions.
Is there a possibility that some customers of Rhadamanthys have not been affected by the last events? YES. Due the naturality of the stealer, that I think is clearly differentiated by two installation methods (to summarize, Rhadamanthys offer a local installation to their customers, where server is controlled by customer and other service where panel is given already ready-to-use), customers that have a local installation may have not been affected as much as other people. This is just my hypothesis over what I observe. Can the people who are not affected be identified any way? YES, as long as Rhadamanthys administration saved any records from their customers.
About the information on victims retrieved by LE and submitted to platforms such as HIBP (2 million impacted email addresses and 7.4 million passwords to HIBP). These numbers reaffirm the scope of the operation and the major probability that
customers data on the whole meaning has not been affected by recent LE operation. These numbers feel small for the complete threat of what Rhadamanthys has represented over these years. If we observe other malware families busted over these years, I took for example Raccoon Stealer, the news talked about 50 million unique credentials (https://t.co/B0OgDwHUIT) something more reasonable, and this happened in 2022 where I believe victim traffic numbers were not as high as the following years. So I estimate the 7 million credentials retrieved over Operation Endgame now (considering that all came from Rhadamanthys that is not clearly stated as they could be from VenomRAT too) under the 20% range volume of all Rhadamanthys operation so far, being optimistic. It has been verified very quickly how some credentials originated from Rhadamanthys victims from publicly available sources are not included in this dataset retrieved by LE, so although you can search yourself if you have been pwned and show no results, you still could have been a victim of Rhadamanthys because not all data (and sincerely not a considerable amount) from Rhadamanthys servers has been retrieved.
There is also a interesting point over the Rhadamanthys reputation on the malware community. He is a trusted individual, that has recovered from many reputation incidents in the past. It is one of the major infostealers that no provides geo-block to the CIS countries (probably the biggest one doing this) and this feature provoked being banned from promotion on all major Russian-speaking forums, and also being very appreciated ironically by other people just because this, also because of a higher development side than other MaaS solutions . Although reputation kickbacks, it hold a user base and in the last months it dominated the market massively.
What to expect on the next days?
There's two possibilities, as seen before with other people:
1. Rhadamanthys owner never returns from hold by external pressures, attacks against honor and reputation and if the "opsec issues" has any more deep meaning, customers left with no reply and project left to death.
2. Rhadamanthys reach customers again, fix problems, get to work promptly as usual, nothing happened. (Lumma Style)
Time will tell how things turn outโ๏ธ
Just built an MCP for Ghidra.
Now basically any LLM (Claude, Gemini, local...) can Reverse Engineer malware for you. With the right prompting, it automates a *ton* of tedious tasks.
One-shot markups of entire binaries with just a click.
Open source, on Github now.
CATCH MY FIGHT TOMORROW FOR @UFC LONDON.
MAIN CARD OPENER.
MY PLEASURE, THE LAST PIRATE. ๐ถ๐พโโ๏ธ๐ดโโ ๏ธ
DROP SAVAGE DISPONIBLE : https://t.co/H3ZpciThrw
WEBSITE OPEN โ
Happy Valentine's folks โค๏ธ
I am excited to share with you my recent research @TRACLabs_ on #SocGholish post-exploitation phase and delivery of #GhostWeaver backdoor.
Huge thanks to @ValidinLLC and @badsectorlabs for providing great tools and labs that helped in my research.
Link: https://t.co/kc7Ax2l3yZ
Love you all ๐ซถ
๐ข New Microsoft Threat Report: "ViewState Code Injection Attacks Using Publicly Disclosed https://t.co/QmvUaRN0KZ Machine Keys"
I wanted to understand deeper how works the attack so I created a detailed overview. Hope that helps ๐ค
๐ https://t.co/h5BHyR0XI6
Happy Friday, everyone! With recent changes in #LummaStealer - using ChaCha20 for C2 encryption, here is the new config extractor in C/C++. We will try a different approach this time ๐ฆ
Enjoy!
https://t.co/8hXyToCPGt
You can now manage your YARA rules for live hunting on #YARAify using the API ๐ฅณ๐
Deploy a YARA rule through the API:
https://t.co/g4zZGYJ8Ih
Sample script:
https://t.co/b1bBqom3Qx
Happy hunting! ๐ฏ
I have tested and added the #YARA rules by @sekoia_io to the YARA Forge project
YARA Forge automates the collection, standardization, and optimization of high-quality YARA rules from public repositories, providing security teams with reliable, ready-to-use rule packages
SEKOIA's blog post
https://t.co/5ZPlGPjVNO
Their YARA rules
https://t.co/0NCTuVrsB6
YARA Forge Project
https://t.co/WxT9qPQrTQ
Acting as digital detectives, we uncovered the sale of a bypass tool on underground forums. This investigation began when a bad actor tried to test an EDR bypass tool. Read what we learned from there: https://t.co/QiR8jM3zv8
Le Last Pirate est parรฉ ร l'abordage ๐ดโโ ๏ธ
@Morgan_Chapa โ๏ธ 66,2 kg (146 lb)
Regardez son combat contre Manolo Zecchini ร lโ#UFCParis samedi ร partir de 20h30 sur @RMCSport 2 et 22h30 sur @RMCDecouverte