TL;DR: Rhadamanthys has evolved into a modular information stealer delivered through email, compromised websites, malvertising, and ClickFix social engineering, while law enforcement disruptions under Operation Endgame have also hit its infrastructure and affiliates, according to Proofpoint. The case reinforces that exposed credentials, user-triggered execution, and infrastructure reuse turn identity and delivery channels into a single attack surface.
At a glance
What this is: This is an analysis of Rhadamanthys malware and its shifting delivery model, including compromised websites, ClickFix lures, and law enforcement disruption.
Why it matters: It matters because identity teams must treat exposed access, user-mediated execution, and affiliate infrastructure as linked controls across NHI, endpoint, and human workflows.
By the numbers:
- When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes and as quickly as 9 minutes in some cases.
👉 Read Proofpoint's analysis of Rhadamanthys delivery chains and Operation Endgame
Context
Rhadamanthys is a modular malware family that uses social engineering and delivery infrastructure to steal credentials, financial data, and system details. For identity teams, the relevant issue is not just malware execution, but how exposed credentials, compromised websites, and user-assisted payload delivery collapse the boundary between access control and infection.
The article shows a crimeware ecosystem built around reusable delivery paths and affiliate access. That matters to NHI governance because the same trust assumptions that allow scripts, loaders, tokens, and browser sessions to operate also make them attractive compromise points for follow-on malware.
Operation Endgame's disruption of infrastructure adds a second lesson: attackers depend on identity-like persistence in the form of malware services, affiliate access, and delivery accounts. That is typical of mature crimeware operations, not an isolated campaign pattern.
Key questions
A: Treat the browser, the clipboard, and the command shell as one attack path. Detect unusual paste-to-run behaviour, browser-launched script execution, and redirects to newly registered or compromised domains. Pair that with user awareness only after technical controls are in place, because ClickFix style lures succeed when execution is made to look routine.
A: They let multiple affiliates reuse the same delivery and exfiltration ecosystem with different payload combinations, targets, and timings. That means the same infrastructure can be used repeatedly against new victims, turning compromised access into a service model. For defenders, the practical issue is ecosystem disruption, not just one sample removal.
Q: What breaks when security teams focus only on attachment scanning and ignore staged delivery chains?
A: Attachment scanning misses the point when the lure merely starts a chain that later loads a stealer from external infrastructure. If redirects, scripts, browser prompts, or archive execution are not monitored, the malicious action happens after the initial inspection point. Defenders then see a clean first file and miss the actual compromise path.
A: Prioritise containment across the supporting infrastructure, not just the endpoint. Block known redirect and loader domains, review web injection paths, and monitor for reuse of hosting patterns across campaigns. Where business risk is high, map those controls to broader incident response playbooks so the same infrastructure cannot be repurposed quietly.
Technical breakdown
How Rhadamanthys uses multi-stage delivery to avoid detection
Rhadamanthys is distributed through email links, compromised websites, PDFs, and malvertising, but the common technical feature is staged execution. The first stage is usually a lure or redirect that gets the victim to a browser page, a script, or a file. The second stage then pulls down the loader or stealer from actor-controlled infrastructure. Multi-stage design matters because each step reduces the chance that static controls will see the full payload chain in one place.
Practical implication: inspect redirect chains, script downloads, and attachment handoffs as a single delivery path, not as separate events.
Why ClickFix works as a user-execution technique
ClickFix is social engineering that asks the user to copy, paste, and run a command, often through a fake verification or update page. Technically, the attacker relies on the browser and operating system to execute a command that the security stack may treat as user-initiated rather than malicious. That weakens controls that focus only on attachment scanning or web filtering because the harmful action occurs after the lure has passed initial inspection.
Practical implication: add controls that detect suspicious paste-to-run behavior and PowerShell launch patterns, not just malicious files.
Why modular malware-as-a-service changes the identity risk profile
Rhadamanthys is sold as a modular malware-as-a-service offering, which lets affiliates add plugins, change delivery methods, and tailor payloads to different targets. That modularity makes the threat harder to model because the same family can behave differently across campaigns while preserving a shared core loader and exfiltration capability. For defenders, the issue is not only the malware binary but the service ecosystem that supports repeatable credential theft and reuse.
Practical implication: treat repeat campaigns as ecosystem activity and correlate infrastructure, loaders, and affiliate reuse across incidents.
Threat narrative
Attacker objective: The attacker wants to harvest credentials and other sensitive data at scale while preserving flexible delivery infrastructure for repeated campaigns.
- Entry occurs when victims are driven through email, compromised websites, PDFs, or malvertising into a fake verification or update flow that prepares the download chain.
- Escalation occurs when the user executes a pasted command or launches a staged loader, giving Rhadamanthys a path to install its payload and pull additional modules.
- Impact occurs when the stealer captures credentials, browser data, and other sensitive information for reuse, resale, or follow-on compromise.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- MongoBleed breach — MongoBleed exposed secrets across 87K MongoDB servers.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Rhadamanthys shows that identity exposure is now a delivery-layer problem, not just a credential problem. The article ties malware delivery to compromised websites, fake verification flows, and pasted commands, which means access pathways themselves are part of the attack surface. When a payload can ride through user trust and browser execution, the practical boundary between IAM, endpoint security, and NHI abuse narrows sharply. Practitioners should treat delivery trust as an identity control plane issue.
Compromised websites create identity-like persistence for malware operators. The campaign chain described here uses actor-controlled redirects, staged payloads, and reusable infrastructure in the same way legitimate identity systems rely on durable service relationships. That persistence lets affiliates reuse access patterns even when individual campaigns change. The implication is that defenders need to think in terms of service relationship teardown, not only malware signature replacement.
Ephemeral trust debt: user-mediated execution creates a short-lived but highly exploitable trust window that is difficult to govern with static controls. The article's ClickFix examples show that a user can be manipulated into executing code after initial inspection has already passed. That assumption was designed for workflows where human review interrupts execution, but it fails when the review step is itself the attack path. The implication is that practitioner programmes must recognise that trust can be borrowed and consumed within a single interaction.
Operation Endgame proves that crimeware ecosystems depend on removable infrastructure, not just removable binaries. The takedown disrupted management servers, affiliate infrastructure, and adjacent services such as proxy bots, which shows how much of the threat lives in the support layer. That is highly relevant to NHI governance because service accounts, download hosts, and operational domains behave like identities when they are reused to move payloads and money. Practitioners should widen control scope from endpoint events to the supporting access fabric.
Rhadamanthys is a reminder that credential theft is now productised. The malware's modularity, pricing, and affiliate model turn stolen access into a repeatable business service. That shifts the defender's job from detecting a single intrusion to interrupting a commercial pipeline that converts identity compromise into serial campaigns. Teams should therefore align detection, identity hygiene, and network blocking around the economics of reuse.
From our research:
- When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes and as quickly as 9 minutes in some cases, according to LLMjacking: How Attackers Hijack AI Using Compromised NHIs.
- DeepSeek accidentally embedded over 11,000 secrets in its training data and left a database exposed online, revealing more than one million sensitive records including chat histories, backend credentials, and API keys.
- For a broader threat pattern, review The 52 NHI breaches Report for case studies showing how exposed access becomes repeatable compromise.
What this signals
Ephemeral trust debt: campaigns like Rhadamanthys show that the trust window created by user-mediated execution is often shorter than the cadence of traditional review and response processes. That means identity and endpoint teams need to watch for execution signals at the moment trust is being spent, not after a file is classified.
The operational lesson is to treat delivery infrastructure, browser execution, and credential exposure as one governance surface. When malware operators can swap lures without changing the underlying abuse model, programmes built around isolated controls will keep seeing the same risk under different names.
For practitioners
- Harden user-execution choke points Monitor for copy-paste execution, PowerShell spawns from browsers, and fake verification pages that precede script launch. Correlate those signals with newly seen domains and downloads so the chain can be blocked before the loader stage completes.
- Correlate delivery infrastructure across campaigns Group incidents by redirect domains, intermediate hosts, and loader reuse instead of treating each lure as isolated. That helps you spot the same malware service being repackaged through email, PDFs, and compromised websites.
- Tighten controls around exposed credentials Assume stolen secrets will be tested almost immediately after exposure and prioritise rapid revocation, scope reduction, and reuse monitoring for any account or token that can reach external services.
- Add detection for staged payload chains Build detections that follow the transition from lure to redirect to loader to stealer, including browser-launched downloads and archive execution. This is where staged malware like Rhadamanthys often evades single-event inspection.
Key takeaways
- Rhadamanthys is a modular stealer ecosystem, so the real risk is the delivery model and affiliate reuse, not only the malware file.
- Its campaigns show how compromised websites, fake verification steps, and pasted commands turn user action into an execution path.
- Defenders need to correlate delivery infrastructure, staged payloads, and exposed credentials because that is where the repeatable compromise pattern lives.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 and MITRE ATT&CK address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | The article centres on stolen credentials and reusable access in malware campaigns. |
| MITRE ATT&CK | TA0001 , Initial Access; TA0006 , Credential Access; TA0011 , Command and Control | The campaigns combine lure-based entry, credential theft, and remote payload retrieval. |
| NIST CSF 2.0 | PR.AA-01 | Identity proofing and access control are undermined by stolen secrets and staged malware delivery. |
| NIST SP 800-53 Rev 5 | IA-5 | Leaked credentials and token reuse are central to the abuse pattern described. |
| NIST Zero Trust (SP 800-207) | Zero Trust is relevant because the article shows trust being exploited across browser, domain, and identity layers. |
Track Rhadamanthys-like chains against initial access, credential access, and command-and-control techniques.
Key terms
- Modular Malware-as-a-Service: A malware business model where operators sell a base payload with optional modules, loaders, or plugins. The model lets affiliates change delivery methods and capabilities without rewriting the core malware, which increases scale, reduces barriers to entry, and complicates detection because campaigns can look different while sharing the same service layer.
- ClickFix: A browser-delivered social engineering technique that persuades a user to paste and execute a malicious command, usually through clipboard manipulation and a fake instruction sequence. The key risk is that the endpoint may see a normal user action even though the payload originated from a hostile webpage.
- Staged Payload Delivery: A delivery pattern where an initial lure or loader fetches later stages from external infrastructure instead of delivering the full malware at once. This reduces visibility for perimeter tools and allows the attacker to swap components, evade detection, and tailor the final payload to the target environment.
- Delivery Infrastructure Reuse: The repeated use of domains, redirect chains, loaders, and hosting assets across many campaigns. In practice, this creates a detectable support layer around malware operations, and it is often more durable than the payload itself, which makes infrastructure correlation a high-value defensive control.
What's in the full report
Proofpoint's full article covers the operational detail this post intentionally leaves for the source:
- Campaign-level examples of Rhadamanthys delivery through email, compromised websites, PDFs, and malvertising.
- Indicator sets and emerging threat signatures that can be used to tune detection and blocking.
- The operation-focused disruption context behind Operation Endgame and the infrastructure targets it affected.
- Campaign and loader observations that help teams map how affiliates reuse delivery chains across incidents.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
Published by the NHIMG editorial team on July 14, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org