Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Rhadamanthys malware, compromised NHIs, and what IAM teams should watch


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 12212
Topic starter  

TL;DR: Rhadamanthys has evolved into a modular information stealer delivered through email, compromised websites, malvertising, and ClickFix social engineering, while law enforcement disruptions under Operation Endgame have also hit its infrastructure and affiliates, according to Proofpoint. The case reinforces that exposed credentials, user-triggered execution, and infrastructure reuse turn identity and delivery channels into a single attack surface.

NHIMG editorial — based on content published by Proofpoint: Rhadamanthys malware analysis and the impact of Operation Endgame

By the numbers:

Questions worth separating out

Q: How should security teams defend against malware campaigns that rely on fake verification pages and pasted commands?

A: Treat the browser, the clipboard, and the command shell as one attack path.

Q: Why do modular malware-as-a-service campaigns create a broader identity risk than a single stealer binary?

A: They let multiple affiliates reuse the same delivery and exfiltration ecosystem with different payload combinations, targets, and timings.

Q: What breaks when security teams focus only on attachment scanning and ignore staged delivery chains?

A: Attachment scanning misses the point when the lure merely starts a chain that later loads a stealer from external infrastructure.

Practitioner guidance

  • Harden user-execution choke points Monitor for copy-paste execution, PowerShell spawns from browsers, and fake verification pages that precede script launch.
  • Correlate delivery infrastructure across campaigns Group incidents by redirect domains, intermediate hosts, and loader reuse instead of treating each lure as isolated.
  • Tighten controls around exposed credentials Assume stolen secrets will be tested almost immediately after exposure and prioritise rapid revocation, scope reduction, and reuse monitoring for any account or token that can reach external services.

What's in the full report

Proofpoint's full article covers the operational detail this post intentionally leaves for the source:

  • Campaign-level examples of Rhadamanthys delivery through email, compromised websites, PDFs, and malvertising.
  • Indicator sets and emerging threat signatures that can be used to tune detection and blocking.
  • The operation-focused disruption context behind Operation Endgame and the infrastructure targets it affected.
  • Campaign and loader observations that help teams map how affiliates reuse delivery chains across incidents.

👉 Read Proofpoint's analysis of Rhadamanthys delivery chains and Operation Endgame →

Rhadamanthys malware, compromised NHIs, and what IAM teams should watch?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11787
 

Rhadamanthys shows that identity exposure is now a delivery-layer problem, not just a credential problem. The article ties malware delivery to compromised websites, fake verification flows, and pasted commands, which means access pathways themselves are part of the attack surface. When a payload can ride through user trust and browser execution, the practical boundary between IAM, endpoint security, and NHI abuse narrows sharply. Practitioners should treat delivery trust as an identity control plane issue.

A few things that frame the scale:

  • When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes and as quickly as 9 minutes in some cases, according to LLMjacking: How Attackers Hijack AI Using Compromised NHIs.
  • DeepSeek accidentally embedded over 11,000 secrets in its training data and left a database exposed online, revealing more than one million sensitive records including chat histories, backend credentials, and API keys.

A question worth separating out:

Q: What should teams do when malware distribution depends on compromised websites and affiliate infrastructure?

A: Prioritise containment across the supporting infrastructure, not just the endpoint. Block known redirect and loader domains, review web injection paths, and monitor for reuse of hosting patterns across campaigns. Where business risk is high, map those controls to broader incident response playbooks so the same infrastructure cannot be repurposed quietly.

👉 Read our full editorial: Rhadamanthys and compromised NHIs reshape malware delivery risk



   
ReplyQuote
Share: