Operation Endgame Quakes Rhadamanthys

    Date: 11/14/2025

    Severity: High

    Summary

    Rhadamanthys malware has evolved considerably, showcasing continuous advancements in cybercriminal tactics. Initially discovered in 2022, it began as a sophisticated information stealer targeting credentials, financial data, and system details. Its rapid rise in underground forums was driven by its strong capabilities and high level of customization. Over time, updates enhanced its evasion techniques and improved adaptability against security controls. These updates introduced obfuscation, anti-analysis methods, and multi-stage payloads designed to evade detection. The malware also became increasingly modular, enabling threat actors to tailor its functions to specific campaigns or targets.

    Indicators of Compromise (IOC) List

    Domains/URLs:

    https://84.200.80.8/gateway/53c06hop.fp0g1

    security.flacergurad.com

    security.flaegrudad.com

    security.flaezguerad.com

    security.flaezguered.com

    security.flavregurads.com

    security.flheregurend.com

    security.flqaergwaard.com

    security.flsaregursd.com

    security.gueradflwre.com

    theguardshield.com

    flheregurend.com

    flsaregursd.com

    flaezguerad.com

    flaezguered.com

    flcreagurade.com

    flnaresgurard.com

    flaxergaurds.com

    cloudwardena.com

    flenieregurd.com

    Budparbanjarnegara.com

    https://google.strike-submit.com/DMCA_Notice.hta

    https://google.strike-submit.com/agreeses.bin

    https://85.192.61.140/gateway/h2u7sp2d.ab87a

    https://policy.video

    https://support-review.org/

    https://appeal.strike-submit.com

    support-review.org

    trust-review.org

    compliance-review.org

    channel-review.org

    application-review.org

    strike-submit.com

    submit-appeal.com

    policy.video

    tdsworkout.com

    cashorix.xyz

    xpoalswwkjddsljsy.com

    galaxyswapper.pro 

    http://141.0x62.80.175/kick.dat

    http://xoiiasdpsdoasdpojas.com/

    xoiiasdpsdoasdpojas.com

    IP Addresses:

    103.136.68.61

    193.24.211.233

    141.98.80.175

    193.221.200.93

    Hashes (SHA-256):

    13f0bf908679bea560806fd3c14ef581b3cadbab2ff07a6adf04d97995924707

    b0c9d619256fdf220fbb39945fac5a040b5e836f1eae0459b4fcbf2b451420a7

    bc2508708feb0ccc652494f8e28620bd871a8b6e1d26c7cdd61ab070f2594bbc

    ccdd8a6dc97eeba07e586f059eae7944dd767519f2c3b2233ff90d3dc4e8e3f0

    ff14b28408121ebe4a5d0c2f14b9dc99e987e89b56392dc214481197d4815456

    c9026ffc02f11204ac1eb1183376a5cee74f7897d948bdcd59c06f31de2671fa

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "flaezguered.com" or url like "flaezguered.com" or siteurl like "flaezguered.com" or domainname like "https://policy.video" or url like "https://policy.video" or siteurl like "https://policy.video" or domainname like "security.flaezguered.com" or url like "security.flaezguered.com" or siteurl like "security.flaezguered.com" or domainname like "https://84.200.80.8/gateway/53c06hop.fp0g1" or url like "https://84.200.80.8/gateway/53c06hop.fp0g1" or siteurl like "https://84.200.80.8/gateway/53c06hop.fp0g1" or domainname like "flnaresgurard.com" or url like "flnaresgurard.com" or siteurl like "flnaresgurard.com" or domainname like "flheregurend.com" or url like "flheregurend.com" or siteurl like "flheregurend.com" or domainname like "xoiiasdpsdoasdpojas.com" or url like "xoiiasdpsdoasdpojas.com" or siteurl like "xoiiasdpsdoasdpojas.com" or domainname like "security.flavregurads.com" or url like "security.flavregurads.com" or siteurl like "security.flavregurads.com" or domainname like "security.flaezguerad.com" or url like "security.flaezguerad.com" or siteurl like "security.flaezguerad.com" or domainname like "security.flacergurad.com" or url like "security.flacergurad.com" or siteurl like "security.flacergurad.com" or domainname like "tdsworkout.com" or url like "tdsworkout.com" or siteurl like "tdsworkout.com" or domainname like "http://xoiiasdpsdoasdpojas.com/" or url like "http://xoiiasdpsdoasdpojas.com/" or siteurl like "http://xoiiasdpsdoasdpojas.com/" or domainname like "galaxyswapper.pro" or url like "galaxyswapper.pro" or siteurl like "galaxyswapper.pro" or domainname like "https://google.strike-submit.com/DMCA_Notice.hta" or url like "https://google.strike-submit.com/DMCA_Notice.hta" or siteurl like "https://google.strike-submit.com/DMCA_Notice.hta" or domainname like "theguardshield.com" or url like "theguardshield.com" or siteurl like "theguardshield.com" or domainname like "security.gueradflwre.com" or url like "security.gueradflwre.com" or siteurl like "security.gueradflwre.com" or domainname like "security.flheregurend.com" or url like "security.flheregurend.com" or siteurl like "security.flheregurend.com" or domainname like "Budparbanjarnegara.com" or url like "Budparbanjarnegara.com" or siteurl like "Budparbanjarnegara.com" or domainname like "https://85.192.61.140/gateway/h2u7sp2d.ab87a" or url like "https://85.192.61.140/gateway/h2u7sp2d.ab87a" or siteurl like "https://85.192.61.140/gateway/h2u7sp2d.ab87a" or domainname like "flcreagurade.com" or url like "flcreagurade.com" or siteurl like "flcreagurade.com" or domainname like "submit-appeal.com" or url like "submit-appeal.com" or siteurl like "submit-appeal.com" or domainname like "flsaregursd.com" or url like "flsaregursd.com" or siteurl like "flsaregursd.com" or domainname like "flenieregurd.com" or url like "flenieregurd.com" or siteurl like "flenieregurd.com"

    Detection Query 2:

    domainname like "security.flaegrudad.com" or url like "security.flaegrudad.com" or siteurl like "security.flaegrudad.com" or domainname like "security.flqaergwaard.com" or url like "security.flqaergwaard.com" or siteurl like "security.flqaergwaard.com" or domainname like "security.flsaregursd.com" or url like "security.flsaregursd.com" or siteurl like "security.flsaregursd.com" or domainname like "flaezguerad.com" or url like "flaezguerad.com" or siteurl like "flaezguerad.com" or domainname like "flaxergaurds.com" or url like "flaxergaurds.com" or siteurl like "flaxergaurds.com" or domainname like "cloudwardena.com" or url like "cloudwardena.com" or siteurl like "cloudwardena.com" or domainname like "https://google.strike-submit.com/agreeses.bin" or url like "https://google.strike-submit.com/agreeses.bin" or siteurl like "https://google.strike-submit.com/agreeses.bin" or domainname like "https://support-review.org/" or url like "https://support-review.org/" or siteurl like "https://support-review.org/" or domainname like "https://appeal.strike-submit.com" or url like "https://appeal.strike-submit.com" or siteurl like "https://appeal.strike-submit.com" or domainname like "support-review.org" or url like "support-review.org" or siteurl like "support-review.org" or domainname like "trust-review.org" or url like "trust-review.org" or siteurl like "trust-review.org" or domainname like "compliance-review.org" or url like "compliance-review.org" or siteurl like "compliance-review.org" or domainname like "channel-review.org" or url like "channel-review.org" or siteurl like "channel-review.org" or domainname like "application-review.org" or url like "application-review.org" or siteurl like "application-review.org" or domainname like "strike-submit.com" or url like "strike-submit.com" or siteurl like "strike-submit.com" or domainname like "policy.video" or url like "policy.video" or siteurl like "policy.video" or domainname like "cashorix.xyz" or url like "cashorix.xyz" or siteurl like "cashorix.xyz" or domainname like "xpoalswwkjddsljsy.com" or url like "xpoalswwkjddsljsy.com" or siteurl like "xpoalswwkjddsljsy.com" or domainname like "http://141.0x62.80.175/kick.dat" or url like "http://141.0x62.80.175/kick.dat" or siteurl like "http://141.0x62.80.175/kick.dat"

    Detection Query 3:

    dstipaddress IN ("141.98.80.175","103.136.68.61","193.24.211.233","193.221.200.93") or srcipaddress IN ("141.98.80.175","103.136.68.61","193.24.211.233","193.221.200.93")

    Detection Query 4:

    sha256hash IN ("ccdd8a6dc97eeba07e586f059eae7944dd767519f2c3b2233ff90d3dc4e8e3f0","13f0bf908679bea560806fd3c14ef581b3cadbab2ff07a6adf04d97995924707","b0c9d619256fdf220fbb39945fac5a040b5e836f1eae0459b4fcbf2b451420a7","c9026ffc02f11204ac1eb1183376a5cee74f7897d948bdcd59c06f31de2671fa","bc2508708feb0ccc652494f8e28620bd871a8b6e1d26c7cdd61ab070f2594bbc","ff14b28408121ebe4a5d0c2f14b9dc99e987e89b56392dc214481197d4815456")
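The four queries above match the IOC strings field by field. The Python script below is an added example, not Gurucul's or Proofpoint's code, that implements the same matching over a handful of constructed sample events and adds two normalisation steps the raw queries do not perform: it extracts the host from URL-valued fields and matches parent domains, so a new subdomain of a listed domain still fires, and it converts IPv4 literals written with hex or octal octets (such as the 141.0x62.80.175 host in the kick.dat URL, which is 141.98.80.175 in dotted decimal) so they match the IP list. The field names follow the queries; the IOC values are a subset taken from this page; the events are constructed for illustration.

```python
"""IOC matcher for the Rhadamanthys advisory (added example, not the vendor's code).

Reproduces the logic of Detection Queries 1-4 and adds host extraction,
parent-domain matching and hex/octal IPv4 normalisation.
"""
from urllib.parse import urlsplit

# Subset of the advisory's IOCs (values copied from the page above).
IOC_DOMAINS = {
    "flaezguered.com", "security.flaezguered.com", "strike-submit.com",
    "policy.video", "xoiiasdpsdoasdpojas.com", "theguardshield.com",
}
IOC_URLS = {
    "https://google.strike-submit.com/DMCA_Notice.hta",
    "http://141.0x62.80.175/kick.dat",
    "https://84.200.80.8/gateway/53c06hop.fp0g1",
}
IOC_IPS = {"141.98.80.175", "103.136.68.61", "193.24.211.233", "193.221.200.93"}
IOC_SHA256 = {
    "ccdd8a6dc97eeba07e586f059eae7944dd767519f2c3b2233ff90d3dc4e8e3f0",
    "13f0bf908679bea560806fd3c14ef581b3cadbab2ff07a6adf04d97995924707",
}


def normalize_ipv4(host):
    """Return dotted-decimal text if `host` is an IPv4 literal, accepting hex
    (0x62) and octal (0142) octets that defeat naive string matching; None otherwise."""
    parts = host.split(".")
    if len(parts) != 4:
        return None
    octets = []
    for p in parts:
        try:
            if p.lower().startswith("0x"):
                v = int(p, 16)
            elif len(p) > 1 and p.startswith("0"):
                v = int(p, 8)
            else:
                v = int(p, 10)
        except ValueError:
            return None
        if not 0 <= v <= 255:
            return None
        octets.append(v)
    return ".".join(str(v) for v in octets)


def host_of(value):
    """Lower-cased host part of a URL or bare host name."""
    if "://" in value:
        return (urlsplit(value).hostname or "").lower()
    return value.split("/")[0].lower()


# Derived lookup sets: hosts of URL IOCs count as domain IOCs, and any IPv4
# literal among those hosts (after normalisation) counts as an IP IOC.
IOC_HOSTS = set(IOC_DOMAINS) | {host_of(u) for u in IOC_URLS}
IOC_IP_SET = set(IOC_IPS) | {ip for ip in map(normalize_ipv4, IOC_HOSTS) if ip}


def domain_hit(host):
    """Exact or parent-domain match: cdn.flaezguered.com matches flaezguered.com."""
    return any(host == d or host.endswith("." + d) for d in IOC_HOSTS)


def match_event(event):
    """Return the IOC hits for one event keyed with the advisory's field names
    (domainname, url, siteurl, dstipaddress, srcipaddress, sha256hash)."""
    hits = []
    for field in ("domainname", "url", "siteurl"):
        value = event.get(field)
        if not value:
            continue
        if value in IOC_URLS:
            hits.append(f"{field}: exact URL IOC {value}")
        host = host_of(value)
        ip = normalize_ipv4(host)
        if ip is not None:
            if ip in IOC_IP_SET:
                hits.append(f"{field}: host {host} is IP IOC {ip}")
        elif domain_hit(host):
            hits.append(f"{field}: host {host} matches domain IOC")
    for field in ("dstipaddress", "srcipaddress"):
        ip = normalize_ipv4(event.get(field, ""))
        if ip and ip in IOC_IP_SET:
            hits.append(f"{field}: IP IOC {ip}")
    digest = event.get("sha256hash", "").lower()
    if digest in IOC_SHA256:
        hits.append(f"sha256hash: file IOC {digest}")
    return hits


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"url": "http://141.0x62.80.175/kick.dat"},                   # hex-octet host
    {"domainname": "cdn.security.flaezguered.com"},               # new subdomain
    {"siteurl": "https://appeal.strike-submit.com"},              # parent domain
    {"dstipaddress": "193.24.211.233"},                           # listed IP
    {"sha256hash": "CCDD8A6DC97EEBA07E586F059EAE7944DD767519F2C3B2233FF90D3DC4E8E3F0"},
    {"url": "https://example.com/"},                              # benign
]


def scan_events(events):
    """Return (event, hits) pairs for every event with at least one IOC hit."""
    return [(e, match_event(e)) for e in events if match_event(e)]


if __name__ == "__main__":
    for event, hits in scan_events(SAMPLE_EVENTS):
        print(event, "->", hits)
```

The `like` comparisons in the queries match the literal IOC strings; the parent-domain and hex-octet handling here is a deliberate generalisation so that minor attacker-side variations of the same infrastructure are still caught. Hash comparison is case-insensitive because log sources differ in how they render SHA-256 values.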

    Reference:

    https://www.proofpoint.com/us/blog/threat-insight/operation-endgame-quakes-rhadamanthys


    Tags

    Malware, Rhadamanthys, Infostealer, Financial Services
