First advertised by a threat actor named kingcrete2022, Rhadamanthys has become one of the most widely used information stealers sold as a malware-as-a-service (MaaS) offering, alongside competitors such as Lumma, Vidar, StealC, and Acreed. Initially promoted on cybercrime forums, the author soon adopted a more professional approach to attracting and engaging with potential customers. The current version of the malware is 0.9.2.
Over time, Rhadamanthys has evolved beyond basic data collection into a sophisticated threat to both personal and corporate security. A previous analysis of an older version documented an optical character recognition (OCR) feature, backed by an AI model, that reads cryptocurrency wallet seed phrases out of images. The developers have since rebranded as “RHAD security” and “Mythical Origin Labs,” marketing their products as “intelligent solutions for innovation and efficiency.” The new branding and business structure, which include tiered pricing plans from $299 to $499 per month and an “Enterprise” option, suggest the authors treat this as a long-term business rather than a temporary side project.
Like its competitor Lumma, the latest version of Rhadamanthys (0.9.2) includes a feature meant to stop malware distributors from leaking unprotected builds: an unprotected copy displays an alert that lets the user terminate the malware before it does any harm to the machine. A build that announces itself is of little use to whoever leaked it, and the tactic is also intended to complicate detection efforts. While the on-screen alert message matches Lumma’s, the underlying technical implementation is completely different, indicating that Rhadamanthys’ developers copied the behaviour for appearance’s sake without copying the code.
The malware’s developers have also made a number of other updates, including minor changes to the custom format used for its executable modules and modifications to its anti-sandbox checks. One module, formerly called Strategy, performs a series of environment checks to confirm it is not running in a virtual machine or sandbox: it looks for specific process names, usernames, and hardware identifiers associated with analysis environments. Only after all of these checks pass does the malware connect to its command-and-control (C2) server to download its core components.
The core payload is hidden using steganography inside a WAV, JPEG, or PNG file, from which it is extracted, decrypted, and launched. Notably, decrypting the payload from a PNG file requires a shared secret that is established during the initial C2 communication, so a captured image alone is not enough to recover it. Once launched, the stealer module uses a built-in Lua runner to execute additional plugins, which handle data theft and extensive device and browser fingerprinting. Because the malware keeps evolving, security analysts are advised to continuously update their configuration parsers, monitor for PNG-based payload delivery, and track changes in obfuscation techniques. The professionalization of the Rhadamanthys operation signals that it is likely here to stay and will remain a significant threat.
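The advice above to watch for PNG-based payload delivery is easier to act on with a concrete triage check. The following script is an added example, not code from the original page and not a parser for Rhadamanthys’ own container format, which the article does not describe. It implements generic heuristics a responder can run on image files pulled from a suspect C2: bytes trailing the IEND chunk, chunk types outside the PNG specification, CRC mismatches, and an IDAT stream whose decoded size does not match the declared image dimensions. The sample PNGs, the chunk name `pYLd` and the trailing blob are constructed inside the script purely for demonstration.

```python
"""Triage heuristics for PNG files that may carry a hidden or appended payload.

Added example for this article, not code from the page or from the malware.
The checks are generic: they flag structural oddities that a plain image
produced by an image library would not have. They do not decode any
stealer-specific format and a clean result does not prove an image is benign.
"""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Chunk types defined by the PNG specification and its registered extensions.
STANDARD_CHUNKS = {
    b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"cHRM", b"gAMA", b"iCCP",
    b"sBIT", b"sRGB", b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"hIST", b"pHYs",
    b"sPLT", b"tIME", b"eXIf",
}


def parse_chunks(data):
    """Return ([(type, body, crc_ok, offset), ...], trailing_bytes_after_IEND)."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    chunks = []
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc_field = data[pos + 8 + length:pos + 12 + length]
        if len(body) != length or len(crc_field) != 4:
            break  # truncated chunk: treat the remainder as trailing data
        crc_ok = struct.unpack(">I", crc_field)[0] == zlib.crc32(ctype + body)
        chunks.append((ctype, body, crc_ok, pos))
        pos += 12 + length
        if ctype == b"IEND":
            break
    return chunks, data[pos:]


def triage_png(data):
    """Return a list of human-readable findings; an empty list means nothing odd."""
    chunks, trailing = parse_chunks(data)
    findings = []
    if trailing:
        findings.append(f"{len(trailing)} bytes after IEND")
    for ctype, body, crc_ok, off in chunks:
        name = ctype.decode("latin-1")
        if ctype not in STANDARD_CHUNKS:
            findings.append(f"non-standard chunk {name} ({len(body)} bytes) at {off}")
        if not crc_ok:
            findings.append(f"CRC mismatch on {name} at {off}")
    ihdr = next((b for t, b, _, _ in chunks if t == b"IHDR"), None)
    if ihdr is not None:
        width, height, depth, colour = struct.unpack(">IIBB", ihdr[:10])
        channels = {0: 1, 2: 3, 3: 1, 4: 2, 6: 4}.get(colour, 1)
        # Each scanline carries one filter byte followed by the packed pixels.
        expected = height * (1 + (width * channels * depth + 7) // 8)
        idat = b"".join(b for t, b, _, _ in chunks if t == b"IDAT")
        try:
            raw = zlib.decompress(idat)
            if len(raw) != expected:
                findings.append(f"decoded IDAT is {len(raw)} bytes, expected {expected}")
        except zlib.error:
            findings.append("IDAT does not inflate as a zlib stream")
    return findings


def _chunk(ctype, body):
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))


def make_png(width, height, extra_chunks=(), trailing=b""):
    """Build a minimal 8-bit greyscale PNG (constructed sample input, not a real capture)."""
    row = b"\x00" + bytes(width)  # filter type 0 plus zero-valued pixels
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    out = PNG_SIG + _chunk(b"IHDR", ihdr)
    for ctype, body in extra_chunks:
        out += _chunk(ctype, body)
    return out + _chunk(b"IDAT", zlib.compress(row * height)) + _chunk(b"IEND", b"") + trailing


# Constructed samples: a clean image and one with a made-up "pYLd" chunk plus appended data.
CLEAN = make_png(4, 4)
SUSPECT = make_png(4, 4, extra_chunks=[(b"pYLd", b"\xde\xad" * 32)], trailing=b"ENCRYPTED-BLOB" * 4)

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN), ("suspect", SUSPECT)):
        print(label, triage_png(blob) or "no findings")
```

Run against files carved from proxy or endpoint telemetry, a hit on any of these checks is a reason to pull the sample for manual analysis, not a verdict: legitimate tools do emit private chunks, and a stego carrier that hides data in pixel values would pass every check here, which is why the page’s advice to keep configuration parsers current still applies.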