The threat actor behind Rhadamanthys has also advertised two other tools called Elysium Proxy Bot and Crypt Service on their website, even as the flagship information stealer has been updated to support the ability to collect device and web browser fingerprints, among others.
“Rhadamanthys was initially promoted through posts on cybercrime forums, but soon it became clear that the author had a more ambitious plan to connect with potential customers and build visibility,” Check Point researcher Aleksandra “Hasherezade” Doniec said in a new report.
First advertised by a threat actor named kingcrete2022, Rhadamanthys has emerged as one of the most popular information stealers available under a malware-as-a-service (MaaS) model alongside Lumma, Vidar, StealC, and, more recently, Acreed. The current version of the stealer is 0.9.2.
Over the years, the stealer’s capabilities have extended far beyond simple data collection, representing a comprehensive threat to personal and corporate security. In an analysis of version 0.7.0 of the malware last October, Recorded Future detailed the addition of a new artificial intelligence (AI) feature for optical character recognition (OCR) to capture cryptocurrency wallet seed phrases.
The latest findings from Check Point show that the threat actors rebranded themselves as “RHAD security” and “Mythical Origin Labs,” marketing their offerings as “intelligent solutions for innovation and efficiency.”
Rhadamanthys is available in three tiered packages, starting from $299 per month for a self-hosted version to $499 per month that comes with additional benefits, including priority technical support, server, and advanced API access. Prospective customers can also purchase an Enterprise plan by directly contacting their sales team.
“The combination of the branding, product portfolio, and pricing structure suggest that the authors treat Rhadamanthys as a long-term business venture rather than a side project,” Hasherezade noted. “For defenders, this professionalization signals that Rhadamanthys with its growing customer base and an expanding ecosystem is likely here to stay, making it important to track not only its malware updates but also the business infrastructure that sustains it.”
Like Lumma version 4.0, Rhadamanthys version 0.9.2 includes a feature to avoid leaking unpacked artifacts by displaying to the user an alert that allows them to finish the execution of the malware without inflicting any harm to the machine on which it’s running.
This is done so in an attempt to prevent malware distributors from spreading the initial executable in its plain, unprotected form so as to curtail detection efforts, as well as getting their systems infected in the process. That said, while the alert message may be the same in both the stealers, the implementation is completely different, Check Point said, suggesting “surface-level mimicry.”
“In Lumma, opening and reading the file is implemented via raw syscalls, and the message box is executed via NtRaiseHardError,” it noted. “In Rhadamanthys, raw syscalls aren’t used, and the same message box is displayed by MessageBoxW. Both loaders are obfuscated, but the obfuscation patterns are different.”
Other updates to Rhadamanthys concern slight tweaks to the custom XS format used to ship the executable modules, the checks executed to confirm if the malware should continue its execution on the host, and the obfuscated configuration embedded into it. The modifications also extend to obfuscating the names of the modules to fly under the radar.
One of the modules, previously referred to as Strategy, is responsible for a series of environment checks to ensure that it’s not running in a sandboxed environment. Furthermore, it checks running processes against a list of forbidden ones, gets the current wallpaper, and verifies it against a hard-coded one that represents the Triage sandbox.
It also runs a check to confirm if the current username matches anything that resembles those used for sandboxes, and compares the machine’s HWID (hardware identifier) against a predefined list, once again to ascertain the presence of a sandbox. It’s only when all these checks are passed that the sample proceeds to establish a connection with a command-and-control (C2) server to fetch the core component of the stealer.
The payload is concealed using steganographic techniques, either as a WAV, JPEG, or PNG file, from where it’s extracted, decrypted, and launched. It’s worth noting that decrypting the package from the PNG requires a shared secret that’s agreed upon during the initial phase of the C2 communication.
The stealer module, for its part, is equipped with a built-in Lua runner that serves additional plugins written in the programming language to facilitate data theft and conduct extensive device and browser fingerprinting.
“The latest variant represents an evolution rather than a revolution. Analysts should update their config parsers, monitor PNG-based payload delivery, track changes in mutex and bot ID formats, and expect further churn in obfuscation as tooling catches up,” Check Point said.
“Currently, the development is slower and steadier: the core design remains intact, with changes focused on refinements – such as new stealer components, changes in obfuscation, and more advanced customization options.”
