Threat Brief: The Professional Rise of Rhadamanthys Stealer
As a SOC analyst, you understand the constant threat landscape. Today, we focus on a particularly concerning evolution: the Rhadamanthys Information Stealer. This malware has rapidly transformed from a basic offering into a sophisticated, professionalized Malware-as-a-Service, or MaaS, solution. Its continuous development and advanced features demand your attention. Understanding its evolution helps you protect your organization effectively.
From Project to Professional: Business Evolution
Rhadamanthys began its journey in September 2022. The initial developer, known as “kingcrete2022” and “freeide”, quickly signaled ambitious plans. This malware was never a casual side project. The threat actors rebranded themselves as “RHAD security” and “Mythical Origin Labs”. They marketed their offerings as “intelligent solutions for innovation and efficiency”. This rebranding indicates a serious, long-term business venture in the cybercrime economy.
The pricing model reflects this professionalization. Initially, access cost $250 or $300 for 30 days. Now, Rhadamanthys offers tiered packages, starting at $299 per month for a self-hosted version. Plans up to $499 per month include priority technical support, server access, and advanced API access. An Enterprise plan is also available via direct contact. This structured pricing and support model mirrors legitimate software businesses. It shows a commitment to customer service for its illicit clientele.
Technical Milestones: A Version History
Rhadamanthys has undergone rapid technical development. At least ten different releases have emerged since its inception. Each version introduces significant improvements and new capabilities. Understanding these updates is crucial for effective defense.
Version 0.4.0 (December 2022): This update brought major changes. It was incompatible with prior versions. Users needed to export configuration backups before updating. This suggests a significant architectural rewrite.
Version 0.4.1 (January 2023): Critical fixes were implemented. This version stopped global download tasks from triggering on empty records. It also fixed a security vulnerability in panel session management. Customizable Telegram notification templates and enhanced support for third-party crypting services (crypters) were added. It gained one-click summary export of credit card data, FTP credentials and mnemonic (seed) phrases. The anti-ETW function was also enhanced.
Version 0.4.5 (May 2023): Network capabilities and panel management received major focus. A dedicated shim server was added. The client and panel gained full TLS/SSL support, including self-signed certificates, which helps C2 traffic pass network controls. The client was rebuilt so that all system calls are issued directly, the basis of the syscall-unhooking behaviour referenced in later versions. A terminal function was added to the panel, allowing the server to be operated without a separate SSH tool. Client functionality expanded to include self-deletion after running and suppression of repeated execution for a specified time.
Version 0.5.0 (October 2023): This version significantly expanded execution flexibility and introduced extensibility. The client execution process was completely rewritten, fixing a syscall unhooking bug. An observer mode was added. Stub construction options diversified to include x86 and x32 native EXE, shellcode, .NET 4 and .NET 2 builds, which adapts the malware to a wider range of crypting services. Discord token acquisition improved. Browser data can now be acquired even when a third-party program protects it. Decryption of 360 Secure Browser login data was added. A new plug-in module supports customer-developed extensions; the initial plug-ins were Keylogger and Data Spy. Wallet cracking expanded, fixing the algorithms for several wallets and adding online real-time brute-force cracking.
Version 0.5.1 (November 2023): The Clipper plug-in was added. Google account cookie recovery was introduced. Default build stubs are now cleaned against Windows Defender detection, including its cloud protection.
Version 0.5.2 (December 2023): The Clipper plug-in was enhanced, fixing a bug that uploaded the same replacement result repeatedly. Log viewing gained paging. A full-text replacement function for various copy operations was added, with a switch that restricts replacing the same address to once. The reverse proxy plug-in now requires a separate Virtual Private Server for installation.
Version 0.7.0 (June 2024): This version represents a significant technical overhaul. Both client-side and server-side frameworks were completely rewritten, improving execution stability. Artificial intelligence features were introduced: AI-assisted optical character recognition, or OCR, extracts cryptocurrency wallet seed phrases from images, graphics and PDFs, and can identify multiple saved phrases inside one piece of text. The feature uses the imgdt.bin XS2 module and bip39.txt, a dictionary of BIP39 words used to validate OCR output. Client-side checks confirm file size bounds, valid extensions and image resolution; an image is flagged as a suspected seed phrase only if at least 12 words are processed and at least 9 of them are consecutive BIP39 words. The C2 server uses Tesseract, an open-source OCR engine, to extract mnemonic phrases from the exfiltrated images. A new "Msi installer execution" task type allows the threat actor to execute MSI files on the victim's machine; MSI packages are commonly treated as trusted installers, so this can slip past controls that scrutinize plain executables. The re-execution delay feature was made tamper-resistant through ChaCha20 encryption and SHA-1 hashing. Previous versions stored the timestamp value in the registry key HKCU\SOFTWARE\SibCode\sn; version 0.7.0 encrypts the timestamp and stores it in HKCU\SOFTWARE\SibCode\sn2. The extension delivery system was updated: plug-ins are now packaged as ZIP files containing classes.dex and manifest.json. Other module rewrites included the Telegram module, which now supports HTML formatting and multi-token polling; the synchronization module, which now supports remote FTP synchronization for log transfers; the search filter module; and a new API interface (open platform).
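To make the 0.7.0 pre-filter concrete, here is a Python reconstruction of the two thresholds described above (at least 12 words processed, at least 9 consecutive BIP39 words) applied to OCR'd text. This is an added example written for this brief, not code from the stealer or from any vendor report. The word list is a constructed subset of the 2048-word English BIP39 list (the malware ships its own as bip39.txt; a production scanner would load the full list), and the two "OCR outputs" are constructed samples.

```python
import re
from typing import Iterable

# Constructed subset of the 2048-word English BIP39 list. Production code loads the full
# list; the stealer ships its own copy as bip39.txt.
BIP39_SUBSET = frozenset("""
abandon ability able about above absent absorb abstract absurd abuse access accident
account accuse achieve acid acoustic acquire across act action actor actress actual
zoo zone zebra young youth wrong write wrist wrap worth world work word wool woman
""".split())

MIN_WORDS_TOTAL = 12        # threshold quoted for 0.7.0 above
MIN_CONSECUTIVE_BIP39 = 9   # threshold quoted for 0.7.0 above
WORD_RE = re.compile(r"[a-z]+")


def tokenize(text: str) -> list:
    """Lower-case alphabetic tokens; numbering, punctuation and OCR noise are dropped."""
    return WORD_RE.findall(text.lower())


def longest_bip39_run(words: Iterable[str], wordlist=BIP39_SUBSET) -> int:
    """Length of the longest run of consecutive tokens that are all BIP39 words."""
    best = cur = 0
    for w in words:
        cur = cur + 1 if w in wordlist else 0
        best = max(best, cur)
    return best


def looks_like_seed_phrase(text: str, wordlist=BIP39_SUBSET) -> dict:
    """Apply both thresholds to OCR'd text and return the evidence alongside the verdict."""
    words = tokenize(text)
    run = longest_bip39_run(words, wordlist)
    return {
        "total_words": len(words),
        "longest_bip39_run": run,
        "suspected": len(words) >= MIN_WORDS_TOTAL and run >= MIN_CONSECUTIVE_BIP39,
    }


# Constructed OCR output: a photographed backup card with a numbered 12-word phrase, and an
# ordinary document for comparison.
SAMPLE_SEED_CARD = ("1. abandon 2. ability 3. able 4. about 5. above 6. absent "
                    "7. absorb 8. abstract 9. absurd 10. abuse 11. access 12. accident")
SAMPLE_INVOICE = ("Invoice 4471 for consulting work, total due on receipt. "
                  "Thank you for your business. Regards, Accounts")

if __name__ == "__main__":
    for label, text in (("seed card", SAMPLE_SEED_CARD), ("invoice", SAMPLE_INVOICE)):
        print(label, looks_like_seed_phrase(text))
```

The same heuristic is useful defensively: run it over OCR output from images and PDFs on file shares and in mailboxes to find seed-phrase backups before a stealer does, then move them to a hardware wallet or offline storage.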
Version 0.9.2 (latest known version): This variant focuses on refinement, not revolution. Stealer capabilities were updated to collect device and web browser fingerprints. The stealer module has a built-in Lua runner that serves additional plug-ins written in Lua, facilitating data theft and extensive device and browser fingerprinting. The payload is concealed using steganography, hidden inside a WAV, JPEG or PNG file; decrypting the package from a PNG file requires a shared secret established during the C2 communication initiation phase. Protection against leaking unpacked artifacts was added: similar to Lumma v4.0, when the stealer detects that it is running in an unprotected (unpacked) form it displays an alert to the user and finishes execution without harming the machine, which stops distributors from spreading the bare executable. Obfuscation refinements include slight tweaks to the custom XS format that ships the executable modules, obfuscated module names, and changes to the obfuscated configuration embedded within the stealer.
Stealth and Persistence: Evasion Tactics
Rhadamanthys continuously refines its anti-analysis and defense evasion techniques. This makes detection a challenging task for your security tools.
- Sandbox Evasion: The strategy module performs environment checks before any C2 connection. It compares running processes against a blocklist of analysis tools such as Wireshark, Process Hacker or IDA Pro, checks the current username against known sandbox profiles, and compares the machine's HWID against a predefined list.
- Execution Evasion: It hijacks the execution flow of legitimate Windows processes and abuses legitimate Windows API calls, shared modules and scripting interpreters such as PowerShell to run its payloads under a trusted-looking process.
- Payload Obfuscation: Executable code is obfuscated. Files are encrypted and encoded to obscure content. Module names are obfuscated, a refinement seen in v0.9.2.
- MSI Execution: Version 0.7.0 introduced a new task type for MSI file execution. These are often perceived as legitimate. They can bypass security scrutiny.
- Steganography: The core payload is concealed within common image or audio files. WAV, JPEG or PNG files can hide the malicious code. This was observed in v0.9.2.
- Re-Execution Delay Protection: This feature prevents multiple instances from running within a configurable time frame. Version 0.7.0 made it tamper-resistant using SHA-1 hashing and ChaCha20 encryption, and it now writes binary data to a new registry value, HKCU\SOFTWARE\SibCode\sn2, instead of the plaintext timestamp earlier builds kept in HKCU\SOFTWARE\SibCode\sn.
Maximizing Malice: Data Theft Expansion
Rhadamanthys supports collecting system information, credentials, cryptocurrency wallets, browser passwords, cookies, and data from a wide range of applications. Its evolution heavily focuses on cryptocurrency theft and extending data collection scope.
- Wallet Targeting: The stealer targets comprehensive lists of cryptocurrency wallets. This includes the major wallets as well as less common software, such as the Pale Moon browser and the Auvitas wallet.
- AI-Driven Seed Phrase Theft: Version 0.7.0 added AI-powered OCR capability. This automatically identifies and extracts cryptocurrency seed phrases saved within images or PDFs.
- Wallet Cracking Algorithms: Version 0.4.8 added interception of multiple browser-extension wallets, for example UniSat Wallet. Version 0.7.0 added 30 wallet cracking algorithms.
- Plugin Expansion: New extension capabilities allow specialized data collection.
  - Keylogger (v0.5.0): Records keyboard input and active window details such as title and process ID, and monitors the clipboard to capture sensitive data.
  - Data Spy (v0.5.0): Currently targets Remote Desktop Protocol, or RDP, credentials.
  - Clipper (v0.5.1): Hijacks clipboard operations. It uses pattern matching and checksum algorithms to recognize copied cryptocurrency wallet addresses and replaces them with attacker-controlled addresses.
- Fingerprinting: Latest updates in v0.9.2 added capability to collect device and web browser fingerprints.
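The Clipper plug-in's symptom on an endpoint is simple to state: the clipboard changes from one valid address to a different address of the same coin type without the user copying anything. The following Python is an added example for this brief, not code from Rhadamanthys or from any product, showing that detection logic over a constructed sequence of clipboard snapshots. It assumes a monitor that records the clipboard text, a timestamp, and whether a user copy action was observed; reading the real clipboard (for example via the Win32 API) is left to the caller.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Address shapes by coin type. Deliberately permissive: checksums (Base58Check, EIP-55,
# bech32) are not validated, which is also roughly what a clipper's own matcher does.
ADDRESS_PATTERNS = {
    "BTC": re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{39,59})$"),
    "ETH": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def classify(text: str) -> Optional[str]:
    """Return the coin type whose address pattern the clipboard text matches, else None."""
    for coin, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text.strip()):
            return coin
    return None


@dataclass
class Snapshot:
    t_ms: int           # time the clipboard was observed
    text: str           # clipboard contents at that time
    user_copied: bool   # True if a user copy action (Ctrl+C, context menu) was seen at this time


def detect_swaps(snapshots: List[Snapshot], window_ms: int = 2000) -> List[dict]:
    """Flag an address being replaced by a different address of the same coin type
    within window_ms, with no user copy action explaining the change."""
    alerts = []
    for prev, cur in zip(snapshots, snapshots[1:]):
        before, after = prev.text.strip(), cur.text.strip()
        coin = classify(before)
        if coin is None or classify(after) != coin or before == after:
            continue
        if cur.user_copied or cur.t_ms - prev.t_ms > window_ms:
            continue
        alerts.append({"coin": coin, "original": before, "replacement": after, "t_ms": cur.t_ms})
    return alerts


# Constructed clipboard timeline; the addresses are syntactically valid but made up.
SAMPLE_TIMELINE = [
    Snapshot(0, "meeting notes for Monday", True),
    Snapshot(5000, "0x" + "ab" * 20, True),      # user copies an ETH address
    Snapshot(5150, "0x" + "cd" * 20, False),     # replaced 150 ms later with no user action
    Snapshot(9000, "bc1q" + "z" * 38, True),     # user copies a BTC address
    Snapshot(30000, "bc1q" + "y" * 38, True),    # user copies a different one later: benign
]

if __name__ == "__main__":
    for alert in detect_swaps(SAMPLE_TIMELINE):
        print("clipper swap suspected:", alert)
```

The "user copied" signal is what keeps the false-positive rate down: a user legitimately copying two different addresses in quick succession looks identical on the clipboard alone, so a real monitor should correlate clipboard updates with input events rather than rely on timing only.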
Protecting Your Assets: Actionable Defenses
The professionalization and technical sophistication of Rhadamanthys demand a robust defense strategy. Implement these actionable recommendations within your organization:
- Enhance Endpoint Detection and Response: Configure your EDR solutions to detect anomalous process behavior, unusual file modifications, and suspicious network connections. Focus on behaviors associated with information stealers, such as access to browser credential stores or cryptocurrency wallet files.
- Implement Strong Email and Web Filtering: Rhadamanthys often spreads via phishing campaigns. Block suspicious attachments and links. Educate users about identifying social engineering attempts.
- Apply Principle of Least Privilege: Restrict user permissions to only what is necessary for their roles. This limits the damage if a system becomes compromised.
- Regularly Update Software and Systems: Patch operating systems, web browsers, and all installed applications promptly. This mitigates vulnerabilities exploited by malware for initial access or privilege escalation.
- Monitor Registry Keys: Watch for writes under HKCU\SOFTWARE\SibCode, specifically the sn value (plaintext timestamp, builds before 0.7.0) and the sn2 value (encrypted binary data, 0.7.0 and later). Writes there indicate potential Rhadamanthys activity tied to its re-execution delay protection, and the value name hints at the build generation.
- Network Traffic Analysis: Monitor outbound network connections for suspicious C2 communications. Look for connections to uncommon ports or unusual domains. Be aware of TLS/SSL usage by the stealer.
- Behavioral Analysis for Image and PDF Access: Implement behavioral detection for processes that enumerate and read large numbers of images or PDFs across user directories, especially when followed by outbound uploads. Do not rely on spotting a separate OCR tool being launched: the client-side filtering is done by the stealer's own imgdt.bin module, and the heavy OCR work runs on the C2 server with Tesseract, so the endpoint-side signal is bulk image access and exfiltration.
- Clipboard Monitoring: Deploy security solutions that monitor clipboard activity. This detects attempts by clipper malware to swap cryptocurrency wallet addresses.
- User Education: Regularly train your staff on the dangers of information stealers. Teach them about secure browsing habits, phishing awareness, and the risks associated with downloading untrusted files.
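A concrete form of the registry monitoring recommended above: the Python below is an added example for this brief, not a vendor detection rule, that scans Sysmon Event ID 13 (RegistryEvent, value set) records exported as JSON lines and reports writes to the SibCode sn and sn2 values, using the value name as the build-generation hint described in the version history. It assumes the standard Sysmon field names (EventID, Image, TargetObject, Details); note that Sysmon reports HKCU paths as HKU\<user SID>\..., so the match is on the key tail. The events are constructed samples.

```python
import json
import re
from typing import Iterable, List

# Sysmon reports HKCU values under HKU\<user SID>\..., so match on the key tail only.
SIBCODE_RE = re.compile(r"\\SOFTWARE\\SibCode\\(sn2?)$", re.IGNORECASE)


def scan_sysmon_jsonl(lines: Iterable[str]) -> List[dict]:
    """Return one hit per Event ID 13 (value set) whose target is the SibCode sn or sn2 value."""
    hits = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue
        if event.get("EventID") != 13:
            continue
        match = SIBCODE_RE.search(event.get("TargetObject", ""))
        if not match:
            continue
        value_name = match.group(1).lower()
        details = event.get("Details", "")
        hits.append({
            "image": event.get("Image"),
            "target": event["TargetObject"],
            "details": details,
            "version_hint": "0.7.0 or later" if value_name == "sn2" else "pre-0.7.0",
            # Sysmon renders REG_BINARY values as the literal string "Binary Data"
            "encrypted_marker": details == "Binary Data",
        })
    return hits


# Constructed Sysmon events in JSON-lines form (field names follow Sysmon's schema).
SAMPLE_EVENTS = [
    json.dumps({"EventID": 13, "Image": r"C:\Users\alice\AppData\Local\Temp\setup.exe",
                "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\SOFTWARE\SibCode\sn2",
                "Details": "Binary Data"}),
    json.dumps({"EventID": 13, "Image": r"C:\Windows\explorer.exe",
                "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\a",
                "Details": "notepad"}),
    json.dumps({"EventID": 13, "Image": r"C:\Users\bob\Downloads\invoice.exe",
                "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1002\SOFTWARE\SibCode\sn",
                "Details": "DWORD (0x66a12345)"}),
    json.dumps({"EventID": 1, "Image": r"C:\Users\bob\Downloads\invoice.exe",
                "CommandLine": r"C:\Users\bob\Downloads\invoice.exe"}),  # process create, not a registry event
]

if __name__ == "__main__":
    for hit in scan_sysmon_jsonl(SAMPLE_EVENTS):
        print(hit)
```

The Image field on each hit is the process that wrote the marker, which is the pivot for the rest of the investigation: parent process, network connections, and any image or PDF reads by the same process.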
Stay Informed: Intelligence Sources
Continuous monitoring of threat intelligence is essential. Your organization benefits from up-to-date information on emerging threats. This analysis draws from the detailed OC Report: The Evolution of Rhadamanthys Stealer. Always consult reputable cybersecurity intelligence sources for the latest information on malware developments and mitigation strategies.
