Rhadamanthys Infostealer

Rhadamanthys: Advanced Infostealer Targeting Credentials, Crypto Wallets, and Sensitive Data

Rhadamanthys is a Windows infostealer first observed in 2022 and offered through a malware-as-a-service (MaaS) platform on cybercriminal forums. It is designed to harvest a wide range of valuable information, including browser credentials, authentication cookies, cryptocurrency wallet data, and files stored on compromised systems. Thanks to its modern architecture, active development, and support for multiple attack methods, Rhadamanthys has become one of the most prominent information stealers in the cybercrime ecosystem.

Introduction to Rhadamanthys

Named after Rhadamanthus, one of the judges of the dead in Greek mythology, the malware is designed to collect and organize large amounts of stolen information for its operators. It is frequently distributed through phishing campaigns, malicious advertisements, fake software installers, and malware loaders. Once active, it communicates with remote infrastructure to transmit stolen data and may receive updated instructions from its operators.

---

1. How Rhadamanthys Works

Infection Mechanism:
Rhadamanthys commonly spreads through:

• Phishing emails containing malicious attachments or links.
• Fake software installers disguised as legitimate applications.
• Malvertising campaigns that redirect users to malware-hosting websites.
• Deployment through malware loaders such as SmokeLoader, Amadey, or similar threats.
• Compromised websites offering cracked software, cheats, or pirated applications.

Payload Execution:
After execution, Rhadamanthys:

• Collects detailed information about the victim's system.
• Extracts saved passwords, cookies, and autofill data from browsers.
• Searches for cryptocurrency wallet applications and wallet files.
• Harvests authentication tokens and session information.
• Compresses stolen information and transmits it to a command-and-control (C2) server.

---

2. History and Notable Campaigns

Origin and Discovery:
Rhadamanthys emerged in underground forums during 2022 as a commercial malware offering. Security researchers quickly noted its professional design, subscription-based distribution model, and rapid development cycle.

Notable Campaigns:

• Large-scale phishing operations targeting individual users and businesses.
• Fake software download campaigns impersonating popular applications and browser updates.
• Malvertising attacks that redirected victims through search engine advertisements.
• Credential theft operations targeting cryptocurrency users and online service accounts.

---

3. Targets and Impact

Targeted Victims and Sectors:

• Individual users storing credentials in browsers.
• Cryptocurrency holders using desktop wallets and browser extensions.
• Businesses whose employees become infected through phishing or malicious downloads.
• Users of cloud services, email platforms, and online banking applications.

Consequences:

• Credential theft leading to account compromise.
• Loss of cryptocurrency assets through wallet theft.
• Unauthorized access to cloud services and business platforms.
• Sale of stolen information on underground marketplaces.
• Potential deployment of additional malware after initial compromise.

---

4. Technical Details

Payload Capabilities:

• Steals browser passwords, cookies, bookmarks, and browsing history.
• Targets cryptocurrency wallets and wallet-related browser extensions.
• Collects system information including hardware details and installed software.
• Can harvest files matching predefined extensions or keywords.
• Supports remote updates and configuration changes from its operators.

Evasion Techniques:

• Uses encryption and obfuscation to hide configuration data.
• Employs anti-analysis and anti-sandbox techniques.
• Regularly updates malware builds to bypass signature-based detection.
• Uses legitimate-looking installers and software packages to avoid suspicion.

---

5. Preventing Rhadamanthys Infections

Best Practices:

• Avoid downloading software from unofficial or untrusted sources.
• Be cautious when opening email attachments or clicking links from unknown senders.
• Enable multi-factor authentication (MFA) on important accounts.
• Keep operating systems, browsers, and security software updated.
• Use dedicated password managers instead of storing credentials directly in browsers.

Recommended Security Tools:

• Endpoint protection platforms with behavioral analysis capabilities.
• Anti-phishing email security solutions.
• Browser protection tools that detect malicious downloads.
• Network monitoring solutions capable of detecting suspicious outbound traffic.

---

6. Detecting and Removing Rhadamanthys

Indicators of Compromise (IoCs):

• Unexpected outbound connections to suspicious domains or IP addresses.
• Unauthorized access attempts involving online accounts.
• Unknown executables appearing in temporary or user directories.
• Unusual browser behavior or missing stored credentials.

Removal Steps:

1. Disconnect the affected system from the internet.
2. Perform a full scan using reputable anti-malware software.
3. Remove all detected malicious files and persistence mechanisms.
4. Reset passwords for accounts accessed from the infected system.
5. Review cryptocurrency wallets and financial accounts for unauthorized activity.

Professional Help:
If sensitive business data, cryptocurrency assets, or privileged credentials may have been compromised, consider engaging a professional incident response team.

---

7. Response to a Rhadamanthys Infection

Immediate Steps:

• Disconnect the affected device from all networks.
• Change passwords from a clean, uncompromised device.
• Revoke active sessions and authentication tokens where possible.
• Monitor financial and cryptocurrency accounts for suspicious activity.
• Investigate whether additional malware was installed.

---

8. Legal and Ethical Implications

Legal Considerations:
Organizations affected by Rhadamanthys may be required to comply with data breach notification laws if customer or employee information was exposed. Regulatory obligations can vary depending on jurisdiction and the type of compromised data.

Ethical Considerations:
The malware-as-a-service model lowers the barrier to entry for cybercrime by allowing individuals with limited technical skills to conduct sophisticated credential theft campaigns. This contributes to a growing ecosystem of financially motivated cybercrime.

---

9. Resources and References

• Microsoft Threat Intelligence reports on Rhadamanthys
• Rhadamanthys Historical Bot Infections Special Report
• Rhadamanthys Malware: Analysis, Detection, Removal
• MITRE ATT&CK techniques related to credential access and data exfiltration

---

10. FAQs about Rhadamanthys

Q: What is Rhadamanthys malware?
A: Rhadamanthys is a Windows-based infostealer that steals credentials, browser data, cryptocurrency wallets, and other sensitive information.

Q: How does Rhadamanthys spread?
A: It is commonly distributed through phishing emails, fake software downloads, malicious advertisements, and malware loaders.

Q: What information does it target?
A: Browser credentials, cookies, authentication tokens, cryptocurrency wallets, files, and system information.

Q: Can Rhadamanthys be removed?
A: Yes. Security software can remove the malware, but compromised credentials should be changed immediately and affected accounts reviewed.

---

11. Conclusion

Rhadamanthys has rapidly become one of the most significant information stealers operating in today's cybercrime landscape. Its broad data theft capabilities, active development, and malware-as-a-service distribution model make it a serious threat to both individuals and organizations. Strong security practices, user awareness, and modern endpoint protection remain essential for defending against this increasingly popular malware family.

 

 

« Back to the Virus Information Library

« Back to the Security Center