Rhadamanthys

Rhadamanthys is an advanced information stealer that emerged in 2022. It steals sensitive data such as browser credentials and cryptocurrency wallets, and uses AI-powered image recognition to extract data from images. It is distributed through malicious websites that mimic legitimate software and are promoted through Google Ads. It is a threat to both individuals and organizations.

Key Insights

Rhadamanthys uses multiple distribution methods to gain access to a system. One method is malicious websites that mimic legitimate software such as Zoom, AnyDesk, and Notepad++. These websites are promoted through Google Ads, and users are tricked into downloading the malware. It also spreads through spam emails with malicious attachments that deliver the payload when opened.

Evasion Techniques

Rhadamanthys uses multiple evasion techniques to avoid detection. It employs complex anti-analysis techniques, including the use of public open-source libraries, to hinder reverse engineering. Some variants use a Quake III virtual machine to protect parts of their code, making it harder for security researchers to analyze.

Data Exfiltration Capabilities

Once inside the system, Rhadamanthys can extract a wide range of sensitive data. It steals credentials from web browsers, cryptocurrency wallets, email clients, VPNs and instant messaging applications. The malware's AI-powered image recognition can extract cryptocurrency wallet seed phrases from images, making it an even greater threat to cryptocurrency users.

Known Variants

Rhadamanthys infostealer with modular capabilities for credentials and session data theft.

Mitigation Strategies

  • Block spam emails with malicious attachments.

  • Educate users to not download software from unofficial sources and not to click on ads promoting software.

  • Use advanced endpoint protection.

  • Patch systems and software regularly.

Targeted Industries or Sectors

Rhadamanthys targets individuals and organizations in the cryptocurrency sector, since it can extract wallet seed phrases and other related information. However, its data-stealing capabilities make it a threat to finance, technology and any other sector where sensitive data is handled.

Associated Threat Actors

The malware is linked to Russian-speaking cybercriminals and is sold as Malware-as-a-Service (MaaS) on underground forums. One specific threat actor group involved in its distribution is TA547, also known as Scully Spider, which has conducted phishing attacks delivering Rhadamanthys to targets in Germany.
