Rhadamanthys 0.9.x - walk through the updates
Rhadamanthys, a complex multi-modular stealer, has released version 0.9.2 with significant updates. The malware now uses PNG files to deliver payloads, implements new evasion techniques, and introduces changes to its custom executable formats. Key modifications include a new message box mimicking Lumma stealer, updates to string encryption, and enhanced configurability. The malware continues to evolve, focusing on refinements and customization options while maintaining its core design. These changes aim to disrupt analysis tools and detection methods. The authors are professionalizing their operation, treating Rhadamanthys as a long-term business venture with tiered pricing and expanded product offerings.
AI Analysis
Technical Summary
Rhadamanthys is a sophisticated multi-modular information stealer that was recently updated to version 0.9.2, introducing several significant enhancements aimed at improving its stealth, evasion, and payload delivery mechanisms. Notably, the malware now uses PNG image files as a novel vector to deliver its payloads, a technique designed to bypass traditional signature-based detection and evade sandbox analysis environments. The update also includes new evasion techniques that complicate detection by security tools, such as advanced string encryption methods and modifications to its custom executable formats, making reverse engineering and static analysis more challenging. Additionally, Rhadamanthys has incorporated a new message box feature that mimics the Lumma stealer, potentially to mislead analysts or victims. The malware’s configurability has been enhanced, allowing operators to tailor its behavior dynamically, which increases its adaptability across different targets and environments. These changes reflect a professionalization of the malware’s development lifecycle, with the operators treating Rhadamanthys as a commercial product offering tiered pricing and expanded functionalities. The malware leverages multiple MITRE ATT&CK techniques including credential dumping (T1003), process injection (T1055), obfuscated files or information (T1027), and command and control communications (T1071.001), among others, indicating a comprehensive approach to stealth and persistence. Although no exploitation in the wild is currently reported, the ongoing evolution and modularity of Rhadamanthys suggest it remains a credible threat capable of targeted data theft and espionage activities.
Potential Impact
For European organizations, Rhadamanthys poses a significant risk primarily through its capability to steal sensitive information such as credentials, personal data, and potentially intellectual property. The use of PNG files for payload delivery and enhanced evasion techniques means traditional detection mechanisms may fail, increasing the likelihood of successful infiltration and prolonged undetected presence within networks. This can lead to data breaches, financial loss, reputational damage, and regulatory penalties under GDPR for mishandling personal data. The malware’s configurability allows attackers to customize campaigns targeting specific sectors or organizations, which could include critical infrastructure, financial institutions, or government entities in Europe. The professionalization of the malware’s development and its tiered pricing model indicate a scalable threat that could be leveraged by various threat actors, including cybercriminal groups and state-sponsored entities. The medium severity rating reflects the current absence of widespread exploitation but acknowledges the potential for significant impact if deployed effectively.
Mitigation Recommendations
European organizations should implement advanced detection and prevention strategies tailored to counter Rhadamanthys’ unique features. Specifically, security teams should deploy network and endpoint detection tools capable of analyzing and flagging anomalous PNG file behaviors, such as unusual decoding or execution attempts. Behavioral analysis and sandbox environments should be enhanced to detect evasion techniques, including monitoring for suspicious process injections and unusual message box appearances mimicking known stealers. Employing threat intelligence feeds to stay updated on Rhadamanthys variants and indicators of compromise is critical. Organizations should enforce strict application whitelisting and restrict execution of files from non-standard locations. Multi-factor authentication (MFA) must be mandatory to reduce the impact of credential theft. Regular audits of user privileges and network segmentation can limit lateral movement. Incident response plans should include scenarios involving stealer malware to ensure rapid containment and remediation. Finally, employee training on phishing and social engineering risks is essential, as initial infection vectors often involve user interaction.
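A structural check of the kind the paragraph calls for, as an added example that is not part of the original post or of the Check Point research: it walks the PNG chunk layout, verifies each chunk's CRC, and flags non-standard chunk types, oversized ancillary chunks and bytes trailing the IEND marker. The sample images are constructed inline; the chunk type `pyLd` and the trailer bytes are made up for illustration and are not Rhadamanthys indicators.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Chunk types defined by the PNG specification; anything outside this set deserves a look.
KNOWN_CHUNKS = {
    b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"cHRM", b"gAMA", b"iCCP", b"sBIT",
    b"sRGB", b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"hIST", b"pHYs", b"sPLT", b"tIME",
}

def make_chunk(ctype: bytes, data: bytes) -> bytes:
    """Build a spec-conformant chunk: big-endian length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def inspect_png(blob: bytes, max_ancillary: int = 4096) -> list[str]:
    """Walk the chunk list and return anomaly descriptions; an empty list means clean."""
    findings: list[str] = []
    if not blob.startswith(PNG_SIG):
        return ["bad PNG signature"]
    pos, seen_iend = len(PNG_SIG), False
    while pos + 8 <= len(blob) and not seen_iend:
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        end = pos + 12 + length  # 4 length + 4 type + data + 4 CRC
        if end > len(blob):
            findings.append(f"truncated chunk {ctype!r}")
            return findings
        data = blob[pos + 8:pos + 8 + length]
        stored_crc = struct.unpack(">I", blob[end - 4:end])[0]
        if zlib.crc32(ctype + data) & 0xFFFFFFFF != stored_crc:
            findings.append(f"CRC mismatch in {ctype!r}")
        if ctype not in KNOWN_CHUNKS:
            findings.append(f"non-standard chunk {ctype!r} ({length} bytes)")
        elif ctype != b"IDAT" and length > max_ancillary:
            findings.append(f"oversized {ctype!r} chunk ({length} bytes)")
        seen_iend = ctype == b"IEND"
        pos = end
    if not seen_iend:
        findings.append("no IEND chunk")
    elif pos < len(blob):
        findings.append(f"{len(blob) - pos} trailing bytes after IEND")
    return findings

def build_sample_png(width: int = 4, height: int = 2) -> bytes:
    """Constructed minimal 8-bit greyscale PNG used as the clean baseline."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    raw = b"".join(b"\x00" + b"\x80" * width for _ in range(height))  # filter 0 per scanline
    return (PNG_SIG + make_chunk(b"IHDR", ihdr)
            + make_chunk(b"IDAT", zlib.compress(raw)) + make_chunk(b"IEND", b""))

CLEAN = build_sample_png()
# Constructed variants: a made-up private chunk spliced in before IEND (the last 12 bytes),
# and opaque bytes appended after IEND. Neither is a Rhadamanthys indicator.
WITH_PRIVATE_CHUNK = CLEAN[:-12] + make_chunk(b"pyLd", b"A" * 64) + CLEAN[-12:]
WITH_TRAILER = CLEAN + b"constructed-trailer-data"

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN), ("private", WITH_PRIVATE_CHUNK), ("trailer", WITH_TRAILER)):
        print(name, inspect_png(blob) or "no anomalies")
```

A hit from this check is a triage signal, not a verdict: legitimate tools also write private chunks, so pair it with the behavioural indicators the paragraph lists (which process opened the file, and what it did next).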
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland
Indicators of Compromise
- ip: 192.30.242.210
- ip: 193.23.216.48
- ip: 193.233.126.43
- ip: 193.84.71.81
- domain: gbg1.ntp.se
- domain: ts1.aco.net
Technical Details
- Author: AlienVault
- TLP: white
- References: https://research.checkpoint.com/2025/rhadamanthys-0-9-x-walk-through-the-updates
- Adversary: null
- Pulse Id: 68dd8edde79b4d282c08dc5f
- Threat Score: null
Threat ID: 68dda0a614065076695d09e5
Added to database: 10/1/2025, 9:44:06 PM
Last enriched: 10/1/2025, 9:44:19 PM
Last updated: 10/2/2025, 6:07:40 PM