Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now
Webinar
February 26
Better SOC with Interactive Sandbox Practical Use Cases
Register now

Rhadamanthys

40
Global rank
13 infographic chevron month
Month rank
13 infographic chevron week
Week rank
0
IOCs

Rhadamanthys is a C++ information-stealing malware that extracts sensitive data from infiltrated machines. Its layered operational chain and advanced evasion tactics make it a major risk in cybersecurity landscapes.

Stealer
Type
Unknown
Origin
26 September, 2022
First seen
8 October, 2025
Last seen

How to analyze Rhadamanthys with ANY.RUN

Type
Unknown
Origin
26 September, 2022
First seen
8 October, 2025
Last seen

IOCs

IP addresses
95.111.233.125
189.245.155.48
81.17.28.78
138.36.3.134
189.245.97.177
187.156.109.2
187.224.55.97
142.11.236.5
187.233.22.167
185.246.220.89
37.254.198.8
66.79.104.155
172.67.173.51
104.21.30.154
140.82.121.4
195.96.151.46
213.136.80.67
195.96.151.42
176.61.150.108
23.106.124.133
Hashes
5db892a52fbebbf0298d3b5b2cf0c3ed7f9612a9d337c56bb168be336d28cadb
e0d8e7a12ffa3feb00814259a2ea750ab121c3f4b049ce82f5f3ec16579807c0
b9ad234abeb1490f2c2d28dd2387f0575ba5128ebb799741b1f3179622204175
7faeb3f847830a2c52322565d8e73e07000003ccb54310790e10756cd3b2ff6b
2a674a9a0acf0532c3816df01af80e8a95fd7530a30ca31664cf82d4ce639a56
4532489becbdf07bc0a932486ab95b497113f5600c7646b635eaea9bcfa430cd
8cd552392bb25546ba58e73d63c4b7c290188ca1060f96c8abf641ae9f5a8383
c7ca2f9065557a6d8fb0c02c75804d386b77ffca4466678b201c09e916afa096
b1c5d2eadbb2936f8b9644a5a4e24b5c54b163f0f2d6817c60edb3e5a73c6dc6
0e94e5712d93d43423f3fec2f3a7f2b859d749411034c839c13e428f651f11a6
087ab4fb9a7da5ae301b693818ae3a9e5844e1587cf6300f92c4d735c95b7c7c
11231a29dbb5f9af8e17732fa1afecb99ca2059e3d08a4119b81cb60dabec3ba
855858f60762102a7259fcf16b68fe84a2aecac91321ca82ed4bd433d61ca29e
b4c8fc082585c01b0ff64a7088e77ead33433f1a34251aef7f228d86b615b821
8661ed05a0580a8c9b06de1c6c9fccce98d910b17b95d66f1b3ff569831e3617
9ab214c4e8b022dbc5038ab32c5c00f8b351aecb39b8f63114a8d02b50c0b59b
f26749f8e2835fb875241cdc8fddc708016062256435ef42689a2a28465ecdf7
4d8030d543b659e5356873c365472e183f0dc3e71be3cdb3e1f16e546793081a
3b9d0e62c06caeaf4244ff2fb275a1919fd9e14243fb436dce313c8d9b89faa4
1682a7f8f229e62c379fca3c6c989c748aef985e51fc6bcf76d06bde9b0484cf
Domains
shim1.enrouteltd.com
fivadm.sbs
thretadm.sbs
shim1.umbandung.ac.id
aysuinsaat.com
onsevadm.sbs
tesshi.live
berachain-community.com
fouradm.sbs
soubtcevent.com
get-soft.xyz
whenthecodefinallyworks.com
roxplolts.net
textedit-notepad.com
owerneodonereo.xyz
obs-project.festcommerzblog.com
zoom-meetings-install.com
southfirstarea.com
holinswincetta.xyz
zoomvideo-install.com
URLs
http://perfecto.ac.ug/ggkanor/0mv8dc.bqmu
http://turkie.ac.ug/url/yk/rem.exe
http://amx155.xyz/a6ba5b1ae6dec5f7c/j5e4ok98.h44x9
http://amxt25.xyz/a6ba5b1ae6dec5f7c/8tkf22v9.ed2jd
http://179.43.142.201/img/favicon.png
http://79.137.195.45:8080/api/magic
http://176.113.115.86/curytr/ktch4h.leoi
http://179.43.154.216/img/favicon.ico
http://185.224.129.51:8080/modlib/p33cjt.7neq
http://179.43.154.216/img/logo.jpg
http://95.214.53.95/blob/LKK.ez
http://89.22.230.175/img/top.jpg
http://79.137.248.54/custbln/1riqv9.5k89
http://45.12.253.133/image/hoaujx.7hrr
http://162.33.178.106/gjntrrm/zznb2o.hgfq
http://45.9.74.71/abtimgaeg/5jqzra.tbxw
http://62.233.51.95/crang/ytbs.api
http://193.233.20.1/kpiapi/4apsc4.xdzx
http://79.137.248.54/custbln/pv3x38.61ip
http://185.250.205.73/ashinfo/x4boxo.mvt9
Last Seen at
Last Seen at

Recent blog posts

post image
How to Grow SOC Team Expertise for Ultimate T...
watchers 68
comments 0
post image
Phishing, Cloud Abuse, and Evasion: Advanced...
watchers 430
comments 0
post image
Release Notes: Palo Alto Networks, Microsoft,...
watchers 3319
comments 0

What is Rhadamanthys Stealer Malware

First observed in late 2022, Rhadamanthys is an advanced info-stealer that targets Windows platforms. It is distributed through the malware-as-a-service (MaaS) model. This, in conjunction with its extremely robust and diverse malicious capabilities contributes to the rising popularity of this malware.

Similar to threats like RedLine or Raccoon, utilizing this new strain, threat actors can extract user passwords and exfiltrate sensitive data from infiltrated systems. The info-stealer also presents a significant threat to various cryptocurrency platforms, where it's employed to seize user credentials and wallets.

Certain indicators suggest that Rhadamanthys stealer has the potential to evolve into a pervasive threat. Notably, the malware's initial launch demonstrated signs of meticulous planning. The individual who first introduced it on an underground forum, operating under the pseudonym "kingcrete2022", began building his account's reputation well in advance of the release announcement. This proactive strategy aimed to establish credibility and set the stage for the malware's introduction.

The tactic proved successful, as the debut post, which promoted Rhadamanthys as a "first-class" stealer, quickly gained momentum and attracted attention in the underground community.

As it stands, Rhadamanthys indiscriminately attacks targets worldwide, even reaching into the territories of the former USSR. The malware has been identified in several malicious spam and Google Ads campaigns, but more on this later in the article.

It should be noted, that Rhadamanthys stealer employs a design philosophy that aims to incorporate an expansive list of features. These features are not strategically targeted but rather prioritize extensive capability. For example, malware is, rather unnecessarily, equipped with capabilities to steal data from web browsers such as KMeleon and Pale Moon, and to steal cryptocurrency from obscure browser extensions like Firefox's Auvitas Wallet.

In terms of system information extraction, Rhadamanthys can capture a wide array of data. This includes:

-Computer name, username, RAM capacity, CPU cores, screen resolution

-Installed software, cookies, browsing history

-Saved credit cards and other sensitive information

Furthermore, Rhadamanthys targets credentials from a vast range of sources: FTP clients like Cyberduck and TotalCommander, mail clients such as Outlook and Thunderbird, and password managers like RoboForm and KeePass. It also has the capacity to extract information from VPN services, note-taking applications, messenger applications, and other services like Steam, TeamViewer, and SecureCRT.

Rhadamanthys shows a particular interest in cryptocurrency. One of its version updates had nearly half of its new features dedicated to exfiltrating and cracking cryptocurrency wallets. The list of targeted wallets is quite extensive and includes Auvitas, BitApp, Crocobit, Exodus, Finnie, ICONex, Metamask, and more.

In addition to the automatic actions, Rhadamanthys also allows for direct intervention by attackers. The malware offers a functionality to push new configurations to the “file grabbing” module, allowing specific files to be exfiltrated. For a more hands-on approach, attackers can execute hand-crafted PowerShell scripts on the victim machine. This added flexibility provides a high degree of control over the infected system.

Use ANY.RUN free for 14 days

Try the full power of interactive analysis

Start your free trial

Rhadamanthys Stealer Technical Details

Written in C++, Rhadamanthys employs a number of sophisticated techniques to ensure its stealth and efficacy. Its operational chain is usually divided into three components:

-the Dropper,

-the Rhadamanthys Loader (second shellcode)

-and the Rhadamanthys Stealer (Nsis module).

In one attack observed the wild, the Dropper initiated the process by executing the shellcode through a callback function. This bypassesed common security measures that track shellcode execution methods like CreateThread or CreateRemoteThread.

Next, the Rhadamanthys Loader, or the second shellcode, comes into play. This shellcode uses several evasion methods. It manipulates exception handling to maintain low visibility, creates a Mutex to simulate legitimate processes, and unhooks API calls to avoid detection. In addition to these, it is responsible for decrypting the malware configuration and managing its network functions.

Lastly, the Rhadamanthys Stealer, or the Nsis module, is activated. Some samples have the ability to manipulate AVAST’s AMSI-related modules to avoid detection. It is this component that ultimately executes the data theft.

Rhadamanthys Stealer Dynamic Analysis

Being a stealer, Rhadamanthys tries to operate as secretively as possible, remaining under the radar and avoiding detection. The malicious activity starts right after infection — Rhadamanthys extracts information from the system and tries to send it to the Command & Control servers.

The execution chain may vary a little — some versions of the Trojan have the ability to inject into system processes, while others simply execute themselves.

It also may delay execution and sleep for some time after infection or use utilities like PowerShell to run commands.

Rhadamanthys’s network traffic Rhadamanthys’s network traffic

Thanks to the network packets structure, Rhadamanthys can be detected by Suricata rules.

Rhadamanthys Stealer Distribution Methods

Rhadamanthys info-stealer employs a couple of key strategies to infiltrate systems. One of its infamous шstribution techniques involves hijacking Google ads, where it covertly replaces the original content with a link to the malware.

It also uses phishing webpages and malicious spam for propagation. In malspam campaigns, a PDF file triggers victims to download the malware. The PDF file was observed presenting a fake Adobe Acrobat DC software update prompt which, when clicked, initiates the execution of the malware.

In phishing-based distribution, the malware creators build fake webpages mimicking legitimate services like Zoom or AnyDesk. Links to these fraudulent sites are then spread via Google ads. These malicious sites facilitate the download of the Rhadamanthys infostealer disguised as a legitimate installer. Consequently, the target unknowingly downloads the malware without noticing the infection.

Conclusion

Boasting an extensive stealing feature set that may well be unmatched among similar types of malware, Rhadamanthys has the potential to emerge as a significant threat in the cybersecurity landscape. We strongly recommend analysts to delve into this threat while it's still relatively new on the scene.

Conveniently, dynamic analysis of Rhadamanthys can be easily carried out on platforms such as ANY.RUN — our cloud interactive sandbox allows for a deeper understanding of its execution process and facilitates the collection of valuable Indicators of Compromise (IOCs).

Investigating the nuances of Rhadamanthys not only aids in its containment but also prepares us for future threats that may adopt a similar design strategy.

HAVE A LOOK AT

INC Ransomware screenshot
INC Ransomware is a ransomware-as-a-service (RaaS) spotted in mid-2023. It targets industries like retail, real estate, finance, healthcare, and education, primarily in the U.S. and UK. It encrypts and exfiltrates data demanding a ransom. It employs advanced evasion techniques, destroys backup, and abuses legitimate system tools at all the stages of the kill chain.
Read More
Ransomware screenshot
Ransomware
ransomware
Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.
Read More
Spyware screenshot
Spyware
spyware
Spyware is a stealth form of malware whose primary objective is to gather sensitive information, such as personal data, login credentials, and financial details, by monitoring user activities and exploiting system vulnerabilities. Spyware operates secretly in the background, evading detection while transmitting collected data to cybercriminals, who can then use it for malicious purposes like identity theft, financial fraud, or espionage.
Read More
GootLoader screenshot
GootLoader
gootloader
GootLoader is an initial-access-as-a-service malware that operates by delivering the GootKit banking trojan and other malicious payloads. It utilizes techniques such as fileless execution and process injection to avoid detection. The malware is often distributed through SEO poisoning and compromised websites, deceiving users into downloading infected files.
Read More
Loader screenshot
Loader
loader downloader
A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.
Read More
Spynote screenshot
Spynote
spynote
SpyNote, also known as SpyMax and CypherRat, is a powerful Android malware family designed primarily for surveillance and data theft, often categorized as a Remote Access Trojan (RAT). Originally emerged in 2016, SpyNote has evolved significantly, with new variants continuing to appear as recently as 2023–2025.
Read More