Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now
Webinar
February 26
Better SOC with Interactive Sandbox Practical Use Cases
Register now

Rhadamanthys

40
Global rank
11 infographic chevron month
Month rank
8 infographic chevron week
Week rank
0
IOCs

Rhadamanthys is a C++ information-stealing malware that extracts sensitive data from infiltrated machines. Its layered operational chain and advanced evasion tactics make it a major risk in cybersecurity landscapes.

Stealer
Type
Unknown
Origin
26 September, 2022
First seen
29 October, 2025
Last seen

How to analyze Rhadamanthys with ANY.RUN

Type
Unknown
Origin
26 September, 2022
First seen
29 October, 2025
Last seen

IOCs

IP addresses
95.111.233.125
189.245.155.48
81.17.28.78
189.245.97.177
138.36.3.134
187.156.109.2
187.224.55.97
142.11.236.5
187.233.22.167
185.246.220.89
37.254.198.8
66.79.104.155
172.67.173.51
104.21.30.154
140.82.121.4
195.96.151.46
213.136.80.67
195.96.151.42
176.61.150.108
23.106.124.133
Hashes
5db892a52fbebbf0298d3b5b2cf0c3ed7f9612a9d337c56bb168be336d28cadb
e0d8e7a12ffa3feb00814259a2ea750ab121c3f4b049ce82f5f3ec16579807c0
b9ad234abeb1490f2c2d28dd2387f0575ba5128ebb799741b1f3179622204175
7faeb3f847830a2c52322565d8e73e07000003ccb54310790e10756cd3b2ff6b
2a674a9a0acf0532c3816df01af80e8a95fd7530a30ca31664cf82d4ce639a56
4532489becbdf07bc0a932486ab95b497113f5600c7646b635eaea9bcfa430cd
8cd552392bb25546ba58e73d63c4b7c290188ca1060f96c8abf641ae9f5a8383
c7ca2f9065557a6d8fb0c02c75804d386b77ffca4466678b201c09e916afa096
b1c5d2eadbb2936f8b9644a5a4e24b5c54b163f0f2d6817c60edb3e5a73c6dc6
0e94e5712d93d43423f3fec2f3a7f2b859d749411034c839c13e428f651f11a6
087ab4fb9a7da5ae301b693818ae3a9e5844e1587cf6300f92c4d735c95b7c7c
11231a29dbb5f9af8e17732fa1afecb99ca2059e3d08a4119b81cb60dabec3ba
855858f60762102a7259fcf16b68fe84a2aecac91321ca82ed4bd433d61ca29e
b4c8fc082585c01b0ff64a7088e77ead33433f1a34251aef7f228d86b615b821
8661ed05a0580a8c9b06de1c6c9fccce98d910b17b95d66f1b3ff569831e3617
9ab214c4e8b022dbc5038ab32c5c00f8b351aecb39b8f63114a8d02b50c0b59b
f26749f8e2835fb875241cdc8fddc708016062256435ef42689a2a28465ecdf7
4d8030d543b659e5356873c365472e183f0dc3e71be3cdb3e1f16e546793081a
3b9d0e62c06caeaf4244ff2fb275a1919fd9e14243fb436dce313c8d9b89faa4
1682a7f8f229e62c379fca3c6c989c748aef985e51fc6bcf76d06bde9b0484cf
Domains
start.cleaning-room-device.shop
recaptcha-manual.shop
discover-travel-agency.pro
nbhg-v.iuksdfb-f.shop
browser-storage.com
hur.bweqlkjr.shop
ads.green-pickle-jo.shop
xxx.retweet.shop
rbk.scalingposturestrife.shop
recaptcha-verify-4h.pro
mnjk-jk.bsdfg-zmp-q-n.shop
keauniolas.org
sandbox.yunqof.shop
yob.yrwebsdf.shop
tumbl.design-x.xyz
berachain-community.com
note1.nz7bn.pro
kangla.klipxytozyi.shop
googleapis-n-cdn3s-server.willingcapablepatronage.shop
cilyseyann.org
URLs
http://perfecto.ac.ug/ggkanor/0mv8dc.bqmu
http://turkie.ac.ug/url/yk/rem.exe
http://amx155.xyz/a6ba5b1ae6dec5f7c/j5e4ok98.h44x9
http://amxt25.xyz/a6ba5b1ae6dec5f7c/8tkf22v9.ed2jd
http://179.43.142.201/img/favicon.png
http://79.137.195.45:8080/api/magic
http://176.113.115.86/curytr/ktch4h.leoi
http://179.43.154.216/img/favicon.ico
http://185.224.129.51:8080/modlib/p33cjt.7neq
http://179.43.154.216/img/logo.jpg
http://95.214.53.95/blob/LKK.ez
http://89.22.230.175/img/top.jpg
http://79.137.248.54/custbln/1riqv9.5k89
http://45.12.253.133/image/hoaujx.7hrr
http://162.33.178.106/gjntrrm/zznb2o.hgfq
http://45.9.74.71/abtimgaeg/5jqzra.tbxw
http://62.233.51.95/crang/ytbs.api
http://193.233.20.1/kpiapi/4apsc4.xdzx
http://79.137.248.54/custbln/pv3x38.61ip
http://185.250.205.73/ashinfo/x4boxo.mvt9
Last Seen at

Recent blog posts

post image
Major Cyber Attacks in October 2025: Phishing...
watchers 515
comments 0
post image
5 SOC Challenges and How Threat Intelligence...
watchers 330
comments 0
post image
ANY.RUN Recognized as Threat Intelligence Com...
watchers 585
comments 0

What is Rhadamanthys Stealer Malware

First observed in late 2022, Rhadamanthys is an advanced info-stealer that targets Windows platforms. It is distributed through the malware-as-a-service (MaaS) model. This, in conjunction with its extremely robust and diverse malicious capabilities contributes to the rising popularity of this malware.

Similar to threats like RedLine or Raccoon, utilizing this new strain, threat actors can extract user passwords and exfiltrate sensitive data from infiltrated systems. The info-stealer also presents a significant threat to various cryptocurrency platforms, where it's employed to seize user credentials and wallets.

Certain indicators suggest that Rhadamanthys stealer has the potential to evolve into a pervasive threat. Notably, the malware's initial launch demonstrated signs of meticulous planning. The individual who first introduced it on an underground forum, operating under the pseudonym "kingcrete2022", began building his account's reputation well in advance of the release announcement. This proactive strategy aimed to establish credibility and set the stage for the malware's introduction.

The tactic proved successful, as the debut post, which promoted Rhadamanthys as a "first-class" stealer, quickly gained momentum and attracted attention in the underground community.

As it stands, Rhadamanthys indiscriminately attacks targets worldwide, even reaching into the territories of the former USSR. The malware has been identified in several malicious spam and Google Ads campaigns, but more on this later in the article.

It should be noted, that Rhadamanthys stealer employs a design philosophy that aims to incorporate an expansive list of features. These features are not strategically targeted but rather prioritize extensive capability. For example, malware is, rather unnecessarily, equipped with capabilities to steal data from web browsers such as KMeleon and Pale Moon, and to steal cryptocurrency from obscure browser extensions like Firefox's Auvitas Wallet.

In terms of system information extraction, Rhadamanthys can capture a wide array of data. This includes:

-Computer name, username, RAM capacity, CPU cores, screen resolution

-Installed software, cookies, browsing history

-Saved credit cards and other sensitive information

Furthermore, Rhadamanthys targets credentials from a vast range of sources: FTP clients like Cyberduck and TotalCommander, mail clients such as Outlook and Thunderbird, and password managers like RoboForm and KeePass. It also has the capacity to extract information from VPN services, note-taking applications, messenger applications, and other services like Steam, TeamViewer, and SecureCRT.

Rhadamanthys shows a particular interest in cryptocurrency. One of its version updates had nearly half of its new features dedicated to exfiltrating and cracking cryptocurrency wallets. The list of targeted wallets is quite extensive and includes Auvitas, BitApp, Crocobit, Exodus, Finnie, ICONex, Metamask, and more.

In addition to the automatic actions, Rhadamanthys also allows for direct intervention by attackers. The malware offers a functionality to push new configurations to the “file grabbing” module, allowing specific files to be exfiltrated. For a more hands-on approach, attackers can execute hand-crafted PowerShell scripts on the victim machine. This added flexibility provides a high degree of control over the infected system.

Use ANY.RUN free for 14 days

Try the full power of interactive analysis

Start your free trial

Rhadamanthys Stealer Technical Details

Written in C++, Rhadamanthys employs a number of sophisticated techniques to ensure its stealth and efficacy. Its operational chain is usually divided into three components:

-the Dropper,

-the Rhadamanthys Loader (second shellcode)

-and the Rhadamanthys Stealer (Nsis module).

In one attack observed the wild, the Dropper initiated the process by executing the shellcode through a callback function. This bypassesed common security measures that track shellcode execution methods like CreateThread or CreateRemoteThread.

Next, the Rhadamanthys Loader, or the second shellcode, comes into play. This shellcode uses several evasion methods. It manipulates exception handling to maintain low visibility, creates a Mutex to simulate legitimate processes, and unhooks API calls to avoid detection. In addition to these, it is responsible for decrypting the malware configuration and managing its network functions.

Lastly, the Rhadamanthys Stealer, or the Nsis module, is activated. Some samples have the ability to manipulate AVAST’s AMSI-related modules to avoid detection. It is this component that ultimately executes the data theft.

Rhadamanthys Stealer Dynamic Analysis

Being a stealer, Rhadamanthys tries to operate as secretively as possible, remaining under the radar and avoiding detection. The malicious activity starts right after infection — Rhadamanthys extracts information from the system and tries to send it to the Command & Control servers.

The execution chain may vary a little — some versions of the Trojan have the ability to inject into system processes, while others simply execute themselves.

It also may delay execution and sleep for some time after infection or use utilities like PowerShell to run commands.

Rhadamanthys’s network traffic Rhadamanthys’s network traffic

Thanks to the network packets structure, Rhadamanthys can be detected by Suricata rules.

Rhadamanthys Stealer Distribution Methods

Rhadamanthys info-stealer employs a couple of key strategies to infiltrate systems. One of its infamous шstribution techniques involves hijacking Google ads, where it covertly replaces the original content with a link to the malware.

It also uses phishing webpages and malicious spam for propagation. In malspam campaigns, a PDF file triggers victims to download the malware. The PDF file was observed presenting a fake Adobe Acrobat DC software update prompt which, when clicked, initiates the execution of the malware.

In phishing-based distribution, the malware creators build fake webpages mimicking legitimate services like Zoom or AnyDesk. Links to these fraudulent sites are then spread via Google ads. These malicious sites facilitate the download of the Rhadamanthys infostealer disguised as a legitimate installer. Consequently, the target unknowingly downloads the malware without noticing the infection.

Conclusion

Boasting an extensive stealing feature set that may well be unmatched among similar types of malware, Rhadamanthys has the potential to emerge as a significant threat in the cybersecurity landscape. We strongly recommend analysts to delve into this threat while it's still relatively new on the scene.

Conveniently, dynamic analysis of Rhadamanthys can be easily carried out on platforms such as ANY.RUN — our cloud interactive sandbox allows for a deeper understanding of its execution process and facilitates the collection of valuable Indicators of Compromise (IOCs).

Investigating the nuances of Rhadamanthys not only aids in its containment but also prepares us for future threats that may adopt a similar design strategy.

HAVE A LOOK AT

Cactus Ransomware screenshot
Cactus ransomware-as-a-service (RaaS) was first caught in March 2023 targeting corporate networks. It became known for its self-encrypting payload and double extortion tactics. Cactus primarily targets large enterprises across industries in finance, manufacturing, IT, and healthcare. It is known for using custom encryption techniques, remote access tools, and penetration testing frameworks to maximize damage.
Read More
Lumma screenshot
Lumma
lumma
Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat.
Read More
Salvador Stealer screenshot
Salvador Stealer
salvador
Salvador Stealer is a powerful, information-stealing Android malware designed to silently infiltrate systems, extract sensitive data, and exfiltrate it to cybercriminals. Often sold on underground forums, it is part of the growing ecosystem of “stealers-as-a-service” (SaaS) tools that target individuals and organizations alike.
Read More
Play Ransomware screenshot
Play aka PlayCrypt ransomware group has been successfully targeting corporations, municipal entities, and infrastruction all over the world for about three years. It infiltrates networks via software vulnerabilities, phishing links and compromised websites. The ransomware abuses Windows system services to evade detection and maintain persistence. Play encrypts user files and steals sensitive data while demanding a ransom.
Read More
Crocodilus screenshot
Crocodilus
crocodilus
Crocodilus is a highly sophisticated Android banking Trojan that emerged in March 2025, designed for full device takeover. Disguised as legitimate apps, it steals banking credentials, cryptocurrency wallet data, and enables remote control, rapidly evolving into a global threat targeting financial users across Europe, South America, and Asia.
Read More
Latrodectus screenshot
Latrodectus
latrodectus
Latrodectus is a malicious loader that is used by threat actors to gain a foothold on compromised devices and deploy additional malware. It has been associated with the IcedID trojan and has been used by APT groups in targeted attacks. The malware can gather system information, launch executables, and detect sandbox environments. It uses encryption and obfuscation to evade detection and can establish persistence on the infected device.
Read More