What is Rhadamanthys malware?
Rhadamanthys is an infostealer malware designed to covertly extract sensitive information from infected systems. Often used in financially motivated cyberattacks, this malware operates by stealing credentials, cryptocurrency wallets, and other valuable information. Known aliases include "Rhadamanthys Stealer." It is notable for its sophisticated capabilities and the threat it poses to enterprise and individual targets alike.
When was Rhadamanthys first discovered?
Rhadamanthys first emerged in late 2022, with researchers spotting its initial campaigns targeting organizations in Europe and North America. Cybersecurity vendors such as Cybereason and Check Point played a crucial role in identifying and analyzing early Rhadamanthys samples in the wild.
Who created Rhadamanthys?
The creators of Rhadamanthys remain unidentified. However, researchers speculate that it is the product of a financially motivated cybercriminal group, leveraging underground marketplaces to distribute this malicious software.
What does Rhadamanthys target?
Rhadamanthys primarily targets Windows systems, focusing on users who hold sensitive financial data, including businesses, cryptocurrency users, and individuals with high-value credentials. The malware operates across geographic regions, though initial data suggests more targeted attacks on organizations within Europe and North America.
Rhadamanthys distribution method
Rhadamanthys spreads through phishing emails, drive-by downloads, malicious ads, and exploit kits. Phishing emails often contain malicious attachments or links that trick users into executing the malware. Additionally, cybercriminals use malvertising campaigns to reach a broader audience of potential victims.
Technical analysis of Rhadamanthys malware
Rhadamanthys engages in multi-stage operations upon infection. After being executed via a malicious file, it quickly establishes persistence on the victim's device while employing evasion techniques to avoid detection by antivirus and endpoint security tools. It then steals sensitive data, including login credentials, session tokens, and cryptocurrency wallet information, which is exfiltrated to attacker-controlled servers.
Tactics, Techniques & Procedures (TTPs)
Common TTPs include phishing (MITRE ATT&CK T1566), exploitation of vulnerabilities (T1190), credential dumping (T1003), and obfuscation techniques such as code packing (T1027).
Indicators of Compromise (IoCs)
IoCs include suspicious processes (e.g., unrecognized PowerShell scripts), unusual outbound requests to unknown IPs, file hashes indicative of the malware, and the sudden disappearance of stored credentials or cryptocurrency funds.
How to know if you’re infected with Rhadamanthys?
Signs of Rhadamanthys infection include significant system slowdowns, unexpected logouts or credential failures, abnormal outbound traffic, and unusual activity within cryptocurrency wallets or financial accounts. Victims may also observe phishing emails that coincide with the infection timeframe.
Rhadamanthys removal instructions
To remove Rhadamanthys, disconnect the infected system from the network immediately. Use endpoint detection and response (EDR) tools, such as Huntress, to isolate and analyze the infection. Reinstall operating systems to eliminate deeply entrenched malware, followed by resetting all relevant credentials.
Is Rhadamanthys still active?
Yes, Rhadamanthys remains active in the wild as of 2023, with new variants emerging to enhance evasion tactics and capabilities. Continued vigilance and updated security measures are essential to mitigate ongoing risks.
Mitigation & prevention strategies
Preventive steps include implementing strong multi-factor authentication (MFA), ensuring timely OS and software updates, and conducting user awareness training regarding phishing attacks. Network monitoring and 24/7 managed detection—like the services offered by Huntress—are pivotal in identifying malicious activity early.
Related educational articles & videos
FAQs
Rhadamanthys is an infostealer malware that works by infiltrating systems through phishing emails, malicious downloads, or ads. It collects sensitive data such as credentials and cryptocurrency wallets and exfiltrates it to attacker-controlled servers.
Systems are infected through phishing campaigns, malicious ads (malvertising), and sometimes by exploiting vulnerabilities. Users unknowingly execute malicious files that embed the malware on their devices.
Yes, Rhadamanthys continues to evolve, with its operators introducing new variants and advanced evasive techniques, making it a persistent threat to users and enterprises.
Organizations can protect against Rhadamanthys by applying robust security measures, such as MFA, regular patching, phishing awareness training, and deploying managed detection and response tools like Huntress.
Protect What Matters
