Rhadamanthys: The Evolution of a Stealthy Info Stealer
Introduction to Rhadamanthys
Rhadamanthys is a complex and innovative multi-modular information stealer that surfaced in September 2022. Within a short period, it has transformed into a notable malware solution on underground forums, showcasing its advanced capabilities.
Origins and Growth
Originally introduced by a threat actor known as “kingcrete2022,” Rhadamanthys drew inspiration from the earlier Hidden Bee project. This lineage allowed rapid development and refinement of features, helping it build a reputation among cybercriminals. Through distribution campaigns such as ClickFix, Rhadamanthys captured the interest of both inexperienced affiliates and more seasoned cybercriminals.
Latest Release and Pricing Model
As of October 2025, the release of version 0.9.2 has brought several enhancements, particularly in its loader architecture and evasion techniques. Analysts from Check Point have noted that Rhadamanthys isn’t simply a transient project; its development corresponds to a well-structured long-term business model. Currently, the product is marketed under the “RHAD Security” and “Mythical Origin Labs” brands, featuring a redesigned Tor storefront, a support channel on Telegram, and a tiered pricing system. The self-hosted version costs $299 per month, while a rented server deployment is priced at $499, with enterprise-level solutions available upon negotiation.
Professionalization of Malware Development
These developments highlight the commitment of its developers to creating a sustainable product with continuous feature updates and customer support. Technically, Rhadamanthys employs a polymorphic initial loader available in both .NET and native Portable Executable (PE) formats. These loaders can unpack into various modules encapsulated in a proprietary XS format, making analysis challenging.
Obfuscation Techniques
Every module within Rhadamanthys, from the environment checks to the stealing functionality itself, is obfuscated. This is accomplished through a custom container that requires specialized tools to convert it back into a standard PE file before any analysis can take place. The latest version introduces new XS1B and XS2B headers, an updated import deobfuscation key, and updated configuration markers, demonstrating ongoing evolution and sophistication.
Infection Mechanism
Rhadamanthys 0.9.2 has introduced a novel infection strategy: it now uses steganographic techniques to deliver the Stage 3 payload through PNG images, replacing prior methods that relied on WAV or JPG files. This approach allows the malware to evade detection by embedding malicious content within seemingly benign image files.
Upon establishing a connection to its Command and Control (C2) server, the malware retrieves a PNG file that conceals the next-stage payload within its pixel data. The loader parses the image header to locate a shared secret, decrypts the embedded data with ChaCha20, and then applies LZO decompression to recover the XS2B modules.
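As an added defender-side example (not code from the report or from the malware), here is a small Python triage script that walks a PNG's chunk list, inflates the IDAT stream and measures the Shannon entropy of the pixel bytes, since ciphertext packed into pixel data sits close to 8 bits per byte while flat or synthetic graphics usually do not. It assumes 8-bit RGB images with unfiltered rows and builds its own constructed sample carriers; the threshold and the sample bytes are assumptions, not values taken from Rhadamanthys.

```python
import hashlib
import math
import struct
import zlib
PNG_SIG = b"\x89PNG\r\n\x1a\n"

def _chunk(ctype, body):
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

def build_rgb_png(width, height, pixels):
    """Constructed test carrier: minimal 8-bit RGB PNG with filter type 0 on each row."""
    rows = b"".join(b"\x00" + pixels[y * width * 3:(y + 1) * width * 3] for y in range(height))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(rows)) + _chunk(b"IEND", b"")

def fake_ciphertext(n):
    """Deterministic stand-in for encrypted payload bytes (SHA-256 counter stream, constructed)."""
    return b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))[:n]

def png_scanlines(data):
    """Walk the chunk list, inflate the IDAT stream and return the pixel bytes.
    Only 8-bit RGB rows with filter type 0 are handled; anything else is rejected."""
    if data[:8] != PNG_SIG:
        raise ValueError("not a PNG")
    pos, idat, width, height = 8, bytearray(), 0, 0
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        if ctype == b"IHDR":
            width, height, depth, colour = struct.unpack(">IIBB", body[:10])
            if (depth, colour) != (8, 2):
                raise ValueError("only 8-bit RGB is handled")
        elif ctype == b"IDAT":
            idat += body
        elif ctype == b"IEND":
            break
        pos += 12 + length  # 4 length + 4 type + body + 4 CRC
    rows, stride = zlib.decompress(bytes(idat)), width * 3 + 1
    if any(rows[y * stride] != 0 for y in range(height)):
        raise ValueError("filtered rows are not handled")
    return b"".join(rows[y * stride + 1:(y + 1) * stride] for y in range(height))

def shannon_entropy(buf):
    counts = [0] * 256
    for b in buf: counts[b] += 1
    return -sum(c / len(buf) * math.log2(c / len(buf)) for c in counts if c)

def flag_high_entropy_pixels(png, threshold=7.9):
    """Triage heuristic (assumed threshold): ciphertext in pixels is near 8 bits/byte."""
    return shannon_entropy(png_scanlines(png)) >= threshold
```

Photographic images can also score high, so treat a hit as a reason to sandbox the download and inspect the process that fetched it, not as a Rhadamanthys signature.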
Enhanced Decryption Processes
The updated version has improved its deobfuscation mechanisms, employing an RC4-based algorithm rather than the previous XOR methodology. This change ensures that existing analytical tools will be less effective unless they are updated to accommodate the new approach.
```c
#include <stddef.h>
#include <stdint.h>

/* Plain RC4 keystream applied in place. RC4 is symmetric, so the same routine
 * encrypts and decrypts; the key schedule (KSA) runs first, then the
 * pseudo-random generation loop (PRGA) XORs the keystream over the buffer. */
void rc4_decrypt(uint8_t *data, size_t len, const uint8_t *key, size_t keylen) {
    uint8_t S[256], i = 0, j = 0, tmp;
    /* KSA: identity permutation, then scramble it with the key bytes */
    for (int k = 0; k < 256; k++) S[k] = (uint8_t)k;
    for (int k = 0; k < 256; k++) {
        j = (uint8_t)(j + S[k] + key[k % keylen]);
        tmp = S[k]; S[k] = S[j]; S[j] = tmp;
    }
    /* PRGA: generate one keystream byte per input byte and XOR it in */
    i = j = 0;
    for (size_t k = 0; k < len; k++) {
        i = (uint8_t)(i + 1);
        j = (uint8_t)(j + S[i]);
        tmp = S[i]; S[i] = S[j]; S[j] = tmp;
        data[k] ^= S[(uint8_t)(S[i] + S[j])];
    }
}
```
Final Delivery and Payload Execution
Once the payload is successfully unpacked, the Stage 3 modules are injected into a legitimate process that is started in a suspended state and selected from a list. This stealthy injection allows the malware to harvest sensitive information, including credentials, browser profiles, cryptocurrency wallets, and system fingerprints. The shifting infection strategies and flexible delivery mechanisms signal an ongoing evolution that poses significant challenges for defenders. Monitoring of potentially malicious image files therefore deserves the same attention as monitoring of traditional executable attachments.