Rhadamanthys Stealer Available on Dark Web for $299–$499


Rhadamanthys: The Rise of a New Malware-as-a-Service

Introduction to Rhadamanthys

A new entity in the world of malware has emerged, named Rhadamanthys. This sophisticated information-stealing tool has made its presence known on underground marketplaces, with subscriptions priced between $299 and $499 per month. Its refined branding and tiered pricing suggest it’s designed for seasoned cybercriminals rather than novices.

A Rapidly Evolving Threat

Since its introduction in September 2022 under the alias kingcrete2022, Rhadamanthys has quickly advanced from a basic experimental project into one of the most feature-packed stealers on the dark web. Initially built using code from an earlier malware known as Hidden Bee, the creators have made significant improvements. These include a modular architecture that delivers custom loaders, enhanced obfuscation techniques, and adaptable deployment methods.

Delivery Methods of Malware

In its early iterations, Rhadamanthys utilized WAV or JPEG formats to conceal its malware payloads. However, the most recent version, v0.9.2, has shifted to a more straightforward delivery mechanism. This version embeds encrypted modules within PNG images, making detection and interception more difficult.

The Sophistication of Rhadamanthys

Adopting a professional software house model, Rhadamanthys comes equipped with a dedicated Tor-hosted storefront, Telegram support channels, and distinct branding elements such as RHAD Security and Mythical Origin Labs. Its online presence is aimed at establishing a comprehensive cybercriminal ecosystem, offering not just the main stealer but supplementary tools like the Elysium Proxy Bot and Crypt Service.

Tiered Subscription Model

The operators of Rhadamanthys offer three distinct pricing tiers:

  1. Self-Hosted Package: At $299 per month, this option allows users to deploy the malware on their existing infrastructure, appealing to those who prefer minimal reliance on external services.

  2. Managed Server Subscription: Priced at $499 per month, this mid-tier package comes with rented servers managed by the developers, as well as automated updates and prioritized tech support.

  3. Enterprise Package: Tailored to specific needs through negotiations, this package promises unique features, service-level agreements, and dedicated support.

This subscription-based model is rare among malware offerings, which are usually sold as one-off purchases. Rhadamanthys pairs technical sophistication with a software-as-a-service approach, a professional presentation that may attract established cybercriminal organizations.

Technical Composition of Rhadamanthys

The technical underpinnings of Rhadamanthys add further layers of complexity and evasion. Mutex names are derived from a 16-byte seed value rather than hard-coded, so there is no fixed name for detection tools to match.

Recent enhancements include:

  • A message box that imitates the well-known Lumma stealer interface, complicating analysis during unpacking.
  • Custom executable formats (XS1B and XS2B) that replace the standard structures expected by automated analysis tools.
  • New string deobfuscation routines based on RC4 in place of the earlier XOR routines.
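To make the RC4 point concrete, the following is an added Python example written for this page; it is not code from the article, from the malware, or from any vendor. It shows what an analyst's string-table decoder looks like once the obfuscation is RC4 rather than repeating-key XOR: a known plaintext recovers a repeating XOR key outright, whereas against RC4 it only yields keystream bytes for that one position, so the key must be located in the unpacked sample. The key `CONSTRUCTED_KEY` and the table `CONSTRUCTED_TABLE` are placeholders built inline, not values taken from Rhadamanthys.

```python
def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """RC4 key scheduling plus PRGA; encryption and decryption are the same operation."""
    if not key:
        raise ValueError("empty key")
    S = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm (KSA)
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # pseudo-random generation (PRGA)
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor_crypt(key: bytes, data: bytes) -> bytes:
    """Repeating-key XOR, the older scheme the page says RC4 replaced."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_xor_key(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """With repeating XOR, one known string hands back the key bytes directly."""
    return bytes(c ^ p for c, p in zip(ciphertext, known_plaintext))


def decode_string_table(key: bytes, table: list) -> list:
    """Decode RC4-obfuscated entries with a recovered key; drop non-printable results."""
    decoded = []
    for blob in table:
        plain = rc4_crypt(key, blob)
        try:
            text = plain.decode("ascii")
        except UnicodeDecodeError:
            continue                          # wrong key or binary data, not a string
        if text.isprintable():
            decoded.append(text)
    return decoded


# Constructed placeholders (not values from any real sample). In practice the key
# is read out of the unpacked binary; it cannot be derived from the strings alone.
CONSTRUCTED_KEY = b"example-key"
CONSTRUCTED_TABLE = [
    rc4_crypt(CONSTRUCTED_KEY, s)
    for s in (b"login data", b"cookies", b"wallet.dat", b"\x00\x01\xff")
]

if __name__ == "__main__":
    print("RC4 decode:", decode_string_table(CONSTRUCTED_KEY, CONSTRUCTED_TABLE))
    ct = xor_crypt(b"k3y", b"wallet.dat")
    print("XOR key from known plaintext:", recover_xor_key(ct, b"wallet.dat")[:3])
    # Against RC4 the same trick yields only position-specific keystream bytes,
    # which is why the key itself has to be recovered from the sample.
    ks = recover_xor_key(rc4_crypt(b"k3y", b"wallet.dat"), b"wallet.dat")
    print("RC4 keystream bytes (not the key):", ks.hex())
```

The `rc4_crypt` routine is the textbook algorithm and matches the published RC4 test vectors (for example key `Key` and plaintext `Plaintext` give `bbf316e8d940af0ad3`), so it can be dropped into a triage script and pointed at an extracted string table once the key offset in the unpacked sample is known.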

Evasion Techniques

Rhadamanthys is equipped with a sophisticated “Strategy” module that can adapt to sandbox detection protocols, checking against various hardware and software configurations often associated with analysis environments. Additionally, its mutex collection utilizes a randomized seed to evade universal detection tools, while time synchronization with public Network Time Protocol (NTP) servers keeps its operations discreet.

The malware also collects essential data including credentials, browser cookies, wallet information, and more, all while operating hidden within legitimate processes, thereby complicating detection strategies significantly.

Conclusion: A Growing Trend in Cybercrime

With its subscription fees and continual updates, Rhadamanthys exemplifies a shift toward malware-as-a-service offerings that adopt features typical of legitimate businesses. Security teams are strongly urged to update their defense mechanisms to include detection tools tailored for PNG-based payloads and to remain alert to evolving obfuscation strategies.
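The article says v0.9.2 embeds encrypted modules inside PNG images and urges defenders to add detection tailored to PNG-based payloads. The following is an added Python triage script written for this page; it is not code from the article or from any vendor. It walks the chunk structure of a PNG, checks each chunk's CRC, and reports non-standard chunk types, oversized high-entropy text chunks and any bytes appended after `IEND`, which are the places where a carrier image can hold data the decoder ignores. Both sample images are constructed inline; the private chunk name `pAyL` is a made-up placeholder, not a real Rhadamanthys indicator.

```python
import hashlib
import math
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Chunk types defined by the PNG specification; anything else is private or unknown.
STANDARD_CHUNKS = {
    b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"cHRM", b"gAMA", b"iCCP",
    b"sBIT", b"sRGB", b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"hIST", b"pHYs",
    b"sPLT", b"tIME", b"eXIf",
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted or compressed data sits close to 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_chunks(blob: bytes):
    """Return ([(type, data, crc_ok), ...], bytes_after_IEND)."""
    if not blob.startswith(PNG_SIG):
        raise ValueError("missing PNG signature")
    pos = len(PNG_SIG)
    chunks = []
    while pos + 8 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        data = blob[pos + 8:pos + 8 + length]
        crc_field = blob[pos + 8 + length:pos + 12 + length]
        if len(data) < length or len(crc_field) < 4:
            chunks.append((ctype, data, False))      # truncated chunk
            return chunks, b""
        crc_ok = struct.unpack(">I", crc_field)[0] == zlib.crc32(ctype + data)
        chunks.append((ctype, data, crc_ok))
        pos += 12 + length
        if ctype == b"IEND":                          # a decoder stops reading here
            break
    return chunks, blob[pos:]


def triage_png(blob: bytes, entropy_threshold: float = 7.0) -> list:
    """Return human-readable findings; an empty list means nothing unusual."""
    findings = []
    chunks, trailing = parse_chunks(blob)
    if not any(c[0] == b"IEND" for c in chunks):
        findings.append("no IEND chunk")
    for ctype, data, crc_ok in chunks:
        if not crc_ok:
            findings.append(f"bad CRC on chunk {ctype!r}")
        if ctype not in STANDARD_CHUNKS:
            findings.append(f"non-standard chunk {ctype!r}: {len(data)} bytes, "
                            f"entropy {shannon_entropy(data):.2f}")
        elif (ctype in (b"tEXt", b"zTXt", b"iTXt") and len(data) > 1024
              and shannon_entropy(data) > entropy_threshold):
            findings.append(f"oversized high-entropy text chunk {ctype!r}")
    if trailing:
        findings.append(f"{len(trailing)} trailing bytes after IEND, "
                        f"entropy {shannon_entropy(trailing):.2f}")
    return findings


def make_chunk(ctype: bytes, data: bytes) -> bytes:
    return (struct.pack(">I", len(data)) + ctype + data
            + struct.pack(">I", zlib.crc32(ctype + data)))


def build_clean_png() -> bytes:
    """Constructed 1x1 RGB image used as the benign baseline."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    scanline = b"\x00\xff\x00\x00"                    # filter byte + one red pixel
    return (PNG_SIG + make_chunk(b"IHDR", ihdr)
            + make_chunk(b"IDAT", zlib.compress(scanline)) + make_chunk(b"IEND", b""))


def build_suspicious_png() -> bytes:
    """Constructed sample: a private chunk of pseudo-random bytes plus data after IEND."""
    filler = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(64))
    clean = build_clean_png()
    body, iend = clean[:-12], clean[-12:]             # IEND is always 12 bytes
    return body + make_chunk(b"pAyL", filler) + iend + filler[:512]


if __name__ == "__main__":
    for name, sample in (("clean", build_clean_png()), ("suspicious", build_suspicious_png())):
        print(name, triage_png(sample) or ["no findings"])
```

Run it over images pulled from mail gateways or proxy logs; the clean baseline produces no findings, while the constructed sample is flagged twice, once for the private chunk and once for the appended bytes. High entropy in `IDAT` is normal (it is zlib output), which is why the script only scores entropy for non-standard chunks, text chunks and trailing data.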

As Rhadamanthys becomes a persistent revenue stream for its creators, there is a pressing need for vigilance and innovation in cybersecurity practices to counteract its advancing features in future releases.
