- The threat actor behind Rhadamanthys stealer also promotes two other tools: Elysium Proxy Bot and Crypt Service.
- Rhadamanthys now collects device and web browser fingerprints, enhancing data theft capabilities.
- It operates under a Malware-as-a-service model with tiered pricing from $299 to $499 per month.
- New features include Sandbox detection, encrypted payload delivery via image and audio files, and a built-in Lua runner for plugin support.
- The group rebranded as “RHAD security” and “Mythical Origin Labs,” marketing their products for innovation and efficiency.
The threat group responsible for the Rhadamanthys information stealer has expanded its offerings by advertising two additional tools named Elysium Proxy Bot and Crypt Service on its website. The latest update to Rhadamanthys adds the capability to gather device and web browser fingerprints among other data.
Originally promoted on cybercrime forums, Rhadamanthys was introduced by an actor known as kingcrete2022 and has grown into a widely used malware-as-a-service (MaaS) product. The current version, 0.9.2, is offered in three packages. Prices start at $299 per month for a self-hosted setup, with higher tiers, including $499 per month options offering priority support and advanced features.
Check Point researcher Aleksandra “Hasherezade” Doniec reported that the operators have rebranded as “RHAD security” and “Mythical Origin Labs,” presenting their tools as smart solutions designed to improve innovation and efficiency. Doniec emphasized that the professional approach suggests a long-term business model rather than a casual project.
The latest iteration of Rhadamanthys incorporates new protections to avoid exposing unpackaged malware by displaying a warning message that allows users to run the program harmlessly. This feature is designed to reduce the risk of the malware being detected and to protect distributors from infection. However, although similar to those used in other stealers like Lumma, the technical implementation differs.
Additional enhancements include refinements to the packaging format, improved obfuscation of module names to evade detection, and rigorous environment checks to avoid operation in sandboxed or forbidden environments. The malware performs these checks by comparing running processes, the current wallpaper, and usernames against known sandbox indicators. Only after passing these checks does it connect to a command-and-control (C2) server to download its main payload.
The payload is hidden using steganography in audio or image files such as WAV, JPEG, or PNG. To extract and decrypt this payload, a shared secret key agreed on during initial C2 communication is required. The stealer itself includes a Lua execution engine, which allows it to run additional plugins written in Lua to expand data theft and fingerprinting functions.
Check Point noted that the latest release is an evolution focused on refinement rather than drastic changes. They advised analysts to update their tools to detect these new features, including the PNG-based payload delivery and changing obfuscation methods. The developer appears to maintain a steady development pace, improving obfuscation, adding advanced options, and enhancing the malware’s stealth capabilities.
For more details, see Check Point’s report at their research page.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
Previous Articles:
- US Dollar Hits New Lows as Metals Surge to Record Highs Amid Turmoil
- Stellantis Pushes for Tariff Relief on Mexico Rams; GM, Ford Resist
- Theta Ecosystem Expands with Sports, AI, and Academic Partnerships
- Lord Miles Accused of Rigging Polymarket Bet Before Saudi Arrest
- Bitcoin Nears All-Time High as Crypto Rally Gains Momentum