Rhadamanthys Stealer Updates Enhance Fingerprinting, Offers Tiers

Rhadamanthys Stealer Expands Features with Fingerprinting, Steganographic Payloads, and Rebranding as MaaS under RHAD Security

  • The threat actor behind Rhadamanthys stealer also promotes two other tools: Elysium Proxy Bot and Crypt Service.
  • Rhadamanthys now collects device and web browser fingerprints, enhancing data theft capabilities.
  • It operates under a Malware-as-a-service model with tiered pricing from $299 to $499 per month.
  • New features include Sandbox detection, encrypted payload delivery via image and audio files, and a built-in Lua runner for plugin support.
  • The group rebranded as “RHAD security” and “Mythical Origin Labs,” marketing their products for innovation and efficiency.

The threat group responsible for the Rhadamanthys information stealer has expanded its offerings by advertising two additional tools named Elysium Proxy Bot and Crypt Service on its website. The latest update to Rhadamanthys adds the capability to gather device and web browser fingerprints among other data.

- Advertisement -

Originally promoted on cybercrime forums, Rhadamanthys was introduced by an actor known as kingcrete2022 and has grown into a widely used malware-as-a-service (MaaS) product. The current version, 0.9.2, is offered in three packages. Prices start at $299 per month for a self-hosted setup, with higher tiers, including $499 per month options offering priority support and advanced features.

Check Point researcher Aleksandra “Hasherezade” Doniec reported that the operators have rebranded as “RHAD security” and “Mythical Origin Labs,” presenting their tools as smart solutions designed to improve innovation and efficiency. Doniec emphasized that the professional approach suggests a long-term business model rather than a casual project.

The latest iteration of Rhadamanthys incorporates new protections to avoid exposing unpackaged malware by displaying a warning message that allows users to run the program harmlessly. This feature is designed to reduce the risk of the malware being detected and to protect distributors from infection. However, although similar to those used in other stealers like Lumma, the technical implementation differs.

Additional enhancements include refinements to the packaging format, improved obfuscation of module names to evade detection, and rigorous environment checks to avoid operation in sandboxed or forbidden environments. The malware performs these checks by comparing running processes, the current wallpaper, and usernames against known sandbox indicators. Only after passing these checks does it connect to a command-and-control (C2) server to download its main payload.

- Advertisement -

The payload is hidden using steganography in audio or image files such as WAV, JPEG, or PNG. To extract and decrypt this payload, a shared secret key agreed on during initial C2 communication is required. The stealer itself includes a Lua execution engine, which allows it to run additional plugins written in Lua to expand data theft and fingerprinting functions.

Check Point noted that the latest release is an evolution focused on refinement rather than drastic changes. They advised analysts to update their tools to detect these new features, including the PNG-based payload delivery and changing obfuscation methods. The developer appears to maintain a steady development pace, improving obfuscation, adding advanced options, and enhancing the malware’s stealth capabilities.

For more details, see Check Point’s report at their research page.

✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.

Previous Articles:

- Advertisement -

Latest News

US Treasury Plans $1 Coin Featuring Trump for 250th Anniversary

The US Treasury plans to release new $1 coins featuring President Donald Trump to...

Bitcoin Nears All-Time High as U.S. Shutdown Fuels Crypto Surge

Bitcoin surged more than 8% since the U.S. government shutdown began on Wednesday. The cryptocurrency...

Crypto Bros Fooled by Fake McRib News, BTC Still Rises 13%

Speculation about a McRib return in the UK reportedly fueled excitement among some Bitcoin...

Stellar’s XLM Reverses After Hitting Highs; Volume Spikes

XLM fell back to $0.4015 soon after, losing earlier gains due to heavy...

US Dollar Hits New Lows as Metals Surge to Record Highs Amid Turmoil

US markets face volatility from changing Federal Reserve policies and a US government shutdown. The...
- Advertisement -

Must Read

Best Metaverse Tokens to Buy on Binance for 10X Gains

Ever since Facebook renamed their company to Meta, as well as their plans to build a metaverse where we can travel into using Virtual...