The threat actor behind Rhadamanthys has also advertised two other tools called Elysium Proxy Bot and Crypt Service on their website, even as the flagship information stealer has been updated to support the ability to collect device and web browser fingerprints, among others.
“Rhadamanthys was initially promoted through posts on cybercrime forums, but soon it became clear that the author had a more ambitious plan to connect with potential customers and build visibility,” Check Point researcher Aleksandra “Hasherezade” Doniec said in a new report.
First advertised by a threat actor named kingcrete2022, Rhadamanthys has emerged as one of the most popular information stealers available under a malware-as-a-service (MaaS) model alongside Lumma, Vidar, StealC, and, more recently, Acreed. The current version of the stealer is 0.9.2.
Over the years, the stealer’s capabilities have extended far beyond simple data collection, representing a comprehensive threat to personal and corporate security. In an analysis of version 0.7.0 of the malware last October, Recorded Future detailed the addition of a new artificial intelligence (AI) feature for optical character recognition (OCR) to capture cryptocurrency wallet seed phrases.
The latest findings from Check Point show that the threat actors rebranded themselves as “RHAD security” and “Mythical Origin Labs,” marketing their offerings as “intelligent solutions for innovation and efficiency.”
Rhadamanthys is available in three tiered packages, starting from $299 per month for a self-hosted version to $499 per month that comes with additional benefits, including priority technical support, server, and advanced API access. Prospective customers can also purchase an Enterprise plan by directly contacting their sales team.
“The combination of the branding, product portfolio, and pricing structure suggest that the authors treat Rhadamanthys as a long-term business venture rather than a side project,” Hasherezade noted. “For defenders, this professionalization signals that Rhadamanthys with its growing customer base and an expanding ecosystem is likely here to stay, making it important to track not only its malware updates but also the business infrastructure that sustains it.”
Like Lumma version 4.0, Rhadamanthys version 0.9.2 includes a feature to avoid leaking unpacked artifacts by displaying to the user an alert that allows them to finish the execution of the malware without inflicting any harm to the machine on which it’s running.
This is done so in an attempt to prevent malware distributors from spreading the initial executable in its plain, unprotected form so as to curtail detection efforts, as well as getting their systems infected in the process. That said, while the alert message may be the same in both the stealers, the implementation is completely different, Check Point said, suggesting “surface-level mimicry.”
“In Lumma, opening and reading the file is implemented via raw syscalls, and the…
Source link
Disclaimer
We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.
Website Upgradation is going on for any glitch kindly connect at [email protected]
