Rhadamanthys, a sophisticated multi-modular information stealer, first emerged in September 2022 and has since evolved into one of the most commercially advanced malware offerings on underground forums.
Originally advertised by the actor “kingcrete2022,” its initial design drew heavily on the earlier Hidden Bee project, enabling rapid feature growth and professional polish.
Over time, Rhadamanthys steadily gained traction through targeted campaigns such as ClickFix, attracting both novice affiliates and seasoned threat actors.
As of October 2025, the latest 0.9.2 release introduces incremental refinements to its loader architecture, custom executable formats, and evasion routines, reinforcing its position as a long-term business venture rather than a disposable side project.
Check Point analysts noted that Rhadamanthys is marketed under the “RHAD Security” and “Mythical Origin Labs” brands, complete with a revamped Tor storefront, Telegram support channel, and tiered licensing model.
The malware is offered at $299 per month for a self-hosted package and $499 per month for a rented server deployment, with enterprise pricing available through individual negotiation.
Pricing of Rhadamanthys (Source – Check Point)
This professionalization underscores the developers’ commitment to sustained feature development, robust support, and ongoing customization options.
Technically, Rhadamanthys is distributed via a polymorphic initial loader available in both .NET and native PE forms. The native 32- and 64-bit loaders unpack into shellcode that deploys a proprietary XS format package containing core modules.
Each module—ranging from environment checks to the stealer core—is obfuscated in a custom container, requiring specialized conversion tools to reconstruct into standard PE files for analysis.
Attackers’ website, main view (Source – Check Point)
The latest modifications in version 0.9.x introduce XS1B and XS2B headers, a streamlined import deobfuscation key, and a new configuration marker, 0xBEEF, in place of the previous 0x59485221.
Infection Mechanism
A key infection vector in Rhadamanthys 0.9.2 involves steganographic delivery of the Stage 3 payload via PNG images rather than the earlier WAV or JPG templates.
Upon establishing a WebSocket connection to its C2, the embedded Netclient module retrieves a seemingly innocuous PNG that encodes the next-stage package in pixel data.
The loader processes the image header to locate a shared secret, then applies ChaCha20 decryption followed by LZO decompression to extract the XS2B modules.
Core deobfuscation routines employ an RC4-based algorithm in place of the prior XOR scheme, so existing IDA scripts fail until they are updated.
Example decryption pseudocode (standard RC4: key scheduling followed by the keystream pass):

#include <stddef.h>
#include <stdint.h>

/* In-place RC4: each byte of data is XORed with the keystream derived from key. */
void rc4_decrypt(uint8_t *data, size_t len, const uint8_t *key, size_t keylen) {
    uint8_t S[256], i = 0, j = 0, tmp;

    /* Key-scheduling algorithm (KSA): start from the identity permutation and mix in the key. */
    for (int k = 0; k < 256; k++) S[k] = (uint8_t)k;
    for (int k = 0; k < 256; k++) {
        j = (j + S[k] + key[k % keylen]) & 0xFF;
        tmp = S[k]; S[k] = S[j]; S[j] = tmp;
    }

    /* Pseudo-random generation (PRGA): one keystream byte per data byte. */
    i = j = 0;
    for (size_t k = 0; k < len; k++) {
        i = (i + 1) & 0xFF;
        j = (j + S[i]) & 0xFF;
        tmp = S[i]; S[i] = S[j]; S[j] = tmp;
        data[k] ^= S[(S[i] + S[j]) & 0xFF];
    }
}
This shift to PNG-based steganography reduces the need for complex media parsing and simplifies payload retrieval under the guise of ordinary web traffic.
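A defender-side triage helper for the PNG delivery step described above, added here as an example (it is neither Check Point's tooling nor code from the malware): it walks the PNG chunk list, flags CRC errors and bytes appended after IEND, inflates the IDAT pixel stream, and searches it for the XS1B/XS2B magic and the 0xBEEF / 0x59485221 configuration markers named in this article. The assumption that the magic appears as ASCII and the markers as little-endian dwords inside the pixel data is mine; the article does not document that layout.

```python
import struct
import zlib

# Assumption (not from the article): XS magic is ASCII, config markers are LE dwords.
PNG_SIG = b"\x89PNG\r\n\x1a\n"
XS_MAGICS = (b"XS1B", b"XS2B")
CONFIG_MARKERS = {0xBEEF: "0.9.x marker", 0x59485221: "legacy marker"}


def png_chunk(ctype, data):
    """Encode one PNG chunk: big-endian length, type, data, CRC over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def parse_png(blob):
    """Walk the chunk list, verifying CRCs; return (chunks, bytes_after_IEND)."""
    if not blob.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos, chunks = len(PNG_SIG), []
    while pos + 12 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        if pos + 12 + length > len(blob):  # truncated chunk: record it and stop
            chunks.append((ctype, blob[pos + 8:], False))
            break
        data = blob[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", blob[pos + 8 + length:pos + 12 + length])
        chunks.append((ctype, data, zlib.crc32(ctype + data) & 0xFFFFFFFF == crc))
        pos += 12 + length
        if ctype == b"IEND":
            break
    return chunks, blob[pos:]


def triage_png(blob):
    """Return analyst-facing findings for a PNG suspected of carrying an XS package."""
    chunks, trailing = parse_png(blob)
    findings = [f"{len(trailing)} bytes appended after IEND"] if trailing else []
    findings += [f"bad CRC on {c.decode('latin1')} chunk" for c, _, ok in chunks if not ok]
    # A steganographic payload lives in the decoded pixel stream, so inflate IDAT first.
    idat = b"".join(d for c, d, _ in chunks if c == b"IDAT")
    pixels = zlib.decompress(idat) if idat else b""
    findings += [f"XS magic {m.decode()} at pixel offset {pixels.find(m)}" for m in XS_MAGICS if m in pixels]
    findings += [f"config marker 0x{v:X} ({n}) in pixel data" for v, n in CONFIG_MARKERS.items()
                 if struct.pack("<I", v) in pixels]
    return findings


def make_sample_png(payload):
    """Constructed test image: a single 8-bit grayscale scanline whose pixels are `payload`."""
    ihdr = struct.pack(">IIBBBBB", len(payload), 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00" + payload)  # filter byte 0 followed by the raw pixels
    return PNG_SIG + png_chunk(b"IHDR", ihdr) + png_chunk(b"IDAT", idat) + png_chunk(b"IEND", b"")


if __name__ == "__main__":
    sample = make_sample_png(b"\x00" * 8 + b"XS2B" + struct.pack("<I", 0xBEEF) + b"\x00" * 8)
    for line in triage_png(sample):
        print(line)
```

Run against a real sample, the same checks apply to the bytes fetched over the WebSocket channel; a clean photo yields an empty list, which is the point of the comparison.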
Once unpacked, Stage 3 modules deploy into a suspended legitimate process chosen from a configurable list, then inject the stealer core to harvest credentials, browser profiles, crypto wallets, and system fingerprints.
Through this streamlined infection chain and flexible delivery options, Rhadamanthys continues to challenge defenders and underscores the importance of monitoring custom image-based payloads alongside traditional executable attachments.
Source: cybersecuritynews.com