The notorious Rhadamanthys stealer, first released in 2022, has returned with a powerful new update that underscores its persistence in the cybercrime ecosystem. According to Check Point Research (CPR), “Rhadamanthys is a popular, multi-modular stealer, released in 2022. Since then, it has been used in multiple campaigns by various actors. Most recently, it is being observed in the ClickFix campaigns.”
Unlike many malware strains that fizzle out quickly, Rhadamanthys is evolving into a professional cybercrime enterprise. The report notes how its operators have embraced full branding, with a polished Tor site and a new identity as “RHAD security” and “Mythical Origin Labs.” Beyond the flagship stealer, they advertise other products, including Elysium Proxy Bot and a Crypt Service, with subscription tiers starting at $299 per month and an Enterprise package available on request.
“The combination of the branding, product portfolio, and pricing structure suggests that the authors treat Rhadamanthys as a long-term business venture rather than a side project.”

The latest release, v0.9.2, introduces refinements across its core modules:
- New Anti-Analysis Tactics: The malware now displays a “Do you want to run a malware?” message box if executed in unpacked form—an anti-distribution trick borrowed from Lumma stealer.
- Custom Executable Format Updates: Rhadamanthys continues to use its proprietary XS formats for modules, now updated to break older research tools.
- Configuration Overhaul: The config blob now begins with 0xBEEF markers instead of the classic !RHY, and includes expanded options such as multiple C2 addresses and new flags.
- PNG Payload Delivery: In a departure from past steganographic WAV/JPG loaders, v0.9.2 embeds its next-stage modules in noisy PNG files. “It gives a noisy-looking image… but good enough to do its job,” CPR observed.
These changes make Rhadamanthys harder to analyze, detect, and block, reflecting what CPR describes as a pattern of “incremental churn aimed at slowing analysts down.”
The malware’s modular design remains intact, but its arsenal has expanded:
- Environment Evasion: New sandbox-detection checks analyze wallpaper hashes, usernames, and hardware IDs.
- Targeted Process Injection: A configurable list of Windows processes to inject into makes it easier to bypass defenses.
- Extended Lua Plugins: The malware now includes support for Ledger Live crypto wallet, adding to its long list of credential theft modules across VPNs, messengers, 2FA apps, and wallets.
- Browser Fingerprinting: A new fingerprint.js module gathers detailed browser and system telemetry, from WebGL to installed fonts.
The continuous investment in Rhadamanthys signals its staying power. “The latest variant represents an evolution rather than a revolution,” CPR concludes, “but if this trajectory continues, a future 1.0 release may emphasize stability and professionalization, further cementing Rhadamanthys as a long-term player in the stealer ecosystem.”