Rhadamanthys

This attack – known as ‘malvertising’ – is often aimed at users looking to download popular software applications.

Rhadamanthys is an infostealer distributed via malspam and malvertising. Google searches for popular software such as Notion return malicious ads. Threat actors are using decoy websites to trick users into downloading malware.

Commercial evasion framework SHELLTER acquired by threat groups... In mid-June, our research identified multiple financially motivated infostealer campaigns that have been using SHELLTER to package payloads beginning late April 2025.

Sharing malicious code or phishing panels via YouTube : They promote popular apps or cracked versions of apps as free downloads, and include download links or panels in the video description to entice users to download the malicious code.

During a wave of attacks occurring in April 2025, users were phished or otherwise lured into downloading a compressed archive... In July 2025, the large archive attached to the phishing lure contained...

Victims who clicked the ad and visited the site were tricked with a download for NetSupport RAT. In this more recent campaign, the threat actor is pushing Rhadamanthys as the final payload, after an initial dropper.

We’ve been observing an initial access technique that tricks users into copying, pasting, and executing malicious PowerShell code... users are presented with the typical Verify You Are Human prompt... Clicking the button silently copies an obfuscated PowerShell command to the clipboard and presents the user with “Verification Steps” instructing them to: Press Windows Button + R... Press CTRL + V... Press Enter. | One technique we’ve recently seen lead to LummaC2 involves tricking users into copying a PowerShell script from a pop-up message, pasting it into the Windows Run dialogue box, and executing malicious PowerShell code.

These messages contained URLs leading to a download of a JavaScript file hosted on Microsoft Azure. The JavaScript called PowerShell to run a remote PowerShell script.

The shellcode execution will go as the following: The function sub_405728 is responsible to invoke the API call ImmEnumInputContext... ImmEnumInputContext will get the address of the shellcode in its second argument “lpfn” and will execute it.

When a user searches for a related term and clicks through to the malicious site, the attackers check the Referer header to confirm the user has come from a search engine, and then entice them into downloading malware disguised as a legitimate software application.

Web Filtering and Monitoring: Deploy web filtering solutions to block access to known malicious domains linked to Crazy Evil ... as well as suspicious downloads, especially those related to cracked “freemium” software.

the loader will use the API call SetErrorMode with 0x8003 as an argument... the loader doesn't want the system to display any error on the screen

it is just a small shellcode that unpacks and inject into the memory the Rhadamanthys stealer itself. | a call to VirtualAlloc will happen to create a newly allocated memory followed by memcpy to copy the shellcode from the heap to the new memory. Lastly, a VirtualProtect API call will be used to change the permission of the memory segment to RWX. | This function access the Process Environment Block to get the address of Kernel32.dll. This behavior is traditional and happens in many shellcodes. | After having a shellcode with EXECUTE permission, we need a way to execute it, in this case, the authors choose a cool trick in form of a Callback function.

This function access the Process Environment Block to get the address of Kernel32.dll... it iterates through the kernel32 export functions... hash the function name... Overall the functions will be “VirtualAlloc, LocalFree, LocalAlloc, VirtualFree”

They promote popular apps or cracked versions of apps as free downloads... Operate fake casinos or gambling sites through phishing panels that replicate the UI of legitimate casino sites.

it is just a small shellcode that unpacks and inject into the memory the Rhadamanthys stealer itself. | a call to VirtualAlloc will happen to create a newly allocated memory followed by memcpy to copy the shellcode from the heap to the new memory. Lastly, a VirtualProtect API call will be used to change the permission of the memory segment to RWX. | This function access the Process Environment Block to get the address of Kernel32.dll. This behavior is traditional and happens in many shellcodes. | After having a shellcode with EXECUTE permission, we need a way to execute it, in this case, the authors choose a cool trick in form of a Callback function.

The config decryption occurs in a function named sub_3DD4... sub_28AA This function is basically just an RC4 algorithm

An encoded PowerShell command then leverages Microsoft HTML Application Host (mshta.exe) to download and execute a malicious payload from a remote resource... Detection opportunity: mshta.exe utility making external network connections.

Spawn Rundll32 to execute the DLL with the export function “PrintUIEntry”

The loader continues with creating a Mutex with the name that starts with “Global\MSCTF.Asm.{digits}”.

Checks for specific users that could hint about a lab environment... Check for security-related DLLs | The Rhadamanthys loader contains large anti-analysis checks stolen from the al-khaser project... Some of the checks are checking for a virtual environment

the loader will use the API call SetErrorMode with 0x8003 as an argument... the loader doesn't want the system to display any error on the screen

The Windows binary is a signed file but its digital signature is not valid... This digital certificate is likely fake or was revoked, but it may evade detection in some cases.

The malware collects information from the discord directories, possibly to extract further data.

A stealer is malicious code that steals account information, passwords, financial data, and other sensitive personal information stored on a system.

The malware target the following browsers in their info-stealing activity: ... Opera Chrome ... Firefox Edge

Through the malware installed by the Traffer, victims’ credentials and other information are stolen, and the stolen data is sold on credential markets or Telegram.

The malware target sensitive registry keys of the WinSCP in order to collect information.

Checks for specific users that could hint about a lab environment... Check for security-related DLLs | The Rhadamanthys loader contains large anti-analysis checks stolen from the al-khaser project... Some of the checks are checking for a virtual environment

Rhadamanthys targets a broad range of sensitive information, including credentials from browsers, system information, cookies, cryptocurrency wallets, and application data.

In our case, we can see that the C2 will be http://185[.]209.160.99/blob/top.mp4

Once a Traffer joins the team, they request a build from the Telegram Bot and receive malicious code samples... user @amdfx6300 sent a file named “build.zip” along with a VirusTotal link and stated that it was “completely clean.”

Cryptocurrency theft : Generally, a drainer is used to change the coin address to the attacker’s address when the victim transfers coins to another address, thereby stealing the coins.

the loader gets the address of KiUserExceptionDispatcher and starts to iterate on it to search for a specific location where ZwQueryInformationProcess is called... the call was replaced to jump to a function in the loader

the same function appears to aim for the AVAST-related modules aswhook.dll & aswAMSI.dll... More amsi-related functions and DLLs that are being targeted by the stealer are: avamsicli.dll amsi.dll AmsiScanString AmsiScanBuffer EtwEventWrite | the loader gets a handle to ntdll.dll and loads it to virtual memory... They will be compared using memcmp, and if they will found different, the loader will change the protection of the real function of ntdll and will use memcpy to copy the data from the fake to the real one.