{
	"id": "f6314963-dfb4-48b8-837c-6321fa967cf9",
	"created_at": "2026-04-06T00:14:17.399169Z",
	"updated_at": "2026-04-10T03:21:22.556848Z",
	"deleted_at": null,
	"sha1_hash": "33a455748c6a80e27e4bbfaaca77566d5e05a59c",
	"title": "Rhadamanthys Malware: Swiss Army Knife of Information Stealers Emerges",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 308207,
	"plain_text": "Rhadamanthys Malware: Swiss Army Knife of Information\r\nStealers Emerges\r\nBy The Hacker News\r\nPublished: 2023-12-18 · Archived: 2026-04-05 15:09:06 UTC\r\nThe developers of the information stealer malware known as Rhadamanthys are actively iterating on its features,\r\nbroadening its information-gathering capabilities and also incorporating a plugin system to make it more\r\ncustomizable.\r\nThis approach not only transforms it into a threat capable of delivering \"specific distributor needs,\" but also makes\r\nit more potent, Check Point said in a technical deep dive published last week.\r\nRhadamanthys, first documented by ThreatMon in October 2022, has been sold under the malware-as-a-service\r\n(MaaS) model as early as September 2022 by an actor under the alias \"kingcrete2022.\"\r\nTypically distributed through malicious websites mirroring those of genuine software that are advertised through\r\nGoogle ads, the malware is capable of harvesting a wide range of sensitive information from compromised hosts,\r\nincluding from web browsers, crypto wallets, email clients, VPN, and instant messaging apps.\r\nhttps://thehackernews.com/2023/12/rhadamanthys-malware-swiss-army-knife.html\r\nPage 1 of 3\n\n\"Rhadamanthys represents a step in the emerging tradition of malware that tries to do as much as possible, and\r\nalso a demonstration that in the malware business, having a strong brand is everything,\" the Israeli cybersecurity\r\nfirm noted in March 2022.\r\nA subsequent investigation into the off-the-shelf malware in August revealed \"design and implementation\" overlap\r\nwith that of the Hidden Bee coin miner.\r\n\"The similarity is apparent at many levels: custom executable formats, the use of similar virtual filesystems,\r\nidentical paths to some of the components, reused functions, similar use of steganography, use of LUA scripts, and\r\noverall analogous design,\" the researchers said, describing the malware's development as \"fast-paced and\r\nongoing.\"\r\nAs of writing, the current working version of Rhadamanthys is 0.5.2, per the description on the threat actor's\r\nTelegram channel.\r\nCheck Point's analysis of versions 0.5.0 and 0.5.1 reveals a new plugin system that effectively makes it more of a\r\nSwiss Army knife, indicating a shift towards modularization and customization. This also allows the stealer\r\ncustomers to deploy additional tools tailored to their targets.\r\nThe stealer components are both active, capable of opening processes and injecting additional payloads designed\r\nto facilitate information theft, and passive, which are designed to search and parse specific files to retrieve saved\r\ncredentials.\r\nAnother noticeable aspect is the use of a Lua script runner that can load up to 100 Lua scripts to pilfer as much\r\ninformation as possible from cryptocurrency wallets, email agents, FTP services, note-taking apps, instant\r\nmessengers, VPNs, two-factor authentication apps, and password managers.\r\nVersion 0.5.1 goes a step further, adding clipper functionality to alter clipboard data matching wallet addresses to\r\ndivert cryptocurrency payments to an attacker-controlled wallet as well as an option to recover Google Account\r\ncookies, following the footsteps of Lumma Stealer.\r\n\"The author keeps enriching the set of available features, trying to make it not only a stealer but a multipurpose\r\nbot, by enabling it to load multiple extensions created by a distributor,\" security researcher Aleksandra\r\n\"Hasherezade\" Doniec said.\r\n\"The added features, such as a keylogger, and collecting information about the system, are also a step towards\r\nmaking it a general-purpose spyware.\"\r\nAsyncRAT's Code Injection into aspnet_compiler.exe\r\nThe findings come as Trend Micro detailed new AsyncRAT infection chains that leverage a legitimate Microsoft\r\nprocess called aspnet_compiler.exe, which is used for precompiling ASP.NET web applications, to stealthily\r\ndeploy the remote access trojan (RAT) via phishing attacks.\r\nSimilar to how Rhadamanthys carries out code injection into running processes, the multi-stage process\r\nculminates in the AsyncRAT payload being injected into a newly spawned aspnet_compiler.exe process to\r\nultimately establish contact with a command-and-control (C2) server.\r\n\"The AsyncRAT backdoor has other capabilities depending on the embedded configuration,\" security researchers\r\nBuddy Tancio, Fe Cureg, and Maria Emreen Viray said. \"This includes anti-debugging and analysis checks,\r\npersistence installation, and keylogging.\"\r\nIt's also designed to scan particular folders within the application directory, browser extensions, and user data to\r\ncheck for the presence of crypto wallets. On top of that, the threat actors have been observed relying on Dynamic\r\nDNS (DDNS) to deliberately obfuscate their activities.\r\n\"The use of dynamic host servers allows threat actors to seamlessly update their IP addresses, strengthening their\r\nability to remain undetected within the system,\" the researchers said.\r\nSource: https://thehackernews.com/2023/12/rhadamanthys-malware-swiss-army-knife.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://thehackernews.com/2023/12/rhadamanthys-malware-swiss-army-knife.html"
	],
	"report_names": [
		"rhadamanthys-malware-swiss-army-knife.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434457,
	"ts_updated_at": 1775791282,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/33a455748c6a80e27e4bbfaaca77566d5e05a59c.pdf",
		"text": "https://archive.orkl.eu/33a455748c6a80e27e4bbfaaca77566d5e05a59c.txt",
		"img": "https://archive.orkl.eu/33a455748c6a80e27e4bbfaaca77566d5e05a59c.jpg"
	}
}