{
	"id": "54f2ef91-fe41-425e-8a19-1de7772d6490",
	"created_at": "2026-04-06T00:18:50.133899Z",
	"updated_at": "2026-04-10T03:34:42.768321Z",
	"deleted_at": null,
	"sha1_hash": "59193c7ba27f575ec8708eadbb58b47f824be174",
	"title": "Rhadamanthys (Malware Family)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 139897,
	"plain_text": "Rhadamanthys (Malware Family)\r\nBy Fraunhofer FKIE\r\nArchived: 2026-04-02 11:08:15 UTC\r\nAccording to PCrisk, Rhadamanthys is a stealer-type malware, and as its name implies - it is designed to extract\r\ndata from infected machines.\r\nAt the time of writing, this malware is spread through malicious websites mirroring those of genuine software\r\nsuch as AnyDesk, Zoom, Notepad++, and others. Rhadamanthys is downloaded alongside the real program, thus\r\ndiminishing immediate user suspicion. These sites were promoted through Google ads, which superseded the\r\nlegitimate search results on the Google search engine.\r\n2026-03-10 ⋅ Check Point Research ⋅\r\nIranian MOIS Actors \u0026 the Cyber Crime Connection\r\nQilin Tsundere CASTLELOADER Rhadamanthys 2026-01-13 ⋅ Spamhaus ⋅ Spamhaus Malware Labs\r\nSpamhaus Botnet Threat Update July to December 2025\r\nCoper FluBot Joker Aisuru Mirai AsyncRAT BianLian Cobalt Strike DCRat Havoc Latrodectus PureLogs Stealer\r\nQuasar RAT Remcos Rhadamanthys Sliver ValleyRAT Venom RAT Vidar XWorm 2025-12-10 ⋅ SpyCloud ⋅ SpyCloud\r\nLabs Research Team\r\nAnalyzing the Impact of the Operation Endgame Takedown on Rhadamanthys \u0026 the MaaS Ecosystem\r\nRhadamanthys 2025-11-13 ⋅ Politie NL ⋅ Politie NL\r\nAgain criminal infrastructure dismantled in international ransomware operation\r\nRhadamanthys Venom RAT 2025-10-01 ⋅ Checkpoint ⋅ hasherezade\r\nRhadamanthys 0.9.x – walk through the updates\r\nRhadamanthys 2025-08-08 ⋅ AhnLab ⋅ AhnLab ASEC Analysis Team\r\nDistribution of SmartLoader Malware via Github Repository Disguised as a Legitimate Project\r\nRhadamanthys SmartLoader 2025-07-31 ⋅ Twitter (@Threatlabz) ⋅ Zscaler\r\nTweet about new variant with BEEF instead of !RHA as config magic bytes\r\nRhadamanthys 2025-07-14 ⋅ Spamhaus ⋅ Spamhaus Malware Labs\r\nSpamhaus Botnet Threat Update January to June 2025\r\nCoper FluBot Hook Joker Mirai AsyncRAT BianLian BumbleBee Chaos Cobalt Strike DanaBot DCRat 
Havoc\r\nLatrodectus NjRAT Quasar RAT RedLine Stealer Remcos Rhadamanthys Sliver ValleyRAT WarmCookie XWorm\r\n2025-06-03 ⋅ VMRay ⋅ Albert Zsigovits, VMRay\r\nRhadamanthys slips through in large installer files\r\nRhadamanthys 2025-05-22 ⋅ Elastic ⋅ Daniel Stepanic\r\nDe-obfuscating ALCATRAZ\r\nDOUBLELOADER Rhadamanthys 2025-03-28 ⋅ Trend Micro ⋅ Ahmed Mohamed Ibrahim, Aliakbar Zahravi\r\nA Deep Dive into Water Gamayun’s Arsenal and Infrastructure\r\nDarkWisp SilentPrism Kematian Stealer Rhadamanthys Stealc Water Gamayun 2025-03-14 ⋅ Twitter (@CERTCyberdef)\r\n⋅ Alexandre Matousek, Marine PICHON\r\nTweet on Emmenhtal v3\r\nEmmenhtal Lumma Stealer Rhadamanthys 2025-03-06 ⋅ Outpost24 ⋅ KrakenLabs\r\nUnveiling EncryptHub: Analysis of a multi-stage malware campaign\r\nRhadamanthys 2025-01-10 ⋅ Spamhaus ⋅ Spamhaus Malware Labs\r\nSpamhaus Botnet Threat Update July to December 2024\r\nCoper FluBot Hook Mirai FAKEUPDATES AsyncRAT BianLian Brute Ratel C4 Cobalt Strike DanaBot DCRat\r\nHavoc Latrodectus NjRAT Quasar RAT RedLine Stealer Remcos Rhadamanthys Sliver Stealc 2025-01-04 ⋅\r\nrevdiaries.com ⋅ heapoverflow\r\n\"Solara\" Roblox Executor Malware\r\nRhadamanthys 2024-11-06 ⋅ Check Point Research ⋅ Check Point Research\r\nCopyRh(ight)adamantys Campaign: Rhadamantys Exploits Intellectual Property Infringement Baits\r\nRhadamanthys 2024-10-23 ⋅ Cisco Talos ⋅ Edmund Brumaghin, Holger Unterbrink, Jordyn Dunk, Nicole Hoffman\r\nHighlighting TA866/Asylum Ambuscade Activity Since 2021\r\nWasabiSeed Cobalt Strike csharp-streamer RAT Resident Rhadamanthys WarmCookie 2024-10-17 ⋅ Sekoia ⋅ Quentin\r\nBourgue, Sekoia TDR\r\nClickFix tactic: The Phantom Meet\r\nRhadamanthys Stealc 2024-09-26 ⋅ Recorded Future ⋅ Insikt Group\r\nRhadamanthys Stealer Adds Innovative AI Feature in Version 0.7.0\r\nRhadamanthys 2024-07-25 ⋅ Symantec ⋅ Symantec\r\nGrowing Number of Threats Leveraging AI\r\nBroomstick 
DBatLoader NetSupportManager RAT Rhadamanthys 2024-07-24 ⋅ Check Point Research ⋅ Antonis Terefos\r\nStargazers Ghost Network\r\nAtlantida Lumma Stealer RedLine Stealer Rhadamanthys RisePro Stargazer Goblin 2024-07-14 ⋅ Medium b.magnezi ⋅\r\n0xMrMagnezi\r\nMalware Analysis - Rhadamanthys\r\nRhadamanthys 2024-07-09 ⋅ Spamhaus ⋅ Spamhaus Malware Labs\r\nSpamhaus Botnet Threat Update January to June 2024\r\nCoper FluBot Hook Bashlite Mirai FAKEUPDATES AsyncRAT BianLian Cobalt Strike DCRat Havoc NjRAT\r\nQakBot Quasar RAT RedLine Stealer Remcos Rhadamanthys RisePro Sliver 2024-06-17 ⋅ Recorded Future ⋅ Insikt\r\nGroup\r\nThe Travels of “markopolo”: Self-Proclaimed Meeting Software Vortax Spreads Infostealers, Unveils Expansive\r\nNetwork of Malicious macOS Applications\r\nAMOS Rhadamanthys Stealc Markopolo 2024-04-10 ⋅ Proofpoint ⋅ Selena Larson, Tommy Madjar\r\nSecurity Brief: TA547 Targets German Organizations with Rhadamanthys Stealer\r\nRhadamanthys 2024-01-12 ⋅ Spamhaus ⋅ Spamhaus Malware Labs\r\nSpamhaus Botnet Threat Update Q4 2023\r\nFluBot Hook FAKEUPDATES AsyncRAT BianLian Cobalt Strike DCRat Havoc IcedID Lumma Stealer\r\nMeterpreter NjRAT Pikabot QakBot Quasar RAT RecordBreaker RedLine Stealer Remcos Rhadamanthys Sliver\r\n2023-12-14 ⋅ Checkpoint ⋅ hasherezade\r\nRhadamanthys v0.5.0 – A Deep Dive into the Stealer’s Components\r\nRhadamanthys 2023-10-27 ⋅ Elastic ⋅ Joe Desimone, Salim Bitam\r\nGHOSTPULSE haunts victims using defense evasion bag o' tricks\r\nHijackLoader Lumma Stealer NetSupportManager RAT Rhadamanthys SectopRAT Vidar 2023-10-12 ⋅ Spamhaus ⋅\r\nSpamhaus Malware Labs\r\nSpamhaus Botnet Threat Update Q3 2023\r\nFluBot AsyncRAT Ave Maria Cobalt Strike DCRat Havoc IcedID ISFB Nanocore RAT NjRAT QakBot Quasar\r\nRAT RecordBreaker RedLine Stealer Remcos Rhadamanthys Sliver Stealc Tofsee Vidar 2023-10-03 ⋅ Outpost24 ⋅\r\nDavid Catalan\r\nRhadamanthys malware analysis: 
How infostealers use VMs to avoid analysis\r\nRhadamanthys 2023-09-25 ⋅ EchoCTI ⋅ Bilal BAKARTEPE, bixploit\r\nRhdamanthys Technical Analysis Report\r\nRhadamanthys 2023-08-31 ⋅ Checkpoint ⋅ hasherezade\r\nFrom Hidden Bee to Rhadamanthys - The Evolution of Custom Executable Formats\r\nHidden Bee Rhadamanthys 2023-07-11 ⋅ Spamhaus ⋅ Spamhaus Malware Labs\r\nSpamhaus Botnet Threat Update Q2 2023\r\nHydra AsyncRAT Aurora Stealer Ave Maria BumbleBee Cobalt Strike DCRat Havoc IcedID ISFB NjRAT QakBot\r\nQuasar RAT RecordBreaker RedLine Stealer Remcos Rhadamanthys Sliver Tofsee 2023-06-15 ⋅ eSentire ⋅\r\nRussianPanda\r\neSentire Threat Intelligence Malware Analysis: Resident Campaign\r\nCobalt Strike Resident Rhadamanthys WarmCookie 2023-05-16 ⋅ Secureworks ⋅ Counter Threat Unit ResearchTeam\r\nThe Growing Threat from Infostealers\r\nGraphiron GraphSteel Raccoon RedLine Stealer Rhadamanthys Taurus Stealer Vidar 2023-04-19 ⋅ Google ⋅ Billy\r\nLeonard, Google Threat Analysis Group\r\nUkraine remains Russia’s biggest cyber focus in 2023\r\nRhadamanthys 2023-04-12 ⋅ Spamhaus ⋅ Spamhaus Malware Labs\r\nSpamhaus Botnet Threat Update Q1 2023\r\nFluBot Amadey AsyncRAT Aurora Ave Maria BumbleBee Cobalt Strike DCRat Emotet IcedID ISFB NjRAT\r\nQakBot RecordBreaker RedLine Stealer Remcos Rhadamanthys Sliver Tofsee Vidar 2023-03-27 ⋅ Check Point\r\nResearch ⋅ Checkpoint Research\r\nRhadamanthys: The “Everything Bagel” Infostealer\r\nRhadamanthys 2023-02-21 ⋅ Zscaler ⋅ Nikolaos Pantazopoulos, Sarthak Misraa\r\nTechnical Analysis of Rhadamanthys Obfuscation Techniques\r\nRhadamanthys 2023-01-16 ⋅ Medium elis531989 ⋅ Eli Salem\r\nDancing With Shellcodes: Analyzing Rhadamanthys Stealer\r\nRhadamanthys 2023-01-12 ⋅ Cybleinc ⋅ Cyble\r\nRhadamanthys: New Stealer Spreading Through Google Ads\r\nRhadamanthys 2023-01-03 ⋅ Malware Traffic Analysis ⋅ Brad Duncan\r\n2023-01-03 (TUESDAY) - GOOGLE AD --\u003e FAKE NOTPAD++ PAGE --\u003e RHADAMANTHYS STEALER\r\nRhadamanthys 2022-12-05 ⋅ Accenture ⋅ 
Paul Mansfield, Thomas Willkan\r\nPopularity spikes for information stealer malware on the dark web\r\nMetaStealer Rhadamanthys 2022-10-06 ⋅ ThreatMon ⋅ ThreatMon Malware Research Team\r\nRhadamanthys Stealer Analysis\r\nRhadamanthys\r\n[TLP:WHITE] win_rhadamanthys_auto (20251219 | Detects win.rhadamanthys.)\r\nSource: https://malpedia.caad.fkie.fraunhofer.de/details/win.rhadamanthys",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://malpedia.caad.fkie.fraunhofer.de/details/win.rhadamanthys"
	],
	"report_names": [
		"win.rhadamanthys"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "02e5c3b8-54b4-4170-b200-7f1fd361b5a9",
			"created_at": "2022-10-25T16:07:24.557505Z",
			"updated_at": "2026-04-10T02:00:05.032451Z",
			"deleted_at": null,
			"main_name": "Scully Spider",
			"aliases": [
				"Scully Spider",
				"TA547"
			],
			"source_name": "ETDA:Scully Spider",
			"tools": [
				"DanaBot",
				"Lumma Stealer",
				"LummaC2",
				"NetSupport",
				"NetSupport Manager",
				"NetSupport Manager RAT",
				"NetSupport RAT",
				"NetSupportManager RAT",
				"Rhadamanthys",
				"Rhadamanthys Stealer",
				"Stealc"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4fad0171-9089-4bc8-83c5-727ee455f6fe",
			"created_at": "2024-06-25T02:00:05.035985Z",
			"updated_at": "2026-04-10T02:00:03.657798Z",
			"deleted_at": null,
			"main_name": "Markopolo",
			"aliases": [],
			"source_name": "MISPGALAXY:Markopolo",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4e70c7c6-264e-454d-865e-59eebd9c5253",
			"created_at": "2025-05-29T02:00:03.204306Z",
			"updated_at": "2026-04-10T02:00:03.859941Z",
			"deleted_at": null,
			"main_name": "Water Gamayun",
			"aliases": [],
			"source_name": "MISPGALAXY:Water Gamayun",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "af10aec6-36a8-4bdb-ba47-8f75b6a4aa4b",
			"created_at": "2025-03-07T02:00:03.797427Z",
			"updated_at": "2026-04-10T02:00:03.821929Z",
			"deleted_at": null,
			"main_name": "Larva-208",
			"aliases": [
				"EncryptHub"
			],
			"source_name": "MISPGALAXY:Larva-208",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "72bc3519-a265-4136-b85a-d5e331f085b1",
			"created_at": "2023-01-06T13:46:39.313045Z",
			"updated_at": "2026-04-10T02:00:03.28438Z",
			"deleted_at": null,
			"main_name": "TA547",
			"aliases": [],
			"source_name": "MISPGALAXY:TA547",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e8dd54ac-a3fa-4496-8b17-a9360ad13927",
			"created_at": "2024-07-28T02:00:04.686094Z",
			"updated_at": "2026-04-10T02:00:03.680897Z",
			"deleted_at": null,
			"main_name": "Stargazer Goblin",
			"aliases": [],
			"source_name": "MISPGALAXY:Stargazer Goblin",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "59d91b6f-bccf-4ae4-a14c-028b198848b6",
			"created_at": "2023-03-10T02:01:52.119563Z",
			"updated_at": "2026-04-10T02:00:03.36177Z",
			"deleted_at": null,
			"main_name": "TA866",
			"aliases": [],
			"source_name": "MISPGALAXY:TA866",
			"tools": [
				"Screenshotter",
				"AHK Bot",
				"WasabiSeed"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434730,
	"ts_updated_at": 1775792082,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/59193c7ba27f575ec8708eadbb58b47f824be174.pdf",
		"text": "https://archive.orkl.eu/59193c7ba27f575ec8708eadbb58b47f824be174.txt",
		"img": "https://archive.orkl.eu/59193c7ba27f575ec8708eadbb58b47f824be174.jpg"
	}
}