{
	"id": "b53ee933-f106-40f7-b25c-a2c6bd8353f5",
	"created_at": "2026-04-06T00:16:03.413808Z",
	"updated_at": "2026-04-10T03:37:08.519729Z",
	"deleted_at": null,
	"sha1_hash": "88a69bd4cae55d4e3400a5f34fccc827fcc9c9da",
	"title": "RhadaManthys Stealer Spreading Via Google Ads: Key Insights",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1429260,
	"plain_text": "RhadaManthys Stealer Spreading Via Google Ads: Key Insights\r\nPublished: 2023-01-12 · Archived: 2026-04-05 14:14:12 UTC\r\nCRIL analyzes Rhadamanthys Stealer, a new strain of malware spread via Google Ads to steal users' sensitive information.\r\nEvasive Infostealer Leveraging Phishing and Spam Campaigns for Its Delivery\r\nThreat Actors (TAs) are increasingly using spam emails and phishing websites to trick users into downloading malware such as stealers and Remote Access Trojans (RATs), infecting their machines and stealing sensitive information. Cyble Research \u0026 Intelligence Labs (CRIL) actively monitors stealer malware and publishes blogs about it to inform and educate its readers.\r\nRecently, we came across a new strain of malware called “Rhadamanthys Stealer.” The stealer is active, and the TA behind it sells it under the Malware-as-a-Service (MaaS) model.\r\nRhadamanthys Stealer spreads through Google Ads that redirect the user to phishing websites mimicking popular software such as Zoom, AnyDesk, Notepad++ and BlueStacks. It can also spread via spam emails carrying an attachment that delivers the malicious payload.\r\nSpam Email\r\nThe Rhadamanthys infection starts with a spam email containing a PDF attachment named “Statement.pdf”, as shown in the figure below.\r\nhttps://blog.cyble.com/2023/01/12/rhadamanthys-new-stealer-spreading-through-google-ads/\r\nPage 1 of 12\r\nFigure 1 – Spam email with PDF attachment\r\nWhen the attachment is opened, it displays a message claiming to be an “Adobe Acrobat DC Updater” and includes a download link labelled “Download Update,” as shown below.\r\nFigure 2 – PDF document with a download link\r\nWhen a user clicks the “Download Update” link, a malware executable is downloaded from the URL “https[:]//zolotayavitrina[.]com/Jan-statement[.]exe” into the Downloads folder.\r\nUpon execution of “Jan-statement.exe”, the stealer runs and begins stealing sensitive information from the victim’s machine. The figure below illustrates the process tree of the Rhadamanthys Stealer delivered via spam email.\r\nFigure 3 – Process tree of the stealer downloaded via spam email\r\nPhishing Sites\r\nThe TAs behind this campaign also created highly convincing phishing webpages impersonating legitimate software vendors to trick users into downloading the stealer. Links to these phishing websites are spread through Google Ads. We have observed several phishing domains created to distribute this malware, including the following:\r\nbluestacks-install[.]com\r\nzoomus-install[.]com\r\ninstall-zoom[.]com\r\ninstall-anydesk[.]com\r\ninstall-anydeslk[.]com\r\nzoom-meetings-install[.]com\r\nzoom-meetings-download[.]com\r\nanydleslk-download[.]com\r\nzoomvideo-install[.]com\r\nzoom-video-install[.]com\r\nistaller-zoom[.]com\r\nnoteepad.hasankahrimanoglu[.]com[.]tr\r\nEach phishing website serves an installer file disguised as the legitimate installer of the respective application. While the legitimate application is installed, the installer also silently installs the stealer without the user’s knowledge. The figure below shows the process tree of the malicious AnyDesk installer deploying Rhadamanthys Stealer.\r\nFigure 4 – Process tree of the malicious AnyDesk installer deploying the stealer\r\nPayload Analysis\r\nUpon execution, the installer creates a folder named “ST” in the %temp% location and drops two hidden executable files:\r\nInitialize 4.exe\r\nRuntime Broker.exe\r\nThe loader “Runtime Broker.exe” is a 32-bit PyInstaller executable with SHA256 db66fc58c07ba0ccbe1b9c2db770179d0d931e5bf73838da9c915581661d4c1a. Note that the name imitates the legitimate Windows “RuntimeBroker.exe” (spelled without a space), which lives in %windir%\\System32 rather than %temp%. Additional file details are shown in the figure below.\r\nFigure 5 – Static file details of “Runtime Broker.exe”\r\nUpon execution, “Runtime Broker.exe” drops multiple Python support files in the %temp% folder. These include “.pyc”, “.pyd” and “.dll” files extracted from the PyInstaller executable, as shown below.\r\nFigure 6 – Extracted files of the PyInstaller executable\r\n“Binary_Stub_Replacer.pyc” is a compiled Python file containing obfuscated raw data. The data is de-obfuscated with a string replace operation and then converted from binary to ASCII to yield the second-stage malicious Python code, as shown below.\r\nFigure 7 – Decompiled Python content of Binary_Stub_Replacer.pyc\r\nThe decoded Python code embeds base64-encoded content that is a shellcode. When executed, the Python code decodes the base64 stub, producing a new Portable Executable (PE) payload. The PE file is then injected into a new “Runtime Broker.exe” process using the CreateThread() API function, as shown in the image below.\r\nFigure 8 – Decoded payload from the base64 stub\r\nThe image below shows the details of the shellcode, which is a 32-bit executable compiled with the Microsoft Visual C/C++ compiler.\r\nFigure 9 – Payload file details\r\nUpon execution, the shellcode begins by creating a mutex object to ensure that only one copy of the malware runs on the victim’s system at any given time. It then checks whether it is running on a virtual machine such as VMware or VirtualBox by searching for strings associated with virtual machine environments, as shown in the figure below.\r\nFigure 10 – Anti-VM related strings\r\nThis check is designed to hinder detection and analysis in a virtual environment. If the malware detects that it is running in a controlled environment, it terminates; otherwise it continues and performs the stealer activity as intended.\r\nAfter the check, the shellcode drops a DLL named “nsis_unsibcfb0.dll” in the %temp% folder and launches it using “rundll32.exe” with the specific parameters shown in the figure below.\r\nFigure 11 – Execution of the dropped DLL\r\nWhile investigating this malware, we observed that a steganographic image was downloaded from the remote server. We suspect that the shellcode decrypts this image to obtain the actual Rhadamanthys payload; the memory of rundll32.exe contains all the malicious code responsible for the stealer activity.\r\nThe Rhadamanthys Stealer then starts collecting system information by executing a series of Windows Management Instrumentation (WMI) queries. 
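The execution chain described above lends itself to a few endpoint checks: the loader runs as ‘Runtime Broker.exe’ (with a space) from %temp%\\ST, whereas the genuine RuntimeBroker.exe lives in System32; rundll32.exe is handed a DLL from a temp directory; and the SHA256 hashes and phishing domains the report lists can be matched directly. The Python below is an added example (not code from the report or from Cyble) that replays constructed process-creation and DNS events through those checks. The event layout, the victim user name, the SysWOW64 rundll32 path and the export name on the rundll32 command line are assumptions for the demo; the hashes and domains are the ones the report lists.

```python
# Added triage example (not code from the Cyble report). It replays constructed
# endpoint events through checks for the Rhadamanthys execution chain: the loader
# masquerading as 'Runtime Broker.exe' under %temp%\\ST, rundll32 loading a DLL
# from a temp directory, and the report's SHA256 / domain indicators.
# Event layout, user name and command lines are assumptions made for the demo.
import ntpath

# SHA256 indicators quoted from the report's IOC table.
IOC_SHA256 = {
    'db66fc58c07ba0ccbe1b9c2db770179d0d931e5bf73838da9c915581661d4c1a': 'Runtime Broker.exe (PyInstaller loader)',
    'fe99a49596fc6f841b7605021da6fce7f6c817d5247d880227f790388a7cabe4': 'shellcode executable',
    '093a58f36c075644d1dc8856acdefad7fd22332444b6aa07fee2ad615d50b743': 'malicious AnyDesk.msi',
}
# Phishing domains listed in the report, with the [.] defanging removed.
IOC_DOMAINS = {
    'bluestacks-install.com', 'zoomus-install.com', 'install-zoom.com',
    'install-anydesk.com', 'install-anydeslk.com', 'zoom-meetings-install.com',
    'zoom-meetings-download.com', 'anydleslk-download.com', 'zoomvideo-install.com',
    'zoom-video-install.com', 'istaller-zoom.com', 'noteepad.hasankahrimanoglu.com.tr',
}
TEMP_MARKERS = ('\\appdata\\local\\temp\\', '\\windows\\temp\\')
SYSTEM32 = 'c:\\windows\\system32\\'


def in_temp(path):
    # True when a path points into a per-user or system temp directory.
    return any(marker in path.lower() for marker in TEMP_MARKERS)


def triage_process(image, cmdline, sha256=None):
    # Return the reasons a process-creation event matches the chain (empty list if clean).
    reasons = []
    img = image.lower()
    base = ntpath.basename(img)
    # The genuine broker is C:\\Windows\\System32\\RuntimeBroker.exe, spelled without a space.
    if base == 'runtime broker.exe' or (base == 'runtimebroker.exe' and not img.startswith(SYSTEM32)):
        reasons.append('RuntimeBroker masquerade: ' + image)
    # The installer stages its two hidden executables in %temp%\\ST.
    if in_temp(img) and '\\st\\' in img:
        reasons.append('executable launched from %temp%\\ST')
    # rundll32 loading a DLL from a temp directory (nsis_unsibcfb0.dll in the report).
    low = cmdline.lower()
    dll_end = low.find('.dll')
    if base == 'rundll32.exe' and dll_end != -1 and in_temp(low[:dll_end]):
        reasons.append('rundll32 loading a DLL from a temp directory')
    if sha256 and sha256.lower() in IOC_SHA256:
        reasons.append('known-bad SHA256: ' + IOC_SHA256[sha256.lower()])
    return reasons


def triage_dns(query):
    # Match a DNS query against the phishing domains, including subdomains of them.
    q = query.lower().rstrip('.')
    return any(q == d or q.endswith('.' + d) for d in IOC_DOMAINS)


def run_triage(events):
    # Replay a list of event dicts and collect (subject, reason) alerts.
    alerts = []
    for ev in events:
        if ev['type'] == 'process':
            for reason in triage_process(ev['image'], ev['cmdline'], ev.get('sha256')):
                alerts.append((ev['image'], reason))
        elif ev['type'] == 'dns' and triage_dns(ev['query']):
            alerts.append((ev['query'], 'DNS query for a listed phishing domain'))
    return alerts


# Constructed sample telemetry: two benign events and three from the described chain.
# The SysWOW64 path (32-bit payload) and the ',Start' export are assumptions.
SAMPLE_EVENTS = [
    {'type': 'process', 'image': 'C:\\Windows\\System32\\RuntimeBroker.exe',
     'cmdline': 'C:\\Windows\\System32\\RuntimeBroker.exe -Embedding'},
    {'type': 'process', 'image': 'C:\\Users\\victim\\AppData\\Local\\Temp\\ST\\Runtime Broker.exe',
     'cmdline': 'Runtime Broker.exe',
     'sha256': 'db66fc58c07ba0ccbe1b9c2db770179d0d931e5bf73838da9c915581661d4c1a'},
    {'type': 'process', 'image': 'C:\\Windows\\SysWOW64\\rundll32.exe',
     'cmdline': 'rundll32.exe C:\\Users\\victim\\AppData\\Local\\Temp\\nsis_unsibcfb0.dll,Start'},
    {'type': 'dns', 'query': 'anydesk.com'},
    {'type': 'dns', 'query': 'install-anydeslk.com'},
]

if __name__ == '__main__':
    for subject, reason in run_triage(SAMPLE_EVENTS):
        print(reason, '<-', subject)
```

Running the script prints five alerts for the three malicious sample events (three for the staged loader, one for rundll32, one for the DNS query) and nothing for the genuine RuntimeBroker.exe or the real anydesk.com lookup. The masquerade check deliberately keys on the file name and parent directory rather than on a hash, since the loader hash changes with every rebuild while the drop location and name are part of the installer's behaviour.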
The collected information includes the computer name, username, OS version, RAM, CPU information, HWID, time zone, user and keyboard language, and more.\r\nAfter gathering system details, the malware enumerates the directories of the browsers installed on the victim’s machine and searches for browser data such as browsing history, bookmarks, cookies, auto-fill data and login credentials. It targets browsers including Brave, Edge, Chrome, Firefox, Opera, Sleipnir5, Pale Moon and CocCoc.\r\nCrypto Wallets\r\nThe stealer is also designed to target various crypto wallets and collect data from them. While the malware can target a wide range of wallets, the observed samples contained specific functionality for the following:\r\nArmory\r\nBinance\r\nBitcoin\r\nBytecoin\r\nElectron\r\nQtum-Electrum\r\nSolar wallet\r\nWalletWasabi\r\nZap\r\nZecwallet Lite\r\nZcash\r\nRhadamanthys also steals data from the crypto wallet browser extensions hard-coded in the stealer binary, shown with their extension IDs in the image below.\r\nFigure 12 – Targeted crypto wallet extensions with their extension IDs\r\nThe stealer further targets applications such as FTP clients (CoreFTP, WinSCP), email clients (Foxmail, Thunderbird, Outlook, TrulyMail, GmailNotifierPro), file managers (Total Commander), password managers (RoboForm, KeePass), VPN clients (NordVPN, ProtonVPN, Windscribe VPN, OpenVPN), messaging applications (Tox, Discord, Telegram) and others. Additionally, it captures screenshots of the victim’s desktop using the BitBlt() API function. Finally, it sends all the collected information to the attacker’s C\u0026C server.\r\nC\u0026C Panel\r\nThe figure below shows the Rhadamanthys Stealer’s active C\u0026C panel.\r\nFigure 13 – Rhadamanthys Stealer C\u0026C panel\r\nConclusion\r\nInformation stealers are malicious software used to gain unauthorized access to corporate networks and have become a serious concern. Threat Actors use various techniques to deploy their payloads onto victims’ systems. In this case, the TAs used spam emails and phishing websites to deliver Rhadamanthys Stealer, which is designed to steal sensitive information from the victim’s machine, and the phishing websites were promoted through Google Ads. Users should exercise caution with spam emails and unfamiliar websites and verify the source before downloading any application.\r\nCyble Research and Intelligence Labs will continue monitoring new malware strains in the wild and updating its blogs with actionable intelligence to protect users from such attacks.\r\nOur Recommendations\r\nThe initial infection may happen via spam emails or phishing websites, so enterprises should use security products that detect phishing emails and websites.\r\nAvoid downloading pirated software from warez/torrent websites. “Hack tools” offered on sites such as YouTube and torrent sites frequently contain such malware.\r\nUse strong passwords and enforce multi-factor authentication wherever possible.\r\nTurn on automatic software updates on your computer, mobile and other connected devices.\r\nUse a reputable anti-virus and internet security package on your connected devices, including PCs, laptops and mobiles.\r\nRefrain from opening untrusted links and email attachments without first verifying their authenticity.\r\nEducate employees on protecting themselves from threats like phishing and untrusted URLs.\r\nBlock URLs that could be used to spread the malware, e.g., torrent/warez sites.\r\nMonitor beaconing at the network level to block data exfiltration by malware or TAs.\r\nMITRE ATT\u0026CK® Techniques\r\nTactic – Technique ID – Technique Name\r\nInitial Access – T1566.001 – Spearphishing Attachment\r\nExecution – T1204 – User Execution\r\nExecution – T1059 – Command and Scripting Interpreter\r\nPrivilege Escalation – T1055 – Process Injection\r\nDefense Evasion – T1218 – Rundll32\r\nDefense Evasion – T1027 – Obfuscated Files or Information\r\nDefense Evasion – T1497 – Virtualization/Sandbox Evasion\r\nCredential Access – T1003 – OS Credential Dumping\r\nCredential Access – T1056 – Input Capture\r\nCredential Access – T1552 – Credentials in Registry\r\nDiscovery – T1082 – System Information Discovery\r\nDiscovery – T1518 – Security Software Discovery\r\nDiscovery – T1083 – File and Directory Discovery\r\nDiscovery – T1087 – Account Discovery\r\nCollection – T1005 – Data from Local System\r\nCollection – T1114 – Email Collection\r\nCommand and Control – T1071 – Application Layer Protocol\r\nCommand and Control – T1095 – Non-Application Layer Protocol\r\nCommand and Control – T1105 – Ingress Tool Transfer\r\nIndicators of Compromise (IOCs)\r\nIndicator – Indicator Type – Description\r\n046981c818bd26e7c28b12b998847038e6b64c44df6645438dae689d75fb0269 – SHA256 – Spam email\r\n4f4b5407d607ee32e00477a9f4294600ca86b67729ff4053b95744433117fccf – SHA256 – Spam email\r\n4a55c833abf08ecfe4fb3a7f40d34ae5aec5850bc2d79f977c8ee5e8a6f450d4 – SHA256 – PDF attachment (Statement.pdf)\r\n093a58f36c075644d1dc8856acdefad7fd22332444b6aa07fee2ad615d50b743 – SHA256 – AnyDesk.msi\r\ndb66fc58c07ba0ccbe1b9c2db770179d0d931e5bf73838da9c915581661d4c1a – SHA256 – Runtime Broker.exe\r\nfe99a49596fc6f841b7605021da6fce7f6c817d5247d880227f790388a7cabe4 – SHA256 – Shellcode exe\r\nSource: https://blog.cyble.com/2023/01/12/rhadamanthys-new-stealer-spreading-through-google-ads/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.cyble.com/2023/01/12/rhadamanthys-new-stealer-spreading-through-google-ads/"
	],
	"report_names": [
		"rhadamanthys-new-stealer-spreading-through-google-ads"
	],
	"threat_actors": [
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434563,
	"ts_updated_at": 1775792228,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/88a69bd4cae55d4e3400a5f34fccc827fcc9c9da.pdf",
		"text": "https://archive.orkl.eu/88a69bd4cae55d4e3400a5f34fccc827fcc9c9da.txt",
		"img": "https://archive.orkl.eu/88a69bd4cae55d4e3400a5f34fccc827fcc9c9da.jpg"
	}
}