The developers of the Rhadamanthys information stealer have introduced advanced features to the malware, which now includes the use of artificial intelligence (AI) for optical character recognition (OCR) in a process known as “Seed Phrase Image Recognition.”
Recorded Future’s Insikt Group stated in an analysis of version 0.7.0 of the malware that this enhancement enables Rhadamanthys to extract cryptocurrency wallet seed phrases from images, making it a significant threat for individuals involved in cryptocurrencies.
The malware is able to detect seed phrase images on the client side and transmit them to the command-and-control (C2) server for further exploitation.
Rhadamanthys, first detected in the wild in September 2022, has become a prominent information stealer available under the malware-as-a-service (MaaS) model, along with other threats like Lumma.
Despite facing bans from underground forums targeting Russian and former Soviet Union entities, the malware’s developer, known as “kingcrete,” has found ways to market new versions on communication platforms such as Telegram, Jabber, and TOX.
Recorded Future, a cybersecurity company soon to be acquired by Mastercard for $2.65 billion, revealed that Rhadamanthys is sold as a subscription service for $250 per month (or $550 for 90 days), allowing customers to harvest a wide array of sensitive information from compromised hosts.
This includes system information, credentials, cryptocurrency wallets, browser passwords, cookies, and data from various applications, while also implementing measures to complicate analysis efforts in sandboxed environments.
The most recent version of Rhadamanthys, version 0.7.0, released in June 2024, brings significant improvements compared to the previous version (0.6.0 from February 2024), incorporating new features like 30 wallet-cracking algorithms, AI-powered graphics, and PDF recognition for phrase extraction.
Additionally, the malware now allows threat actors to run and install Microsoft Software Installer (MSI) files to evade detection by security solutions, as well as a setting to prevent re-execution within a customizable time frame.
| Rhadamanthys’s high-level infection chain |
Rhadamanthys’s plugin system allows for the addition of keylogger, cryptocurrency clipper, and reverse proxy functionalities to enhance the malware’s capabilities.
Recorded Future warned that Rhadamanthys, with its rapid development and innovative features, is a popular choice for cybercriminals and poses a significant threat that all organizations should be prepared for.
As part of ongoing developments, Google-owned Mandiant revealed Lumma Stealer’s use of control flow indirection to manipulate the execution of the malware, hindering reverse engineering processes and detection tooling.
Rhadamanthys, Lumma, and other information stealer families have been updating their capabilities to collect cookies from the Chrome web browser, bypassing security mechanisms like app-bound encryption.
Moreover, developers behind the WhiteSnake Stealer have added the ability to extract CVC codes from credit cards stored in Chrome, showcasing the continuous evolution of the malware landscape.
In addition to these developments, researchers have identified an Amadey malware campaign employing an AutoIt script to launch victims’ browsers in kiosk mode to capture Google account credentials.
These updates come in the wake of new drive-by download campaigns, distributing information stealers through deceptive CAPTCHA verification pages that trick users into executing PowerShell code.
Phishing and malvertising campaigns have also been observed distributing various information stealers, highlighting the evolving nature of the malware landscape and the constant threat posed by cybercriminals.
