
The (Praying) Rhadamanthys Stealer sucks the core of devices and browsers

  • Javier Conejo del Cerro
  • Oct 6
  • 4 min read

Updated: Oct 15


A silent predator has evolved beneath the surface of cybercrime. The Rhadamanthys Stealer is back with new instincts. Version 0.9.2 pairs device and browser fingerprinting with steganographic payload delivery, hiding encrypted executables inside innocent-looking PNG, JPEG, or WAV files. What began as a small underground project is now a structured business: a polished Malware-as-a-Service (MaaS) operation sold under the “RHAD Security” and “Mythical Origin Labs” brands for $299 to $499 per month, complete with tiered support, enterprise packages, and marketing flair.

Once again, the mantis bows its head before striking — and this time, it hunts not just for passwords, but for the identity of every connected device.


Phase 1: The Resurrection of a Predator 


Rhadamanthys’ journey mirrors the evolution of modern cybercrime. Once another stealer competing with Lumma, StealC, Vidar, and RedLine, it has now matured into a corporate-grade threat platform. Early versions focused on simple credential extraction. Now, its capabilities reach deep into device fingerprinting, browser profiling, system telemetry, and hidden payload execution.

Version 0.9.2 delivers its core payload steganographically, still an unusual technique for a commodity stealer. Instead of dropping a visible executable, the command-and-control (C2) server sends a PNG file that carries an encrypted payload inside its image data. Once decrypted with a session key shared with the C2, the binary is launched directly from memory. The result: no executable crosses the wire or touches disk in the clear, so signature-based inspection of the download sees only an image, and the payload exists as a recognizable binary only inside the memory of the infected process.

Behind this technical polish lies a deliberate business strategy. The operators have rebranded themselves as “RHAD Security” and “Mythical Origin Labs”, adopting the tone and aesthetics of legitimate vendors. They publish updates, offer “priority support,” and maintain multiple subscription plans — signaling that Rhadamanthys is here to stay as a commercialized cybercrime brand.


Phase 2: The Prey 


The victims of this evolution are not random. They are the knowledge workers of the digital age — the people and devices that sit closest to valuable data.

  • Corporate employees who store credentials in browsers for convenience.

  • Finance teams managing ERP systems and online banking portals.

  • Developers and IT admins with privileged access to servers and repositories.

  • Crypto traders and investors whose wallets contain seed phrases and keys.

Rhadamanthys exploits the trust between users and their devices. Whether a home computer or a corporate endpoint, every infected system becomes a data collection node, silently exfiltrating everything from credentials and tokens to wallet phrases and browsing history.

In this new model, data theft scales like software distribution. As affiliates spread the stealer through cracked applications, phishing campaigns, or malvertising, both home and business environments become part of a global network of compromised endpoints.


Phase 3: The Hunt Begins — Stealth and Steganography 


Like a praying mantis waiting for its prey, Rhadamanthys proceeds with precision. Before launching any action, it performs multiple environmental checks to avoid exposure.

It analyzes hardware identifiers, usernames, and the desktop wallpaper to detect virtual machines and sandboxes (analysis services often ship a recognizable default wallpaper), cross-referencing them against internal blocklists. It inspects running processes and registry values, hunting for anything tied to analysis tools or research environments.

Only once it confirms a legitimate target does it connect to its C2 infrastructure and download its core payload, disguised as a media file. Using steganography, the actual malware hides inside the image data of a PNG or JPEG, or the sample data of a WAV. After decrypting it with a shared secret exchanged with the C2, Rhadamanthys deploys its modules.

At its core lies a Lua-based runner, capable of loading plugins dynamically. These modules handle everything from credential theft and session token hijacking to telemetry extraction and file enumeration. The stealer’s developers constantly alter obfuscation patterns and module names, ensuring that even when analysts catch up, their next build is already one step ahead.

This combination of evasion, modularity, and steganography places Rhadamanthys among the most technically advanced infostealers currently active in the wild.


Phase 4: The Business Behind the Bug 


Behind the polished code lies a business model that mirrors the software industry it exploits. Rhadamanthys operates under a subscription-based MaaS model, offering:

  • $299/month self-hosted plan — for independent operators.

  • $499/month premium plan — with managed infrastructure and API access.

  • Custom enterprise licenses — negotiated privately, with support and customization.

Each subscription includes regular updates, customer support, and access to private communication channels. Check Point researchers describe it as a “professionalized criminal enterprise”, not a side hustle. The branding, tiered pricing, and marketing tone of “RHAD Security” position it closer to a cybersecurity startup than a hacker collective.

For defenders, this is a turning point: malware is no longer a transient underground product — it is an ecosystem with clients, roadmaps, and service-level agreements. Rhadamanthys’ persistence is not just technical but economic. It will not disappear because it has paying customers.


Phase 5: Measures to Fend Off the Mantis 


Defending against Rhadamanthys requires a balance between technical detection and strategic awareness:

  • Update threat signatures and configuration parsers to keep pace with obfuscation changes.

  • Inspect media files (PNG, JPEG, WAV) fetched from untrusted sources for signs of embedded payloads: data trailing the end-of-file marker, non-standard or oversized ancillary chunks, and high-entropy regions that ordinary image metadata would not produce.

  • Monitor outbound network traffic for encoded C2 communications, especially long Base64-like or otherwise high-entropy tokens in URL paths, query strings, and POST bodies, periodic beaconing, and anomalous HTTP requests to newly seen domains.

  • Harden browsers and endpoints with EDR that captures behavioural telemetry, in particular in-memory execution of content decoded from image files and access to browser credential stores by non-browser processes; reduce the payoff of a successful infection by moving browser-saved passwords into a managed vault and requiring phishing-resistant MFA.

  • Block suspicious multimedia downloads and scan attachments that masquerade as images.

  • Audit endpoints for Lua-based modules and unrecognized script activity.

  • Educate users and security teams about steganography-based delivery and new MaaS threats.
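The delivery mechanism described in Phase 3 hides an encrypted payload inside an image, and the list above recommends inspecting such files. The script below is an added example written for this article; it is not code from the original post, from Check Point, or from the malware, and it does not decode Rhadamanthys' own container format, which the post does not describe. It performs the generic structural checks a defender can apply to any PNG: it walks the chunk list, verifies each CRC, flags chunk types outside the PNG specification, measures the entropy of large ancillary chunks (viewers ignore chunks they do not understand, which makes them a convenient hiding place), and reports any bytes after the IEND chunk. The two sample files, including the stand-in "payload", are constructed in code, so it runs offline.

```python
"""Structural inspection of PNG files for steganographic carriers.

Added example for this article; not Rhadamanthys code and not a decoder for
its container format. Generic checks for any PNG from an untrusted source:
unknown chunk types, CRC mismatches, large high-entropy ancillary chunks,
and data trailing the IEND chunk. Both sample files are constructed below.
"""
import hashlib
import math
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Chunk types from the PNG specification and its registered extensions.
KNOWN_CHUNKS = {
    b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"cHRM", b"gAMA", b"iCCP",
    b"sBIT", b"sRGB", b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"hIST", b"pHYs",
    b"sPLT", b"tIME", b"eXIf",
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext or compressed data, lower for structured content."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def inspect_png(blob: bytes, entropy_threshold: float = 7.2, min_suspect_len: int = 256) -> list[str]:
    """Walk the chunk list and return human-readable findings (empty list = structurally clean)."""
    findings = []
    if not blob.startswith(PNG_SIG):
        return ["not a PNG: bad signature"]
    pos = len(PNG_SIG)
    saw_iend = False
    while pos + 8 <= len(blob) and not saw_iend:
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        end = pos + 12 + length  # 4 length + 4 type + data + 4 CRC
        if end > len(blob):
            findings.append(f"truncated chunk {ctype!r} at offset {pos}")
            return findings
        data = blob[pos + 8:pos + 8 + length]
        (crc_stored,) = struct.unpack(">I", blob[end - 4:end])
        if crc_stored != (zlib.crc32(ctype + data) & 0xFFFFFFFF):
            findings.append(f"CRC mismatch in chunk {ctype!r} at offset {pos}")
        if ctype not in KNOWN_CHUNKS:
            findings.append(f"non-standard chunk {ctype!r} ({length} bytes) at offset {pos}")
        # IDAT is excluded: compressed pixel data is legitimately high-entropy.
        if ctype != b"IDAT" and length >= min_suspect_len:
            h = shannon_entropy(data)
            if h > entropy_threshold:
                findings.append(f"high-entropy {ctype!r} chunk ({length} bytes, H={h:.2f} bits/byte)")
        pos = end
        saw_iend = ctype == b"IEND"
    if not saw_iend:
        findings.append("no IEND chunk: file is malformed or truncated")
    elif pos < len(blob):
        trailing = blob[pos:]
        findings.append(f"{len(trailing)} bytes after IEND (H={shannon_entropy(trailing):.2f} bits/byte)")
    return findings


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialize one PNG chunk: length, type, data, CRC over type+data."""
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data) & 0xFFFFFFFF)


def build_samples() -> tuple[bytes, bytes]:
    """Constructed inputs: a clean 1x1 red PNG, and the same image carrying a stash."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # width, height, bit depth 8, RGB
    idat = zlib.compress(b"\x00\xff\x00\x00")  # one scanline: filter byte + one RGB pixel
    clean = PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")
    # Stand-in for an encrypted payload: deterministic pseudo-random bytes, not real malware.
    payload = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(32))  # 1024 bytes
    tampered = (PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"stEg", payload)  # private ancillary chunk
                + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"") + payload)  # plus a copy after IEND
    return clean, tampered


if __name__ == "__main__":
    clean, tampered = build_samples()
    print("clean   :", inspect_png(clean) or "no findings")
    for finding in inspect_png(tampered):
        print("tampered:", finding)
```

Run as a script, the clean sample passes and the tampered one yields three findings (unknown chunk, high entropy, trailing data). The IDAT exclusion is deliberate: compressed pixel data is legitimately random-looking, so a carrier that spreads ciphertext across the low bits of the pixels themselves would pass these structural checks and needs image-domain analysis instead.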


Modern defenders must think like product managers — tracking not only Rhadamanthys’ binaries but the business ecosystem that sustains it.
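For the network side of the list above, the following is an added example, not part of the original article and not a model of Rhadamanthys' actual C2 protocol, which the post does not detail. It takes constructed proxy log lines and flags URL components that look like opaque encoded blobs: at least 32 characters long, drawn from the Base64 alphabet, decodable once padding is restored, and with a character entropy of at least 4.5 bits. The entropy test is what separates encoded data from identifiers that merely match the alphabet: a hex GUID cannot exceed about 4.1 bits per character and an English slug stays lower still. Hostnames, paths and the sample beacon are all invented.

```python
"""Heuristic detection of encoded C2 traffic in outbound HTTP logs.

Added example for this article; not part of the original post and not
Rhadamanthys' real protocol. Flags URL path segments and query keys/values
that look like opaque Base64 blobs. Log lines below are constructed.
"""
import base64
import binascii
import math
import re
from urllib.parse import urlsplit

TOKEN_RE = re.compile(r"^[A-Za-z0-9+/_-]+={0,2}$")  # standard and URL-safe alphabets
MIN_LEN = 32       # shorter IDs (GUIDs, short hashes) are too common to be a useful signal
MIN_ENTROPY = 4.5  # bits/char: hex-only tokens cannot exceed log2(17) ~ 4.09; English slugs are lower


def char_entropy(s: str) -> float:
    """Shannon entropy over the token's characters, in bits per character."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def decodes_as_base64(token: str) -> bool:
    """True if the token is valid Base64 (either alphabet) once padding is restored."""
    normalised = token.rstrip("=").replace("+", "-").replace("/", "_")
    padded = normalised + "=" * (-len(normalised) % 4)
    try:
        base64.urlsafe_b64decode(padded)
        return True
    except (binascii.Error, ValueError):
        return False


def suspicious_tokens(url: str) -> list[tuple[str, str, float]]:
    """Return (location, token, entropy) for each URL component that looks like an encoded blob."""
    parts = urlsplit(url)
    candidates = [("path", seg) for seg in parts.path.split("/") if seg]
    # Split the query by hand so padding '=' and '+' survive; percent-encoding is not decoded here.
    for pair in (parts.query.split("&") if parts.query else []):
        key, _, value = pair.partition("=")
        candidates += [("query-key", key), (f"query:{key}", value)]
    hits = []
    for where, tok in candidates:
        if len(tok) < MIN_LEN or not TOKEN_RE.match(tok) or not decodes_as_base64(tok):
            continue
        h = char_entropy(tok)
        if h >= MIN_ENTROPY:
            hits.append((where, tok, round(h, 2)))
    return hits


def build_sample_log() -> str:
    """Constructed proxy lines (not real telemetry): timestamp, host, method, URL, status."""
    # Stand-in for an encrypted beacon body; real ciphertext looks at least this random.
    beacon = base64.b64encode(bytes(range(48))).decode()  # 64 chars, no padding
    lines = [
        "2025-10-06T09:12:01Z WS-042 GET https://cdn.example.com/static/js/vendor.bundle.min.js 200",
        "2025-10-06T09:12:03Z WS-042 GET https://intranet.example.com/docs/security-awareness-training-annual-report 200",
        "2025-10-06T09:12:05Z WS-042 GET https://api.example.com/v2/tenants/3f2504e0-4f89-11d3-9a0c-0305e82c3301/users 200",
        f"2025-10-06T09:12:09Z WS-042 POST https://update-cdn.example.net/img/{beacon} 200",
        f"2025-10-06T09:12:10Z WS-042 GET https://update-cdn.example.net/gate.php?s={beacon} 200",
    ]
    return "\n".join(lines)


def scan_log(text: str) -> list[dict]:
    """Apply suspicious_tokens to every request URL and return one alert per hit."""
    alerts = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        ts, host, method, url = fields[:4]
        for where, tok, h in suspicious_tokens(url):
            alerts.append({"ts": ts, "host": host, "method": method, "url": url,
                           "where": where, "entropy": h, "token_prefix": tok[:12]})
    return alerts


if __name__ == "__main__":
    for alert in scan_log(build_sample_log()):
        print(f"{alert['ts']} {alert['host']} {alert['where']:<10} H={alert['entropy']} {alert['url']}")
```

Only the two requests to the invented update-cdn host fire; the GUID and the long slug pass. Treat a hit as one signal to correlate with beacon periodicity, destination age and reputation, and the requesting process, and allowlist destinations that legitimately carry encoded parameters (SAML and OAuth endpoints, signed CDN URLs), otherwise the rule is noisy. Percent-encoded values are not decoded here; a production version should normalise them first.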


Rhadamanthys is no longer a mere stealer. It is a reflection of the industrialization of cybercrime — a fully branded, subscription-based service evolving in real time.

With each update, it sharpens its tools, hides deeper within digital ecosystems, and markets itself with the polish of a legitimate enterprise. Like the praying mantis, it folds its hands in stillness before striking with precision — silent, patient, and lethal.

For every organization, the lesson is clear: the next generation of malware doesn’t just attack — it sells.


The line between threat actor and service provider is gone, and Rhadamanthys sits right at the center, feeding on the trust between users, devices, and the systems meant to protect them.



Source: The Hacker News

