Rhadamanthys

Malware updated a month ago (2024-11-29T14:12:49.335Z)
Rhadamanthys is a sophisticated and notorious malware, known for its ability to steal sensitive information. It has been utilized by various threat actors, including nation-state entities such as Iran's Void Manticore and the pro-Palestine group "Handala." Its deployment often involves phishing tactics, with deceptive emails designed to trick victims into downloading the malicious software. The malware package typically includes a decoy document, a legitimate executable, and a malicious dynamic link library (DLL) containing the Rhadamanthys stealer. The cybercrime group TA547 has recently targeted German organizations using Rhadamanthys. These attacks have raised concerns due to the malware's capabilities, which include stealing nation-state intelligence or cryptocurrency wallet passphrases. Despite previous associations with nation-state threat actors from Russia and Iran, the recent campaign targeting German organizations appears to be more likely the work of a cybercrime group rather than a state-sponsored operation. To defend against Rhadamanthys, organizations are advised to bolster their phishing protections. Interestingly, the Rhadamanthys campaign has a unique feature: the initial executable contains a hardcoded package from which further stages of the attack are unpacked. Recently, Check Point Software Technologies reported receiving phishing lures that imitate their brand, leading to the deployment of Rhadamanthys. Consequently, vigilance and robust cybersecurity measures are crucial in mitigating the risks posed by this malware.
Description last updated: 2024-11-11T14:44:00.466Z
Possible Aliases / Cluster overlaps
Cluster overlaps and naming conventions differ between vendors, so the following are possible overlapping names or profiles that may also be worth reviewing. Each entry gives the alias, its vote count, and a short description.

Rhadamanthys Stealer (4 votes): Rhadamanthys Stealer is a possible alias for Rhadamanthys. Rhadamanthys Stealer is a malicious software that has been extensively tracked by Check Point Research (CPR) since July 2024. The malware is part of an ongoing, large-scale and sophisticated phishing campaign that deploys the latest version of Rhadamanthys Stealer (0.7). This malware infects systems

Stealc (2 votes): Stealc is a possible alias for Rhadamanthys. StealC is a form of malware that specifically targets browser extensions and password managers. Its emergence was first reported in early 2023 and it quickly grew in popularity on the dark web due to its ability to bypass traditional security measures. The malware's modus operandi involves stealing

Lumma (2 votes): Lumma is a possible alias for Rhadamanthys. Lumma is a malicious software (malware) that has been causing significant security concerns due to its ability to steal sensitive information. The malware was delivered to victims primarily through websites hosting cracked games, specifically targeting gamers. In August and September, researchers re
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Malvertising
Infostealer
Phishing
Remcos
Rat
Github
Infostealers
Macos
Telegram
Exploit
Payload
Sandbox
Decoy
Windows
Spam
Associated Malware
Each entry gives the associated malware, the association type, the vote count, and a short description.

Ghost (association type: Unspecified, 2 votes): The Ghost Malware is associated with Rhadamanthys. The "Ghost" malware, first discovered in 2020, is a sophisticated and successful malicious software that has been discreetly distributed via a network of GitHub accounts known as the Stargazers Ghost Network. This network utilizes open-source and legitimate software repositories to exploit trust and

Redline (association type: Unspecified, 2 votes): The Redline Malware is associated with Rhadamanthys. RedLine is a type of malware, or malicious software, designed to exploit and damage computer systems. It infects systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can steal personal information, disrupt operations, or even hold data hostage for

Lumma Stealer (association type: Unspecified, 2 votes): The Lumma Stealer Malware is associated with Rhadamanthys. Lumma Stealer is a potent malware designed to exfiltrate information from compromised systems, including system details, web browsers, and browser extensions. The malware was primarily delivered to victims through websites hosting cracked games, specifically targeting gamers. In July 2024, it was di

Vortax (association type: Unspecified, 2 votes): The Vortax Malware is associated with Rhadamanthys. Vortax, initially perceived as a virtual meeting software, has been identified by Recorded Future's Insikt Group as a potent malware affecting macOS security. Orchestrated by the threat actor "markopolo," Vortax is part of a large-scale cyberattack campaign that disseminates three infostealers: Rhad

Amos (association type: Unspecified, 2 votes): The Amos Malware is associated with Rhadamanthys. AMOS is a malicious software (malware) specifically designed to target macOS systems. First identified in early 2023, it has been associated with campaigns such as the ClearFake campaign, which spread the AMOS information stealer across macOS devices. This malware is particularly dangerous due to it
Associated Threat Actors
Each entry gives the associated threat actor, the association type, the vote count, and a short description.

Stargazers Ghost Network (association type: Unspecified, 2 votes): The Stargazers Ghost Network Threat Actor is associated with Rhadamanthys. The Stargazers Ghost Network, a malicious threat actor identified by Check Point Research, has been using GitHub accounts to distribute malware or malicious links through phishing repositories. This group operates and maintains the network, employing a novel technique that enhances the perceived leg

Void Manticore (association type: Unspecified, 2 votes): The Void Manticore Threat Actor is associated with Rhadamanthys. Void Manticore is a malicious software (malware) that has been associated with notable threat actors, including an Iranian actor operating in Israel and Albania. It's designed to exploit and damage computer systems, often infiltrating through suspicious downloads, emails, or websites. Once installed
Source Document References
Information about the Rhadamanthys malware was read from the documents listed below (source and relative creation date; this display is limited to 20 results).

Checkpoint, 5 days ago
Unit42, 5 days ago
Securelist, 24 days ago
DARKReading, 2 months ago
Checkpoint, 2 months ago
DARKReading, 2 months ago
DARKReading, a year ago
Securityaffairs, 3 months ago
Securityaffairs, 3 months ago
Recorded Future, 3 months ago
Recorded Future, 3 months ago
Securityaffairs, 4 months ago
Securityaffairs, 5 months ago
Securelist, 2 years ago
DARKReading, 2 years ago
CERT-EU, 2 years ago
DARKReading, 5 months ago
Checkpoint, 5 months ago
Securityaffairs, 5 months ago
Securityaffairs, 5 months ago