Rhadamanthys

Malware updated 25 days ago (2024-08-14T09:21:31.233Z)
Rhadamanthys is an information-stealer malware family that has been used in cyber attacks against various organizations. It was initially disseminated through phishing and spam emails before its operators switched to malicious advertisements as the primary infection vector. This approach, known as malvertising, embeds malware in online advertisements so that users' computers are infected when they interact with the ads. Despite this change in delivery method, the Rhadamanthys campaigns follow operational patterns similar to those of other malvertising campaigns, according to cybersecurity experts. The cybercriminal group TA547 has been notably active in deploying Rhadamanthys, targeting German organizations in particular. The malware has been observed alongside another stealer, RedLine, with both abusing search engine promotion plans to deliver their payloads to victims' machines. Rhadamanthys has also been offered as malware-as-a-service on a Russian-language cybercriminal forum, broadening its potential use by other malicious actors. Since at least August 2022, the Stargazers Ghost Network, run by the Stargazer Goblin group, has been distributing various types of malware, including Rhadamanthys, via rogue GitHub accounts. These accounts mimic legitimate user activity, making them appear genuine and thereby increasing their effectiveness at spreading malware. This distribution method represents a shift in malware dissemination techniques and highlights the constant evolution of cyber threats and the need for ongoing vigilance and adaptive security measures.
Description last updated: 2024-08-14T08:47:47.125Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
Stealc | 2 | StealC is a prominent malware that specifically targets browser extensions and password managers. It rose to infamy following an attack on the Solana blockchain in 2023, which resulted in a $7 million heist. This heist was orchestrated using Luca Stealer, another malware that targets crypto wallets
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Infostealer
Malvertising
Phishing
RAT
GitHub
macOS
Payload
Windows
Spam
Associated Malware
ID | Type | Votes | Profile Description
Ghost | Unspecified | 2 | "Ghost" is a potent malware that has been plaguing the digital world. In 2020, the first signs of its impending threat emerged with the planning of a large bilateral CDU/MDANG Ex Cyber Ghost operation. However, it wasn't until Check Point Research (CPR) identified a network of GitHub accounts, dubbe
Redline | Unspecified | 2 | RedLine is a notorious malware that has been widely used by cybercriminals to steal sensitive information. This malicious software infiltrates systems through suspicious downloads, emails, or websites and can cause significant damage by stealing personal data or disrupting operations. RedLine's conf
Lumma Stealer | Unspecified | 2 | Lumma Stealer is a potent and elusive malware that targets sensitive information on victims' devices, including cryptocurrency wallets and two-factor authentication browser extensions. This malicious software infiltrates systems through dubious downloads, emails, or websites, often unbeknownst to th
Amos | Unspecified | 2 | AMOS is a malicious software (malware) that targets Mac systems, with the ability to steal passwords, personal files, and cryptocurrency wallet information. It was first identified as part of the ClearFake campaign, which aimed to spread the macOS AMOS information stealer. The malware can infect bot
Associated Threat Actors
ID | Type | Votes | Profile Description
Stargazers Ghost Network | Unspecified | 2 | The Stargazers Ghost Network, identified by Check Point Research (CPR), is a malicious network of GitHub accounts that distribute malware and harmful links through phishing repositories. The network has been operating since at least August 2022, but its first public advertisement occurred in July 20
Source Document References
Information about the Rhadamanthys malware was read from the document corpus below. This display is limited to 20 results.
Source | Created | Title
Securityaffairs | a month ago | SECURITY AFFAIRS MALWARE NEWSLETTER – ROUND 6
Securityaffairs | a month ago | security-affairs-malware-newsletter-round-5
Securelist | a year ago | Malvertising in Google search results delivering stealers
DARKReading | a year ago | New Mirai Variant Employs Uncommon Tactics to Distribute Malware
CERT-EU | a year ago | Asylum Ambuscade: crimeware or cyberespionage? | WeLiveSecurity
DARKReading | a month ago | 'Stargazer Goblin' Amasses Rogue GitHub Accounts to Spread Malware
Checkpoint | a month ago | Stargazers Ghost Network - Check Point Research
Securityaffairs | 2 months ago | Security Affairs Malware Newsletter - Round 3
Securityaffairs | 2 months ago | Security Affairs Malware Newsletter - Round 2
Recorded Future | 2 months ago | The Travels of “markopolo”: Self-Proclaimed Meeting Software Vortax Spreads Infostealers, Unveils Expansive Network of Malicious macOS Applications | Recorded Future
Securityaffairs | 2 months ago | Security Affairs Malware Newsletter - Round 1
Securityaffairs | 2 months ago | Security Affairs newsletter Round 478 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs | 3 months ago | Security Affairs newsletter Round 477 by Pierluigi Paganini – INTERNATIONAL EDITION
DARKReading | 3 months ago | 'Vortax' Meeting App Builds Elaborate Branding, Spreads Infostealers
Recorded Future | 3 months ago | The Travels of “markopolo”: Self-Proclaimed Meeting Software Vortax Spreads Infostealers, Unveils Expansive Network of Malicious macOS Applications | Recorded Future
Securityaffairs | 3 months ago | Security Affairs newsletter Round 476 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs | 3 months ago | Sticky Werewolf targets the aviation industry in Russia and Belarus
DARKReading | 3 months ago | 'Sticky Werewolf' APT Stalks Aviation Sector
Securityaffairs | 3 months ago | Security Affairs newsletter Round 473 by Pierluigi Paganini – INTERNATIONAL EDITION