Rhadamanthys

Malware Profile Updated 7 days ago
Rhadamanthys is an information-stealing malware that the cybercriminal group TA547 has used in targeted attacks against German organizations. It typically reaches victims through suspicious downloads, emails, or websites; once inside, it can steal personal information, disrupt operations, or hold data for ransom.

In one campaign, Rhadamanthys was delivered through fake software on Windows, while the Atomic stealer was loaded on macOS. Vortax, presented as virtual meeting software for various platforms, served as the delivery mechanism for three potent infostealers: Rhadamanthys, Stealc, and Atomic. Researchers from Recorded Future's Insikt Group identified Vortax's role in spreading these three infostealers: once downloaded and installed, Vortax drops them onto the unsuspecting user's system, which underscores the need to verify new software before installing it.

Beyond TA547, the Rhadamanthys Stealer has also been deployed by another threat actor, Sticky Werewolf, in its campaigns. The malware often serves as a payload for commercial remote access Trojans (RATs), such as Ozone RAT, demonstrating its versatility and widespread use among cybercriminals. Its increasing prevalence highlights the evolving threat landscape and the importance of continuous vigilance and up-to-date security controls.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
Stealc | 2 | Stealc is a malicious software (malware) that specifically targets browser extensions and authenticators by password managers, growing in popularity on the dark web since its discovery in early 2023. It has been associated with significant cyber-attacks, such as the $7 million heist on the Solana bl
Atomic Stealer | 1 | The Atomic Stealer is a type of malware that is designed to exploit and damage computer systems, often infiltrating them through suspicious downloads, emails, or websites. Recently, a new version of the macOS Atomic Stealer has been distributed via a malvertising campaign, as reported on June 27, 20
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Infostealer
Payload
Malvertising
RAT
macOS
Windows
Crypter
Phishing
Chrome
Discord
Remcos
Sandbox
Dropper
Spam
Loader
MaaS
Associated Malware
ID | Type | Votes | Profile Description
Amos | Unspecified | 2 | AMOS is a malicious software (malware) that targets Mac systems, with the ability to steal passwords, personal files, and cryptocurrency wallet information. It was first identified as part of the ClearFake campaign, which aimed to spread the macOS AMOS information stealer. The malware can infect bot
Rootsaw | Unspecified | 1 | Rootsaw, also known as EnvyScout, is a first-stage payload malware extensively used by state-sponsored group APT29 for their initial access efforts in collecting foreign political intelligence. The malware is typically deployed via phishing emails with HTML file attachments or .HTA files, which exec
Spica | Unspecified | 1 | Spica is a custom malware developed and utilized by the threat group known as Coldriver. The backdoor software, Spica, was first identified by Google's Threat Analysis Group (TAG), which has been tracking its use since as early as September of the previous year. The malware appears to be used in hig
Atomic Macos Stealer Amos | Unspecified | 1 | In April 2023, Cyble Research and Intelligence Labs (CRIL) discovered a new malware named Atomic macOS Stealer (AMOS) being advertised for sale on a Telegram channel. The malware was found to be part of a larger operation involving several other variants such as Vidar, Lumma, and Octo. These threat
Smokeloader | Unspecified | 1 | Smokeloader is a notorious malware that has been utilized extensively by Phobos actors to carry out ransomware attacks. The malware, often delivered through suspicious downloads, emails, or websites, embeds itself into the victim's system as a hidden payload. Once inside, it enables threat actors to
RomCom | Unspecified | 1 | RomCom is a type of malware, specifically a Remote Access Trojan (RAT), that has been linked to several cyber-attacks across Europe and North America. It was first identified in spring 2022, when third-party and open-source reports highlighted a potential connection between Cuba ransomware actors, R
Associated Threat Actors
ID | Type | Votes | Profile Description
Winter Vivern | Unspecified | 1 | Winter Vivern is a threat actor, or malicious entity, that has recently come to attention due to its exploitation of a zero-day vulnerability in the Roundcube webmail software. This advanced persistent threat (APT) group has been associated with several cyber-attacks and appears to be aligned with t
APT28 | Unspecified | 1 | APT28, also known as Fancy Bear, is a threat actor believed to be linked to the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU). This group has been implicated in several high-profile cyber-espionage activities. Notably, they were behind a large-scale malwar
Turla | Unspecified | 1 | Turla, also known as Pensive Ursa, is a notable threat actor group linked to Russia. This sophisticated hacking team has been active for several years and is known for its advanced persistent threat (APT) activities. Turla's operations are characterized by the use of complex malware and backdoor exp
APT44 | Unspecified | 1 | APT44, previously known as Sandworm, is a Russian military intelligence hacking team newly designated by Mandiant. The group has been active in conducting campaigns leveraging Sandworm malware since the start of 2023, primarily targeting Ukraine, Eastern Europe, and investigative journalists. APT44'
Gamaredon | Unspecified | 1 | Gamaredon, a threat actor or Advanced Persistent Threat (APT) believed to be of Russian origin, has been actively executing malicious activities primarily against Ukraine since 2013. The group is known for its deployment of home-brewed malware through malicious documents, with the European Union's C
APT29 | Unspecified | 1 | APT29, also known as Cozy Bear, Nobelium, The Dukes, Midnight Blizzard, SVR group, and BlueBravo, is a notable threat actor linked to Russia. This group has gained notoriety over the years for its sophisticated cyberattacks against various targets. Recently, APT29 exploited a zero-day vulnerability
Gossamer Bear | Unspecified | 1 | Gossamer Bear, also known as Callisto, Blue Callisto, BlueCharlie (or TAG-53), Calisto, Star Blizzard (formerly SEABORGIUM), TA446, and UNC4057, is a significant threat actor that has been active since 2019. The group primarily focuses on credential harvesting and conducts hack-and-leak campaigns ta
Associated Vulnerabilities
ID | Type | Votes | Profile Description
Atomic Macos Stealer (Amos | Unspecified | 1 | None
Source Document References
Information about the Rhadamanthys malware was read from the documents corpus below. This display is limited to 20 results.
Source | Created At | Title
Recorded Future | 5 days ago | The Travels of “markopolo”: Self-Proclaimed Meeting Software Vortax Spreads Infostealers, Unveils Expansive Network of Malicious macOS Applications | Recorded Future
Securityaffairs | 7 days ago | Security Affairs Malware Newsletter - Round 1
Securityaffairs | 14 days ago | Security Affairs newsletter Round 478 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs | 21 days ago | Security Affairs newsletter Round 477 by Pierluigi Paganini – INTERNATIONAL EDITION
DARKReading | 24 days ago | 'Vortax' Meeting App Builds Elaborate Branding, Spreads Infostealers
Recorded Future | a month ago | The Travels of “markopolo”: Self-Proclaimed Meeting Software Vortax Spreads Infostealers, Unveils Expansive Network of Malicious macOS Applications | Recorded Future
Securityaffairs | a month ago | Security Affairs newsletter Round 476 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs | a month ago | Sticky Werewolf targets the aviation industry in Russia and Belarus
DARKReading | a month ago | 'Sticky Werewolf' APT Stalks Aviation Sector
Securityaffairs | 2 months ago | Security Affairs newsletter Round 473 by Pierluigi Paganini – INTERNATIONAL EDITION
Flashpoint | 2 months ago | Evolving Tactics: How Russian APT Groups Are Shaping Cyber Threats in 2024
Securityaffairs | 2 months ago | GitCaught campaign relies on Github and Filezilla to deliver multiple malware
InfoSecurity-magazine | 3 months ago | Rhadamanthys Malware Deployed By TA547 Against German Targets
CERT-EU | 5 months ago | One year later, Rhadamanthys is still dropped via malvertising | Malwarebytes
Checkpoint | 10 months ago | From Hidden Bee to Rhadamanthys - The Evolution of Custom Executable Formats - Check Point Research
Malware-traffic-analysis.net | a year ago | Malware-Traffic-Analysis.net - 2023-01-03 - Google ad --> fake Notepad++ page --> Rhadamanthys Stealer
Checkpoint | a year ago | Rhadamanthys: The “Everything Bagel” Infostealer - Check Point Research
Securelist | a year ago | Kaspersky crimeware report: uncommon infection methods