Ethical Hacking News

The Evolution of Rhadamanthys: A Malware-as-a-Service Platform that's Leaving a Trail of Cybersecurity Concerns




Rhadamanthys Stealer Evolves: Adds Device Fingerprinting, PNG Steganography Payloads

A popular information stealer has updated its capabilities to include device fingerprinting and steganography payloads. The malware-as-a-service platform has emerged as a comprehensive threat to personal and corporate security, with experts warning of the need for continued vigilance.



  • Rhadamanthys is a malware-as-a-service (MaaS) platform that has become one of the most popular threats to personal and corporate security.
  • The latest version, 0.9.2, adds device fingerprinting capabilities and PNG Steganography Payloads.
  • Rhadamanthys is available in three tiered packages with prices ranging from $299 to $499 per month.
  • Threat actors have been using surface-level mimicry to conceal their malware, making it difficult for defenders to detect.
  • The malware has updated its configuration and obfuscation patterns, requiring cybersecurity experts to track changes and monitor updates.



The world of cybersecurity is constantly evolving, and one malware that has been making waves in recent times is Rhadamanthys. This information stealer, which was initially promoted on cybercrime forums, has now evolved to become one of the most popular malware-as-a-service (MaaS) platforms available. According to Check Point researcher Aleksandra "Hasherezade" Doniec, Rhadamanthys has emerged as a comprehensive threat to personal and corporate security, with its latest version, 0.9.2, adding device fingerprinting capabilities.

Rhadamanthys was initially advertised by a threat actor named kingcrete2022, but soon gained popularity after the author rebranded themselves as "RHAD security" and "Mythical Origin Labs." The malware is now available in three tiered packages, ranging from $299 per month for a self-hosted version to $499 per month for a package that comes with additional benefits, including priority technical support, server access, and advanced API access. Prospective customers can also purchase an Enterprise plan by directly contacting the sales team.

The combination of Rhadamanthys' branding, product portfolio, and pricing structure suggests that the authors treat this malware as a long-term business venture rather than a side project. As such, defenders are advised to track not only its malware updates but also the business infrastructure that sustains it. The recent addition of PNG steganography payloads has left cybersecurity experts concerned about the potential for Rhadamanthys to be used in future attacks.

According to Check Point, the threat actors behind Rhadamanthys have been using surface-level mimicry to conceal their malware. Although the alert message is the same in both Lumma and Rhadamanthys, the underlying implementation is completely different: in Lumma, opening and reading a file is implemented via raw syscalls, whereas in Rhadamanthys it is displayed via MessageBoxW. Both loaders are obfuscated, but the obfuscation patterns are different.

Other updates to Rhadamanthys concern slight tweaks to the custom XS format used to ship the executable modules, the checks executed to confirm whether the malware should continue its execution on the host, and the obfuscated configuration embedded into it. The modifications also extend to obfuscating the names of the modules to fly under the radar.

One module in particular is responsible for a series of environment checks to ensure that it is not running in a sandboxed environment. It checks running processes against a list of forbidden ones, gets the current wallpaper and verifies it against a hard-coded one that represents the Triage sandbox, checks whether the current username matches those used by sandboxes, and compares the machine's HWID against a predefined list.

It is only when all these checks pass that the sample proceeds to establish a connection with a command-and-control (C2) server to fetch the core component of the stealer. The payload is concealed using steganographic techniques, either in a WAV, JPEG, or PNG file, from which it is extracted, decrypted, and launched. Decrypting the package from the PNG requires a shared secret that is agreed upon during the initial phase of the C2 communication.

The stealer module itself is equipped with a built-in Lua runner that serves additional plugins written in that language to facilitate data theft and conduct extensive device and browser fingerprinting. The latest variant represents an evolution rather than a revolution, according to Check Point. Analysts should update their config parsers, monitor PNG-based payload delivery, track changes in mutex and bot ID formats, and expect further churn in obfuscation as tooling catches up.
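As an added illustration of the "monitor PNG-based payload delivery" advice (this is not code from Check Point or from the article), the following PNG chunk walker flags the structural anomalies an analyst would triage first in a suspicious image: data appended after the IEND chunk, CRC mismatches, and oversized ancillary chunks. The heuristics and the constructed sample image are assumptions; the article does not say how Rhadamanthys embeds its payload, so this is a generic integrity check, not a signature.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
LARGE_ANCILLARY = 1024  # assumed threshold for "unusually large" ancillary chunks


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Build one PNG chunk: 4-byte length, type, data, CRC-32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_minimal_png() -> bytes:
    """Constructed sample: a valid 1x1 8-bit grayscale PNG used as clean input."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # one filter byte + one pixel
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


def inspect_png(blob: bytes) -> dict:
    """Walk the chunk structure and report anomalies worth an analyst's attention."""
    if not blob.startswith(PNG_SIG):
        return {"valid": False, "findings": ["bad PNG signature"], "chunks": [], "trailing_bytes": 0}
    pos, chunks, findings, trailing = len(PNG_SIG), [], [], 0
    while pos + 12 <= len(blob):
        length = struct.unpack(">I", blob[pos:pos + 4])[0]
        ctype = blob[pos + 4:pos + 8]
        data = blob[pos + 8:pos + 8 + length]
        if len(data) < length:
            findings.append(f"truncated {ctype!r} chunk")
            break
        crc = struct.unpack(">I", blob[pos + 8 + length:pos + 12 + length])[0]
        if zlib.crc32(ctype + data) & 0xFFFFFFFF != crc:
            findings.append(f"CRC mismatch in {ctype!r}")  # bytes edited after the fact
        name = ctype.decode("latin-1")
        chunks.append((name, length))
        if name[0].islower() and length > LARGE_ANCILLARY:
            findings.append(f"large ancillary chunk {name} ({length} bytes)")
        pos += 12 + length
        if ctype == b"IEND":
            trailing = len(blob) - pos  # anything after IEND is not image data
            break
    if trailing:
        findings.append(f"{trailing} bytes after IEND")
    return {"valid": True, "findings": findings, "chunks": chunks, "trailing_bytes": trailing}
```

Run it over images fetched by a suspicious loader; a clean image yields an empty findings list, while appended or injected data shows up as trailing bytes or an unexpected chunk.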

Currently, the development is slower and steadier: the core design remains intact, with changes focused on refinements, such as new stealer components, changes in obfuscation, and more advanced customization options. As cybersecurity experts continue to monitor Rhadamanthys' evolution, it is clear that this malware-as-a-service platform will remain a significant concern for defenders of personal and corporate security.








Related Information:

  • https://www.ethicalhackingnews.com/articles/The-Evolution-of-Rhadamanthys-A-Malware-as-a-Service-Platform-thats-Leaving-a-Trail-of-Cybersecurity-Concerns-ehn.shtml
  • https://thehackernews.com/2025/10/rhadamanthys-stealer-evolves-adds.html

Published: Fri Oct 3 12:37:23 2025 by llama3.2 3B Q4_K_M













© Ethical Hacking News. All rights reserved.