Security experts have shed light on a novel malicious sample hiding in the malicious arena, an evasive stealer dubbed Rhadamanthys. The malware is commonly distributed via Google ads redirecting compromised users to phishing webpages disguised as widely-used legitimate software. 

Detect Rhadamanthys Malware

In view of the increasing popularity of Rhadamanthys stealer being broadly distributed in the cyberthreat arena under malware-as-a-service (MaaS) model, security professionals need a reliable source of detection content to identify possible attacks at the earliest stages. 

SOC Prime’s Detection as Code Platform serves a set of Sigma rules to spot the malicious activity associated with Rhadamanthys info-stealing malware attacks. All detection content is mapped to MITRE ATT&CK framework v12 and compatible with 25+ SIEM, EDR, and XDR platforms.

Hit the Explore Detection button below to check the list of relevant detection rules enriched with relevant metadata, CTI links, and ATT&CK references to accelerate cyber threat investigation and boost your cyber defense capabilities. 

Explore Detections

Rhadamanthys Malware Analysis

The new Rhadamanthys info-stealer, which came on the scene in late 2022, hijacks Google ads to gain initial access to the compromised system. Distributed via the malware-as-a-service (MaaS) model, Rhadamanthys is steadily gaining in popularity on the dark web. 

In addition to phishing webpages, Rhadamanthys can be spread via malspam. Threat actors leverage the new strain to steal user passwords and dump sensitive data from compromised hosts. Moreover, the evasive info-stealer targets popular cryptocurrency entities and wallets to steal the credentials.

According to inquiry by Cyble, in the case of malsapm campaigns, the attack kill chain starts with a PDF file that lures victims into downloading the malicious payload. Once opened, the attachment shows a notification with a download link masquerading as an Adobe Acrobat DC software update. By clicking the fake update URL, the threat launches an executable file that executes the stealer and enables adversasries to access sensitive data from the compromised environment.

When leveraging a phishing attack vector, adversaries create a fraudulent webpage impersonating Zoom, AnyDesk, or other trusted websites with a link to them disseminated via Google ads. These malicious sites download an executable file masquerading as a legitimate installer. As a result of the malicious campaign, the compromised user downloads Rhadamanthys infostealer without noticing the traces of infection. 

Over 250,000 detection algorythms for emerging threats are at hand! Explore more at and get those of your choice with On Demand at 

Was this article helpful?

Like and share it with your peers.
Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.

Related Posts