Unveiling Rhadamanthys: A Deep Dive into the World of Fast-Evolving Multi-Layer Malware

3 min read
Unveiling Rhadamanthys: A Deep Dive into the World  of Fast-Evolving Multi-Layer Malware


In the ever-evolving landscape of cyber threats, threat actors constantly seek sophisticated tools to stay ahead in the game. One such formidable player is Rhadamanthys, a multi-layer malware that has recently made waves in the dark corners of the internet. This blog explores the intricate layers of Rhadamanthys, shedding light on its features, impact, and the latest developments in its malicious evolution.

Key Points: Unpacking the Complexity

  • Rhadamanthys, an information stealer, comprises two components: the loader and the main module, responsible for extracting collected credentials.
  • The malware employs sophisticated anti-analysis techniques, utilizing a public open-source library to complicate examination.
  • Capable of extracting credentials from various applications like Keepass and cryptocurrency wallets, Rhadamanthys targets sensitive data.
  • One identified loader uses a virtual machine, based on Quake III, to safeguard specific sections of its code.
  • Rhadamanthys adopts a variation of the Hidden Bee format, extensively detailed by Malwarebytes.
  • The malware features its file system, incorporating an additional set of embedded modules for added complexity.
  • A flaw in the code implementation renders both the loader and the main module's network communications susceptible to decryption.

Impact: Rhadamanthys in Action

  • Marketed on the Dark Web by "King Crete," Rhadamanthys gained attention for its rich features and polished design.
  • Version 0.5.0 showcases significant changes, solidifying its position as a major player in the malware market.

Latest Information: Rhadamanthys 0.5.0 Unveiled

  • The new release introduces TLS for temporary buffers, enhancing its ability to decode obfuscated strings.
  • Raw syscalls and the Heaven's Gate technique are employed for native API calls, evading detection and obfuscating API names.

Security Measures: Tactics of Rhadamanthys

Advanced Evasion Tactics: Rhadamanthys implements sophisticated anti-analysis techniques, including a virtual machine based on Quake III for code protection. It uses a public open-source library to complicate analysis, making it challenging for security researchers to uncover its inner workings.

Credential Extraction Capabilities: The malware targets various applications, including Keepass and cryptocurrency wallets, extracting sensitive data from infiltrated machines. Rhadamanthys employs its file system with embedded modules, enhancing its ability to hide and protect malicious components.

Network Communication Security: While Rhadamanthys uses raw syscalls for native API calls, it also employs encryption in its network communication to protect the integrity of its operations. Despite flaws in its code leading to decryption possibilities, the malware continually adapts to refine its communication security.


Rhadamanthys - A Formidable Player in Cyber Threats In conclusion, Rhadamanthys emerges as a sophisticated and adaptable information stealer, equipped with advanced features and tactics. Its continuous evolution and expansion into a multipurpose bot showcase the relentless efforts of threat actors in the cyber realm. As cybersecurity measures continue to advance, the battle against such fast-evolving multi-layer malware remains a dynamic challenge for researchers and defenders alike. Stay vigilant, stay secure.

Follow us on social media

Cyber Unfolded Light Logo
Copyright © 2024 CYUN. All rights reserved.