Rhadamanthys Malware Updates: New Features and Evasion Tactics

The Rhadamanthys malware, a multi-modular stealer active since September 2022, has introduced significant updates in its latest release, version 0.9.2. Recent observations indicate its increasing deployment within the ClickFix campaigns, raising concerns among cybersecurity experts. The new version features enhancements that may complicate detection efforts and necessitate updates to existing research tools.
Check Point Research (CPR), which published the analysis, accompanied it with multiple scripts designed to help defenders keep pace with the evolving threat: a converter for the new custom executable format, a string deobfuscator, and an unpacker for the packaged modules. This report delves into the latest changes in Rhadamanthys, outlining their implications within the broader context of malware development.
Overview of Rhadamanthys
Initially promoted through cybercrime forums, Rhadamanthys quickly gained traction due to its sophisticated design and modular architecture. The malware was first marketed by an actor known as kingcrete2022 and has since evolved into a leading player in the cybercrime ecosystem, attracting interest from advanced threat actors.
The malware’s architecture remains largely intact since its earlier iterations, but significant enhancements were introduced in version 0.9.x. These changes disrupted previously established tools, signaling a pivotal update in its lifecycle. The first loader of Rhadamanthys appears in multiple formats; it can be either a .NET executable or a native Windows executable, with our analysis focusing on the native version.
Website and Marketing Enhancements
To bolster its visibility, the operators of Rhadamanthys have revamped their online presence. The website now features a polished design, rebranding themselves as RHAD Security and Mythical Origin Labs. This new platform showcases their product offerings, including the flagship stealer, along with pricing tiers that range from $299 per month for a self-hosted version to $499 per month for a rented server with additional benefits.
The professionalization of their branding and product portfolio suggests that the development team is treating Rhadamanthys as a long-term business venture. This shift underlines the malware’s potential longevity and the importance of monitoring both its technical and operational developments.
Key Updates in Version 0.9.x
The release of version 0.9.1 was announced in February 2025, followed by version 0.9.2, which is gaining traction despite not being listed on the official site yet. The changelog for version 0.9.1 includes numerous updates, such as redesigned database operations and optimized file packaging.
Among the notable changes are the introduction of a global mutex to suppress duplicate executions, enhanced process injection options, and updates to the custom executable formats known as XS1 and XS2. These modifications indicate a deliberate effort to evolve the malware and complicate analysis for researchers.
The latest iteration also features a distinctive message box that appears upon executing the malware, reminiscent of techniques employed by the Lumma stealer. This functionality acts as a deterrent against static detection, requiring user consent to proceed.
Changes in Core Functionality
Rhadamanthys has historically relied on custom executable formats that necessitate proprietary loaders. As of version 0.9.x, both the XS1 and XS2 formats have received updates, which likely aim to invalidate previously established analysis tools.
The malware’s configuration management has evolved significantly, now allowing multiple command-and-control (C2) addresses within a single sample. This flexibility enhances the malware’s adaptability and resilience against detection efforts.
Moreover, the new versions employ a refined method for identifying and evading controlled environments, such as sandboxes. The malware conducts extensive checks on the victim’s system, evaluating user environments and installed applications to ensure its successful operation.
The bot identification process has also been streamlined. The bot ID, which uniquely identifies the compromised system, is generated by combining the machine’s GUID with the volume serial number and hashing the result into a single identifier.
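The following is an added defender-side illustration, not code from the CPR report or from the malware, of the identifier scheme described above. The article does not name the hash or the byte encoding, so the `:`-joined text form and SHA-256 are assumptions made here; the host inventory values are constructed. The second function shows the practical use: mapping a bot ID observed in C2 telemetry back to the internal host that produced it.

```python
import hashlib
import uuid

# Constructed sample inventory: hostname -> (machine GUID, volume serial).
# These values are made up for this example and are not real indicators.
HOST_INVENTORY = {
    "ws-finance-01": ("6f1a2b3c-4d5e-4f60-8a71-92b3c4d5e6f7", 0x1A2B3C4D),
    "ws-hr-07":      ("0e9d8c7b-6a59-4847-b6a5-94837261f0e1", 0xDEADBEEF),
}


def derive_bot_id(machine_guid: str, volume_serial: int) -> str:
    """Derive a host identifier the way the article describes: machine GUID
    and volume serial combined, then hashed.

    ASSUMPTIONS (not stated in the article): the GUID is canonicalised to
    lower-case text, the serial is rendered as 8 hex digits, the two are
    joined with ':' and digested with SHA-256. The real sample's encoding
    and hash function may differ.
    """
    guid = str(uuid.UUID(machine_guid))          # canonical lower-case form
    serial = f"{volume_serial & 0xFFFFFFFF:08x}"  # 32-bit serial as hex
    return hashlib.sha256(f"{guid}:{serial}".encode()).hexdigest()


def attribute_bot_id(observed_id: str, inventory=HOST_INVENTORY):
    """Defender-side correlation: given a bot ID seen in C2 traffic, return
    the hostname whose GUID/serial pair reproduces it, or None if no
    inventoried host matches.
    """
    observed_id = observed_id.strip().lower()
    for hostname, (guid, serial) in inventory.items():
        if derive_bot_id(guid, serial) == observed_id:
            return hostname
    return None


if __name__ == "__main__":
    seen = derive_bot_id(*HOST_INVENTORY["ws-hr-07"])
    print(seen, "->", attribute_bot_id(seen))
```

Because the ID depends only on stable hardware and volume attributes, the same host yields the same ID across reinfections, which is what makes this kind of correlation possible.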
Conclusion
Rhadamanthys has matured significantly since its inception, reflecting the developers’ commitment to rapid feature growth and adaptation to the cybersecurity landscape. The recent updates illustrate a shift toward more sophisticated evasion tactics and enhanced modular functionality.
As the malware continues to evolve, it remains critical for cybersecurity professionals to update their detection and response strategies. Monitoring the ongoing developments in Rhadamanthys will be essential in addressing the increasing complexity of threats posed by such advanced malware.
For organizations, leveraging comprehensive security solutions like Check Point’s Threat Emulation and Harmony Endpoint can provide robust protection against the tactics described in this report.