Rhadamanthys, a sophisticated multi-modular information stealer first advertised in underground forums in September 2022, has cemented its status as a fully commercialized malware-as-a-service offering.
Recent monitoring of the actor’s Tor storefront and Telegram support channel shows that Rhadamanthys is now openly marketed with tiered subscription packages priced between USD 299 and USD 499 per month.
This professionalized sales apparatus underscores both the maturity of the malware and its authors’ intent to sustain Rhadamanthys as a long-term venture.
Professionalization and Pricing Tiers
The revamped Tor site, operated under the RHAD Security and Mythical Origin Labs banners, has a polished interface that lists all product offerings, version histories, and support channels.
Rhadamanthys is sold as a self-hosted “Basic” package for USD 299 per month. The “Pro” tier, priced at USD 499 per month, adds a rented server, two-factor authentication for the management portal, priority updates, and custom hook configurations.

An “Enterprise” option is also available via individual negotiation. The site’s “Version History” section, though occasionally lagging behind actual releases, documents incremental updates such as redesigns of the database layer, expanded client-side injection options, and the removal of registry write operations to improve stealth.
Technical Enhancements in Version 0.9.x
The latest v0.9.2 release introduces several notable technical changes that require defenders to update their analysis tooling.
The custom module container formats XS1 and XS2 have been updated to XS1B and XS2B. XS1B adds a version field to the header and simplifies import-table deobfuscation by reducing the import key to a single byte.
XS2B widens one of the custom import fields from WORD to DWORD, which breaks parsers written for the old layout. String obfuscation in Stage 3 has been overhauled: the previous XOR-based scheme is replaced with RC4, which hinders signature-based extraction because the key can no longer be recovered simply by XORing a known plaintext against its ciphertext.
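To make the XOR-to-RC4 change concrete, the following is an added example (not Rhadamanthys code and not taken from any published analysis) of a string-table decryptor. The key, the plaintext strings and the [u32 LE length][ciphertext] record layout are constructed here purely for illustration; the real Stage 3 table layout and key derivation are not described on this page.

```python
"""RC4 string-table decryption, as an added example (not Rhadamanthys code).

Assumptions: the key, the plaintext strings and the [u32 LE length][ciphertext]
record layout are constructed here for illustration; the real Stage 3 table
layout and key derivation are not documented on this page.
"""
import struct
from typing import Callable, List

Cipher = Callable[[bytes, bytes], bytes]


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA). Symmetric: the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for c in data:                             # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(c ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_repeat(key: bytes, data: bytes) -> bytes:
    """The older repeating-key XOR scheme, kept for comparison."""
    return bytes(c ^ key[i % len(key)] for i, c in enumerate(data))


def recover_xor_key(known_plain: bytes, cipher_text: bytes, key_len: int) -> bytes:
    """Why plain XOR is weak: one known plaintext of >= key_len bytes leaks the key."""
    return bytes(p ^ c for p, c in zip(known_plain[:key_len], cipher_text[:key_len]))


def build_table(strings: List[str], key: bytes, cipher: Cipher) -> bytes:
    """Constructed fixture: each record is [u32 LE length][ciphertext]."""
    blob = b""
    for s in strings:
        ct = cipher(key, s.encode())
        blob += struct.pack("<I", len(ct)) + ct
    return blob


def decrypt_table(blob: bytes, key: bytes, cipher: Cipher) -> List[str]:
    """Walk the records; each string is decrypted on its own (keystream restarts per record)."""
    out, off = [], 0
    while off + 4 <= len(blob):
        (n,) = struct.unpack_from("<I", blob, off)
        off += 4
        out.append(cipher(key, blob[off:off + n]).decode())
        off += n
    return out


if __name__ == "__main__":
    key = b"k3y!"
    names = ["kernel32.dll", "ws2_32.dll", "CreateMutexW"]
    print(decrypt_table(build_table(names, key, rc4), key, rc4))
    print(recover_xor_key(b"kernel32.dll", xor_repeat(key, b"kernel32.dll"), len(key)))
```

The point of `recover_xor_key` is the asymmetry: with repeating-key XOR, a single known API name such as `kernel32.dll` yields the key and therefore every other string; with RC4, the same known plaintext yields only a keystream prefix, so the key must be found in the code rather than derived from the data, which is what defeats generic XOR-key bruteforcing tools.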
Rhadamanthys’ initial loader now displays a Lumma-style message box at runtime, mimicking the message-box check seen in other stealers, but implemented via Win32 API calls rather than raw syscalls.
The Stage 2 “Strategy” evasion module loads configuration fragments on demand, enabling dynamic environment checks: MAC-address filtering (the MAC is read from the node field of a UUIDv1 rather than queried directly) and HWID filtering via WQL queries, as well as detection of sandbox-specific wallpapers and dummy files.
The registry-based re-execution delay has been removed entirely, and the mutex name is now derived from a 16-byte seed hashed together with the string “XRHY”, so a single hard-coded mutex can no longer serve as a universal vaccine.
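The UUIDv1 trick is worth seeing in code. The block below is an added example written for this page (not the malware's own routine): it pulls the 48-bit node field out of a version-1 UUID, which per RFC 4122 is the generating host's MAC address, and compares its OUI against well-known hypervisor prefixes. The OUI table and the sample UUIDs are constructed here; on Windows the UUID would come from `UuidCreateSequential`, which lets a sample avoid the more conspicuous adapter-enumeration APIs.

```python
"""MAC-address VM check via a UUIDv1 node field, as an added example (not the
malware's code). The OUI table lists well-known hypervisor prefixes; the
sample UUIDs in the usage section are constructed for this illustration."""
import uuid
from typing import Optional, Tuple

# First three octets (OUI) of MAC ranges assigned to common hypervisors.
VM_OUIS = {
    "00:05:69": "VMware",
    "00:0c:29": "VMware",
    "00:1c:14": "VMware",
    "00:50:56": "VMware",
    "08:00:27": "VirtualBox",
    "00:15:5d": "Hyper-V",
    "00:1c:42": "Parallels",
    "00:16:3e": "Xen",
}


def mac_from_uuid1(u: uuid.UUID) -> Optional[str]:
    """RFC 4122: a version-1 UUID's 48-bit node field is the generating host's MAC.

    Returns None for other UUID versions, and for a node whose multicast bit
    (bit 40, the LSB of the first octet) is set: hosts without a usable MAC
    emit a random node with that bit set, so it carries no vendor information."""
    if u.version != 1 or (u.node >> 40) & 1:
        return None
    return ":".join(f"{(u.node >> (8 * i)) & 0xFF:02x}" for i in reversed(range(6)))


def classify_host(u: uuid.UUID) -> Tuple[str, Optional[str]]:
    """('vm', vendor) when the OUI matches a hypervisor, else ('physical', None)
    or ('unknown', None) when no MAC can be recovered from the UUID."""
    mac = mac_from_uuid1(u)
    if mac is None:
        return ("unknown", None)
    vendor = VM_OUIS.get(mac[:8])
    return ("vm", vendor) if vendor else ("physical", None)


if __name__ == "__main__":
    # Constructed samples: a VMware-style node, a non-VM node, and a random node.
    for sample in (uuid.uuid1(node=0x000C29AABBCC),
                   uuid.uuid1(node=0x3C5282112233),
                   uuid.uuid1(node=0x01AABBCCDDEE)):
        print(sample, mac_from_uuid1(sample), classify_host(sample))
```

For a defender the useful inversion is the same table: a sandbox whose adapters carry a hypervisor OUI will be filtered out by this check, so bare-metal analysis or a spoofed OUI on the analysis VM's adapter is what gets a sample past it. The HWID side of the filter is not reconstructed here because the page does not name the WQL query used.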
Communication with the command-and-control (C2) server still uses WebSocket over TLS, but the Stage 3 payload is now carried as raw PNG pixel data rather than hidden with WAV or JPEG steganography.
The container inside the pixel data consists of a 32-byte key, the payload size, a hash, and the data array, which simplifies delivery at the cost of some subtlety.
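Because the payload is literally the pixel bytes, extracting it needs no steganographic decoding, only a PNG reader and knowledge of the container fields. The block below is an added example (not Rhadamanthys code): it builds a minimal 8-bit grayscale PNG around a constructed payload and then parses it back. The field order [32-byte key][u32 LE size][u32 LE hash][data], the use of CRC32 as the hash, the image width and the grayscale encoding are all assumptions made for this illustration; the page lists the fields but not their layout or the hash algorithm.

```python
"""Payload carried as raw PNG pixel bytes, as an added example (not Rhadamanthys code).

Assumed container layout (the page names the fields but not their order,
hash algorithm or image geometry): [32-byte key][u32 LE size][u32 LE crc32][data].
CRC32 stands in for the unspecified hash. The PNG writer exists only to build
an offline fixture; in practice the PNG bytes come from the C2 WebSocket channel.
"""
import struct
import zlib
from typing import Tuple

PNG_SIG = b"\x89PNG\r\n\x1a\n"
KEY_LEN = 32
HDR = struct.Struct("<II")  # payload size, crc32 of payload


def _chunk(ctype: bytes, data: bytes) -> bytes:
    return (struct.pack(">I", len(data)) + ctype + data
            + struct.pack(">I", zlib.crc32(ctype + data)))


def encode_png_pixels(pixels: bytes, width: int = 64) -> bytes:
    """Fixture builder: 8-bit grayscale, filter 0 on every row, pixel bytes == payload."""
    pixels += b"\x00" * ((-len(pixels)) % width)
    height = len(pixels) // width
    raw = b"".join(b"\x00" + pixels[r * width:(r + 1) * width] for r in range(height))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b"")


def decode_png_pixels(png: bytes) -> bytes:
    """Minimal PNG reader: non-interlaced 8-bit grayscale with filter type 0 only."""
    if not png.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    off, idat, width, height = len(PNG_SIG), b"", None, None
    while off < len(png):
        (n,) = struct.unpack_from(">I", png, off)
        ctype, data = png[off + 4:off + 8], png[off + 8:off + 8 + n]
        if struct.unpack_from(">I", png, off + 8 + n)[0] != zlib.crc32(ctype + data):
            raise ValueError("bad chunk crc")
        if ctype == b"IHDR":
            width, height, depth, ctyp, _, _, interlace = struct.unpack(">IIBBBBB", data)
            if (depth, ctyp, interlace) != (8, 0, 0):
                raise ValueError("unsupported PNG layout for this minimal reader")
        elif ctype == b"IDAT":
            idat += data
        elif ctype == b"IEND":
            break
        off += 12 + n
    raw, stride, out = zlib.decompress(idat), width + 1, bytearray()
    for r in range(height):
        row = raw[r * stride:(r + 1) * stride]
        if row[0] != 0:
            raise ValueError("filtered row; a full unfilter step would be needed")
        out += row[1:]
    return bytes(out)


def pack_stage(key: bytes, data: bytes) -> bytes:
    """Assumed container: key | size | crc32 | data."""
    if len(key) != KEY_LEN:
        raise ValueError("key must be 32 bytes")
    return key + HDR.pack(len(data), zlib.crc32(data)) + data


def unpack_stage(pixels: bytes) -> Tuple[bytes, bytes]:
    """Parse the container out of the pixel bytes, rejecting truncation or corruption."""
    key = pixels[:KEY_LEN]
    size, crc = HDR.unpack_from(pixels, KEY_LEN)
    start = KEY_LEN + HDR.size
    data = pixels[start:start + size]
    if len(data) != size or zlib.crc32(data) != crc:
        raise ValueError("truncated or corrupt payload")
    return key, data


def extract_payload(png: bytes) -> Tuple[bytes, bytes]:
    return unpack_stage(decode_png_pixels(png))


if __name__ == "__main__":
    key, data = bytes(range(32)), b"MZ" + b"\x90" * 100 + b"constructed stage 3"
    k, d = extract_payload(encode_png_pixels(pack_stage(key, data)))
    print(k == key, d == data, len(d))
```

The hash check matters for triage: padding added to fill the last image row is indistinguishable from payload bytes without the size field, and the hash is what tells a parser it has the right layout rather than a coincidental match on a different build.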
Before beaconing, Rhadamanthys queries several NTP hosts (e.g., time.google.com, pool.ntp.org) to validate the system clock, and a pseudo-random string routine partially overwrites the C2 domain in memory; this apparent anti-analysis distraction does not affect connectivity.
Analysts should update configuration parsers to handle the new 0xBEEF marker, refresh XS-format conversion tools, and monitor for PNG-based payload delivery. With a growing customer base and continual obfuscation churn, Rhadamanthys remains a persistent threat in the infostealer ecosystem.
IOCs:
Analyzed samples:
- 8f54612f441c4a18564e6badf5709544370715e4529518d04b402dcd7f11b0fb (packed, Golang packer)
- b429a3e21a3ee5ac7be86739985009647f570548b4f04d4256139bc280a6c68f
- b41fb6e936eae7bcd364c5b79dac7eb34ef1c301834681fbd841d334662dbd1d
- eb5558d414c6f96efeb30db704734c463eb08758a3feacf452d743ba5f8fe662 (packed)
- 1f7213a32bce28cb3272ef40a7d63196b2e85f176bcfe7a2d2cd7f88f4ff93fd (unpacked payload)