Rhadamanthys Stealer Delivered Via a Spam Email

Cyble Research & Intelligence Labs (CRIL) discovered a brand-new malware variant called “Rhadamanthys Stealer.” This malware stealer variation is now in use and the threat actors who created it are offering it for sale via the Malware as a Service (MaaS) business model.

The Rhadamanthys stealer spreads by tricking users into visiting phishing websites that look like popular programmes like Zoom, AnyDesk, Notepad++, Bluestacks, etc. It can propagate through spam emails that include an attachment that contains the harmful payload. 


Further, fake Google Ads are used in this campaign that aimed at consumers trying to download popular software.

Rhadamanthys Stealer Delivered Via a Spam Email

Spam emails with the PDF attachment “Statement.pdf” are the origin of the Rhadamanthys stealer malware.

Spam Email with PDF Attachment

When opening the spam email’s attachment, a message identifies it as an “Adobe Acrobat DC Updater” and provides a “Download Update” download link.

PDF document with a download link

When a user clicks the “Download Update” link, it downloads malware executable from the specified URL. Upon execution, it runs the stealer and allows it to steal sensitive information from the victim’s machine.

Process tree of spam email downloads Stealer

Malware Distribution Using Google Ads

In order to deceive visitors into installing the stealer malware, which engages in criminal actions, the TAs behind this campaign also constructed a highly convincing phishing webpage impersonating trustworthy websites. Google advertisements are used to promote the link to these phishing websites.

Phishing Domains Created To Spread This Malware:

  • bluestacks-install[.]com
  • zoomus-install[.]com
  • install-zoom[.]com
  • install-anydesk[.]com
  • install-anydeslk[.]com
  • zoom-meetings-install[.]com
  • zoom-meetings-download[.]com
  • anydleslk-download[.]com
  • zoomvideo-install[.]com
  • zoom-video-install[.]com
  • istaller-zoom[.]com
  • noteepad.hasankahrimanoglu[.]com[.]tr

The phishing websites also download an installer file that seems to be a genuine installer for the corresponding software. The stealer malware is secretly installed along with the appropriate application without the user’s awareness.

Process tree of malicious AnyDesk installing Stealer

“We observed that a steganography image was downloaded from the remote server. We suspect the shellcode decrypts the steganography image to get the actual Rhadamanthys payload”, CRIL.

By running a series of Windows Management Instrumentation (WMI) queries, the Rhadamanthys stealer now begins gathering system data. The data gathered comprises the name of the computer, the user name, the OS version, the RAM and CPU information, the HWID, the time zone, the user and keyboard language, etc.

The malware searches for browser-related files including browsing histories, bookmarks, cookies, auto-fills, login credentials, etc. in the folders of the installed browsers on the victim’s computer.

 “It targets different browsers such as Brave, Edge, Chrome, Firefox, Opera Software, Sleipnir5, Pale Moon, CocCoc, etc”, CRIL

Researchers say the stealer malware is also made to target different crypto wallets and gather data from them. 

The stealer also targets various applications such as FTP clients (CoreFTP, WinSCP), email clients (Foxmail, Thunderbird, Outlook, TrulyMail, GmailNotifierPro), File managers (Total commanders), password managers (RoboForm, KeePass), VPN services (NordVPN, ProtonVPN, Windscribe VPN, OpenVPN), messaging applications (Tox, Discord, Telegram) and others.

“It is crucial for users to exercise caution when receiving spam emails or to visit phishing websites and to verify the source before downloading any applications”, concludes the researchers.

Network Security Checklist – Download Free E-Book

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.