MalwareRansomwareUsed by 11 actorsExploits 1 CVE

Rhadamanthys

Also known asRhadamanthys Stealer

Rhadamanthys is a modular malware-as-a-service information stealer first observed in 2022 and sold on underground forums, with pricing reported around $300-$500 per month and higher-priced customized tiers. It is widely referred to as Rhadamanthys or Rhadamanthys Stealer and is used by multiple cybercriminal actors and some state-linked operators. Reported associated actors include TA571, TA866, TA2541, TA547, TA585, unattributed clusters such as Aggah, and Iran MOIS-linked Void Manticore/Handala Hack, which reportedly used Rhadamanthys in phishing campaigns against Israeli targets, sometimes alongside custom wipers and lures impersonating F5 updates or the Israeli National Cyber Directorate.

Its primary function is credential and information theft. High-confidence capabilities mentioned in the source material include theft of browser credentials, cookies, session tokens, financial information, cryptocurrency wallet data, seed phrases, and system information. By 2024 it had added AI-driven OCR to identify and extract cryptocurrency seed phrases from images. Updates also added browser and device fingerprint collection, MSI installer execution, stronger packing and network obfuscation, anti-analysis features, and PNG/IDAT steganography in some delivery chains. The malware has been reported as capable of abusing stolen Google authentication cookies, and operators claimed they could restore expired Google authentication cookies; Google later introduced Device Bound Session Credentials to mitigate such abuse.

Observed infection vectors are diverse and include phishing emails, compromised websites, malvertising, ClickFix-style social engineering, LNK shortcut phishing, trojanized installers, MSI packages, and loader-based delivery. Specific chains in the content include: malicious LNK files with embedded Base64 PowerShell; a four-stage JavaScript/PowerShell/.NET in-memory chain labeled Hotel-SEP; trojanized KMS activator MSI installers using GhostPulse IDAT steganography, HijackLoader DLL sideloading, and legitimate Zoner Photo Studio binaries; and delivery through loaders such as SystemBC, DarkGate, GuLoader, SmartLoader, Resident Backdoor, DoubleLoader, DOILoader/Hijack Loader, Latrodectus, CastleLoader, Amadey, Matanbuchus, HeartCrypt, and GoLoader. Campaign themes included logistics lures, fake Cloudflare/security update prompts, YouTube DMCA-themed lures, piracy/software crack themes, and fake software updates.

Behavior described in the content includes staged execution, reflective or in-memory loading, DLL sideloading, process injection, persistence via scheduled tasks and Registry Run keys, and exfiltration over HTTP POST. In the Hotel-SEP campaign, the final payload was loaded entirely in memory and injected into regsvcs.exe or another .NET Framework process. In ShadowLadder-related activity, Rhadamanthys was delivered through a WiX-built MSI that dropped files into %LocalAppData%\Eyalet, executed VoTransmitt.exe, sideloaded a trojanized sciter32.dll acting as HijackLoader, and extracted encrypted content from mfc110u.dll and Crock.elf before deploying the stealer.

Targeting in the provided material spans broad criminal victimology as well as corporate, media, entertainment, and Israeli targets. The malware has been seen in campaigns against users via phishing and malvertising, and in broader criminal ecosystems involving credential theft and follow-on fraud or intrusion activity.

Notable indicators and infrastructure explicitly mentioned in the content include: Hotel-SEP stage hashes 31030324a813c318daf7b73cbbb2797942249198baf0f08cd5f96ccd8f551e07, 55c48e39f46c9f800c1ee10d865d0877997e5d9959ce97c94c43257dc7d0efe1, 4deae7dfac227aa2d5c350bcb2cc45a920cf5ed3270c3ee83c1818f6761476ef, injector hash 6fbca49b2af016d5a6df14164fbcc4830b8acf8b5f85f0c1a8da47b21d54191d, and Rhadamanthys DLL hash c5f36ddfffe081a138fcf592b17238c28f977e531749d2d31d23c066e73f7b81; Blogspot infrastructure potalgonabunbunsed.blogspot.com and hotelsep.blogspot.com redirecting to Wix usrfiles.com; ShadowLadder-related domains including kms-download[.]freefugga[.]com, shim4[.]familygater[.]com, shim1[.]jovimix[.]com, rhada[.]babynamebanner[.]com, invitation-confirm[.]com, maut-swiss[.]com, and auric-cdn[.]pro; and infrastructure references such as 178.22.24.47 and 178.22.24.253 hosting Rhadamanthys, plus 45.154.98.0/24 containing Rhadamanthys-tagged infrastructure.

On 13 November 2025, international law enforcement disrupted Rhadamanthys infrastructure and affiliate infrastructure as part of Operation Endgame, also affecting related services such as Elysium Proxy Bot. The content states that 1,025 servers tied to the malware were seized. Despite that disruption, the malware was heavily active through 2025 and featured in numerous contemporary campaigns and loader ecosystems.

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial

EXPLOITED CVES

Vulnerabilities exploited

1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.

1 CVES

CVE-2025-55182React2Shell

Threat Details and IOCs Malware: ... Rhadamanthys ...

via f5 communitycommunity.f5.com

THREAT ACTORS

Groups observed using it

11 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

View more details

Handala

It also recently added a commercial infostealer - Rhadamanthys - sold on cybercrime forums to its arsenal, according to Check Point.

via register securitytheregister.com

TA2541

Rhadamanthys is a prominent malware observed since 2022, used by multiple cybercriminal threat actors. It is a modular information stealer with multiple pricing plans, and the creators sell it alongside Elysium Proxy Bot and a Crypt Service.