RadThief
RadThief is an infostealer malware family reported in multiple intrusion and malware-distribution campaigns.

Handala, also tracked as Void Manticore and Storm-842, is reported to deploy RadThief stealer malware during its attacks; one source records it as 'Radthief (aka: Rhadamanthys)'. Handala is described as a pro-Palestinian, pro-Iran-aligned actor associated with destructive hack-and-leak operations, primarily targeting Israeli-linked organizations and also claiming activity against organizations in Israel, Jordan, Saudi Arabia, and a Western medical technology company. Handala commonly gains initial access through social engineering and phishing, including impersonation of legitimate organizations.

Separately, Google Threat Intelligence Group reporting says the financially motivated group UNC5142 distributes RadThief alongside Vidar and Lummac.V2 via compromised WordPress sites. In those campaigns, UNC5142 injects JavaScript downloaders called ClearShort into vulnerable WordPress sites, uses BNB Smart Chain smart contracts as a control layer (the EtherHiding technique), hosts malicious pages on Cloudflare pages.dev, and uses fake Cloudflare verification and Chrome update prompts as lures. By mid-2025, about 14,000 websites reportedly showed traces of UNC5142's injected scripts.

High-confidence behavioral detail in the cited sources is limited to RadThief being an infostealer used in phishing, social-engineering, and web-based lure delivery chains; no standalone technical indicators or RadThief-specific capabilities beyond credential and data theft are provided.
Groups observed using it
1 distinct threat actor attributed by public researchers.
Handala is known to deploy the Hatef wiper malware as well as the Radthief (aka: Rhadamanthys) stealer malware during its attacks.
Techniques & procedures
2 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access (1 technique)
Recent activity
4 sources tracked across advisories, community write-ups, and news.
A stealer malware used by Handala during attacks to steal data and support hack-and-leak operations.
Infostealer malware used by UNC5142, delivered through blockchain-based infrastructure to steal credentials and sensitive information.
Infostealer malware used by UNC5142, delivered through blockchain-based infrastructure to steal credentials and sensitive information.
Information stealer malware used to exfiltrate credentials and sensitive data, often as part of Sandworm's hybrid operations.