The Rhadamanthys information stealer malware [1] [2] [3] [4] [5], developed by “King Crete,” has gained attention in the black market since September 2022. It is known for its rich features [3], polished design [3], and potential connection to other authored malware.


The latest major versions of Rhadamanthys have added improvements and enhancements, expanding its stealing capabilities and spying functions [2]. These updates include new stealing capabilities and enhanced evasion techniques [2]. Rhadamanthys is a C++ information stealer that targets email [2], FTP [2], and online banking service account credentials [2]. Researchers at Check Point have analyzed the latest versions of Rhadamanthys and found numerous changes and features that make the tool more formidable and appealing to cybercriminals. The malware’s modular approach allows cybercriminals to selectively load plugins tailored to specific distribution needs, adapting to different targets and evading security measures [4]. The continuous and active development of Rhadamanthys highlights its evolving capabilities and attractiveness to threat actors seeking a sophisticated and adaptable tool for their malicious campaigns [4]. As the malware continues to add features [4], including those that enhance its evasion techniques and target a broader range of applications [4], it poses an ongoing threat to cybersecurity [4], requiring vigilant measures and updated defenses to counter its potential impact [4].

Rhadamanthys is being actively developed, with new features being added to enhance its information-gathering capabilities [1] [5]. The malware now includes a plugin system [1], making it more customizable and allowing it to meet specific distributor needs [1]. It has been sold as a malware-as-a-service since September 2022 and is typically distributed through malicious websites [1]. It can harvest sensitive information from compromised hosts [1] [5], including web browsers [1] [5], crypto wallets [1] [5], email clients [1] [5], VPNs [1] [5], and instant messaging apps [1] [5]. The current working version of Rhadamanthys is 0.5.2 [1], and recent versions have introduced a plugin system that enables the deployment of additional tools tailored to specific targets [1]. The malware includes both active and passive components [1], with the ability to open processes [1], inject payloads [1], and search for and retrieve saved credentials [1]. It also utilizes a Lua script runner to extract information from various sources [1]. Version 0.5.1 of Rhadamanthys includes clipper functionality to alter clipboard data and divert cryptocurrency payments to an attacker-controlled wallet [1]. The malware also has the ability to recover Google Account cookies [1]. The author of Rhadamanthys continues to add new features [1], such as a keylogger and system information collection [1], making it a multipurpose bot and potentially a general-purpose spyware [1].


The continuous development of Rhadamanthys and its expanding capabilities pose an ongoing threat to cybersecurity. Its ability to adapt to different targets and evade security measures makes it an attractive tool for cybercriminals. As it adds features that enhance its evasion techniques and target a broader range of applications [4], the impact of Rhadamanthys is likely to increase. Vigilant measures and updated defenses are necessary to counter this evolving threat.