
New AI boosts Rhadamanthys malware capabilities


The threat actors behind the Rhadamanthys information stealer have added new advanced features to the malware. This includes the use of artificial intelligence (AI) for optical character recognition (OCR). It is part of what’s called “Seed Phrase Image Recognition.”

This enhancement allows Rhadamanthys to extract cryptocurrency wallet seed phrases from images, which makes it a potent threat to anyone dealing in cryptocurrencies. According to an analysis by Recorded Future’s Insikt Group, Rhadamanthys can recognize seed phrase images on the client side and then send them back to the command-and-control (C2) server for further exploitation.

Rhadamanthys was first discovered in the wild in September 2022. It has emerged as one of the most powerful information stealers available under the malware-as-a-service (MaaS) model. The developer of the malware, known as “kingcrete,” continues to market the new versions on platforms like Telegram, Jabber, and TOX.

This is despite bans from underground forums like Exploit and XSS for targeting entities within Russia and the former Soviet Union. The malware is sold on a subscription basis for $250 per month or $550 for 90 days. Rhadamanthys allows its users to harvest a wide range of sensitive information from compromised hosts.

This includes system information, credentials, cryptocurrency wallets, browser passwords, cookies, and data stored in various applications.

New AI enhances Rhadamanthys features

The malware also employs evasion techniques to complicate analysis efforts within sandboxed environments.

Version 0.7.0 of Rhadamanthys, released in June 2024, significantly improves upon its predecessor 0.6.0, which was launched in February 2024. The latest version includes a complete rewrite of both client-side and server-side frameworks. This enhances the program’s execution stability.


Additionally, it features 30 wallet-cracking algorithms, along with AI-powered graphics and PDF recognition for phrase extraction. The text extraction capability has also been enhanced to identify multiple saved phrases. The malware now includes a feature that allows threat actors to run and install Microsoft Software Installer (MSI) files.

This helps evade detection by security solutions installed on the host. It also has a setting to prevent re-execution within a configurable time frame. A noteworthy aspect of Rhadamanthys is its plugin system.

It can augment its capabilities with keylogger, cryptocurrency clipper, and reverse proxy functionalities. “Rhadamanthys is a popular choice for cybercriminals,” Recorded Future stated. “Coupled with its rapid development and innovative new features, it is a formidable threat all organizations should be aware of.”

Sophia has propelled her company to the pinnacle of the industry. Through her strategic leadership, Sophia continues to redefine the technological landscape, pushing boundaries and shaping the future of the tech world.