Rhadamanthys first emerged in August 2022. It is a sophisticated, multi-layered information stealer with origins possibly linked to the Hidden Bee coin miner. Its development is fast and ongoing, which, combined with its modular design, allows cybercriminals to add new functions for stealing data and espionage. Rhadamanthys is still sold on dark web markets through the malware-as-a-service (MaaS) model.
As a stealer, Rhadamanthys is designed to be unnoticeable for a long enough time to steal valuable data. Because of its stealth, you may identify next to no symptoms until it’s too late and your cryptocurrency wallet or bank account has been charged. However you can look out for the following:
Unauthorized access to email accounts, bank accounts, or FTP servers.
Suspicious activity in various apps that might store passwords and other sensitive data, like notes, or messengers.
Sources of infection
Common methods to spread the Rhadamanthys stealer include:
Phishing, or sending messages via email and social media that contain malicious files or attachments.
Malicious downloads like software updates, illegal cracks, and apps from malicious websites that impersonate authentic software platforms like AnyDesk, Zoom, or Notepad++. The user gets the actual app they wanted, but Rhadamanthys downloads alongside it, minimizing the chances that the user will notice something is wrong.
Spoofed websites, or copycat websites, that look like the real deal, designed to steal the credentials the user enters.
Malvertising, which is embedding malicious code in online advertisements.
Like with most malware, use proactive security measures and common sense to prevent Rhadamanthys from infecting your device:
Avoid opening attachments or links in irrelevant or suspicious emails, especially from unknown senders.
Use direct download links and official websites for software downloads.
Avoid third-party activation tools and illegal software cracks.
Install and regularly update reputable antivirus or anti-spyware software.
Enable two-factor authentication (2FA) on all your online services to reduce the risk of hackers using accounts, even if they have your login credentials.
Use NordVPN’s Threat Protection to block malicious downloads before they can land on your device.
Rhadamanthys malware removal
Due to the complex and evolving nature of this malware, specific removal steps can vary. If you suspect that your device has been infected with Rhadamanthys, the first course of action is to immediately disconnect it from the internet. Then, make sure to check your banking and cryptocurrency accounts and change all your passwords.
To remove the malware, update your antivirus software and run a deep scan. You may need to completely wipe and reset your system to remove it, so make sure your most valuable files are all safely backed up.