Rhadamanthys

Description

Rhadamanthys is a commodity infostealer that harvests a wide range of data from compromised machines, including cryptocurrency wallets, email and FTP clients, VPN clients, messaging apps, and various other installed software. It is sold under a Malware-as-a-Service (MaaS) model: threat actors rent Rhadamanthys for a fee from "kingcrete2022," the persona that promotes it on underground forums. This gives cybercriminals with little or no coding ability a ready-made stealer without the time and money a custom development effort would require.

Rhadamanthys is under continuous development. Version 0.7.0 was released in June 2024 and added AI-assisted image recognition to extract cryptocurrency seed phrases from screenshots and stored images; version 0.8.0 was in development at that time.

It was first observed being advertised on dark web forums in September 2022. According to the developer, the infostealer is designed not to run on systems located in the Commonwealth of Independent States (CIS).

As of 2026, Rhadamanthys remains active. No major new versions have been observed since 2025, but activity has continued through expanded distribution methods despite ongoing infrastructure disruptions linked to Europol's Operation Endgame. The threat continues to evolve primarily in its delivery techniques rather than in its core stealer functionality.

Targeted Industries

  • Dependent on Affiliate

Objectives

Data theft

Known Infection Vectors

  • Fake or trojanized software installers
  • dotRunpeX loader
  • Phishing (fake) emails

References

End of the game for cybercrime infrastructure: 1025 servers taken down

https://www.europol.europa.eu/media-press/newsroom/news/end-of-game-for-cybercrime-infrastructure-1025-servers-taken-down

Active CVEs