Rhadamanthys operators rebrand as RHAD security with tiered MaaS pricing
Threat Actor Meta
Summary
Rhadamanthys operators have rebranded their malware service as RHAD security and Mythical Origin Labs, signaling a shift toward a more durable underground business. The move matters because the service is now packaged with tiered pricing and support, which can widen buyer reach and strengthen the malware-as-a-service ecosystem. The branding and sales model suggest the operators are positioning the stealer as a long-term commercial operation rather than a short-lived tool.
Related Happenings
TeamPCP and Vect partner to turn supply-chain compromises into ransomware follow-on campaigns
Threat Actor Meta
First: 31.03.2026 15:15
Last: 31.03.2026 15:15
Sources 1
About this happening:
TeamPCP and **Vect ransomware group** are linking **supply-chain compromises** to **follow-on ransomware campaigns**, broadening extortion risk for affected organizations. The shi...
Sicarii launches as ransomware-as-a-service on underground forums
Threat Actor Meta
First: 28.01.2026 00:15
Last: 28.01.2026 00:15
Sources 1
About this happening:
**Sicarii** has emerged as a **ransomware-as-a-service** offering advertised on **underground cybercrime forums**, signaling a criminal service launch that can broaden access to t...
Rhadamanthys version 0.9.2 stealer update
Malware Activity
First: 03.10.2025 18:58
Last: 03.10.2025 18:58
Sources 1
How related:
The stealer module, for its part, is equipped with a built-in Lua runner that serves additional plugins written in the programming language to facilitate data theft and conduct extensive device and browser fingerprinting.
About this happening:
The **Rhadamanthys** information stealer has evolved in **version 0.9.2** with **device and web browser fingerprinting**, **steganographic payload delivery** in **WAV/JPEG/PNG** f...
ZipLine Contact Us form phishing campaign
Campaign
First: 27.08.2025 23:35
Last: 27.08.2025 23:35
Sources 1
About this happening:
The **ZipLine** phishing campaign is actively targeting **dozens of organizations** by abusing **company Contact Us forms** to make victims start the conversation, which helps the...
ZipLine campaign expands across multiple victims
Campaign
First: 26.08.2025 16:30
Last: 26.08.2025 16:30
Sources 1
About this happening:
The **ZipLine** campaign is targeting **supply chain-critical manufacturing companies** through **public Contact Us forms**, using weeks-long social engineering before sending **w...
Timeline
- 03.10.2025 18:58 · 2 articles · 7mo ago
  Rhadamanthys operators rebrand and expand MaaS offering
  Initial Disclosure: Check Point disclosed that the operators behind Rhadamanthys rebranded their service as RHAD security and Mythical Origin Labs, marketed Elysium Proxy Bot and Crypt Service alongside the stealer, and priced Rhadamanthys v0.9.2 as a tiered malware-as-a-service offering with a $299 self-hosted plan, a $499 plan with priority technical support, server and advanced API access, and an Enterprise option by direct contact; the same update added device and web browser fingerprinting, steganographic PNG/WAV/JPEG payload delivery, and stronger sandbox-evasion checks.
Sources:
- Rhadamanthys Stealer Evolves: Adds Device Fingerprinting, PNG Steganography Payloads — thehackernews.com — 03.10.2025 18:58
- Rhadamanthys Stealer Evolves: Adds Device Fingerprinting, PNG Steganography Payloads — thehackernews.com — 03.10.2025 18:58