Rhadamanthys version 0.9.2 stealer update
Malware Activity
Summary
The Rhadamanthys information stealer has evolved in version 0.9.2 with device and web browser fingerprinting, steganographic payload delivery in WAV/JPEG/PNG files, and stronger sandbox-evasion checks. The changes expand the malware's collection reach and make early detection more difficult. The stealer also remains part of a malware-as-a-service (MaaS) ecosystem, underscoring its continued operational maturity.
Related Happenings
LummaStealer infection surge via CastleLoader
Malware Activity
First: 11.02.2026 19:02
Last: 11.02.2026 19:02
Sources 1
About this happening:
The **LummaStealer** infostealer operation now includes a **widespread ClickFix campaign** observed in **February 2026** that abuses **Windows Terminal (wt.exe)** instead of the R...
Latest development: 06.03.2026 08:44
Microsoft disclosed a widespread ClickFix social-engineering campaign that uses Windows Terminal (wt.exe) instead of the Windows Run dialog to trick users into launching malicious commands, then chains through Terminal, PowerShell, cmd.exe, and MSBuild.exe to download payloads, set persistence via scheduled tasks, configure Microsoft Defender exclusions, and inject Lumma Stealer into chrome.exe and msedge.exe with QueueUserAPC().
Rhadamanthys operators rebrand as RHAD security with tiered MaaS pricing
Threat Actor Meta
First: 03.10.2025 18:58
Last: 03.10.2025 18:58
Sources 1
How related:
The latest findings from Check Point show that the threat actors rebranded themselves as "RHAD security" and "Mythical Origin Labs," marketing their offerings as "intelligent solutions for innovation and efficiency."
About this happening:
**Rhadamanthys** operators have rebranded their malware service as **RHAD security** and **Mythical Origin Labs**, signaling a shift toward a more durable underground business. Th...
Timeline
03.10.2025 18:58 2 articles · 7mo ago
Rhadamanthys version 0.9.2 expands fingerprinting and anti-analysis
Technical Analysis Update
Rhadamanthys operators rebranded their ecosystem as "RHAD security" and "Mythical Origin Labs" while marketing the stealer alongside Elysium Proxy Bot and Crypt Service. The malware itself advanced to version 0.9.2 with device and web browser fingerprinting, steganographic delivery in WAV, JPEG, or PNG files, and stronger sandbox-evasion checks that inspect processes, wallpaper, usernames, and HWID values before contacting a C2 server.
Sources
- Rhadamanthys Stealer Evolves: Adds Device Fingerprinting, PNG Steganography Payloads — thehackernews.com — 03.10.2025 18:58