What happened

Proofpoint identified TA547 targeting German organizations with an email campaign delivering Rhadamanthys malware. This is the first time researchers observed TA547 use Rhadamanthys,...
The Rhadamanthys stealer is a multi-layer malware, sold on the black market, and frequently updated. Recently the author released a new major version, 0.5.0.
In the new version, the malware expands its stealing capabilities and also introduces some general-purpose spying functions.
A new plugin system makes the malware expandable for specific distributor needs.
The custom executable formats used for modules are unchanged since our last publication (the XS1 and XS2 formats are still in distribution).
Check Point Research (CPR) provides a comprehensive review of the agent modules, presenting their capabilities and implementation, with a focus on how the stealer components are loaded and how they work.