The Rhadamanthys stealer is a multi-layer malware, sold on the black market, and frequently updated. Recently the author released a new major version, 0.5.0.
In the new version, the malware expands its stealing capabilities and also introduces some general-purpose spying functions.
A new plugin system makes the malware expandable for specific distributor needs.
The custom executable formats, used for modules, are unchanged since our last publication (XS1 and XS2 formats are still in distribution).
Check Point Research (CPR) provides a comprehensive review of the agent modules, presenting their capabilities and implementation, with a focus on how the stealer components are loaded and how they work.
