
Rhadamanthys Stealer

A threatening piece of software known as Rhadamanthys is taking advantage of Google advertisements to trick victims into unknowingly infecting their computers. The Rhadamanthys Stealer is capable of collecting sensitive information, including passwords, email addresses and cryptocurrency wallet credentials. Information stealers have become increasingly popular among cybercriminals because they can be reused across several different attack operations. Rhadamanthys is offered for sale to other cybercriminals or hacker groups through a MaaS (Malware-as-a-Service) scheme.

The Threatening Capabilities of the Rhadamanthys Stealer

Once Rhadamanthys is executed on the victim's device, it will start its operation by gathering numerous system details - device name, model, operating system, OS architecture, hardware details, installed software, IP addresses and user credentials. The threat also is capable of executing specific PowerShell commands. The attackers also could utilize Rhadamanthys to obtain targeted document files containing potentially sensitive information. The Rhadamanthys Stealer also is capable of extracting passwords for cryptocurrency wallets. If wallet credentials are successfully compromised, the threat actors could siphon out any funds found in them to their own crypto-wallets. In short, the consequences of a Rhadamanthys Stealer infection could be devastating, ranging from serious privacy issues to financial losses and even identity theft.

The Rhadamanthys Stealer Exploits Google Advertisements for Legitimate Products

The threat has been confirmed to be spread via threatening websites that mimic the official pages of popular software applications - AnyDesk, Zoom, OBS, Notepad++, and others. The unsafe pages are further promoted via advertisements for the associated product that may appear even higher in the Google results than the advertisements and links of the legitimate applications.

Cybersecurity researchers managed to observe several advertisements for the Rhadamanthys Stealer-related websites on top of the delivered Google results before the result for the popular streaming service OBS (Open Broadcasting Service) appeared. It is speculated that the cybercriminals may have purchased the advertising spots. To keep the ruse up for as long as possible, corrupted websites deliver the advertised product alongside the Rhadamanthys threat.

It is strongly recommended that users carefully check the URL of the sites they open to avoid unsafe or harmful copycats. It is essential to remember that cybercriminals often use names that are extremely similar to the official ones, the only difference being a slight spelling mistake. This particular technique is known as typosquatting. It also may be useful to point out that the prevalence of the corrupted advertisements spreading Rhadamanthys varies based on the victim's geolocation.
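The URL check described above can be automated on the defender's side. The following is an added example written for this write-up, not code from the article or from any vendor: it classifies a download URL as the official domain of one of the impersonated brands the article names (AnyDesk, Zoom, OBS, Notepad++), as a likely typosquat (a registrable domain within a few edits of the official name, or a brand token embedded in an unrelated hostname), or as unrelated. The official domains are assumptions to verify before use, and every candidate URL is constructed for illustration.

```python
"""Flag download URLs whose domain looks like a typosquat of a known software brand.

Added example for this write-up; not code from the article or from any vendor.
The official domains below are assumed (verify before relying on them) and the
sample URLs in main() are constructed, not observed indicators.
"""
import re
from urllib.parse import urlsplit

# Assumed official registrable domains for the brands the article says are impersonated.
OFFICIAL_DOMAINS = {
    "AnyDesk": "anydesk.com",
    "Zoom": "zoom.us",
    "OBS": "obsproject.com",
    "Notepad++": "notepad-plus-plus.org",
}

# Hostname tokens a lure domain for each brand typically carries (chosen for this example).
BRAND_TOKENS = {
    "AnyDesk": {"anydesk"},
    "Zoom": {"zoom"},
    "OBS": {"obs", "obsproject"},
    "Notepad++": {"notepad"},
}


def levenshtein(a: str, b: str) -> int:
    """Edit distance with insert, delete and substitute each costing 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def hostname_of(url: str) -> str:
    """Lower-cased host of a URL; a scheme is prepended if the input lacks one."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Deliberately naive: multi-part public suffixes
    such as co.uk are not handled; a real deployment would use a public-suffix list."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def classify(url: str) -> tuple:
    """Return (verdict, brand, reason); verdict is 'official', 'suspicious' or 'unrelated'."""
    host = hostname_of(url)
    domain = registrable_domain(host)
    sld = domain.split(".")[0]

    for brand, official in OFFICIAL_DOMAINS.items():
        if domain == official:
            return ("official", brand, "")

    for brand, official in OFFICIAL_DOMAINS.items():
        official_sld = official.split(".")[0]
        # Short names get a tighter threshold: one edit already turns 'zoom' into 'zoon'.
        max_edits = 1 if len(official_sld) <= 5 else 2
        dist = levenshtein(sld, official_sld)
        if dist <= max_edits:
            return ("suspicious", brand, f"'{sld}' is {dist} edit(s) from {official}")

    # Brand token inside a hostname whose registrable domain is not the official one,
    # e.g. anydesk.com.download-site.example or obs-studio-download.example.
    tokens = set(re.split(r"[.\-]", host))
    for brand, wanted in BRAND_TOKENS.items():
        if tokens & wanted:
            return ("suspicious", brand, f"brand token in unrelated domain {domain}")

    return ("unrelated", None, "")


if __name__ == "__main__":
    # Constructed sample URLs; none is a known indicator.
    for u in ["https://anydesk.com/en/downloads",
              "http://anydeks.com/download",
              "https://obs-studio-download.example",
              "https://anydesk.com.download-site.example/setup.exe",
              "https://notepad-plus-plus.org/downloads/",
              "https://example.org/"]:
        print(u, "->", classify(u))
```

The edit-distance check catches the "slight spelling mistake" case the article describes, while the token check catches lures that keep the brand spelled correctly but move it into a subdomain or hyphenated label. Short brand names such as "zoom" will still collide with ordinary words one edit away, so in practice this scoring belongs next to an allowlist of official domains rather than on its own.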

