Rhadamanthys Stealer: Introduces an AI feature to extract seed phrases from images

Redazione RHC: 26 September 2025 17:16

Rhadamanthys is an advanced information stealer that first emerged in 2022. Featuring a rapid development cycle—with at least ten different releases since its inception—the malware is promoted and marketed on underground forums.

Despite a ban on its use against Russian and/or former Soviet republics, the product is still available on the black market; prices start at $250 for 30 days of access, a price that favors its spread among cybercriminals.

Evasion features and techniques

Rhadamanthys is designed to collect a wide range of data: system information, credentials, cryptocurrency wallets, passwords stored in browsers, cookies, and data from numerous applications. It integrates numerous anti-analysis countermeasures that complicate code observation and hinder its execution in sandbox environments.

Recorded Future’s Insikt Group acquired and analyzed the latest release, 0.7.0, highlighting several new features. The most significant innovation involves the use of artificial intelligence: using optical character recognition (OCR), Rhadamanthys is now able to automatically identify and extract cryptocurrency wallet seed phrases from images. The function is divided into client and server components: the client identifies images that may contain seed phrases and exfiltrates them to the command-and-control server, where the backend performs the full extraction.

Among other additions, version 0.7.0 allows threat actors to execute and install Microsoft Installer (MSI) packages, a vector that can bypass traditional security controls because MSI files are often associated with legitimate installations. Additionally, the developer has made the feature that prevents the malware from re-executing within a configurable timeframe more robust and tamper-proof, updating it with encryption and hashing mechanisms.

Distribution, author and sales channels

The malware is popular among the criminal community; its rapid evolution and emerging features make it a significant threat to organizations. The main developer, known under the pseudonym “kingcrete2022,” has been banned from both XSS and Exploit Forums due to allegations of targeting Russian and/or former USSR republics. Despite the bans, the author continues to advertise new versions through private messaging on TOX, Telegram, and Jabber.

The Insikt Group report outlines mitigation strategies organizations should adopt. It also provides detections for Rhadamanthys, and as a preventative measure, it describes a “killswitch” based on setting known mutexes on uninfected systems to block its execution and protect at-risk machines.
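The mutex-based killswitch works because many stealers, Rhadamanthys included according to the report, open a named mutex at start-up as a single-instance guard and exit if it already exists; a defender who holds that mutex first denies the malware its own guard. The following PowerShell is an added illustration of that mechanism and is not taken from the Insikt Group report or from Red Hot Cyber. The mutex name is a placeholder: this article does not reproduce the actual Rhadamanthys mutex names, which must be taken from the vendor report or from your own sandbox analysis.

```powershell
# Added example: pre-create a named mutex so that a stealer using the same
# name as its single-instance guard finds it already held and exits.
# PLACEHOLDER name only; the real mutex names are not in this article.
# Run elevated: creating objects in the Global\ namespace normally requires
# administrative rights.
$MutexName = 'Global\PLACEHOLDER_RHADAMANTHYS_MUTEX'   # constructed placeholder, not an IoC

function Test-KillswitchMutex {
    # Returns $true if a mutex with this name already exists on the system.
    # Useful both to confirm the killswitch is active and, on a machine where
    # you did NOT deploy it, as a hint that some other process holds the name.
    param([string]$Name)
    try {
        $m = [System.Threading.Mutex]::OpenExisting($Name)
        $m.Dispose()
        return $true
    } catch [System.Threading.WaitHandleCannotBeOpenedException] {
        return $false
    }
}

function Start-KillswitchMutex {
    # Creates the mutex and holds it for the lifetime of this process.
    # A named mutex vanishes when its last handle is closed, so this must run
    # persistently (scheduled task at logon, or a service), not as a one-shot.
    param([string]$Name)
    $createdNew = $false
    $mutex = New-Object System.Threading.Mutex($true, $Name, [ref]$createdNew)
    if (-not $createdNew) {
        Write-Warning "Mutex '$Name' already exists; another process holds it. Identify that process before proceeding."
        $mutex.Dispose()
        return
    }
    Write-Host "Holding mutex '$Name'. Stop the task or press Ctrl+C to release it."
    try {
        while ($true) { Start-Sleep -Seconds 60 }
    } finally {
        $mutex.ReleaseMutex()
        $mutex.Dispose()
    }
}

if (Test-KillswitchMutex -Name $MutexName) {
    Write-Host "Killswitch mutex '$MutexName' is already present."
} else {
    Start-KillswitchMutex -Name $MutexName
}
```

Two caveats a practitioner should keep in mind: the killswitch only holds for as long as the malware keeps using the published mutex name, so it is a stopgap alongside the report's detections rather than a replacement for them; and on hosts where the killswitch was never deployed, `Test-KillswitchMutex` returning `$true` is itself worth investigating, since it means some process already holds a name associated with the stealer.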

Operational risks

Infostealers pose a significant threat to corporate security: the widespread practice of password reuse facilitates escalation from personal to professional settings. Credentials stolen from private accounts—for example, from a social network—can allow unauthorized access to work accounts, especially when professional email addresses are easily found on networking platforms. Furthermore, the mixed use of devices for personal and professional activities increases the risk of infection: opening malicious links or browsing compromised sites by employees or family members can expose corporate credentials.

For these reasons, the report emphasizes the importance of strong password policies, ongoing staff training on safe browsing practices, and rigorous access controls to reduce the impact of infostealers.

This article is based on information, in whole or in part, from the intelligence platform of Recorded Future, a strategic partner of Red Hot Cyber and a global leader in cyber threat intelligence. The platform provides advanced analytics to detect and counter malicious activity in cyberspace.

Redazione
The editorial team of Red Hot Cyber consists of a group of individuals and anonymous sources who actively collaborate to provide early information and news on cybersecurity and computing in general.
