
Rhadamanthys 0.9.2: A Stealer That Keeps Evolving

- Rhadamanthys 0.9.2 released: New version of the popular information stealer introduces changes that break existing tools and add fresh evasion techniques.
- Professionalization continues: Operators have rebranded as RHAD Security / Mythical Origin Labs and launched a polished website with multiple products on offer.
- Key technical shifts: New PNG-based payload delivery, updated encryption, smarter sandbox checks, configurable process injections, and added targeting of Ledger Live crypto wallets.
- Why it matters: Older detection methods may miss this variant, making it a persistent and growing threat to enterprises and individuals.
- Defender impact: CPR provides updated signatures, research insights, and open-source tools so defenders everywhere can analyze and block Rhadamanthys 0.9.x effectively.
Introduction
The newly released Rhadamanthys 0.9.2 stealer has just landed, and it comes with updates that deliberately break existing tools and introduce new tricks to avoid detection. Defenders who rely on older methods may now find it harder to gain visibility and understand what the malware is doing. For cyber teams, the changes mean more stealth, broader reach, and new ways Rhadamanthys can impact real-world victims.
Check Point Research has been tracking Rhadamanthys since its earliest days. Our latest analysis details the malware’s newest changes, why they matter to defenders, and provides updated tools the community can use to stay ahead. In this blog, we summarize the research, outline practical steps for defenders, and show how Check Point customers are already protected.
Background: What is Rhadamanthys?
Rhadamanthys first appeared in underground forums in late 2022 and quickly became one of the most widely used stealers. It is sold as a subscription service, with monthly pricing tiers ranging from $299 to enterprise packages, making it accessible to a wide range of threat actors.
The malware is capable of stealing credentials, browser data, files, and cryptocurrency wallets. Over time, its operators have built an ecosystem around it, complete with branding (“RHAD Security”), a professional-looking website, and even support channels. In short, Rhadamanthys is not just malware—it’s a full-fledged criminal product.
Improved Branding
Rhadamanthys was initially promoted through underground forums, but its operators soon expanded with Telegram support channels, a Tor site, and direct contact options. To promote the new release, the website was given a complete makeover and now appears polished and professional. The group brands itself as “RHAD Security” and “Mythical Origin Labs”, highlighting its ambition to operate like a legitimate software vendor rather than a shadowy criminal group. The new site not only promotes Rhadamanthys but also teases additional products, reinforcing the impression of a growing product portfolio.
What’s New in Version 0.9.2
The latest release brings a number of important changes:
- Breaking old tools: Updates to Rhadamanthys’ custom file formats and string encryption mean that many existing security and research tools no longer work.
- Smarter evasion: The malware is better at avoiding sandboxes and research environments, checking for signs like fake files or virtualized hardware.
- New delivery method: Instead of hiding its next stage inside audio or image files with steganography, Rhadamanthys now delivers it in a noisy-looking PNG file.
- More flexible injections: The malware can now choose from a configurable list of normal Windows processes to run inside, making its activity harder to pin down.
- Targeting new apps: It has added support for stealing data from the popular Ledger Live cryptocurrency wallet, expanding its focus on digital assets.
- Fingerprinting victims: A new browser module collects detailed information about victims’ systems and browser environments.
These updates don’t reinvent Rhadamanthys, but they show a steady march toward refinement, customization, and staying one step ahead of defenses.
Why It’s Important
Rhadamanthys is no longer a niche tool. It is one of the most popular and persistent info-stealers in circulation today, used in recent campaigns like ClickFix. The operators clearly see it as a long-term venture and are investing in professionalization.
For defenders, this means:
- Threat durability: Rhadamanthys is unlikely to disappear anytime soon.
- Detection gaps: Older tools and detection methods may fail against version 0.9.2.
- Expanded risk: With more plugins and better stealth, the range of victims and industries at risk continues to grow.
What Defenders Can Do
Defenders should:
- Update detection tools to handle the new file formats, obfuscation, and RC4-encrypted strings.
- Watch network traffic for unusual PNG downloads tied to malware delivery.
- Monitor processes for suspicious injections into common Windows binaries.
- Look for indicators like unique mutex patterns and machine IDs generated by the malware.
Check Point Research released open-source tools that help all defenders stay ahead of Rhadamanthys 0.9.x. These tools allow analysts to parse the new formats, decrypt strings, and unpack hidden modules.
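One way to act on the "unusual PNG downloads" advice above is a content heuristic: a PNG that carries a packed next stage rather than a picture tends to have pixel data that is statistically noise. The example below is added here and is not Check Point's tool; it parses the PNG chunk structure, inflates the IDAT data and flags images whose decoded scanlines have near-maximal Shannon entropy. The 7.5 bits/byte threshold and the two constructed sample images are assumptions for illustration.

```python
import math
import random
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def _chunk(ctype: bytes, data: bytes) -> bytes:
    # PNG chunk: 4-byte big-endian length, type, data, CRC32 over type+data
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data) & 0xFFFFFFFF)

def build_png(width: int, height: int, pixels: bytes) -> bytes:
    # Minimal 8-bit RGB writer used only to construct test inputs (filter type 0 per scanline)
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    raw = b"".join(b"\x00" + pixels[y * width * 3:(y + 1) * width * 3] for y in range(height))
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b"")

def png_pixel_data(blob: bytes) -> bytes:
    # Walk the chunk list, verify each CRC, concatenate IDAT payloads and inflate them
    if not blob.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos, idat = len(PNG_SIG), []
    while pos + 8 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        data = blob[pos + 8:pos + 8 + length]
        if zlib.crc32(ctype + data) & 0xFFFFFFFF != struct.unpack(">I", blob[pos + 8 + length:pos + 12 + length])[0]:
            raise ValueError("bad chunk CRC")
        if ctype == b"IDAT":
            idat.append(data)
        if ctype == b"IEND":
            break
        pos += 12 + length
    return zlib.decompress(b"".join(idat))

def shannon_entropy(data: bytes) -> float:
    # Bits per byte; 8.0 is the maximum for uniformly random data
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def looks_like_noise_png(blob: bytes, threshold: float = 7.5) -> bool:
    # Assumed threshold: real photographs rarely reach this on raw (unfiltered) scanlines
    return shannon_entropy(png_pixel_data(blob)) >= threshold

# Constructed samples: a flat single-colour image and a pseudo-random "noise" image
rng = random.Random(1)
FLAT_PNG = build_png(32, 32, bytes([200, 30, 30]) * (32 * 32))
NOISE_PNG = build_png(32, 32, bytes(rng.randrange(256) for _ in range(32 * 32 * 3)))
```

High entropy alone is only a triage signal, so pair it with download context (source domain, process that fetched the file) before treating a hit as delivery of a stage.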
How Check Point Protects You
Check Point protections already detect and block Rhadamanthys across multiple stages:
- Threat Emulation and Threat Extraction stop malicious files before they can run.
- Network protections identify and block Rhadamanthys’ command-and-control communication.
- Endpoint protections prevent process injection attempts and recognize the malware’s behavior.
- Updated signatures have been added to detect the new 0.9.x variants and ensure coverage as the malware evolves.
Conclusion
Rhadamanthys 0.9.2 is another reminder that modern cyber crime operates like a business, complete with marketing, pricing, and constant updates. But with updated protections and tools, the security community can keep pace and blunt the impact of this evolving threat.
Read the full technical breakdown and download the updated tools from Check Point Research: https://research.checkpoint.com/2025/rhadamanthys-0-9-x-walk-through-the-updates/.