Introduction
First detected in December 2022, Rhadamanthys malware is a sophisticated C++ information stealer, primarily delivered via malicious Google Ads. This threat targets credentials stored in web browsers, VPNs, chat clients, and cryptocurrency wallets. While public awareness of Rhadamanthys grew in late 2022, its activity dates back to at least August that year.
This deep dive dissects the Rhadamanthys loader and main module, including:
- The use of a Quake III-based virtual machine for obfuscation.
- A custom embedded file system.
- A significant flaw in its encryption protocol.
If you’re interested in similar malware behavior, check out our coverage of CoffeeLoader malware or this guide on how to manually remove malware.
Key Takeaways
- Two main components: Rhadamanthys is divided into a loader and a main module. The loader initializes and decrypts payloads, while the main module handles data exfiltration.
- Anti-analysis techniques: It uses open-source tools like al-khaser to evade analysis.
- Credential theft capabilities: Targets applications such as KeePass, various VPN clients, and cryptocurrency wallets.
- Virtual Machine (VM) obfuscation: One loader variant uses Quake III VM to hide execution logic.
- Custom format reuse: Borrows a modified form of the Hidden Bee malware format as described by Malwarebytes.
- Embedded VFS: Includes internal modules to support memory injection and code execution.
- Decryptable communication: A flaw in key generation allows traffic decryption under certain conditions.
Technical Analysis
Loader Breakdown
The Rhadamanthys loader comprises three sequential stages:
- Initialization Phase
- Decompression Phase
- Loader Phase
Initialization Phase
In this stage, the loader:
- Decodes an embedded block and hands off execution.
- Extracts:
- An encrypted configuration block.
- A compressed blob containing injection and loader modules.
Notably, one loader variant uses a Quake III VM (Q3VM) for obfuscation. Blocks of VM-protected code are called by passing an integer to the interpreter. The following table illustrates what each code block does:
Table 1 – Rhadamanthys Virtualized Functions
| Parameter | Code Description |
|---|---|
| 0 | Base32 decoding with a custom charset (A-Z4-9=) |
| 1 | API resolution using ROR-13 hashing (GetProcAddress, VirtualProtect) |
| 2 | Calls VirtualProtect to prep shellcode |
| 3 | Scans process memory for strings like avast.exe, snxhk |
Additionally, one sample revealed a de-virtualized version of block 3, exposing its debug path:
d:\debugInfo\rhadamanthys\debug\sandbox.pdbCode language: CSS (css)Note: Threat actors altered the bytecode magic bytes to hide VM usage. Some samples use XTEA encryption to add another obfuscation layer.
Decompression Phase
This shellcode dynamically loads Windows API functions and decompresses the loader using the LZSS algorithm.
Loader Phase
Here, the loader:
- Decrypts its configuration using RC4.
- Downloads the main module using a URL stored in the configuration.
Configuration Structure (C++):
struct config {
unsigned int Magic;
unsigned int Flag; // Introduced in version 0.4.1
unsigned char Key_Salt[0x10]; // AES decryption salt
unsigned char C2[]; // C2 URL path for module download and exfiltration
};Code language: JavaScript (javascript)It also relies on a custom header structure for relocation handling:
struct Loader_Header {
unsigned __int16 Magic; // 0x5253
unsigned __int16 Characteristics;
unsigned __int16 Sections_Number;
unsigned __int16 Sizeof_Header;
unsigned int Entry_Point_Offset;
unsigned int Stager_Size;
unsigned int Imports_Offset;
unsigned int Imports_Size;
unsigned int Unknown1;
unsigned int Unknown2;
unsigned int Relocation_Table_Offset;
unsigned int Relocation_Table_Size;
section Stager_Sections[5];
};
struct section {
unsigned int Disk_Section_Offset;
unsigned int Rva_Section_Offset;
unsigned int Section_Size;
};
Code language: JavaScript (javascript)Embedded File System
When deployed on 64-bit systems, Rhadamanthys decompresses a virtual file system (VFS) using LZMA. This includes modules to aid the main module’s execution.
struct loader_embedded_vfs {
unsigned char hardcoded_value; // 0xB
unsigned char num_of_modules;
unsigned __int16 base_Address;
module_info modules[num_of_modules];
};
struct module_info {
unsigned int module_hash; // MurmurHash
unsigned char module_size_offset; // Shifted left by 0xC
};Code language: JavaScript (javascript)Table 2 – Embedded Modules
| Module Name | Description |
|---|---|
prepare.bin | Applies relocations, loads APIs |
dfdll.dll | Loader for executing downloaded payload |
unhook.bin | Detects API hooks in NTDLL |
phexec.bin | Injects using SYSENTER for stealth |
Note: 32-bit hosts skip VFS. Instead, the loader XORs the first byte of the main module with
0x21to decrypt its header.
Continuing the article on Rhadamanthys malware:
Main Module
The main module contains its own set of embedded components that support credential theft, execution flow, and inter-process communication.
Table 3 – Main Module Embedded Components
| Module Name | Description |
|---|---|
KeePassHax | C# module that targets and exfiltrates credentials from KeePass. |
Stubmod | Enables communication between modules and Coredll via a named PIPE. |
Stub | Loads and executes the main payload from disk. |
Coredll | Core orchestrator for Rhadamanthys. |
Preload | Executes Coredll. |
Runtime | C# component capable of running PowerShell scripts. |
Stubexec | Injects into regsvr32 to execute malicious payloads. |
/etc/license.key | Unknown usage; may relate to licensing. |
/etc/puk.key | Contains a NIST P-256 elliptic curve public key. |
/extension/%08x.lua | LUA scripts used for credential extraction. |
Instead of relying on hardcoded offsets, the malware uses the MPQ hashing algorithm to locate and extract these components dynamically. It hashes the component name and scans memory for matching hashes.
Network Communication
Both the loader and main module use encrypted channels for command-and-control (C2) communication. Here’s how the process works:
- A public/private ECC key pair (NIST P-256) is generated at runtime.
- The public key is:
- Appended to the
CookieandCSRF-TOKENheaders (loader). - Sent after a WebSocket upgrade (main module).
- Appended to the
- The loader impersonates a Microsoft domain using:
Host: catalog.s.download.windowsupdate.com
Once the loader requests the main module, the server returns a JPEG image containing the encrypted payload.
JPEG Payload Structure:
struct Downloaded_Payload {
unsigned char JFIF_Header[0x14];
unsigned int Encrypted_Payload_Size;
unsigned char Expected_SHA1[0x14]; // For payload verification
unsigned char Key_Salt[0x20]; // RC4 key derivation salt
unsigned char public_key[0x40];
unsigned __int16 Marker; // 0xFFDB
};
Code language: JavaScript (javascript)This payload includes two layers of encryption:
- RC4 Layer: Decryption key derived from the ECC shared secret + salt.
- Hidden Bee Layer:
struct payload_layer_1 {
unsigned int magic; // "!Rex"
unsigned int module_size;
unsigned int module_data_offset;
unsigned char module_loader_shellcode[];
unsigned char module[module_size];
};
Code language: JavaScript (javascript)The shellcode decrypts the final payload using AES with the ECC key and configuration salt, then decompresses it via LZSS.
Note: The decrypted output starts with the string
!HADES.
ECC Key Flaw
Despite using strong cryptography, Rhadamanthys suffers from a fatal flaw:
- It calls
time()to get the current epoch time. - Seeds
srand()with this value. - Calls
rand()to generate the ECC secret.
Because of this, key pairs can be brute-forced if the public key and approximate time of infection are captured.
Zscaler Sandbox Detection
Image alt attribute: Rhadamanthys malware sandbox detection visualization
Zscaler detects Rhadamanthys via its cloud-based multilayered defenses and sandbox analysis.
Detected threat signature:
Indicators of Compromise (IOCs)
Host-Based IOCs
| SHA256 Hash | Description |
|---|---|
3300206b9867c6d9515ad09191e7bf793ad1b42d688b2dbd73ce8d900477392e | Loader sample |
aebb1578371dbf62e37c8202d0a3b1e0ecbce8dd8ca3065ab26946e8449d60ae | Loader sample |
9917b5f66784e134129291999ae0d33dcd80930a0a70a4fbada1a3b70a53ba91 | Loader sample |
Network-Based IOCs
| IOC | Description |
|---|---|
hxxp://45[.]66.151.81/blob/xxx.png | C2 server |
hxxp://141[.]98.82.254/blob/is4mlw.suqp | C2 server |
hxxp://85[.]208.136.26/blob/vpuu9i.7b4x | C2 server |
Conclusion
Rhadamanthys malware represents an advanced threat in the infostealer space, combining VM obfuscation, a custom virtual file system, and multi-layered encryption. Its cryptographic missteps, however, expose opportunities for defenders to decrypt traffic and detect infections early.
To understand how Rhadamanthys compares to other malware loaders and stealers, see our posts on:
