Rhadamanthys Stealer Abuses Google Ads to Deliver Payload


Rhadamanthys, a malicious software designed to steal data such as passwords and email addresses, is now being advertised on Google ads. It is also targeting cryptocurrency wallet credentials and is being marketed as malware-as-a-service (MaaS).

Named after the demigod child of Zeus and Europa in Greek mythology, Rhadamanthys has been appearing in Google ads for the free video recording and streaming software OBS (Open Broadcasting Service). This platform is widely used by streamers, making it an attractive target for cybercriminals.

Since November last year, the popularity of Rhadamanthys has been growing rapidly. If a user searches for OBS, they are met with five malicious ads at the top of their Google results before the legitimate results appear below.

Clicking on these links leads to the download of both legitimate software and malware. The criminals use typosquatting, registering URLs that look similar to the official OBS site but contain subtle spelling differences, so that victims are slow to notice anything is wrong.
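From the defender's side, the typosquatting described above is something a security team can screen for before users click: compare the hostname of each ad landing URL against the vendor's real domain, collapsing look-alike characters and tolerating a small edit distance. The following is an added example written for this article, not code from the article's author or from any vendor; it assumes obsproject.com is the official domain the ads imitate (the article does not name it) and uses a constructed sample of URLs rather than real indicators.

```python
"""Flag ad-landing URLs whose hostname impersonates a known legitimate domain."""
from urllib.parse import urlparse

# Assumption: the official site of the impersonated software. The article does not
# name it; substitute the vendor's published domain before relying on this.
LEGIT_DOMAIN = "obsproject.com"

# Visually confusable substitutions (constructed table, not exhaustive).
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalize(label: str) -> str:
    """Lower-case a DNS label and collapse common look-alike characters."""
    label = label.lower()
    for fake, real in HOMOGLYPHS:
        label = label.replace(fake, real)
    return label


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def hostname_of(url: str) -> str:
    """Extract the lower-cased hostname; tolerate bare 'host/path' strings."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower().rstrip(".")


def classify(url: str, legit: str = LEGIT_DOMAIN, max_distance: int = 2) -> str:
    """Return 'legitimate', 'lookalike', 'brand-in-hostname' or 'unrelated'."""
    host = hostname_of(url)
    if host == legit or host.endswith("." + legit):
        return "legitimate"

    legit_name = normalize(legit.rsplit(".", 1)[0])   # e.g. 'obsproject'
    labels = host.split(".")
    # Naive registrable-domain guess: second-to-last label (no public-suffix list).
    reg_name = labels[-2] if len(labels) >= 2 else labels[0]

    # Same brand name after homoglyph collapsing, or within a small edit distance,
    # on a different registrable domain -> typosquat / homoglyph lookalike.
    if levenshtein(normalize(reg_name), legit_name) <= max_distance:
        return "lookalike"

    # The brand name appears elsewhere in the hostname (as a subdomain or with a
    # suffix glued on), the other common way an ad URL is made to look official.
    if legit_name in normalize(host):
        return "brand-in-hostname"

    return "unrelated"


def triage(urls):
    """Map each URL to its verdict; anything not 'legitimate' deserves review."""
    return {u: classify(u) for u in urls}


if __name__ == "__main__":
    # Constructed sample of landing URLs scraped from search ads (not real IoCs).
    SAMPLE = [
        "https://obsproject.com/download",
        "https://obsproject.net/",
        "https://0bsproject.com/",
        "https://obsprojects.com/",
        "https://obsproject.com-setup.xyz/",
        "https://example.org/",
    ]
    for url, verdict in triage(SAMPLE).items():
        print(f"{verdict:18} {url}")
```

The registrable-domain guess here is deliberately naive (second-to-last label); a production check should use a public-suffix list so that hosts like `something.co.uk` are split correctly, and the legitimate-domain allowlist should be maintained from the vendor's published sites rather than hard-coded.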

Evidence suggests that South America is receiving more of these malicious ads than other regions such as Europe and the US.

How does Rhadamanthys function?

Rhadamanthys is distributed using both compromised Google Ads and spam email campaigns. Once deployed on the victim system, the malware first collects system data including OS type and version, hardware information and installed software listings, as well as the machine's IP address. The malware can execute PowerShell commands, which makes it particularly dangerous.

Rhadamanthys is sold using a well-established model known as "malware-as-a-service" or MaaS. This means that the budding hackers who purchase the malicious package get access to established infrastructure and control-panel interfaces that are tied into the malware's global command infrastructure, operated by its authors.

The malware can also target crypto wallets and collect data from them. A wide range of crypto wallets and platforms are targeted, including Binance, Bitcoin, Electron, Zap and Solar Wallet, among others.

Rhadamanthys can also steal data from browser extensions made to operate with crypto wallets, with an impressive list of extensions that can be scraped for information.

Stealer malware like Rhadamanthys is ever more popular

The rise of cybercrime has seen a surge in the use of infostealers and crypto stealers. These malicious programs are designed to steal sensitive information from unsuspecting victims, such as usernames, passwords, credit card numbers, and other personal data. The most notorious of these is Rhadamanthys Stealer, which is a type of malware that targets cryptocurrency wallets.

Rhadamanthys Stealer works by infecting computers with malicious code that can then be used to access user accounts and steal their funds. It can also be used to gain access to other sensitive information stored on the computer, such as emails or documents. Once the hacker has gained access to the victim's wallet, they can transfer funds out without the victim's knowledge or permission.

The risks associated with Rhadamanthys Stealer are significant. Not only does it put users' financial security at risk, it also exposes their personal information. Furthermore, if a hacker gains access to a user's wallet, they may be able to use it for money laundering or other illegal activities. As such, it is important for users to protect themselves from this type of attack by using strong passwords and two-factor authentication. Additionally, users should keep their computers and software up to date in order to reduce the risk of infection.

January 17, 2023
