A new variant of the Rhadamanthys information stealer malware has been identified, which now poses a further threat to cryptocurrency users by adding AI to seed phrase recognition. The bad guys behind the malware were not enough in themselves, but when added into this malware came another functionality that includes optical character recognition or OCR scans for images and seed phrase recognition-the total key information needed to access cryptocurrency wallets.
According to Recorded Future's Insikt Group, Rhadamanthys malware now can scan for seed phrase images stored inside of infected devices in order to extract this information and yet further exploitation.
So, basically this means their wallets may now get hacked through this malware because their seed phrases are stored as images and not as text.
Evolution of Rhadamanthys
First discovered in 2022, Rhadamanthys has proven to be one of the most dangerous information-stealing malware available today that works under the MaaS model. It is a type of service allowing cyber criminals to rent their malware to other cyber criminals for a subscription fee of around $250 per month. The malware lets the attackers steal really sensitive information, including system details, credentials, browser passwords, and cryptocurrency wallet data.
The malware author, known as "kingcrete," continues to publish new versions through Telegram and Jabber despite the ban on underground forums like Exploit and XSS, in which mainly users from Russia and the former Soviet Union were targeted.
The last one, Rhadamanthys 0.7.0, which was published in June 2024, is a big improvement from the structural point of view. The malware is now equipped with AI-powered recognition of cryptocurrency wallet seed phrases by image. This has made the malware look like a very effective tool in the hands of hackers. Client and server-side frameworks were fully rewritten, making them fast and stable. Additionally, the malware now has the strength of 30 wallet-cracking algorithms and enhanced capabilities of extracting information from PDF and saved phrases.
Rhadamanthys also has a plugin system allowing it to further enhance its operations through keylogging ability, cryptocurrency clipping ability- wallet address alteration, and reverse proxy setups. The foregoing tools make it flexible for hackers to snoop for secrets in a stealthy manner.
Higher Risks for Crypto Users in Term of Security
Rhadamanthys is a crucial threat for anyone involved with cryptocurrencies, as the attackers are targeting wallet information stored in browsers, PDFs, and images. The worrying attack with AI at extracting seed phrases from images indicates attackers are always inventing ways to conquer security measures.
This evolution demands better security practices at the individual and organization level, particularly with regards to cryptocurrencies. Even for simple practices, like never storing sensitive data within an image or some other file without proper security, would have prevented this malware from happening.
Broader Implications and Related Threats
Rhdimanthys' evolving development is part of a larger evolutionary progress in malware evolution. Some other related kinds of stealer malware, such as Lumma and WhiteSnake, have also released updates recently that would further provide additional functionalities in extracting sensitive information. For instance, the Lumma stealer bypasses new security features implemented in newly designed browsers, whereas WhiteSnake stealer has been updated to obtain credit card information stored within web browsers.
These persistent updates on stealer malware are a reflection of the fact that cyber threats are becoming more mature. Also, other attacks, such as the ClickFix campaign, are deceiving users into running malicious code masqueraded as CAPTCHA verification systems.
With cybercrime operatives becoming more sophisticated and their tools being perfected day by day, there has never been such a challenge for online security. The user needs to be on the alert while getting to know what threats have risen in cyberspace to prevent misuse of personal and financial data.
