One of the most common missions of malware is information theft. For a long time the playing field had seemed tired, saturated and predictable: the same established actors like Redline, Vidar and Raccoon would occasionally add a feature or fix a bug. No one expected innovation in this field, or asked for it.
However, in September 2022, a new challenger broke into the infostealer malware market: Rhadamanthys, a malware-as-a-service (MaaS) offering with a multilayer design on par with unusually complicated staged loaders. Its modular architecture allowed shipping a variety of targeted stealer components, attacking almost every application a distributor could imagine, and some they probably couldn't. As we found out later, this complex piece of malware did not come out of nowhere. It was based on the code of a different malware family, developed over years, most likely by the same author: the Hidden Bee coin miner, which has its own intriguing history.
In this talk we will take a deep dive into the history, design, implementation and many (many) features of Rhadamanthys stealer – including some of the more interesting tricks its prolific author came up with in their ambitious quest to create the most complex, comprehensive information stealer malware ever seen on the open market.