Rhadamanthys Infostealer Uses ClickFix Technique to Steal Login Credentials

The Rhadamanthys Stealer, a highly modular information-stealing virus that was first discovered in 2022, has made a comeback with a clever and dishonest delivery method called ClickFix Captcha. This is a terrifying development for cybersecurity experts.

This technique disguises malicious payloads behind seemingly legitimate CAPTCHA interfaces, tricking users into executing sophisticated malware.

Leverages CAPTCHA Disguise for Stealthy Delivery

The recent investigation into a suspicious phishing domain, hxxps://ypp-studio[.]com, has uncovered a complex fileless attack chain that ultimately deploys Rhadamanthys to harvest a vast array of sensitive data, from login credentials to cryptocurrency wallet details.

This campaign underscores the evolving tactics of cybercriminals who exploit trust and social engineering to bypass traditional security controls, posing a significant threat to individuals and organizations alike.

The attack begins with a malicious PowerShell script executed with parameters designed for stealth, including hidden window execution (-w hidden) and bypassing execution policies (-ep bypass).

The script downloads a secondary payload from hxxps://ypp-studio[.]com/update.txt, which contains obfuscated code with random character padding and a hex-encoded string.

Upon decoding, it reveals a URL, http://62.60.226.74/PTRFHDGS.msi, from which the malware disguised as an MSI installer is downloaded and saved to %AppData%PTRFHDGS.msi before being executed using msiexec.exe.

Technical Breakdown

A deceptive “Verification complete!” message further misleads victims into believing the process is benign.

Notably, accessing the URL directly in a browser triggers an automatic download of rh_0.9.0.exe, flagged as uncommon by browser warnings, aligning with prior observations of Rhadamanthys delivery through similar executable naming conventions.

Unlike earlier campaigns using http://77.239.96.51/rh_0.9.0.exe, this updated dropper mechanism reflects significant enhancements in the malware’s infrastructure.

Rhadamanthys employs advanced evasion techniques such as anti-VM, anti-debugging, and time-based side-channel attack detection to thwart analysis in virtual machines or sandboxes.

It also checks for blacklisted processes like OllyDbg.exe and Wireshark.exe, terminating if analysis tools are detected, while establishing command-and-control (C2) communication via raw IP addresses like 193.109.85.136 to evade DNS-based detection.

The malware’s data exfiltration scope is staggeringly broad, targeting system information, browser credentials, cryptocurrency wallets, and even screenshots, which are likely relayed to C2 servers for further exploitation.

Sold as Malware-as-a-Service (MaaS) on underground forums, Rhadamanthys continues to evolve with each version, integrating capabilities like process injection and AI-powered extraction of cryptocurrency seed phrases from images, as seen in updates from version 0.5.0 to 0.7.0.

Its ability to masquerade as legitimate software often through phishing domains, typosquatting, and malicious attachments amplifies its reach.

The abuse of ClickFix Captcha as a delivery vector highlights a dangerous trend of blending technical sophistication with social engineering, effectively bypassing basic security layers.

Defenders must enhance user awareness, tighten web filtering, and monitor for indicators of fileless execution and suspicious outbound traffic.

A tailored Sigma rule to detect Rhadamanthys activity, focusing on PowerShell anomalies and registry access patterns, offers a starting point for threat hunters.

As cybercriminals refine their tactics, proactive defense and continuous monitoring remain critical to safeguarding sensitive data against this stealthy infostealer.

Stay Updated on Daily Cybersecurity News . Follow us on Google News, LinkedIn, and X.