Rhadamanthys has emerged as one of the most dangerous stealer malware programs since its first appearance in 2022.
This advanced threat continues to challenge security teams with its ability to steal sensitive data from infected systems while avoiding detection by traditional security tools.
The malware has become particularly notorious for its use in targeted attacks against businesses and individuals worldwide, with threat actors leveraging it to harvest credentials, financial information, and other valuable data from compromised machines.
The loader component of Rhadamanthys stands out as a technical achievement in malware development. Unlike the stealer payload itself, the loader serves as the initial delivery mechanism that prepares the system for infection.
What makes this loader particularly challenging for security researchers is its implementation of multiple layers of protection designed to prevent analysis and detection.
These protections include custom obfuscation techniques that scramble the code structure, making it extremely difficult for both automated tools and human analysts to understand what the malware does.
Cyber.wtf security researchers recently identified several key techniques employed by the Rhadamanthys loader to evade detection and analysis.
The malware implements a unique anti-sandboxing system that monitors user behavior before executing its payload.
Additionally, the loader uses control flow flattening and jump target obfuscation, two advanced techniques that break the normal flow of code execution.
These methods essentially turn the program into a puzzle where each piece appears disconnected from others, preventing security tools from mapping out how the malware operates.
.webp "Researchers Disclosed Analysis of Rhadamanthys Loader's Anti-Sandboxing and Anti-AV Emulation Features 3")
The payload carried by the loader is encoded using a custom algorithm that the malware authors call Flutter. This encoding scheme converts binary data into text that looks like random characters, helping the malware hide its true purpose from security scanners.
The encoded payload is further protected by SM4 encryption, a Chinese block cipher that adds another layer of security. Together, these protections create a formidable barrier that has allowed Rhadamanthys to remain effective despite ongoing efforts by security researchers to combat it.
Detection Evasion Through User Behavior Analysis
The Rhadamanthys loader implements a time-based analysis system that monitors user activity for at least 45 seconds before executing the stealer payload.
This anti-sandboxing mechanism uses a timer callback that collects cursor positions, foreground window information, and timestamps every 30 milliseconds for 1,500 iterations.
The malware then analyzes this collected data to determine if it is running in a real user environment or an automated analysis system.
The loader performs specific checks on the gathered data to validate the environment. First, it verifies whether the cursor position has changed at least 30 times during the monitoring period.
Second, it checks for the presence of at least two different foreground windows, with at least one window that does not belong to the desktop process.
If these conditions are not met, the malware enters another 45-second monitoring cycle with advanced checks that calculate Euclidean distances between cursor positions to detect non-human movement patterns.
This behavior-based detection system effectively bypasses many automated analysis environments that do not simulate realistic user interaction.
However, advanced sandboxes like CAPE and VMRay have adapted to these techniques and can successfully trigger the payload execution.
The loader creates an invisible window and uses message-based architecture to queue and execute functions through timer callbacks, making the execution flow difficult to trace without proper deobfuscation of the underlying code structure.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.
