Rhadamanthys v0.9.2 introduces significant format and behavior changes — new XS1_B/XS2_B custom executable formats, updated config decoding (0xBEEF marker, LZO), PNG-based stage delivery, new mutex and Bot ID generation, and unpacking/evasion improvements — which break older analysis tools and require updated scripts. Check Point Research released updated converters, a string deobfuscator (for RC4 in XS2_B), and an unpacker; observed IOCs include multiple SHA256 sample hashes and C2 URL hxxps://193.84.71.81/gateway/wcm6paht.htbq1. #Rhadamanthys #ClickFix
Keypoints
- Rhadamanthys v0.9.2 introduced XS1_B and XS2_B custom executable format updates that break prior parsers and require updated conversion tools.
- The configuration format now uses a 0xBEEF marker, ChaCha20 + custom Base64 charset + CBC XOR shuffle, then LZO decompression; configs support multiple C2 URLs and expanded fields (AES IV, mutex seed).
- Stage delivery changed to PNG-based payloads (pixels contain encrypted package) instead of earlier JPG/WAV steganography; payload decoding requires shared secret from C2.
- Evasion and environment checks expanded: Strategy module uses UUIDv1-derived MAC checks, HWID WQL queries, wallpaper/hash and sandbox file/user checks, and new dynamic module fetch-by-checksum behavior.
- Mutex generation now uses a 16-byte seed from config and XRHY/BEEF-derived hashing to produce randomized names; Bot ID uses MachineGuid + Volume Serial Number hashed by SHA1.
- String obfuscation in XS2_B switched from custom XOR to RC4 with multiple wrapper variants, forcing updates to deobfuscation scripts; CPR released updated decryptor scripts.
- New modules and features include fingerprint.js for browser fingerprint collection, Ledger Live Lua extension, and extra Stage 3 modules (chrome_extension.dat, index.html, imgdat.bin).
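The RC4 switch in the string-obfuscation keypoint is what the updated deobfuscator has to cope with. As an added example that is not CPR's script and does not reproduce the XS2_B string-table layout (the per-entry framing below is a hypothetical one chosen for illustration), here is a self-contained Python decryptor: a textbook RC4 checked against the public "Key"/"Plaintext" known-answer vector, plus a table walker that decrypts a constructed sample blob and refuses truncated entries.

```python
import struct
from typing import List, Tuple


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). RC4 is symmetric, so the same call encrypts and decrypts."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):                          # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for b in data:                                # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


# Hypothetical entry framing used only by this example (NOT the XS2_B layout):
#   u16 LE key length | key | u16 LE ciphertext length | RC4 ciphertext
def pack_entry(key: bytes, plaintext: bytes) -> bytes:
    ct = rc4(key, plaintext)
    return struct.pack("<H", len(key)) + key + struct.pack("<H", len(ct)) + ct


def build_sample_table() -> bytes:
    """Constructed sample: three strings, each under its own per-string key."""
    samples: List[Tuple[bytes, bytes]] = [
        (b"k0", b"kernel32.dll"),
        (b"second-key", b"CreateMutexW"),
        (b"\x13\x37\xde\xad", b"/gateway/"),
    ]
    return b"".join(pack_entry(k, p) for k, p in samples)


def decrypt_table(blob: bytes) -> List[bytes]:
    """Walk the framed blob and return every decrypted string; raise on truncation."""
    out: List[bytes] = []
    off = 0
    while off < len(blob):
        if off + 2 > len(blob):
            raise ValueError(f"truncated key length at offset {off}")
        (klen,) = struct.unpack_from("<H", blob, off)
        off += 2
        key = blob[off:off + klen]
        off += klen
        if len(key) != klen or off + 2 > len(blob):
            raise ValueError(f"truncated entry at offset {off}")
        (clen,) = struct.unpack_from("<H", blob, off)
        off += 2
        ct = blob[off:off + clen]
        off += clen
        if len(ct) != clen:
            raise ValueError(f"truncated ciphertext at offset {off}")
        out.append(rc4(key, ct))
    return out


def rc4_self_test() -> bool:
    """Known-answer check against the public RC4 test vector (key 'Key', text 'Plaintext')."""
    return rc4(b"Key", b"Plaintext").hex() == "bbf316e8d940af0ad3"


if __name__ == "__main__":
    assert rc4_self_test()
    for s in decrypt_table(build_sample_table()):
        print(s.decode())
```

The known-answer check matters in practice: when a new wrapper variant appears, the first thing to rule out is a broken cipher core, and the self-test separates that from a wrong key-recovery or framing guess.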
MITRE Techniques
- [T1036] Masquerading – Creates and launches legitimate-sounding Windows processes (e.g., dllhost.exe, spoolsv.exe) and injects modules into them to hide malicious execution (“selecting the process where the next stage will be injected…randomly picks a path”).
- [T1055] Process Injection – Implements options for self-process and new-process injection in the build stub and passes mutex handles into injected processes (“added process injection switch, can choose self-process injection and new process injection”).
- [T1027.003] Obfuscated Files or Information: Steganography – Hides the encrypted Stage 3 package inside PNG image pixels (not T1560 Archive Collected Data, which covers staging collected data for exfiltration) (“data is stored right away as a pixels…typedef struct png_data … BYTE data[1]”).
- [no direct ATT&CK technique] Mutex-based single-execution control – Derives mutex names from the config seed to suppress duplicate executions and shares mutex handles across injected processes; T1037 (Boot or Logon Initialization Scripts) does not describe this behavior (“mutex name generation…split into chunks and formatted into the Mutex name”).
- [T1082] System Information Discovery – Collects system identifiers including MachineGuid and Volume Serial Number to create Bot ID, and queries Win32_ComputerSystemProduct UUID and MAC addresses via UUIDv1 to detect environments (“Bot ID…MachineGuid…GetVolumeInformationW” and “UuidCreateSequential…node value…MAC address”).
- [T1497] Virtualization/Sandbox Evasion – Performs multiple sandbox checks: wallpaper SHA1, presence/content of sandbox files, usernames, MAC address and HWID blocklists to abort execution in analysis environments (“gets the current wallpaper, calculates its SHA1…compares it…checks for ‘foobar.jpg’…checks current username”).
- [T1105] Ingress Tool Transfer – Downloads Stage 3 modules from C2 using WebSocket communication and decodes/decrypts packages locally for further execution (“downloads its final stage using the Netclient module…fetched data is decrypted locally”).
- [T1027] Obfuscated Files or Information – Uses custom XS formats, XOR obfuscation of packaged modules, RC4/ChaCha20 encryption, custom Base64 charset and compression to hinder analysis (“custom formats…modules are obfuscated by XOR with a random key” and “Stage 3 strings switched to RC4”).
- [T1082 / T1217] System Information Discovery / Browser Information Discovery – Collects detailed browser and system fingerprint data via fingerprint.js to profile the environment and browser features; this is data collection, not Screen Capture (T1113) (“Browser Fingerprint Export Tool…collectAllFingerprints…collectBrowserInfo, collectWebGLInfo”).
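The UUIDv1 check in the discovery and sandbox-evasion entries works because UuidCreateSequential builds a version-1 UUID whose 48-bit node field is the host's NIC MAC address (RFC 4122), so a sample can read a MAC without touching the network stack. As an added example that is not code from the article or from the malware, the Python below parses a UUIDv1, recovers the node, and matches its OUI against a short list of well-known hypervisor vendor prefixes. The OUI list is the example's own (public IEEE assignments); the article does not reproduce the Rhadamanthys MAC/HWID blocklist, and the sample UUIDs are constructed.

```python
import uuid
from typing import Dict, Optional

# Public IEEE OUI assignments for common hypervisor NICs. This list is the
# example's own; the article does not reproduce the malware's blocklist.
VM_OUIS: Dict[str, str] = {
    "00:05:69": "VMware",
    "00:0c:29": "VMware",
    "00:1c:14": "VMware",
    "00:50:56": "VMware",
    "08:00:27": "VirtualBox",
    "00:15:5d": "Hyper-V",
    "52:54:00": "QEMU/KVM",
    "00:16:3e": "Xen",
}


def node_to_mac(node: int) -> str:
    """Render the 48-bit UUID node field as a colon-separated MAC string."""
    return ":".join(f"{(node >> (8 * i)) & 0xFF:02x}" for i in reversed(range(6)))


def mac_from_uuid(value: str) -> Optional[str]:
    """Return the MAC embedded in a version-1 UUID, or None if there is none.

    UuidCreateSequential on Windows (and uuid.uuid1 elsewhere) stores the NIC MAC
    in the node field. RFC 4122 reserves node values with the multicast bit set
    for randomly generated nodes, so those are not MACs and are rejected.
    """
    u = uuid.UUID(value)
    if u.version != 1:
        return None
    if (u.node >> 40) & 0x01:                 # multicast bit of the first octet
        return None
    return node_to_mac(u.node)


def classify(value: str) -> str:
    """Label a UUID the way a sandbox check would: vendor name, 'unknown', or 'no-mac'."""
    mac = mac_from_uuid(value)
    if mac is None:
        return "no-mac"
    return VM_OUIS.get(mac[:8], "unknown")


def sample_uuids() -> Dict[str, str]:
    """Constructed inputs: a VMware-style node, a physical-NIC-style node,
    a random (multicast-bit) node, and a version-4 UUID with no node at all."""
    return {
        "vmware": str(uuid.uuid1(node=0x000C29AABBCC)),
        # RFC 4122 DNS namespace UUID: version 1, node 00:c0:4f:d4:30:c8
        "physical": "6ba7b810-9dad-11d1-80b4-00c04fd430c8",
        "random": str(uuid.uuid1(node=0x010203040506)),
        "v4": "12345678-1234-4234-8234-123456789abc",
    }


if __name__ == "__main__":
    for name, value in sample_uuids().items():
        print(f"{name:9s} {value}  mac={mac_from_uuid(value)}  -> {classify(value)}")
```

For analysts the useful inversion is the same code run on a sandbox's own UuidCreateSequential output: if it classifies as a known vendor, the environment will trip this check regardless of what the adapter list reports.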
Indicators of Compromise
- [File Hash – SHA256] analyzed packed/unpacked samples – 8f54612f441c4a18564e6badf5709544370715e4529518d04b402dcd7f11b0fb, b429a3e21a3ee5ac7be86739985009647f570548b4f04d4256139bc280a6c68f (and many more listed in the report)
- [File Hash – SHA256] Stage 3 modules and files – coredll.bin XS2_B 271452e1c5e79d159f79886a65d4180814a7329c092d617372f127b6311d60f1, fingerprint.js 4f88d5cb69d44144b02f7ffd3d45cd86aaee12c3410898ce83712287a6b27fe40 (as printed here this value is 65 hex characters, one too many for SHA256; verify it against the CPR report before use)
- [URL] C2 infrastructure – hxxps://193.84.71.81/gateway/wcm6paht.htbq1 (observed C2 endpoint used to deliver Stage 3); additional C2 example: hxxps://193.233.126.43/gateway/iesm4j25.s4pj7
- [File Name] package and module names – fingerprint.js (browser fingerprint collector), chrome_extension.dat (Stage 3 resource), index.html (carrier) — used in Stage 3 payloads
- [Registry Key] HKCU\SOFTWARE\SibCode\sn (and sn2/sn3) – used by earlier versions as a re-execution delay marker; removed in 0.9.x but still a useful historical Rhadamanthys artifact on hosts infected by older builds
Read more: https://research.checkpoint.com/2025/rhadamanthys-0-9-x-walk-through-the-updates/