Go to listing page

Rhadamanthys Stealer Spreads via Spam Emails and Google Ads

Rhadamanthys Stealer Spreads via Spam Emails and Google Ads
Cybercriminals are increasingly using phishing websites and spam emails to fool users into downloading stealers and RATs. Recently, the new Rhadamanthys Stealer has been making rounds in the wild by luring victims to phishing sites mimicking popular software via Google Ads.

About Rhadamanthys Stealer

Security firm Cyble has observed this new threat actively in the wild being offered under a MaaS model.
  • Rhadamanthys propagates through Google Ads that redirect targeted users to phishing websites that mimic well-known software such as AnyDesk, Zoom, Bluestacks, and Notepad++. 
  • The stealer spreads using spam emails, including an attachment to drop the malicious payload.

Targeted apps and services

The stealer targets several applications, including web browsers, crypto wallets, and messaging applications.
  • Target web browsers include Brave, Edge, Chrome, Firefox, Opera Software, Sleipnir5, Pale Moon, CocCoc, and others.
  • The stealer targets various crypto wallets, Binance, Armory, Bitcoin, Bytecoin, Electron, Solar wallet, WalletWasabi, Qtum-Electrum, Zap, Zcash, and Zecwallet Lite.
  • It also targets enterprise applications such as email clients (Foxmail, Thunderbird, Outlook, TrulyMail, GmailNotifierPro), FTP clients (CoreFTP, WinSCP), file managers (Total commanders), and password managers (RoboForm, KeePass).
  • Messaging applications (Tox, Discord, Telegram) and VPN services (NordVPN, ProtonVPN, Windscribe VPN, OpenVPN) are also in its attack list.

Increasing abuse of Google Ads

Not only Rhadamanthys Stealer, but many other incidents have also been observed lately, in which cybercriminals abused Google Ads.
  • A few weeks ago, the Vermux malware was observed abusing the reputation and propagation power of Google Ads. The malware is mostly built based on the Vidar trojan and Monero mining software.
  • Last month, some major changes were spotted in the distribution techniques of the IcedID. The attackers abused Google pay-per-click ads to spread IcedID botnet via malvertising attacks.


Information stealers are already a serious problem and the availability of capable threats such as Rhadamanthys Stealer is expected to worsen the situation further. Ample protection from spam emails and phishing websites has become a core necessity not for just enterprises but individuals as well. Moreover, experts suggest not blindly trusting all the adverts and exercising caution when downloading any software from the internet.
Cyware Publisher