Executive Summary
In October 2025, cybersecurity researchers uncovered significant new capabilities in the Rhadamanthys Stealer malware, including advanced device fingerprinting and the use of PNG steganography to distribute malicious payloads. Initially distributed via cybercrime forums, the malware has since been expanded by its author into a broader ecosystem with additional tools such as Elysium Proxy Bot and Crypt Service, targeting organizations worldwide. Threat actors leveraged these upgrades to collect detailed browser and system data while evading detection, resulting in an uptick of credential, financial, and sensitive data thefts across enterprise environments.
The evolution of Rhadamanthys Stealer highlights a broader trend of information stealer malware using novel evasion tactics and multi-tool ecosystems. Its modularity and innovative payload delivery have driven increased attention from security teams and regulators, as businesses seek to defend against ever-more-sophisticated data exfiltration methods.
Why This Matters Now
Rhadamanthys Stealer's new features—device fingerprinting and PNG steganography—demonstrate a rapid escalation in stealth and data gathering by cybercriminals. With attackers continuously adopting inventive approaches for exfiltration and lateral movement, organizations face more complex detection and compliance challenges, making timely defenses and visibility urgent.
Attack Path Analysis
Rhadamanthys Stealer likely entered via user-targeted phishing or malicious web downloads, leveraging device fingerprinting to evade simple detections. Upon initial access, it harvested credentials and attempted to escalate privileges to access more sensitive resources. The malware probed for lateral movement opportunities within cloud or hybrid workloads, possibly leveraging internal traffic to further its reach. It established persistent command & control communication using encrypted or stealthy channels, including PNG steganography to mask payload delivery and updates. Sensitive information—particularly credentials, device fingerprints, and browser data—was then exfiltrated via egress channels, aiming to bypass perimeter controls. The attack's primary impact was large-scale data theft and exposure of enterprise secrets, which could result in further compromise or data breach fallout.
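As an added defender-side illustration (not code from the original report or any cited source), the following Python check walks a PNG's chunk structure and flags the structural anomalies that commonly accompany payloads hidden in or appended to an image: bytes after IEND, chunk types outside the PNG specification, oversized ancillary chunks, and CRC mismatches. The sample PNG is constructed in memory, and the 1 KiB ancillary-size threshold is an assumed value.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Chunk types defined by the PNG specification; anything else deserves a closer look.
KNOWN = {b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tEXt", b"zTXt", b"iTXt", b"gAMA", b"cHRM",
         b"sRGB", b"iCCP", b"bKGD", b"pHYs", b"tIME", b"sBIT", b"tRNS", b"hIST", b"sPLT"}
MAX_ANCILLARY = 1024  # assumed threshold for this example; tune per environment

def chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialize one PNG chunk: length, type, data, CRC-32 over type+data."""
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data))

def minimal_png() -> bytes:
    """Constructed sample: a valid 1x1 RGB PNG built in memory (not a real file)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # 1x1, 8-bit, colour type 2 (RGB)
    idat = zlib.compress(b"\x00\xff\x00\x00")             # filter byte 0 + one red pixel
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")

def insert_before_iend(blob: bytes, extra: bytes) -> bytes:
    """Constructed test helper: splice extra bytes in front of the IEND chunk."""
    idx = blob.rfind(b"IEND") - 4        # back up over the 4-byte length field
    return blob[:idx] + extra + blob[idx:]

def png_findings(blob: bytes) -> list:
    """Walk the chunk list and report structural anomalies that commonly accompany
    payloads hidden in or appended to a PNG. An empty list means nothing unusual."""
    if not blob.startswith(PNG_SIG):
        return ["missing PNG signature"]
    findings, pos = [], len(PNG_SIG)
    while pos + 12 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        data = blob[pos + 8:pos + 8 + length]
        crc = blob[pos + 8 + length:pos + 12 + length]
        if len(data) < length or len(crc) < 4:
            return findings + ["truncated chunk %s" % ctype.decode("latin-1")]
        if zlib.crc32(ctype + data) != struct.unpack(">I", crc)[0]:
            findings.append("bad CRC on %s" % ctype.decode("latin-1"))
        if ctype not in KNOWN:
            findings.append("unknown chunk %s" % ctype.decode("latin-1"))
        # Ancillary chunks (lowercase first letter) carry metadata, not pixels; a large one is odd.
        if ctype[0:1].islower() and length > MAX_ANCILLARY:
            findings.append("oversized ancillary chunk %s (%d bytes)" % (ctype.decode("latin-1"), length))
        pos += 12 + length
        if ctype == b"IEND":
            if pos < len(blob):
                findings.append("%d bytes appended after IEND" % (len(blob) - pos))
            return findings
    return findings + ["no IEND chunk"]
```

Structural checks like these will not catch a payload encoded in the pixel values themselves, so pair them with egress monitoring of image downloads from unexpected hosts.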
Kill Chain Progression
Initial Compromise
Description
Threat actor gains access via phishing emails or malicious file downloads, leading to Rhadamanthys Stealer execution on SaaS or cloud-managed endpoints.
Related CVEs
CVE-2023-38831
CVSS 7.8 – A vulnerability in WinRAR before version 6.23 allows remote attackers to execute arbitrary code via crafted archive files.
Affected Products:
RARLAB WinRAR – < 6.23
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Input Capture: Keylogging
Automated Collection
File and Directory Discovery
Password Policy Discovery
Archive Collected Data: Archive via Utility
Obfuscated Files or Information: Steganography
Screen Capture
Exfiltration Over C2 Channel
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Protect stored cardholder data
Control ID: 3.2.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT risk management framework
Control ID: Art. 9
CISA ZTMM 2.0 – Continuous Monitoring and Visibility
Control ID: 3.2
NIS2 Directive – Cybersecurity risk management and reporting
Control ID: Art. 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Financial Services
Rhadamanthys stealer's device fingerprinting and browser data collection capabilities pose severe risks to financial credentials, customer data, and regulatory compliance requirements.
Health Care / Life Sciences
Information stealer threatens patient data security through browser fingerprinting attacks, potentially violating HIPAA compliance and compromising sensitive medical information systems.
Computer Software/Engineering
Software development environments face elevated risks from Rhadamanthys' evolved capabilities targeting development credentials, source code access, and intellectual property theft.
Government Administration
Enhanced stealer capabilities including PNG steganography payloads create significant national security risks through potential compromise of classified systems and citizen data.
Sources
- Rhadamanthys Stealer Evolves: Adds Device Fingerprinting, PNG Steganography Payloads – https://thehackernews.com/2025/10/rhadamanthys-stealer-evolves-adds.html
- Rhadamanthys Stealer Evolves: Adds Device Fingerprinting, PNG Steganography Payloads – https://www.sepe.gr/en/it-technology/cybersecurity/22635960/rhadamanthys-stealer-evolves-adds-device-fingerprinting-png-steganography-payloads/
- Rhadamanthys Stealer Spreads via Spam Emails and Google Ads – https://social.cyware.com/news/rhadamanthys-stealer-spreads-via-spam-emails-and-google-ads-badb99e9
- Rhadamanthys Stealer Evolves Again – https://cybermaterial.com/rhadamanthys-stealer-evolves-again
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Comprehensive Zero Trust controls including segmentation, egress policy enforcement, encrypted east-west traffic inspection, and real-time threat detection could have disrupted Rhadamanthys Stealer at multiple stages by reducing lateral movement, blocking C2 and exfiltration, and enhancing visibility across cloud workloads. CNSF capabilities would limit blast radius and ensure that suspicious outbound activity—including steganographic data leaks—is promptly flagged or blocked.
Control: Threat Detection & Anomaly Response
Mitigation: Anomalous user or endpoint behavior detected at initial execution.
Control: Zero Trust Segmentation
Mitigation: Identity-based least privilege restricts access even if credentials are abused.
Control: East-West Traffic Security
Mitigation: Suspicious internal traffic is segmented and inspected, limiting spread.
Control: Cloud Firewall (ACF)
Mitigation: Outbound C2 traffic is blocked or flagged by egress URL/IP filtering and inline IPS.
Control: Egress Security & Policy Enforcement
Mitigation: Stealthy exfiltration attempts are prevented with fine-grained egress control.
Rapid incident response and blast radius analysis prevent further damage.
Impact at a Glance
Affected Business Functions
- Data Management
- Financial Transactions
- Customer Relationship Management
Estimated downtime: 5 days
Estimated loss: $500,000
Potential exposure of sensitive customer data, including financial information and personal identifiers, leading to regulatory penalties and reputational damage.
Recommended Actions
Key Takeaways & Next Steps
- Deploy Zero Trust Segmentation to strictly limit access between workloads and enforce least privilege across all users and endpoints.
- Implement East-West Traffic Security to monitor and control internal cloud communications, reducing the effectiveness of lateral movement techniques.
- Enforce Egress Policy with real-time inspection to detect and block abnormal outbound traffic patterns, including those using steganography for data exfiltration.
- Enable Threat Detection & Anomaly Response to continuously baseline user and service behavior and quickly flag new suspicious patterns.
- Centralize Multicloud Visibility & Control for rapid incident response, unified policy enforcement, and comprehensive cloud traffic governance.