Rhadamanthys Stealer Analysis for Detection Opportunities
ID: f2236a4d-9162-538f-9342-d78d8721c69b
STIX ID: report--f2236a4d-9162-538f-9342-d78d8721c69b
Feed Name: Binary Defense Blog
Binary Defense ARC Labs analyzes a Rhadamanthys Stealer campaign that uses phishing and SEO-poisoned downloads to deliver an obfuscated payload chain (Almost.cmd → internet.pif → InnoWave.pif). The malware performs discovery with tasklist/findstr, merges files to evade detection, and injects into legitimate processes (OpenWith.exe) to steal browser credentials and screenshots. The analysis reports C2 communication to 144.76.133.166:8034 and the use of processes such as wmpnscfg.exe and dllhost.exe for exfiltration.
