LeakyCreds
Active Threat Campaign: Rhadamanthys

Check your domain for Rhadamanthys infections.

We monitor Rhadamanthys logs in real-time. Enter your domain on our scanner to identify exposed credentials associated with this malware family and act before attackers use them.

Infection Vector: Obfuscated scripts, drive-by downloads, and loader-as-a-service
Primary Target: Credentials, wallet extensions, and system telemetry
Primary Objective: High-value credential and session intelligence collection
Monitoring Signal: Stealer logs with rich host telemetry and session data

About this Malware

Rhadamanthys Stealer uses staged loaders, obfuscated JavaScript, and anti-VM checks to collect credentials, cookies, wallet extensions, and host telemetry. Its operators frequently rotate infrastructure and payload builders. Exfiltrated data is curated into high-value logs for initial access brokering, account takeover, and downstream ransomware intrusion preparation across enterprise and consumer victims.

Rhadamanthys campaigns are known for operational maturity and frequent builder updates. That agility helps operators evade static signatures while keeping theft workflows stable. Domain-level exposure monitoring gives teams early warning when leaked records appear, even when endpoint telemetry is incomplete or delayed in distributed work environments.

Family: Rhadamanthys
Use Case: Threat exposure triage and response prioritization

Common Indicators in Leaked Logs

  • Exposure records with both credentials and detailed system profile fields
  • Leaked session material associated with anti-analysis aware campaigns
  • Repeated organization matches from rotating source channels
  • Credential leaks preceding suspicious account access attempts

Recommended Actions

  • Prioritize compromised accounts with privileged or admin access
  • Expire active sessions and rotate secrets in connected services
  • Investigate likely loader entry points and the script-execution controls that should have blocked them
  • Track source recurrence to identify persistent campaign pressure

FAQ

What does Rhadamanthys typically steal?

Rhadamanthys campaigns commonly target credentials, browser session material, and identity artifacts that enable account takeover. Monitoring leaked records helps security teams detect exposed users early and reduce attacker dwell time.

How does LeakyCreds detect Rhadamanthys exposure?

LeakyCreds continuously monitors stealer log intelligence and related leak sources, then maps exposed records back to your domain. Teams can validate impact quickly and prioritize remediation by user and risk profile.

What should we do after a positive Rhadamanthys match?

Start with password resets, session revocation, and MFA enforcement for impacted identities. Then investigate endpoint compromise paths, block repeat infection vectors, and keep continuous monitoring active for delayed log publication.
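The Recommended Actions above and this answer describe one triage procedure: restrict leaked records to your domain, rank exposed identities by privilege and by whether session material leaked, attach the right remediation steps, and watch for the same source channel recurring. The script below is an added example of that workflow and is not LeakyCreds code; the record layout, the `ORG_DOMAIN` value, the `PRIVILEGED` set, the `SAMPLE_RECORDS`, and the score weights are all constructed assumptions.

```python
"""Triage stealer-log exposure records for one organisation (added example).

Assumed record shape (constructed, not a real feed format):
  email, source (leak channel), has_session (bool), host (dict, may be empty), first_seen
"""
from collections import Counter
from dataclasses import dataclass

ORG_DOMAIN = "example.com"  # assumption: the domain you are monitoring

# Assumption: privileged accounts, e.g. exported from an IdP admin group.
PRIVILEGED = {"alice@example.com", "dave@example.com"}

# Constructed sample records resembling what a stealer log exposes.
SAMPLE_RECORDS = [
    {"email": "alice@example.com", "source": "channel-a", "has_session": True,
     "host": {"hostname": "WS-0142", "os": "Windows 11"}, "first_seen": "2025-01-10"},
    {"email": "bob@example.com", "source": "channel-b", "has_session": False,
     "host": {}, "first_seen": "2025-01-11"},
    {"email": "alice@example.com", "source": "channel-c", "has_session": True,
     "host": {"hostname": "WS-0142"}, "first_seen": "2025-01-14"},
    {"email": "carol@partner.net", "source": "channel-a", "has_session": True,
     "host": {}, "first_seen": "2025-01-12"},
    {"email": "dave@example.com", "source": "channel-a", "has_session": False,
     "host": {"hostname": "LT-77", "os": "Windows 10"}, "first_seen": "2025-01-12"},
]


@dataclass
class Finding:
    email: str
    score: int
    reasons: list
    actions: list
    sources: list


def in_scope(record, domain=ORG_DOMAIN):
    """True when the leaked identity belongs to the monitored domain."""
    return record["email"].lower().rsplit("@", 1)[-1] == domain


def triage(records, privileged=PRIVILEGED, domain=ORG_DOMAIN):
    """Group in-scope records per identity, score them, and attach remediation steps.

    Score weights are constructed; adjust them to your own risk model.
    """
    by_user = {}
    for rec in records:
        if in_scope(rec, domain):
            by_user.setdefault(rec["email"].lower(), []).append(rec)

    findings = []
    for email, recs in by_user.items():
        score, reasons = 0, []
        # Every exposed identity gets a reset and MFA enforcement.
        actions = ["reset_password", "enforce_mfa"]
        if email in privileged:
            score += 50
            reasons.append("privileged or admin access")
        if any(r["has_session"] for r in recs):
            # Leaked cookies/tokens bypass the new password until revoked.
            score += 30
            reasons.append("session material leaked")
            actions.append("revoke_sessions")
        sources = sorted({r["source"] for r in recs})
        if len(sources) > 1:
            score += 10 * (len(sources) - 1)
            reasons.append(f"seen on {len(sources)} source channels")
        if any(r["host"] for r in recs):
            # Host profile fields point at a specific endpoint to investigate.
            score += 10
            reasons.append("host profile present")
            actions.append("investigate_endpoint")
        findings.append(Finding(email, score, reasons, actions, sources))

    # Highest risk first; stable tie-break on the address.
    findings.sort(key=lambda f: (-f.score, f.email))
    return findings


def source_pressure(records, domain=ORG_DOMAIN):
    """Count in-scope records per source channel to spot persistent campaign pressure."""
    return Counter(r["source"] for r in records if in_scope(r, domain))


if __name__ == "__main__":
    for f in triage(SAMPLE_RECORDS):
        print(f"{f.score:>3}  {f.email:<22} {', '.join(f.actions)}  [{'; '.join(f.reasons)}]")
    print("source recurrence:", dict(source_pressure(SAMPLE_RECORDS)))
```

Running the block prints the plan with the privileged account that also leaked session material at the top; the out-of-domain address is ignored. The `source_pressure` counter is what the "track source recurrence" action asks for: a channel that keeps producing matches for your domain is a signal of an ongoing campaign rather than a one-off leak.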