View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. Cybersecurity
January 16, 2023

Rhadamanthys malware hidden in Google Ads

The malware has been hijacking adverts for legitimate software to spread to unwitting users.

By Claudia Glover

Info-stealing malware Rhadamanthys is hijacking Google ads to lure victims into downloading malicious software. The malware lifts data like passwords and email addresses as well as targeting cryptocurrency wallet credentials. Marketed to criminals as malware-as-a-service (MaaS), the popularity of Rhadamanthys is rising as infostealers become a popular way to attack targets. 

Rhadamanthys is the son of Zeus, and also a problematic malware. (Photo by IMG Stock Studio/Shutterstock)

Rhadamanthys is named after the demigod child of Zeus and Europa in Greek mythology, and has been occupying Google ads for free video recording and streaming service OBS (Open Broadcasting Service), a platform widely used by streamers, according to threat researcher Germán Fernández.

Malware Rhadamanthys hijacks Google ads

Rhadamanthys has been growing in popularity since November last year. It has now advanced to a point where, if a user searches for OBS they will be met with five dangerous ads at the top of their Google search before legitimate results appear below, the cybercriminals having apparently purchased advertising spots on Google.

Tech Monitor has reached out for comment from Google but has had no response at the time of writing.

Clicking on the advertised links leads the user to download the legitimate software alongside the malware. in order to delay the victim’s response. Avoid the malware by checking the URL. Some of the links are very similar to the official OBS site, but with a subtle spelling mistake, a technique known as typosquatting

Not all countries are receiving the same corrupted ads. Fernández has found a wealth of evidence for the MaaS being advertised in South America, but the adverts appear to be less prevalent in Europe and the US.

Content from our partners
GenAI cybersecurity: "A super-human analyst, with a brain the size of a planet."
Cloud, AI, and cyber security – highlights from DTX Manchester
Infosecurity Europe 2024: Rethink the power of infosecurity

How does Rhadamanthys work?

Rhadamanthys is available for sale on the dark web and, alongside Google ads, is shared via spam email, according to a report by security company Cyble.

Following successful infiltration, Rhadamanthys will begin by gathering relevant device data, often including device name, model, operating system, OS architecture, hardware details, installed software, IP addresses and user credentials. 

“The Rhadamanthys program is capable of executing certain PowerShell commands,” says a blog post by cybersecurity portal PCrisk. “It also targets document files, the theft of which (depending on the sensitivity of their data) can cause severe issues for victims.”

The MaaS targets cryptocurrency wallet credentials as well. It attempts to extract the passwords of cryptowallets in order to take possession of them and their funds. Future iterations of Rhadamanthys will probably become more effective meaning more credentials will be at risk. 

“In summary,” the PCrisk post says, “the presence of stealer-type malware like Rhadamanthys on devices can result in serious privacy issues, significant financial losses, and even identity theft.”

The rise of the malware marketplace

According to Accenture’s cyber threat intelligence team, info-stealing malware has become one of the most discussed malware types among cybercriminals. This is due to its ability to harvest cookie data, usernames and passwords. It is often made available as MaaS, allowing cybercriminals with low resources or skill to deploy the malware and access other networks on the cheap by simply buying the software they need to gain access.

The growing availability of MaaS is, in turn, increasing the use of credential marketplaces, as more hackers seek to sell their stolen data. Examples of this include Russian Market, where the dark web marketplace allows visitors to search for inventory by malware used, victim operating system and victim location. 

Russian Market was one of the most popular sites in 2022 based on volume of logs available for sale, continues the Accenture report, “with victim data sold for an average price of $10 per log”. The total number of logs for sale in this market rose by nearly 40% from approximately 3.3 million to 4.5 million between July and October 2022, demonstrating the size of this growing problem.

Read more: ChatGPT-built infostealer and other hacking tools found in the wild

Topics in this article :
Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how Progressive Media Investments may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.