In the ever-evolving landscape of cyber threats, the Rhadamanthys infostealer has emerged as a formidable adversary, employing sophisticated social engineering tactics to compromise user credentials. Initially identified in 2022, Rhadamanthys operates under a Malware-as-a-Service (MaaS) model, allowing cybercriminals to lease its capabilities for malicious purposes. Recent campaigns have showcased its adaptability, particularly through the utilization of the ClickFix technique—a deceptive method designed to manipulate users into executing harmful commands on their systems.
Understanding the ClickFix Technique
ClickFix is a social engineering strategy that deceives users into running malicious code by presenting them with fake error messages or verification prompts. Typically, victims encounter a counterfeit CAPTCHA page or an error notification that instructs them to resolve a non-existent issue by copying and pasting a provided command into their system’s command prompt or Run dialog box. This command often initiates a PowerShell script that downloads and executes malware, effectively bypassing traditional security measures.
Mechanism of the Rhadamanthys ClickFix Campaign
The latest Rhadamanthys campaign leverages the ClickFix technique in a multi-stage attack:
1. Initial Deception: Users are directed to a fraudulent CAPTCHA page, often hosted on domains that mimic legitimate services like YouTube Partner Studio. These domains are typically newly registered and designed to appear trustworthy.
2. User Manipulation: The fake CAPTCHA prompts users to verify their session by pressing the Windows key + R, pasting a provided PowerShell command, and executing it. This command is obfuscated with hash symbols to evade detection.
3. Payload Delivery: Upon execution, the command downloads a secondary script from a remote server (`hxxps://ypp-studio[.]com/update.txt`), which then retrieves and installs the final payload—a malicious MSI installer (`PTRFHDGS.msi`) that deploys the Rhadamanthys executable (`rh_0.9.0.exe`).
4. Execution and Data Exfiltration: The executable performs anti-analysis checks, injects itself into legitimate Windows processes like `WerFault.exe` to maintain persistence, and begins exfiltrating sensitive data, including browser credentials, cryptocurrency wallets, and KeePass vaults, to a command-and-control server (`193.109.85.136`).
Implications and Observations
This campaign underscores the increasing sophistication of social engineering attacks and the importance of user vigilance. By masquerading as legitimate verification processes, such as CAPTCHA checks, attackers exploit users’ trust and familiarity with common online interactions. The use of fileless techniques and living-off-the-land binaries (LOLBins) like PowerShell allows the malware to evade traditional detection methods effectively.
Notably, the infrastructure supporting these attacks is dynamic. Analysts have observed a shift from earlier hosting services to new IP addresses (`62.60.226.74`), indicating efforts to circumvent security measures that rely on static indicators of compromise (IoCs). This adaptability highlights the challenges in defending against such threats.
Broader Context: The Rise of ClickFix Attacks
The ClickFix technique has seen a significant surge in adoption among various threat actors. Reports indicate a 517% increase in ClickFix attacks in the first half of 2025, making it the second most common attack vector after phishing. This method has been employed to distribute a range of malware, including infostealers like Lumma Stealer, ransomware, remote access trojans (RATs), and cryptominers.
State-sponsored groups have also incorporated ClickFix into their arsenals. Notably, North Korean, Iranian, and Russian APT groups have utilized this technique in espionage campaigns, demonstrating its effectiveness and versatility.
Mitigation Strategies
To defend against threats like Rhadamanthys and the ClickFix technique, organizations and individuals should consider the following measures:
1. User Education: Train users to recognize and avoid suspicious prompts that instruct them to execute commands or download files from unverified sources.
2. Technical Controls: Implement security solutions that monitor and restrict the execution of scripts and commands from untrusted sources.
3. Regular Updates: Keep all software and systems updated to patch vulnerabilities that could be exploited by malware.
4. Network Monitoring: Monitor network traffic for unusual patterns, such as unexpected connections to known malicious IP addresses.
5. Incident Response Planning: Develop and regularly update incident response plans to quickly address and mitigate infections when they occur.
Conclusion
The Rhadamanthys infostealer’s use of the ClickFix technique exemplifies the evolving nature of cyber threats and the need for comprehensive security strategies. By combining technical defenses with user awareness and proactive monitoring, organizations can better protect themselves against such sophisticated attacks.
