Rhadamanthys Resurfaces: Inside the Return of a Sophisticated Infostealer

Posted on May 20, 2025

Spanish telecommunications giant Telefonica recently fell victim to a significant cybersecurity breach, showing that even large organizations can be vulnerable. The event highlights how important it is to maintain strong defenses, especially against infostealers, which are designed specifically to steal information.

The Breach: What Happened?

This month (January 2025), Telefonica confirmed unauthorized access to its internal Jira ticketing system. The breach, orchestrated by a group of attackers allegedly linked to the Hellcat ransomware group, resulted in the theft of approximately 2.3 GB of sensitive data. The stolen information included:

  • 24,000 employee emails and names
  • 500,000 Jira issues and summaries
  • 5,000 internal documents
  • 236,493 lines of customer data

The Attack Vector: Infostealer Malware

The breach was facilitated by infostealer malware, a type of malicious software designed to harvest sensitive information such as login credentials from infected devices. Numerous employees were reported to be compromised, providing attackers with critical credentials for initial access.

  • 469 employee credentials on Telefonica’s domain were compromised.


Originally surfacing in late 2022, the Rhadamanthys infostealer quickly made headlines for its ability to steal login credentials, browser cookies, and most notably, cryptocurrency wallets. From the start, Rhadamanthys came packed with advanced evasion techniques and was built to be sold as part of a Malware-as-a-Service (MaaS) offering on dark web forums.

Now, in 2025, Twilight Cyber researchers are noting a resurgence in Rhadamanthys activity. Recent phishing campaigns show the malware has been updated with new features, including AI-powered tools for grabbing sensitive data from screenshots and documents.

Whether you’re a business leader or simply curious about cybersecurity, this post breaks down how Rhadamanthys operates, how it spreads, and why it poses a serious risk to your digital identity.

How Rhadamanthys Works

Rhadamanthys is designed for stealth and efficiency. It quietly harvests saved passwords, autofill data, email accounts, VPN credentials, cryptocurrency wallets, and any files containing sensitive financial or personal information.

Here’s how the infection typically plays out:

  1. Delivery: You receive a phishing email pretending to be from a well-known brand (like Booking.com or YouTube). The email includes a fake invoice, copyright notice, or security alert.

A Rhadamanthys phishing email targeting German businesses

  2. Execution: Clicking the link or opening the attachment downloads a malicious file, often a ZIP, MSC, or PDF with hidden scripts.
  3. Infection: The malware installs itself and starts stealing data while staying hidden in your system.
  4. Exfiltration: It quietly sends your stolen information to a remote command-and-control (C2) server.

What Makes Rhadamanthys Hard to Detect

Rhadamanthys isn’t just another infostealer. It hides in plain sight, powered by a surprisingly sophisticated infection engine.

Instead of relying on traditional loaders or scripts, Rhadamanthys uses a custom virtual machine (VM) based on the Quake III Arena game engine. This VM executes the malware’s real code in the form of bytecode, making it nearly invisible to static analysis tools. Strings like “VirtualProtect” or “Avast” are decrypted and used only inside the VM, so a disassembler sees just an interpreter, not the malicious logic it runs.

The loader also incorporates an embedded virtual file system, borrowed from the Hidden Bee cryptominer, to store its encrypted modules. All decryption, including algorithms like RC4, TEA, and ChaCha20, takes place entirely within the virtual machine, shielding critical operations from traditional antivirus scanners.

With the release of version 0.7.0, Rhadamanthys has leveled up its stealth game, introducing a robust suite of evasion techniques:

  • MSI installer abuse: Payloads are delivered via trusted Microsoft Installer files, helping them bypass security filters.
  • Tamper-proof persistence: Configuration values (such as re-execution delay) are hashed and encrypted in the registry, making them harder to disable or detect.
  • Signed process injection: The malware injects itself into legitimate Windows processes like AppLaunch.exe, running under the guise of a trusted binary.
  • Advanced sandbox evasion: Rhadamanthys employs anti-analysis tactics like CPUID timing checks and API unhooking to detect and evade execution in virtual environments and sandboxes.

These layered techniques make Rhadamanthys exceptionally difficult to analyze. Even experienced researchers face the daunting task of reversing an entire virtual machine and peeling back multiple layers of obfuscation just to reach its core logic.

Latest Campaigns and Delivery Methods

Over the past year, Rhadamanthys has reappeared in several novel phishing campaigns with multiple themes and vectors. Twilight has observed the following:

(C)opyright Scams (mid-2024 onward)

In this campaign variant, attackers impersonate legal firms or media companies, accusing the target of copyright infringement. The emails, often sent from Gmail accounts, carry an urgent tone and include a password-protected PDF or archive as supposed “evidence.”

These scams notably leverage Rhadamanthys v0.7, which introduces AI-driven optical character recognition (OCR). This allows the malware to extract text from images and screenshots, expanding the scope of what it can steal.

Once the victim opens the attachment, the stealer is quietly deployed in the background.

Example of a copyright infringement phish

Social Media and Business Lures (2024)

In Taiwan, a campaign targeted Facebook business account users by impersonating legal teams of well-known companies. The attackers used Google Appspot domains and Dropbox links to host malware payloads, bypassing email filters.

Phishing email impersonating a popular shopping store. (Source: Talos)

Booking.com Spoofing Campaign – December 2024 (Forcepoint X-Labs)

In December 2024, Forcepoint X-Labs reported a targeted Rhadamanthys campaign aimed at hotels, restaurants, and leisure businesses in Switzerland and the UK. Attackers spoofed Booking.com emails, attaching fake invoice PDFs embedded with malicious JavaScript.

When opened, the PDF displayed a fake “Unsupported format” error. If the recipient clicked “Reload,” hidden JavaScript triggered a multi-stage payload delivery chain. The script fetched additional components from Bitbucket snippets and Microsoft cloud storage, eventually executing PowerShell commands to drop and activate Rhadamanthys on the victim’s machine.
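The open-time JavaScript chain described above is something a mail gateway or triage script can flag before the PDF ever reaches a user. The following Python triage is an added example, not Forcepoint's or Twilight's tooling: it inflates FlateDecode streams before searching for script and auto-action name tokens, because a plain byte search misses a JavaScript object that sits inside a compressed stream. The sample PDF is constructed inline.

```python
import re
import zlib

# Name tokens worth a closer look. A PDF that pairs /JavaScript (or /JS) with an
# open-time action (/OpenAction or /AA) runs script as soon as it is opened, which is
# the mechanism behind the fake "Unsupported format" / "Reload" lure described above.
MARKERS = ("/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch", "/EmbeddedFile")

def inflate_streams(data: bytes) -> bytes:
    """Append the inflated body of every FlateDecode stream to the raw bytes.
    Keywords inside compressed streams (object streams especially) are invisible to a
    plain byte search, so a scanner that skips this is bypassed by compression alone."""
    out = data
    for m in re.finditer(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", data, re.S):
        try:
            out += b"\n" + zlib.decompress(m.group(1))
        except zlib.error:
            pass  # not Flate-encoded (or damaged); the raw bytes are already in `out`
    return out

def scan_pdf(data: bytes, inflate: bool = True) -> dict:
    """Return {marker: count} for every suspicious name token present."""
    text = inflate_streams(data) if inflate else data
    hits = {}
    for marker in MARKERS:
        # lookahead stops /JS from matching longer names such as /JSON
        n = len(re.findall(re.escape(marker.encode()) + rb"(?![A-Za-z0-9_])", text))
        if n:
            hits[marker] = n
    return hits

def triage(data: bytes, inflate: bool = True) -> str:
    """'suspicious': script wired to an open-time action; 'review': any marker; else 'clean'."""
    hits = scan_pdf(data, inflate)
    has_script = "/JavaScript" in hits or "/JS" in hits
    auto_run = "/OpenAction" in hits or "/AA" in hits
    if has_script and auto_run:
        return "suspicious"
    return "review" if hits else "clean"

def sample_pdf() -> bytes:
    """Constructed minimal PDF (not a campaign file): the catalog's /OpenAction points at
    object 2, whose JavaScript action dictionary is hidden in a Flate-compressed stream."""
    hidden = zlib.compress(b"<< /S /JavaScript /JS (app.alert('Unsupported format')) >>")
    return (b"%PDF-1.7\n"
            b"1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
            b"2 0 obj << /Length " + str(len(hidden)).encode() + b" /Filter /FlateDecode >>\n"
            b"stream\n" + hidden + b"\nendstream\nendobj\n"
            b"trailer << /Root 1 0 R >>\n%%EOF\n")
```

Running `triage(sample_pdf(), inflate=False)` returns only "review" because the compressed object hides the script tokens; with inflation the same file is rated "suspicious".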

Microsoft Management Console (MSC) Dropper (2024-2025)

In version 0.7.0, Rhadamanthys began using Microsoft Software Installer (MSI) packages to distribute its payload. Security solutions commonly trust MSI files, which lets the malware bypass certain defenses.

A very recent tactic is the use of .msc (Microsoft Management Console) files as malware droppers. Double-clicking a deceptive .msc file launches the infostealer.

This is notable because .msc files are legitimate Windows files that security products often allow-list. Twilight has seen the ConsoleTaskpad method (which requires no vulnerability) in new Rhadamanthys campaigns as of early 2025.
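A defender can triage .msc attachments before MMC ever opens them. The following Python scanner is an added example, not Twilight's detection logic: it parses the console file as XML and flags any taskpad task whose attributes or text launch a script host or fetch a URL. The sample console files are constructed and only approximate the ConsoleTaskpad layout, which is why the scan is written to be schema-agnostic.

```python
import re
import xml.etree.ElementTree as ET

# Script hosts, LOLBins and download indicators a console taskpad has no legitimate
# reason to launch when a user double-clicks what looks like a document.
SUSPICIOUS = re.compile(r"(powershell|pwsh|\bcmd(\.exe)?\b|mshta|wscript|cscript|"
                        r"rundll32|regsvr32|certutil|bitsadmin|curl\b|https?://)", re.I)

def scan_msc(xml_text: str) -> list:
    """Flag every element whose text or attribute values look like a command line.
    Schema-agnostic on purpose: it walks all elements instead of trusting one exact
    console-file layout, and notes whether a hit sits under a ConsoleTaskpad."""
    findings = []
    def walk(el, path):
        path = path + [el.tag.rsplit("}", 1)[-1]]  # local name, namespace stripped
        values = list(el.attrib.values()) + ([el.text] if el.text and el.text.strip() else [])
        for v in values:
            if SUSPICIOUS.search(v):
                findings.append({"path": "/".join(path), "value": v.strip(),
                                 "in_taskpad": "ConsoleTaskpad" in path})
        for child in el:
            walk(child, path)
    walk(ET.fromstring(xml_text), [])
    return findings

def verdict(xml_text: str) -> str:
    """'block' if a taskpad launches a script host, 'review' for hits elsewhere, else 'clean'."""
    findings = scan_msc(xml_text)
    if any(f["in_taskpad"] for f in findings):
        return "block"
    return "review" if findings else "clean"

# Constructed sample approximating the ConsoleTaskpad dropper layout; the real MMC
# schema is richer, which is exactly why the scanner above does not depend on it.
DROPPER_MSC = """<MMC_ConsoleFile ConsoleVersion="3.0" ProgramMode="Default">
  <StringTables><StringTable><Strings><String ID="1">Console Root</String>
  </Strings></StringTable></StringTables>
  <ConsoleTaskpads><ConsoleTaskpad Name="Open invoice"><Tasks>
    <Task Type="CommandLine"><Command>cmd.exe</Command>
      <Parameters>/c start "" https://placeholder.invalid/lure</Parameters></Task>
  </Tasks></ConsoleTaskpad></ConsoleTaskpads>
</MMC_ConsoleFile>"""

# Constructed benign console: an ordinary snap-in with no taskpad commands.
BENIGN_MSC = """<MMC_ConsoleFile ConsoleVersion="3.0" ProgramMode="User">
  <StringTables><StringTable><Strings><String ID="1">Console Root</String>
  <String ID="2">Event Viewer (Local)</String></Strings></StringTable></StringTables>
  <ConsoleTaskpads/></MMC_ConsoleFile>"""
```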

What Type of Data Does Rhadamanthys Steal?

Beyond its impressive evasion capabilities, Rhadamanthys operates much like every other infostealer. Once it establishes a foothold, it immediately begins scanning the system for valuable data to steal.

It focuses on a wide range of targets, including:

  • Web browser data: Saved passwords, autofill information, cookies, and stored credit card details from popular browsers like Chrome and Firefox
  • Email and messaging apps: Login credentials and session tokens from tools like Outlook, Telegram, and Discord
  • Cryptocurrency wallets: Wallets such as MetaMask, Exodus, and Electrum are high-priority targets due to their direct monetary value
  • System files: Documents under 20MB (like PDFs, text files, and Word documents) are quietly sifted through for sensitive content

What sets newer versions apart is their use of AI-powered optical character recognition (OCR), which is quite rare among infostealers. This allows Rhadamanthys to extract text from images and screenshots, including recovery phrases, 2FA codes, and other credentials that aren’t stored as plain text.

Why Rhadamanthys Is a Serious Threat

The recent surge in Rhadamanthys activity and coverage poses a serious threat for organizations of all sizes. The malware is available as a subscription service (MaaS), so attackers don’t need to be skilled hackers. They just pay for access and receive regular updates, support, and a user-friendly interface.

Rhadamanthys for sale on the Dark Web

This accessibility means more attacks, more stolen credentials, and a bigger risk to organizations that rely on login-based access and digital identities (which is most organizations).

How Twilight Cyber Detects and Stops Rhadamanthys

Twilight Cyber’s mission is to help organizations stay one step ahead of threats like Rhadamanthys. Our Identity Threat Protection platform is built to detect malware-driven credential theft early, before the damage is done.

If your credentials are out there, we will find them and alert you before attackers use them.

Here’s how we do it:

Real-time detection of compromised credentials

We continuously monitor dark web marketplaces, stealer logs, and infostealer malware data feeds. Our proprietary infostealer database is updated hourly, far faster than traditional threat intel platforms that rely on weekly or monthly updates.

Smart breach intelligence

Once a breach is detected, we don’t just tell you what happened. We show you which machines were compromised, what credentials were exposed, and how attackers might try to use them. This allows your team to lock down access points quickly and prevent lateral movement or fraud.

Account takeover prevention (ATO)

We protect login flows with automated, real-time checks. Every time a user logs in, our platform verifies whether their credentials have been compromised. If we detect a risk, the login is blocked and the user is prompted to reset their password.
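The login-time check above can be sketched in code. This Python example is an added illustration of one possible design, not Twilight's platform: the stealer-log index holds keyed hashes of leaked email:password pairs bucketed by a short hash prefix, and the compromise check runs only after the password itself verifies, so a failed guess cannot use the check as an oracle. The leaked pairs and the index key are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Assumed design, not Twilight's implementation: the stealer-log index stores only a
# keyed hash of each leaked email:password pair, bucketed by a short prefix so the
# login service can fetch a whole bucket and compare locally (k-anonymity style).
INDEX_KEY = b"constructed-demo-key-shared-with-the-index-rotate-in-production"

def pair_digest(email: str, password: str) -> str:
    """Keyed SHA-256 of the normalised credential pair; HMAC so the index alone
    cannot serve as a plain rainbow table for the leaked passwords."""
    msg = f"{email.strip().lower()}:{password}".encode()
    return hmac.new(INDEX_KEY, msg, hashlib.sha256).hexdigest()

class StealerLogIndex:
    """Constructed stand-in for an infostealer-log database."""
    def __init__(self, leaked_pairs):
        self._buckets = {}
        for email, password in leaked_pairs:
            d = pair_digest(email, password)
            self._buckets.setdefault(d[:5], set()).add(d[5:])
    def bucket(self, prefix: str) -> set:
        return set(self._buckets.get(prefix, ()))

@dataclass
class LoginDecision:
    allowed: bool
    reason: str
    require_reset: bool = False

def check_login(email: str, password: str, password_verified: bool,
                index: StealerLogIndex) -> LoginDecision:
    """Run the compromised-credential check only after the password itself verified,
    so a failed guess never learns whether that guess appears in stealer logs."""
    if not password_verified:
        return LoginDecision(False, "invalid credentials")
    d = pair_digest(email, password)
    if d[5:] in index.bucket(d[:5]):
        # the exact pair is circulating in stealer logs: block and force a reset
        return LoginDecision(False, "credential pair found in stealer logs", require_reset=True)
    return LoginDecision(True, "ok")

# Constructed leaked pairs, as a stealer log would expose them.
DEMO_INDEX = StealerLogIndex([("alice@example.com", "Winter2024!"),
                              ("carol@example.com", "hunter2")])
```

The check is on the exact pair rather than the password alone, so a password that leaked for one account does not block an unrelated user who happens to share it.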
