Summary:
Rhadamanthys version 0.5.0 is a substantial step up from earlier releases. It ships a much larger set of data-theft capabilities, plus a plugin system that lets distributors add functionality tailored to their own campaigns. The initial loader is still a 32-bit executable and still resembles its predecessor, but it has been largely rewritten and now performs a sandbox check based on the name of the executable it is running as. New tricks in this version include a .textbss section with a large virtual size but no file-backed content, used to hold code and data that only exist at runtime; string deobfuscation performed in a Thread Local Storage (TLS) callback, so the strings are decoded before the entry point runs; and extensive use of raw syscalls to bypass user-mode API hooks. Taken together, these changes make the loader harder to detect and analyze, and its execution flow branches on the host architecture (32-bit versus 64-bit) before handing off to the modular stages that follow.