Botconf Author Listing

In September 2022, Rhadamanthys first appeared in the eCrime landscape, with detailed forum posts that continue to capture the attention of both threat actors and security researchers. The malware itself is technically complex, utilizing a multi-stage infection chain, compression, encoding, steganography, and encryption to make analysis and detection more difficult.

This presentation provides a summary of Rhadamanthys’ components. The talk will also dive into how the Rhadamanthys developer positions themselves in the market, focusing on their early efforts to develop a customer base by focusing on ease of use and customer support. Using CrowdStrike telemetry, we will also look at statistics on the various distribution vectors for Rhadamanthys.

The audience will gain a better understanding of Rhadamanthys’ technical workings, and gain insights on how to hunt for the malware and reduce potential impact.

In the era of law enforcement crackdowns, cybercriminals continue to find ways to adapt, persist and confuse.

This is the case with WIZARD SPIDER—a Russian-based cybercrime group known for operating TrickBot and Conti—whose former members likely continue to run a private crypting service that has been in operation since before the Conti leaks in 2022. These crypters are critical tools that enable threat actors to obfuscate malware and evade detection. This talk unravels the crypters’ role within WIZARD SPIDER’s infrastructure revealing hidden webs connecting seemingly disparate cybercrime groups—including existing adversaries such as LUNAR SPIDER and WANDERING SPIDER, and relatively newer adversaries such as VICE SPIDER.

Through case studies and technical breakdowns, we will highlight how tracking crypters offer a new lens for identifying and mapping cybercriminal activity, especially in an era where shared infrastructure and tooling blur the lines between threat actors.