HuntRthys is a specific, modern and fast command and control detection tool written to detect Command and Control (C2) servers used by the Rhadamanthys Stealer Malware. HuntRthys provides the most reliable and fastest detection among 6 different methods determined as a result of studies on the characteristics and detectability of Rhadamanthys C2 servers.
Rhadamanthys Stealer Malware was first identified in September 2022 by a team of researchers at ThreatMon Threat Intelligence, including myself, on a Russian hacker forum. Since its announcement, this malware has continued to evolve. Every day, many new command and control servers are being purchased to serve the Rhadamanthys Stealer malware. Rhadamanthys has been distributed as Stealer Malware since its discovery and its characteristics have not changed. It has its own C2 Command and Control Management Panel. Don't forget to check my blog for more information about the Rhadamanthys malware and the residential control server.
HuntRthys offers you the following features.
- Specific and fast scanner,
- Single IP address scanner,
- Multi IP address scanner,
- Extended IP info,
- Extended URL info,
- Extended Web Page info,
- Modern tabular format,
- Wide range of results,
- Multithreading support.
- Clone the project repository or download the zip file:
git clone https://github.com/eyupergin/huntrthys.git- Install the required Python packages by running the following command:
pip3 install -r requirements.txtHuntRthys is used via a command-line interface. Below are examples of basic usage.
- List arguments:
python3 main.py -h- To scan a single IP address:
python3 main.py -t <IP_ADDRESS>- To scan IP addresses from a file:
python3 main.py -f <FILE_NAME.txt>- To perform scanning with multi-threading:
python3 huntrthys.py -f <FILE_NAME.txt> -mT <THREAD_COUNT>Note: The "-mT" parameter allows up to 5 threads.
- To save the scanner results to a JSON file:
python huntrthys.py -t <IP_ADDRESS> -oJ <OUTPUT_FILE.json>HuntRthys C2 Scanner tool visualizes the scanning results in a tabular format and prints them to the console. Additionally, you can choose to save the results to a JSON file.
Here is an example output of the results:
______ __ ________________________
___ / / ____ __________ /___ __ __ /___ /______ _________ | Version: v1.3
__ /_/ /_ / / __ __ _ ____ /_/ _ ____ __ __ / / __ ___/ | Developed by Eyup Sukru ERGIN
_ __ / / /_/ /_ / / / /_ _ _, _// /_ _ / / _ /_/ /_(__ ) | --------------------------------------
/_/ /_/ \__,_/ /_/ /_/\__/ /_/ |_| \__/ /_/ /_/_\__, / /____/ | https://ergin.dev
/____/ | https://github.com/eyupergin/huntrthys
Specific Rhadamanthys Command and Control Server Detection Tool
[INFO] Total Scanned IP Addresses: 3 | Detected C2: 3
STATUS IP ADDRESS CN ASN PAGE TITLE FULL URL
-- ------------- -------------- ---- ------- ------------------ --------------------------------------------------
1 [C2 DETECTED] 192.138.111.11 CH AS51852 Rhadamanthys Admin http://192.138.111.11:443/admin/console/index.html
2 [C2 DETECTED] 192.138.111.11 CH AS51852 Rhadamanthys Admin http://192.138.111.11:443/admin/console/index.html
3 [C2 DETECTED] 192.138.111.11 CH AS51852 Rhadamanthys Admin http://192.138.111.11:443/admin/console/index.html
This project is licensed under the MIT License. See the LICENSE file for more details.
Repo Update Date: 10-11-2023
If you would like to contribute to this project, please open an issue or submit a pull request. Any contributions and suggestions are welcome!
If you have any questions or suggestions, please feel free to contact me.
E-mail: ergindev@gmail.com
Website: www.ergin.dev
LinkedIn: www.linkedin.com/in/eyupergin