From 281a70415a75ddbbcc00bee7d8946776b4b4525c Mon Sep 17 00:00:00 2001
From: Yung Binary <93540406+YungBinary@users.noreply.github.com>
Date: Fri, 31 Oct 2025 12:45:06 -0600
Subject: [PATCH 1/2] Additional Rhadamanthys patterns
---
 data/yara/CAPE/Rhadamanthys.yar | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/data/yara/CAPE/Rhadamanthys.yar b/data/yara/CAPE/Rhadamanthys.yar
index c5ca2677238..6b6a1b16940 100644
--- a/data/yara/CAPE/Rhadamanthys.yar
+++ b/data/yara/CAPE/Rhadamanthys.yar
@@ -1,13 +1,15 @@
 rule Rhadamanthys
 {
 meta:
- author = "kevoreilly"
+ author = "kevoreilly, YungBinary"
 description = "Rhadamanthys Loader"
 cape_type = "Rhadamanthys Loader"
 strings:
 $rc4 = {88 4C 01 08 41 81 F9 00 01 00 00 7C F3 89 75 08 33 FF 8B 4D 08 3B 4D 10 72 04 83 65 08 00}
 $code = {8B 4D FC 3B CF 8B C1 74 0D 83 78 04 02 74 1C 8B 40 1C 3B C7 75 F3 3B CF 8B C1 74 57 83 78 04 17 74 09 8B 40 1C 3B C7 75 F3 EB}
 $conf = {46 BB FF 00 00 00 23 F3 0F B6 44 31 08 03 F8 23 FB 0F B6 5C 39 08 88 5C 31 08 88 44 39 08 02 C3 8B 5D 08 0F B6 C0 8A 44 08 08}
+ $beef = { 57 8D 44 33 FC 53 83 C6 FC 50 56 E8 ?? ?? ?? ?? 83 C4 10 66 81 3F EF BE 0F 85 E6 02 00 00 }
+ $config_2 = { 0F B6 4F 2A 8D 77 2A 33 C0 6A 03 89 ?? ?? 89 ?? ?? 89 ?? ?? 8B C1 }
 $cape_string = "cape_options"
 condition:
 2 of them and not $cape_string
From 6ea9ccaca59bde6b182ae0aa85ff6bba9f364b3f Mon Sep 17 00:00:00 2001
From: Kevin O'Reilly
Date: Mon, 3 Nov 2025 13:16:31 +0000
Subject: [PATCH 2/2] Tweak Rhadamanthys patterns
- removed highly variable jump size in conditional jump (0x2e6 bytes code, size highly brittle)
- replaced eax register in nice characteristic pattern as it can only be eax, since pattern contains the xor eax, eax instruction by which the code zeroes)
---
 data/yara/CAPE/Rhadamanthys.yar | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/data/yara/CAPE/Rhadamanthys.yar b/data/yara/CAPE/Rhadamanthys.yar
index 6b6a1b16940..367d73f8b4c 100644
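Review bot: The two new strings `$beef` and `$config_2` are added without a comment saying which instructions they anchor on, so a later maintainer cannot tell which bytes are characteristic of the loader and which are build-specific; the reworked versions in the second patch of this series have the same gap. From the encoding, `$beef` covers a call followed by `cmp word ptr [edi], 0BEEFh` and a `jnz`, and `$config_2` covers `movzx ecx, byte ptr [edi+2Ah]`, `lea esi, [edi+2Ah]`, `xor eax, eax`, `push 3`, three `mov [ebp+disp8], eax` stores and `mov eax, ecx`. A one-line YARA comment above each, e.g. `// call; cmp word ptr [edi], 0BEEFh; jnz — magic-word check` and `// movzx ecx, [edi+2Ah]; lea esi, [edi+2Ah]; xor eax, eax; push 3 — presumably config parsing, per the string name`, would record that and make the `2 of them` condition easier to reason about when a pattern is later loosened or dropped.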
--- a/data/yara/CAPE/Rhadamanthys.yar
+++ b/data/yara/CAPE/Rhadamanthys.yar
@@ -8,8 +8,8 @@ rule Rhadamanthys
 $rc4 = {88 4C 01 08 41 81 F9 00 01 00 00 7C F3 89 75 08 33 FF 8B 4D 08 3B 4D 10 72 04 83 65 08 00}
 $code = {8B 4D FC 3B CF 8B C1 74 0D 83 78 04 02 74 1C 8B 40 1C 3B C7 75 F3 3B CF 8B C1 74 57 83 78 04 17 74 09 8B 40 1C 3B C7 75 F3 EB}
 $conf = {46 BB FF 00 00 00 23 F3 0F B6 44 31 08 03 F8 23 FB 0F B6 5C 39 08 88 5C 31 08 88 44 39 08 02 C3 8B 5D 08 0F B6 C0 8A 44 08 08}
- $beef = { 57 8D 44 33 FC 53 83 C6 FC 50 56 E8 ?? ?? ?? ?? 83 C4 10 66 81 3F EF BE 0F 85 E6 02 00 00 }
- $config_2 = { 0F B6 4F 2A 8D 77 2A 33 C0 6A 03 89 ?? ?? 89 ?? ?? 89 ?? ?? 8B C1 }
+ $beef = {57 8D 44 33 FC 53 83 C6 FC 50 56 E8 [4] 83 C4 10 66 81 3F EF BE 0F 85}
+ $config_2 = {0F B6 4F 2A 8D 77 2A 33 C0 6A 03 89 45 F8 89 45 FC 89 45 08 8B C1}
 $cape_string = "cape_options"
 condition:
 2 of them and not $cape_string
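Review bot: In the new `$config_2` line, replacing `89 ?? ??` with `89 45 F8 89 45 FC 89 45 08` pins not only the source register (the reg field of the ModRM byte, which the commit message justifies via the preceding `xor eax, eax`) but also the three ebp-relative displacements (-8, -4, +8), which depend on the compiler's stack-slot allocation rather than on the loader's logic. If those slots are not stable across samples, `89 45 ?? 89 45 ?? 89 45 ??` keeps the `mov [ebp+disp8], eax` constraint while leaving the offsets open; worth checking against more than one sample before pinning them. The `$beef` change looks right: it now ends on the `0F 85` opcode of the `jnz` and drops the rel32 displacement that the message describes as brittle.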