Introduction
The CopyR(ight)hadamantys phishing campaign [1] [2] [8], active since July 2024 [3] [5] [6] [9], employs advanced copyright infringement themes to deceive victims into downloading the Rhadamanthys information stealer [3] [5] [9]. This operation [1] [8], tracked by Check Point, targets multiple global regions, focusing on the technology and media sectors [2].
Description
An ongoing phishing campaign [3] [5] [6] [9], known as CopyR(ight)hadamantys [1] [2] [3] [4] [5] [6] [7] [9], has been identified as utilizing advanced copyright infringement themes to deceive victims into downloading an updated version of the sophisticated Rhadamanthys information stealer since July 2024. This large-scale operation [3] [5] [9], tracked by cybersecurity firm Check Point [5] [9], targets various regions worldwide [4], including the United States [3] [5] [9], Europe [2] [3] [5] [6] [9], Southeast Asia [2], and South America [3] [5] [6] [9], with a significant focus on the technology and media sectors, where approximately 70% of the impersonated companies reside [1] [3] [6].
The campaign employs sophisticated spear-phishing tactics, sending tailored emails from various falsified Gmail accounts that impersonate legal representatives of reputable companies. These emails falsely accuse recipients of unauthorized media usage on their social media accounts and demand the removal of specific images and videos [1] [3] [5] [7]. The removal instructions are said to be in a password-protected file [3] [5]; the link to it redirects users to platforms like Dropbox or Discord, where they obtain both the archive and its password. This archive contains a legitimate executable vulnerable to DLL side-loading [3] [5], a malicious dynamic link library (DLL) carrying the Rhadamanthys payload [2], and a decoy document [2] [3] [5].
Once the executable runs, the malicious DLL is side-loaded and drops a larger copy of itself, disguised as a Firefox component, on the victim's computer. This larger file [2] is padded with unnecessary data to change its hash value [2] and may evade detection by antivirus programs that skip scanning large files [2]. The Rhadamanthys malware collects sensitive information from victims' systems [6], including credentials [6], browser history [6], and stored cookies [6], posing significant security threats [6]. The volume of impersonating emails is alarming [1], with hundreds of phishing attempts targeting various organizations [1], and the high-profile nature of the impersonated sectors lends the lures additional credibility.
Check Point attributes this campaign to a likely cybercrime group motivated by financial gain rather than espionage or political influence. The broad scope of the operation and the use of malware sourced from underground forums suggest that the attackers are not state-sponsored [1], as they do not focus on high-value assets like government agencies or critical infrastructure [1]. The involvement of various threat actors, including an Iranian group known as Void Manticore and the hacktivist group Handala [8], indicates a diverse range of motivations behind the campaign.
The effective lure of copyright infringement themes, combined with the advanced capabilities of the Rhadamanthys stealer, including a machine-learning-based optical character recognition (OCR) component designed to extract data from documents and images, raises serious concerns about the evolving landscape of phishing threats and the tactics cybercriminals use to improve their success rates. Security experts emphasize the need for improved defenses against such sophisticated threats [8], and organizations are advised to implement phishing protections and to monitor for unusually large files downloaded from emails to mitigate the risks associated with this campaign [2]. Google has acknowledged awareness of this campaign and has implemented AI-based protections to combat these phishing attempts [8].
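The "unusually large file" advice above is hard to act on by file size alone, because installers and media-rich binaries are legitimately large. A more specific check for the padding trick described in the campaign is to parse the PE headers and measure the overlay: bytes that sit after the last section's raw data and that no loader will ever map. A DLL inflated only to change its hash has a huge, low-entropy overlay, while a signed installer has a small overlay or a high-entropy one. The script below is an added example written for this page, not code from Check Point or any of the cited reports; the thresholds (50 MiB, 90% of the file, 95% byte uniformity) are assumed starting points for tuning, and the sample PE it builds is a constructed, non-executable image used only to exercise the parser.

```python
import struct
from collections import Counter


def build_pe(section_raw_size: int, overlay_size: int, overlay_byte: bytes = b"\x00") -> bytes:
    """Constructed test sample: a minimal PE32 image with one section and an optional
    trailing overlay. It is not a runnable program; it only exercises the parser below."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)   # 64-byte DOS header, e_lfanew at 0x3C
    num_sections, size_opt = 1, 0xE0                                    # one section, PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, num_sections, 0, 0, 0, size_opt, 0x2102)
    opt = struct.pack("<H", 0x10B) + b"\x00" * (size_opt - 2)           # PE32 magic, remaining fields zeroed
    raw_ptr = 0x200                                                     # section data begins at file offset 0x200
    sect = struct.pack("<8sIIIIIIHHI", b".text", section_raw_size, 0x1000,
                       section_raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
    header = dos + b"PE\x00\x00" + coff + opt + sect
    header += b"\x00" * (raw_ptr - len(header))                         # pad headers up to the section start
    return header + b"\x90" * section_raw_size + overlay_byte * overlay_size


def pe_overlay_size(data: bytes) -> int:
    """Number of bytes after the end of the last section's raw data (the overlay)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file (missing MZ)")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("not a PE file (missing PE signature)")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]          # COFF NumberOfSections
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]             # COFF SizeOfOptionalHeader
    sect_table = coff + 20 + size_opt
    end_of_sections = 0
    for i in range(num_sections):
        entry = sect_table + 40 * i
        size_raw, ptr_raw = struct.unpack_from("<II", data, entry + 16)  # SizeOfRawData, PointerToRawData
        end_of_sections = max(end_of_sections, ptr_raw + size_raw)
    return max(0, len(data) - end_of_sections)


def overlay_uniformity(data: bytes, overlay: int, sample: int = 1 << 20) -> float:
    """Share of the overlay occupied by its single most common byte value.
    Junk padding tends toward 1.0; Authenticode signatures or packed resources sit far lower."""
    if overlay == 0:
        return 0.0
    chunk = data[len(data) - overlay:][:sample]                         # sample at most 1 MiB of the overlay
    return Counter(chunk).most_common(1)[0][1] / len(chunk)


def assess_inflation(data: bytes, min_overlay_bytes: int = 50 * 1024 * 1024,
                     min_overlay_ratio: float = 0.9, min_uniformity: float = 0.95) -> dict:
    """Flag a PE whose overlay is large in absolute or relative terms; report whether the
    overlay also looks like low-entropy padding. Thresholds are assumed defaults for tuning."""
    overlay = pe_overlay_size(data)
    ratio = overlay / len(data)
    uniformity = overlay_uniformity(data, overlay)
    return {
        "file_size": len(data),
        "overlay_bytes": overlay,
        "overlay_ratio": round(ratio, 4),
        "overlay_uniformity": round(uniformity, 4),
        "suspicious": overlay >= min_overlay_bytes or ratio >= min_overlay_ratio,
        "low_entropy_padding": uniformity >= min_uniformity,
    }


if __name__ == "__main__":
    # Constructed samples: a 1 KiB-section PE with a 1 MiB zero overlay versus the same PE
    # with a 256-byte overlay of the kind a small signature blob would leave behind.
    for label, sample in (("inflated", build_pe(0x400, 0x100000)), ("normal", build_pe(0x400, 0x100))):
        print(label, assess_inflation(sample))
```

In a mail-gateway or EDR pipeline, `assess_inflation` would be applied to executables and DLLs extracted from downloaded archives; a hit on both `suspicious` and `low_entropy_padding` is a much stronger signal than raw file size, and the overlay-free copy of a flagged file can be rehashed to recover a stable indicator despite the padding.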
Conclusion
The CopyR(ight)hadamantys campaign highlights the increasing sophistication of phishing threats, posing significant risks to targeted sectors. Organizations must enhance their cybersecurity measures, focusing on phishing protections and monitoring for suspicious activities. The involvement of diverse threat actors underscores the need for vigilance and adaptation to evolving cyber threats. As cybercriminals continue to refine their tactics, the importance of robust defenses and proactive measures becomes paramount in safeguarding sensitive information and maintaining security.
References
[1] https://blog.checkpoint.com/security/uncovering-a-large-scale-campaign-using-the-latest-version-of-the-rhadamanthys-stealer-rhadamanthys-07/
[2] https://www.darkreading.com/cyberattacks-data-breaches/fake-copyright-infringement-emails-rhadamanthys
[3] https://owasp.or.id/2024/11/07/steelfox-and-rhadamanthys-malware-use-copyright-scams-driver-exploits-to-target-victims/
[4] https://blog.netmanageit.com/copyrh-ight-adamantys-campaign-rhadamantys-exploits-intellectual-property-infringement-baits/
[5] https://thehackernews.com/2024/11/steelfox-and-rhadamanthys-malware-use.html
[6] https://cybermaterial.com/steelfox-rhadamanthys-use-copyright-scams/
[7] https://www.ncnonline.net/copyrhightadamantys-uncovering-a-large-scale-campaign-using-the-latest-version-of-the-rhadamanthys-stealer-rhadamanthys-07-check-point/
[8] https://www.forbes.com/sites/daveywinder/2024/11/07/cyber-attack-warning-as-hackers-use-ai-and-gmail-in-new-campaign/
[9] https://news.backbox.org/2024/11/07/steelfox-and-rhadamanthys-malware-use-copyright-scams-driver-exploits-to-target-victims/