A sophisticated phishing campaign has been active since July 2024.
This campaign, tracked by Check Point under the name "CopyRh(ight)adamantys," leverages copyright infringement themes to deceive victims into downloading a new version of the Rhadamanthys information stealer.
The campaign targets the United States, Europe, East Asia, and South America, and impersonates a wide range of companies, primarily from the entertainment, media, and technology sectors.
Each phishing email is tailored to the recipient, sent from a unique Gmail account, and written in the local language of the target.
The emails claim to be from legal representatives of well-known companies, accusing recipients of brand misuse on social media.
They instruct the recipient to remove the offending content and point to a password-protected file that is actually a download link hosted on appspot.com. This link redirects to Dropbox or Discord, where a RAR archive can be downloaded.
The archive contains a legitimate executable vulnerable to DLL side-loading, a malicious DLL with the Rhadamanthys payload, and a decoy document. When the executable is run, it sideloads the DLL, initiating the malware deployment.
The Rhadamanthys version used in this campaign (v0.7) includes AI-powered optical character recognition (OCR) capabilities. The campaign's scale and sophistication suggest the use of AI tools and point to a financially motivated cybercrime group rather than a nation-state actor. The attackers' use of automated phishing tactics and diverse lures highlights their evolving strategies to increase success rates.
Source: https://thehackernews.com/2024/11/steelfox-and-rhadamanthys-malware-use.html
Commentary
In the above source, the phishing scam accuses the target of brand misuse.
Examples of the accusations include claims that the recipient has:
- Posted copyrighted images or videos without permission.
- Used a company's logo or branding in a misleading or unauthorized way.
- Shared content that infringes on the intellectual property of the impersonated company.
Users can identify phishing emails related to the Rhadamanthys malware campaign - like those in the "CopyRh(ight)adamantys" operation - by watching for several key red flags:
- The emails often claim the recipient has violated copyright or misused a brand on social media. The tone is urgent and legalistic, designed to provoke fear and quick action.
- The sender may pretend to represent a major company (e.g., a media or tech firm), using logos or names that look legitimate but are slightly off (e.g., misspelled domains or Gmail addresses instead of corporate ones).
- The email typically includes a link to a password-protected file hosted on platforms like Dropbox or Discord. The password is provided in the email to make it seem more secure or official.
- Victims are instructed to download a file that supposedly contains evidence of the alleged infringement. This file often includes a legitimate-looking executable that, when run, silently installs malware via DLL side-loading.
- These types of phishing emails are often written in the recipient's native language and may include their name or other personal details to increase credibility.
- Even though the email may appear to come from a known company, the actual sender address is often a generic Gmail account or a spoofed domain.
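The red flags above can be turned into a simple triage check. The following Python script is an added example, not part of the original post or of Check Point's research: it scores one RFC 822 message against the campaign traits listed here (legalistic copyright lure, a company name on a Gmail sender, a download link on appspot.com/Dropbox/Discord, an archive password in the body, and a deadline). The sample message, the rule names and the thresholds are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample modelled on the lure described above; not a real campaign email.
SAMPLE_EMAIL = """From: "Legal Department, Example Media Corp" <legal.notices.examplemedia@gmail.com>
To: user@example.org
Subject: Copyright infringement notice - immediate action required

Our client has identified unauthorized use of its brand on your social media pages.
Download the evidence archive here: https://copyright-notice-1234.appspot.com/case/8812
The archive password is: Legal2024
Remove the infringing content within 48 hours or we will take legal action.
"""

WEBMAIL = {"gmail.com"}  # the campaign sent from unique Gmail accounts
FILE_HOSTS = ("appspot.com", "dropbox.com", "discord.com", "discordapp.com")
LURE_TERMS = ("copyright", "infring", "brand", "unauthorized", "legal action")

def extract_text(msg):
    """Join the text/plain parts of a (possibly multipart) message."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)

def score_email(raw_message):
    """Return the campaign red flags found in one RFC 822 message plus a verdict."""
    msg = message_from_string(raw_message)
    text = (msg.get("Subject", "") + "\n" + extract_text(msg)).lower()
    name, addr = parseaddr(msg.get("From", ""))
    findings = []
    if sum(term in text for term in LURE_TERMS) >= 2:
        findings.append("copyright_lure")  # legalistic brand-misuse accusation
    if name and addr.rsplit("@", 1)[-1].lower() in WEBMAIL:
        findings.append("company_claim_from_webmail")  # named "firm" sending from Gmail
    hosts = [urlparse(u).hostname or "" for u in re.findall(r"https?://[^\s<>\"']+", text)]
    if any(h == f or h.endswith("." + f) for h in hosts for f in FILE_HOSTS):
        findings.append("file_host_link")  # appspot.com / Dropbox / Discord download link
    if re.search(r"password\s*(is|:)", text):
        findings.append("password_in_body")  # password for the "evidence" archive
    if re.search(r"within \d+ (hours|days)|immediate", text):
        findings.append("deadline_pressure")  # urgency meant to force quick action
    verdict = "likely phishing" if len(findings) >= 3 else "needs review" if findings else "no campaign flags"
    return {"findings": findings, "verdict": verdict}
```

Run `score_email(SAMPLE_EMAIL)` to see all five flags fire; a plain internal message with no lure, link or password returns "no campaign flags".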
The final takeaway is that if you receive an email like this, do not download or open any attachments or click on links. Instead, verify the claim by contacting the company directly through channels that are not provided in the email.