
Rhadamanthys Threat Actors Using Fake Copyright Infringement Emails

In a recently published blog article, Check Point's research team describes a campaign spreading the Rhadamanthys info stealer. The infection chain starts with fake copyright infringement emails that act as the lure.


The campaign began in July 2024, with threat actors masquerading as various companies and falsely claiming that recipients have committed copyright infringement on their Facebook pages. Targeting follows a shotgun approach, spraying and praying across a wide geographic area, with the US, Europe, the Middle East, East Asia, and South America in their sights.

Researchers quickly discovered that the fake copyright infringement phishing emails were sent from Gmail accounts and prompted recipients to download an archive file. The archive triggers the infection through DLL side-loading: a legitimate executable loads a malicious DLL placed beside it in the same directory, and that DLL installs the latest version of Rhadamanthys, version 0.7 at the time of writing, which now features an alleged AI-powered optical character recognition (OCR) module.

The spam emails appear to come from the impersonated companies' legal representatives. They accuse the recipient of misusing the company's brand on the target's social media page and request the removal of specific images and videos.

The email tells the recipient that the removal instructions are in a password-protected file. What is actually attached is a download link that sends the user to Dropbox or Discord to fetch a password-protected archive, with the password supplied in the body of the same email. Encrypting the archive keeps mail and web gateways from inspecting its contents, while the password in the message costs the victim no effort at all.

Importantly, researchers noted,

We observed hundreds of emails impersonating dozens of companies, each sent to a specific address from a different Gmail account. Almost 70% of the impersonated companies are from Entertainment/Media and Technology/Software sectors. This is possibly due to the fact that those sectors have a high online presence and are more likely to send such requests than other sectors. These high profile sectors also have frequent copyright-related communications, making such phishing attempts appear more credible…The attackers likely used an automated tool, possibly with AI integration, to generate both the emails and the accounts. While most emails are written in the recipient’s local language or English, occasional errors occur. For example, one email intended for an Israeli target was written in Korean instead of Hebrew, with only the target’s name correctly localized.

The infection chain proper begins once the victim opens the archive. It contains three files: a legitimate executable, a DLL containing the packed Rhadamanthys, and a decoy Adobe EPS or PDF file to keep up the charade.
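The three-file layout above is easy to check for before anything is executed. The following is an added example written for this page, not code from the article or from Check Point's research: it walks an extracted archive, pairs each executable with the DLLs sitting beside it, and flags DLL names that collide with libraries normally found in System32. The set of system DLL names is an illustrative subset (an assumption), and the sample directory it builds contains placeholder bytes, not real PE or PDF files.

```python
"""Triage an extracted archive for the exe + DLL + decoy layout described above.

Added example, not from the original article or Check Point's research. The set
of system DLL names is an illustrative subset (an assumption), not an inventory
of every library that can be side-loaded.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# Illustrative subset of libraries that ship in System32 and are therefore
# plausible side-loading targets when a copy sits beside an executable.
# On a Windows host you can widen this with os.listdir(r"C:\Windows\System32").
SYSTEM_DLL_NAMES = {
    "version.dll", "dbghelp.dll", "cryptbase.dll", "wtsapi32.dll",
    "profapi.dll", "userenv.dll", "dwmapi.dll", "uxtheme.dll",
}
# Documents an archive might carry purely to keep the lure believable.
DECOY_EXTENSIONS = {".pdf", ".eps", ".doc", ".docx"}


def _ext(name):
    return os.path.splitext(name)[1].lower()


def classify_listing(filenames, system_dll_names=SYSTEM_DLL_NAMES):
    """Pure heuristic over a list of file names; one finding per executable."""
    names = list(filenames)
    exes = [n for n in names if _ext(n) == ".exe"]
    dlls = [n for n in names if _ext(n) == ".dll"]
    decoys = [n for n in names if _ext(n) in DECOY_EXTENSIONS]
    findings = []
    for exe in exes:
        if not dlls:
            continue  # nothing beside the executable that it could side-load
        colliding = sorted(d for d in dlls if d.lower() in system_dll_names)
        findings.append({
            "executable": exe,
            "sideload_candidates": sorted(dlls),
            "system_name_collisions": colliding,
            "has_decoy_document": bool(decoys),
            # exe + one system-named DLL + one decoy is exactly the lure's layout
            "matches_lure_layout": bool(colliding) and bool(decoys) and len(names) == 3,
        })
    return findings


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def triage_directory(folder):
    """Apply classify_listing to a real directory and attach DLL hashes for lookup."""
    files = [p for p in Path(folder).iterdir() if p.is_file()]
    findings = classify_listing(p.name for p in files)
    hashes = {p.name: sha256_of(p) for p in files if _ext(p.name) == ".dll"}
    for finding in findings:
        finding["dll_sha256"] = hashes
    return findings


def build_sample_archive_dir():
    """Constructed sample: a fake extracted archive with the three-file layout.

    The files are placeholders, not real PE or PDF content."""
    tmp = Path(tempfile.mkdtemp(prefix="lure_"))
    (tmp / "Notice.exe").write_bytes(b"MZ" + b"\x00" * 62)
    (tmp / "version.dll").write_bytes(b"MZ" + b"\x90" * 62)
    (tmp / "copyright_notice.pdf").write_bytes(b"%PDF-1.4\n")
    return tmp


if __name__ == "__main__":
    for finding in triage_directory(build_sample_archive_dir()):
        print(finding)
```

The name-collision check only catches DLLs that mimic a system library; a side-loaded DLL can carry any name the executable imports, so treat any exe shipped with its own DLL in a user-writable folder as worth a second look, and compare the DLL hash against the vendor's genuine copy rather than trusting the file name.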

As the Rhadamanthys modules are loaded, the loader injects them into legitimate Windows processes whose executables live in the system32 directory. Researchers split the malware's loading into three stages, of which the second and third are the interesting ones.

They stated,

The role of Stage 2 is to run extensive evasion checks on the compromised machine, connect to the Command-and-Control server (C2), and download the next package which contains Stage 3. Stage 3, shipped steganographically in a WAV file, is a rich set of stealer modules that attack various targets.

Rhadamanthys 0.7

As mentioned above, the campaign's primary goal is to deliver and deploy the latest version of Rhadamanthys to a victim's machine.

The info stealer is sold as malware-as-a-service. Despite being banned from several underground hacker forums for being used within Russia and the former Soviet bloc, it remains very popular, largely because of an advanced feature set that is continually developed and improved.

The malware's main task is to steal credentials and data. To that end, it targets a broad range of sensitive information: browser credentials, system information, cookies, cryptocurrency wallets, and application data. It is highly adaptable, supporting a variety of extensions for additional malicious activity on compromised systems.

As alluded to above, the latest version includes an AI-powered OCR module. If it works as advertised, it lets the malware automatically extract cryptocurrency wallet seed phrases from images: it identifies images on the infected machine that contain seed phrases and exfiltrates them to the attacker's command-and-control server for further processing.

However, as Check Point researchers found, the component does not incorporate any modern AI engine. Instead, it relies on much older, classic machine learning of the kind found in OCR software that has long been publicly available.

While the module's AI capabilities may be overhyped, the feature should not be discounted. Researchers found that it carries a dictionary of the 2048 words defined in Bitcoin Improvement Proposal 39 (BIP-39), the list from which wallet seed phrases are drawn, so that text recognised by the OCR module can be matched against valid seed words.
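Once text has been recognised, picking out a seed phrase needs no AI at all, which is the point of the previous paragraph. The following is an added example written for this page, not Rhadamanthys' code and not from Check Point's analysis: it matches OCR tokens against a BIP-39 dictionary and reports runs of consecutive dictionary words of mnemonic length. The word list embedded here is a constructed subset (the first 24 of the 2048 English words) so the example runs offline; the OCR confusions it corrects (a zero read for "o", a one read for "l") are an assumption about typical recognition errors. The same logic, pointed at a screenshots folder, doubles as a check for seed phrases you have accidentally left lying around as images.

```python
"""Find BIP-39 seed-phrase candidates in OCR output.

Added example, not Rhadamanthys' code and not from Check Point's analysis. It
shows how little "AI" the post-processing needs once text has been recognised:
a 2048-word dictionary and a run-length check.
"""
import re

# Constructed subset: the first 24 words of the BIP-39 English list. The real
# list has 2048 words; load it from the BIP-39 reference english.txt for real use.
SAMPLE_BIP39_WORDS = [
    "abandon", "ability", "able", "about", "above", "absent", "absorb", "abstract",
    "absurd", "abuse", "access", "accident", "account", "accuse", "achieve", "acid",
    "acoustic", "acquire", "across", "act", "action", "actor", "actress", "actual",
]

# Mnemonic lengths BIP-39 allows (128..256 bits of entropy in 32-bit steps).
VALID_PHRASE_LENGTHS = {12, 15, 18, 21, 24}

# Assumed OCR confusions: a zero read for "o" and a one read for "l" inside words.
OCR_FIXES = str.maketrans("01", "ol")


def build_index(words):
    """Map each word's first four letters to the word.

    The BIP-39 English list is unique in its first four characters, so a
    truncated or tail-damaged OCR token can still be resolved. The price is
    that any word sharing those four letters (e.g. "active") also matches."""
    return {w[:4]: w for w in words}


def tokenize_ocr(text):
    tokens = []
    for raw in re.findall(r"[a-z0-9]+", text.lower()):
        if raw.isdigit():
            continue  # drop list numbering such as "1." or "12)"
        tokens.append(raw.translate(OCR_FIXES))
    return tokens


def find_seed_phrases(text, words, min_run=12):
    """Return runs of consecutive dictionary words long enough to be a mnemonic."""
    index = build_index(words)
    candidates, run = [], []

    def flush():
        if len(run) >= min_run:
            candidates.append({
                "words": list(run),
                "length_is_valid": len(run) in VALID_PHRASE_LENGTHS,
            })
        run.clear()

    for tok in tokenize_ocr(text):
        word = index.get(tok[:4])
        if word is None:
            flush()  # a non-dictionary word ends the current run
        else:
            run.append(word)
    flush()
    return candidates


# Constructed sample of what an OCR engine might return for a wallet screenshot.
SAMPLE_OCR_TEXT = (
    "Recovery phrase - write it down:\n"
    "1. abandon 2. abi1ity 3. ab1e 4. about 5. ab0ve 6. absent\n"
    "7. absorb 8. abstract 9. absurd 10. abuse 11. access 12. accident\n"
    "Keep this safe!"
)

if __name__ == "__main__":
    for cand in find_seed_phrases(SAMPLE_OCR_TEXT, SAMPLE_BIP39_WORDS):
        print(len(cand["words"]), cand["length_is_valid"], " ".join(cand["words"]))
```

A run whose length is not one of the valid mnemonic lengths is still reported, since surrounding prose can contribute a stray dictionary word; a full implementation would also verify the BIP-39 checksum to separate a genuine phrase from a coincidental string of common English words.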

Another update to Rhadamanthys, uncovered by Recorded Future, improves its evasion. The malware masquerades as legitimate software delivered through MSI installers, which lets attackers slip past conventional detection systems that do not flag MSI files as malicious.

Given the upgrades to the info stealer and the novel phishing lures, Check Point researchers concluded,

The campaign’s widespread and indiscriminate targeting of organizations across multiple regions suggests it was orchestrated by a financially motivated cybercrime group rather than a nation-state actor. Its global reach, automated phishing tactics, and diverse lures demonstrate how attackers continuously evolve to improve their success rates.



About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.
