Check Point security experts recently warned about fake copyright claims being used to spread the Rhadamanthys stealer malware.
Stealer malware is designed to infiltrate computers and steal sensitive data. Once installed, it connects to a command-and-control server, allowing attackers to steal saved passwords and browser cookies.
Rhadamanthys Stealer
A phishing campaign called “CopyRh(ight)adamantys” is using spam and the Rhadamanthys Stealer malware to steal sensitive data.
Threat actors have shifted tactics, impersonating legitimate companies and accusing targets of copyright infringement on social media platforms like Facebook. They create fake Gmail accounts posing as company lawyers, sending tailored emails demanding the removal of specific images and videos.
These emails carry attachments containing instructions to install a supposed new version of Rhino software; what actually gets installed on the system is the Rhadamanthys stealer malware.
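The lure described above has a recognisable shape: a free webmail sender claiming to be a company's lawyer, copyright wording, a demand to remove content, and an attachment that asks the recipient to install software. The following Python triage heuristic is an added example, not Check Point's code or tooling; the indicator lists, thresholds and the two sample emails are constructed here for illustration and would need tuning for a real mail gateway.

```python
"""Heuristic triage for copyright-claim phishing lures (added example, not Check Point code)."""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed indicator lists derived from the lure described in the article.
FREEMAIL_DOMAINS = {"gmail.com", "googlemail.com", "outlook.com", "yahoo.com"}
LEGAL_TERMS = ("copyright infringement", "copyright violation", "legal representative",
               "lawyer", "attorney", "cease and desist")
REMOVAL_TERMS = ("remove the", "take down", "delete the")
INSTALL_TERMS = ("install", "new version", "update your", "download")
RISKY_EXT = (".zip", ".rar", ".7z", ".exe", ".msi", ".scr", ".lnk")
REVIEW_THRESHOLD = 5  # assumed cut-off; tune against your own mail volume


@dataclass
class Email:
    sender: str
    subject: str
    body: str
    attachments: list[str] = field(default_factory=list)


def sender_domain(addr: str) -> str:
    """Return the lower-cased domain part of an e-mail address."""
    return addr.rsplit("@", 1)[-1].lower()


def score_email(msg: Email) -> tuple[int, list[str]]:
    """Score an e-mail against the lure pattern; higher means more suspicious."""
    text = f"{msg.subject}\n{msg.body}".lower()
    score, reasons = 0, []

    legal = any(term in text for term in LEGAL_TERMS)
    if legal:
        score += 2
        reasons.append("legal/copyright claim wording")
    # A company's legal department writing from a free webmail account is the key tell.
    if legal and sender_domain(msg.sender) in FREEMAIL_DOMAINS:
        score += 2
        reasons.append("legal claim sent from a free webmail account")
    if any(term in text for term in REMOVAL_TERMS):
        score += 1
        reasons.append("demand to remove content")
    if any(term in text for term in INSTALL_TERMS):
        score += 2
        reasons.append("asks recipient to install or download software")
    risky = [a for a in msg.attachments if a.lower().endswith(RISKY_EXT)]
    if risky:
        score += 2
        reasons.append("risky attachment type: " + ", ".join(risky))
    return score, reasons


def triage(msg: Email) -> str:
    """Return 'review' for messages that should be held for an analyst, else 'allow'."""
    score, _ = score_email(msg)
    return "review" if score >= REVIEW_THRESHOLD else "allow"


# Constructed sample messages (not real campaign artefacts).
SAMPLE_LURE = Email(
    sender="legal.dept.examplemedia@gmail.com",
    subject="Copyright infringement notice",
    body=("I am the legal representative of Example Media Ltd. Your Facebook page uses "
          "our images without permission. Remove the images within 48 hours. The evidence "
          "and instructions are attached; to open them, install the new version of the "
          "viewer software."),
    attachments=["copyright_evidence.zip"],
)
SAMPLE_BENIGN = Email(
    sender="anna@partner.example",
    subject="Q3 images for the campaign",
    body="Attached are the approved photos. Let me know if the captions need changes.",
    attachments=["photos.pdf"],
)

if __name__ == "__main__":
    for sample in (SAMPLE_LURE, SAMPLE_BENIGN):
        score, reasons = score_email(sample)
        print(f"{sample.sender}: {triage(sample)} (score {score}) {reasons}")
```

The scoring deliberately weights the combination of a legal claim with a free webmail sender, since either signal alone is common in legitimate mail; an analyst reviewing a held message sees the list of reasons rather than a bare score.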
Although advertised as AI-powered, the malware mainly relies on standard machine learning techniques typically found in OCR software, not true AI engines.
The attackers might be using AI tools to automate the creation of Gmail accounts and to craft targeted phishing emails. This automation allows them to reach both local and English-speaking victims with emails that appear personalized.
However, some mistakes reveal limitations—for instance, an email intended for an Israeli target was mistakenly written in Korean instead of Hebrew, with only the recipient’s name correctly localized. This suggests a degree of automation but with occasional missteps in language targeting.
Check Point Research aims to raise awareness and help organizations defend against this advanced phishing campaign.
This campaign targets a wide range of industries, with a particular focus on entertainment, media, technology, and software sectors. The Rhadamanthys malware has shown a broad reach, affecting organizations in the United States, Europe, the Middle East, East Asia, and South America.
Researchers believe this campaign is likely led by a financially motivated threat group rather than a nation-state, given its broad scope and use of off-the-shelf malware.
Copyright-holding companies were often impersonated in these phishing schemes, since their names make such claims easy for attackers to stage convincingly.
While current findings mainly involve Check Point's clients, the high volume of fake emails suggests this campaign could be part of a larger operation with potentially serious consequences. Businesses are advised to adopt comprehensive security measures to defend against these evolving phishing tactics.