
Uncovering a Large-Scale Campaign Using the Latest Version of The Rhadamanthys Stealer: Rhadamanthys 0.7

Executive Summary:

Check Point Research recently identified a large-scale phishing campaign using a new version of the infamous Rhadamanthys Stealer, a sophisticated malware designed to extract data from infected machines. The attackers masquerade as various legitimate companies, alleging that victims have committed copyright infringements on their personal Facebook pages. The emails are sent from fabricated Gmail accounts posing as these well-known companies, with the sender address and language customized for each target to inform the victim of their supposed copyright violation.

In this blog, we explore the phishing campaign, the tactics employed by the attackers, and the updates introduced in the latest version of Rhadamanthys.

Check Point Research Tracks the Use of Rhadamanthys

Throughout 2024, Check Point Research has been monitoring the activities of various threat actors utilizing the Rhadamanthys stealer. Notably, the stealer was used by threat actors Void Manticore, an Iranian group operating in regions like Israel and Albania. In one instance tied to Handala, a hacktivist group linked to Void Manticore, the stealer was distributed under the guise of a software update.

In July 2024, Check Point Research identified a new cluster of activity using an updated version of Rhadamanthys—Rhadamanthys 0.7.

The Malware Attack

The newly identified cluster is characterized by spear-phishing emails from Gmail accounts, allegedly from well-known companies claiming supposed copyright violations. These emails, which appear to come from the legal representatives of the impersonated companies, accuse the recipient of misusing their brand on the target’s social media page and request the removal of specific images and videos. The removal instructions direct recipients to download a file, which triggers the infection and installs the latest version of the Rhadamanthys stealer.

Copyright campaign infection chain
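As an added illustration of the sender and lure pattern described above (this is example triage code, not code from the original post or from Check Point), the following Python heuristic flags messages whose display name claims a company but whose sending domain is a consumer webmail service, and whose subject or body carry a copyright claim together with a download instruction. The webmail domain list, the keyword vocabulary, the scoring threshold and the two sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed list of consumer webmail domains; a corporate "legal notice" sent from one
# of these is the sender pattern the campaign description gives.
FREE_MAIL_DOMAINS = {"gmail.com", "googlemail.com"}

# Constructed vocabulary for the copyright-infringement lure and the download step.
LURE_TERMS = ("copyright", "infringement", "trademark", "unauthorized use")
DOWNLOAD_TERMS = ("download", "attached", "follow the link")
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


def _body_text(msg) -> str:
    """Collect the text/plain parts of a parsed message (multipart or not)."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def score_email(raw: str) -> dict:
    """Return the indicators found in one raw RFC 5322 message plus an overall verdict.

    Simplified, added triage logic for illustration; not a vendor detection engine.
    """
    msg = message_from_string(raw)
    display_name, address = parseaddr(msg.get("From", ""))
    domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    text = (msg.get("Subject", "") + "\n" + _body_text(msg)).lower()

    # The display name names an organisation that does not appear in the sending domain.
    name_tokens = [t for t in re.findall(r"[a-z]+", display_name.lower()) if len(t) > 2]
    brand_mismatch = bool(name_tokens) and not any(t in domain for t in name_tokens)

    indicators = {
        "freemail_sender": domain in FREE_MAIL_DOMAINS,
        "brand_mismatch": brand_mismatch,
        "copyright_lure": any(term in text for term in LURE_TERMS),
        "download_instruction": bool(URL_RE.search(text))
        and any(t in text for t in DOWNLOAD_TERMS),
    }
    hits = sum(indicators.values())
    # Threshold is an assumption: three of four indicators is treated as suspicious.
    return {"indicators": indicators, "hits": hits, "suspicious": hits >= 3}


# Constructed sample messages (not real campaign artefacts).
LURE_SAMPLE = """\
From: "Acme Studios Legal Department" <acme.studios.legal.2024@gmail.com>
To: owner@example.com
Subject: Copyright infringement notice for your Facebook page

Our client Acme Studios has identified unauthorized use of its protected media
on your page. Download the attached evidence file from https://example.invalid/case
and remove the listed images and videos within 24 hours.
"""

LEGIT_SAMPLE = """\
From: "Acme Studios Legal" <legal@acme-studios.example>
To: owner@example.com
Subject: Follow-up on our licensing call

Thanks for your time today. The signed agreement is in our shared folder.
"""

if __name__ == "__main__":
    for label, sample in (("lure", LURE_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(label, score_email(sample))
```

The brand-mismatch check is deliberately coarse: it only asks whether any word of the display name appears in the sending domain, which is enough to separate "Acme Studios Legal <legal@acme-studios.example>" from the same display name on a Gmail address. In production this would sit beside SPF/DKIM alignment checks rather than replace them.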

The Use of AI

According to the stealer’s author, the new version includes sophisticated features, including AI engines. However, upon investigation, Check Point Research determined that the malware does not use modern AI engines but much older classic machine learning, typical for OCR (optical character recognition) software.

Interestingly, the attackers likely use automated tools, possibly with AI enhancements, to generate the phishing content and the numerous Gmail accounts required. While most communications are in the recipient’s local language or English, inaccuracies occur—one email directed at an Israeli target was mistakenly written in Korean instead of Hebrew, with only the victim’s name accurately localized.

Phishing email written in Korean mistakenly sent to a target in Israel.

A Global Reach

At the same time that Check Point Research discovered the phishing campaign, Check Point itself received reports of phishing lures mimicking Check Point-branded emails, indicating further deployment of Rhadamanthys.

The phishing email purports to be from Check Point.

The campaign demonstrates a vast geographic reach, affecting targets across the U.S., Europe, the Middle East, East Asia, and South America. Our observations, however, are limited to our customers who were targeted by the campaign, leading us to believe that this may be part of a much larger operation with potentially far-reaching consequences.

Map of targeted countries according to Check Point’s telemetry.

An alarming aspect of this campaign is the sheer volume of impersonated emails. Our research identified hundreds of phishing attempts targeting various organizations, each email sent from a different address to a different contact. Nearly 70% of impersonated companies were within the entertainment, media, technology, and software sectors. This is possibly because those sectors have a high online presence and are more likely than others to send such requests. These high-profile sectors also have frequent copyright-related communications, making such phishing attempts appear more credible.

The Attacker Behind CopyRh(ight)adamantys Campaign

Although Rhadamanthys was previously linked to nation-state threat actors, our analysis indicates that a cybercrime group is likely behind this CopyRh(ight)adamantys campaign. Several factors support this conclusion: the campaign’s broad scope and the use of malware from underground forums point to financial gain as the primary motive rather than espionage or political influence. The campaign also lacks the selectivity usually seen in state-sponsored operations, which typically target high-value assets such as government agencies or critical infrastructure.

Conclusion

As we continue to analyze this large-scale phishing campaign, it’s clear that the theme of copyright infringement serves as an effective lure for spreading the Rhadamanthys info stealer because the topic is credible to recipients. The methods employed in this campaign raise serious concerns about the evolving landscape of phishing threats.

Integrating Check Point’s Threat Emulation, Harmony Endpoint, and Harmony Email and Collaboration offers robust protection against cyber threats. These solutions effectively safeguard organizations from potential breaches and data compromise by delivering thorough coverage of attack tactics and file types and ensuring high-level endpoint security. With comprehensive inline protection against malicious emails, businesses can operate with greater confidence, knowing that their security measures are well-equipped to handle emerging threats.

Check Point customers remain protected from Rhadamanthys stealer with the following protections:

Threat Emulation

Harmony Endpoint

For a step-by-step technical review of the phishing campaign, read Check Point Research’s comprehensive report.
