Fake Copyright Infringement Emails Spread Rhadamanthys

Published: 23/11/2024   Category: security

Attackers are triggering victims' deep-seated fear of getting in trouble in order to spread the sophisticated stealer across continents.

Hundreds of companies worldwide have been targeted with spear-phishing emails claiming copyright infringement that actually deliver an infostealer.
Starting in July, Check Point Research began to track the emails as they spread across the Americas, Europe, and Southeast Asia, coming from a new domain each time. Hundreds of its customers have been targeted, indicating that the real reach of the campaign may be far greater still.
The goal of the emails is to bait guilt-riddled victims into downloading Rhadamanthys, a sophisticated infostealer equally capable of pilfering nation-state intelligence or, in this case, cryptocurrency wallet passphrases.
No two emails in the campaign that researchers have dubbed CopyR(ight)hadamantys come from the same address, indicating that there must be some kind of automation behind their distribution. This automation proves awkward in some circumstances — like when an Israeli target receives an email almost entirely in Korean — and limits the emails' ability to realistically impersonate known brands.
Each one is made to seem as if it came from legal representatives of specific, known companies. Nearly 70% of those companies come from either technology — like Check Point itself — or from media and entertainment industries.
The profile of impersonated brands weaves in neatly with the story the attackers peddle: that recipients have posted some sort of content on social media that violated a copyright. "I assume everyone has done it to some degree in his life," says Sergey Shykevich, threat intelligence group manager at Check Point. "It just makes people hesitate and think, 'Oh, did I use some wrong image? Did I copy some text [by accident]?' Even if you didn't."
Recipients are asked to remove specific images and videos, the details of which are contained in a password-protected file. The file is actually a link that redirects the user to download an archive from Dropbox or Discord. The archive contains a decoy document, a legitimate executable, and a malicious dynamic link library (DLL) containing the Rhadamanthys stealer.
Rhadamanthys is a popular and accomplished information stealer. As Shykevich explains, "It's without any doubt the most sophisticated of those infostealers which are sold as commodity malware in the Dark Web." It's more expensive than other infostealers: "Mostly you'll rent other infostealers from between $100 to $200. Rhadamanthys is more, around $1,000." It's much more modular, more obfuscated, and more complicated in how it's built: "The way it loads itself, hides itself, all this makes detection much more complicated."
Among other features, the newest Rhadamanthys version 0.7 sports a slightly archaic machine-learning-based optical character recognition (OCR) component. It's hardly advanced artificial intelligence (AI) — it struggles with text in mixed colors, can't read handwriting, and only interprets the most popular fonts. Nonetheless, it helps the malware read data from static documents (like PDFs) and images.
In CopyR(ight)hadamantys, the OCR module comes loaded with a dictionary of 2,048 words associated with Bitcoin wallet protection codes. This might suggest that the attackers are after cryptocurrencies, which, if true, would also align with the campaign's broad targeting, characteristic of financially motivated campaigns. In recent months, Rhadamanthys has also been associated with nation-state threat actors like Iran's
Void Manticore, and the pro-Palestine group Handala.
Organizations looking to defend against CopyR(ight)hadamantys should start with phishing protections, but there's another quirk of the campaign worth noting as well.
After making landfall, the malicious DLL writes a significantly larger version of itself to the victim computer's Documents folder, masquerading as a component of Firefox. This version of the file is functionally equivalent to the first. What makes it so much heavier is an overlay — useless data that serves two meta-functions. First, it changes the file's hash value, a common means by which antivirus programs identify malware.
Some antivirus programs also avoid scanning extra large files. "For example, they don't want to run files associated with games, with a huge number of gigabytes, because it makes for an intense load," Shykevich explains. By this logic, an otherwise uselessly larger Rhadamanthys file might improve its chances of avoiding detection. Though, he adds, "It's not extremely common because it's also not convenient for the attackers to deal with huge files. With some email solutions, you can't attach files more than 20MB, so you need to send the victim to some external resource. So it's a tactic, but it's not some crazy tactic that always works."
Organizations might want to sniff out any particularly large files that employees may be downloading from emails. "It's not easy, because there are many reasons why some legitimate files will be big," he says. "But I think it's possible to implement some [effective] rules for what you can download."
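A defensive check for the overlay trick described above, added here as an example (not Check Point's code nor anything from the campaign): it reads the PE section table to measure how much data trails the last section, hashes only the part before the overlay so that padding no longer changes the hash, and flags files whose overlay exceeds a threshold. The 1 MB threshold and the constructed minimal PE used as sample input are assumptions.

```python
import hashlib
import struct

# Hypothetical alert threshold: an overlay beyond this size is suspicious.
OVERLAY_WARN_BYTES = 1 * 1024 * 1024

def pe_overlay_offset(data: bytes) -> int:
    """Offset where the overlay starts: the end of the last section's raw
    data, or of the section table if no section reaches further."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4  # COFF header: NumberOfSections at +2, SizeOfOptionalHeader at +16
    num_sections, size_opt = struct.unpack_from("<H12xH", data, coff + 2)
    sec = coff + 20 + size_opt  # section table follows the optional header
    end = sec + 40 * num_sections
    for i in range(num_sections):  # SizeOfRawData at +16, PointerToRawData at +20
        raw_size, raw_ptr = struct.unpack_from("<II", data, sec + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)
    return min(end, len(data))

def overlay_size(data: bytes) -> int:
    return len(data) - pe_overlay_offset(data)

def file_sha256(data: bytes) -> str:
    """Whole-file hash: changes whenever the overlay is altered."""
    return hashlib.sha256(data).hexdigest()

def content_sha256(data: bytes) -> str:
    """Hash of the PE without its overlay: stable across padding."""
    return hashlib.sha256(data[:pe_overlay_offset(data)]).hexdigest()

def is_padded_pe(data: bytes, threshold: int = OVERLAY_WARN_BYTES) -> bool:
    return overlay_size(data) >= threshold

def build_sample_pe(overlay: bytes) -> bytes:
    """Constructed minimal PE layout (not a real binary) with one section."""
    e_lfanew, size_opt, raw_ptr, raw_size = 0x40, 0xE0, 0x200, 0x200
    sec = e_lfanew + 4 + 20 + size_opt  # first section header offset
    hdr = bytearray(raw_ptr)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    hdr[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<HH12xH", hdr, e_lfanew + 4, 0x14C, 1, size_opt)
    hdr[sec:sec + 8] = b".text\0\0\0"
    struct.pack_into("<II", hdr, sec + 16, raw_size, raw_ptr)
    return bytes(hdr) + b"\xcc" * raw_size + overlay
```

Run against files downloaded from mail links, `content_sha256` lets an indicator match survive the padding, and `is_padded_pe` gives a simple rule for the oversized-file pattern the article describes.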
