
Spread of Fake Copyright Infringement Emails Involving Rhadamanthys


A widespread spear-phishing email campaign has been targeting hundreds of companies globally, exploiting fears of copyright infringement to deliver a dangerous infostealer. Check Point Research has been diligently tracking these malicious emails since July as they spread across the Americas, Europe, and Southeast Asia, with each email originating from a unique domain. While hundreds of customers have already been affected, the true scope of this campaign could be much larger.

The main objective of these deceptive emails is to lure recipients into downloading Rhadamanthys, a sophisticated infostealer capable of stealing sensitive information ranging from nation-state intelligence to cryptocurrency wallet passphrases. The emails, which researchers have dubbed “CopyR(ight)hadamantys,” are cleverly designed to appear as if they are legitimate communications from legal representatives of well-known companies. Nearly 70% of the impersonated brands belong to the technology or media and entertainment industries, aligning with the narrative that recipients have allegedly violated copyright laws on social media.

Recipients of these emails are instructed to remove specific content that supposedly infringes copyright, with detailed instructions provided in a password-protected file. However, this file actually contains a link that redirects users to download an archive from platforms like Dropbox or Discord. Within this archive lies a decoy document, a legitimate executable, and a malicious dynamic link library (DLL) housing the Rhadamanthys infostealer.

Rhadamanthys is a highly sophisticated and costly information stealer that stands out in the realm of commodity malware. Priced at around $1,000 on the Dark Web, it offers modular functionality, advanced obfuscation techniques, and intricate self-hiding mechanisms that make it challenging to detect. The latest version of Rhadamanthys includes an optical character recognition (OCR) component, albeit with limitations, to extract data from static documents and images.

The presence of a Bitcoin wallet protection code dictionary within the OCR module suggests that the attackers may be targeting cryptocurrencies, aligning with the financially motivated nature of the campaign. Moreover, Rhadamanthys has previously been associated with nation-state threat actors like Iran’s Void Manticore and pro-Palestine group “Handala.”

A unique stealth feature of the campaign involves the malicious DLL creating a larger duplicate of itself in the victim’s Documents folder, disguised as a Firefox component. This oversized file includes “overlay” data to alter the file’s hash value and potentially evade antivirus detection. While this tactic may help evade certain security measures, it is not foolproof and comes with logistical challenges for the attackers.

Organizations facing threats from CopyR(ight)hadamantys are advised to bolster their phishing defenses and monitor for unusually large files downloaded by employees. Implementing rules for file downloads based on size could help mitigate the risk of falling victim to such malicious campaigns. Stay vigilant and stay informed to protect your assets from the ever-evolving landscape of cyber threats.
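The two preceding points, the DLL's appended "overlay" bytes that change the file hash without changing the executable image, and the advice to watch for unusually large downloads, can be checked with a small PE parser. The following is an added example, not Check Point's tooling or the campaign's code: it builds a constructed minimal PE layout in memory (no real sample is embedded), measures how many bytes sit beyond the last section as declared in the headers, and hashes only the image portion so that padded and unpadded copies of the same DLL produce the same digest. The `max_overlay` and `max_size` thresholds are assumed placeholders; the article gives no figures.

```python
"""Overlay-padding detection for PE files (added example).

Parses only the headers needed to find where the last section ends,
then treats anything after that as overlay. Hashing data[:image_end]
gives a digest that survives the hash-altering padding described above.
"""
import hashlib
import struct


def _pe_image_end(data: bytes) -> int:
    """Offset just past the last section's raw data (or past the section
    table if no section has raw data). Raises ValueError for non-PE input."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    size_opt = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    sec_table = e_lfanew + 24 + size_opt  # signature + COFF header + optional header
    end = sec_table + 40 * num_sections
    for i in range(num_sections):
        off = sec_table + 40 * i
        size_raw, ptr_raw = struct.unpack_from("<II", data, off + 16)
        end = max(end, ptr_raw + size_raw)
    return end


def overlay_size(data: bytes) -> int:
    """Bytes appended after the PE image (0 for a clean build)."""
    return max(0, len(data) - _pe_image_end(data))


def stripped_sha256(data: bytes) -> str:
    """SHA-256 of the image with any overlay removed."""
    return hashlib.sha256(data[:_pe_image_end(data)]).hexdigest()


def full_sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def assess(data: bytes, max_overlay: int = 1024 * 1024,
           max_size: int = 50 * 1024 * 1024) -> list:
    """Return human-readable reasons a downloaded file deserves a look.
    Thresholds are assumed values, not figures from the report."""
    reasons = []
    if len(data) > max_size:
        reasons.append(f"file size {len(data)} exceeds limit {max_size}")
    try:
        ov = overlay_size(data)
    except ValueError:
        return reasons  # not a PE file; size rule still applies
    if ov > max_overlay:
        reasons.append(f"overlay of {ov} bytes beyond last section")
    return reasons


def build_sample_pe(section_bytes: bytes, overlay: bytes = b"") -> bytes:
    """Constructed minimal PE32+ layout with one section (headers only,
    not executable), used here as test input in place of a real sample."""
    opt_size = 240
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, opt_size, 0x2022)
    opt = struct.pack("<H", 0x20B) + b"\0" * (opt_size - 2)
    raw_ptr = 0x200
    sec = b".text\0\0\0" + struct.pack(
        "<IIIIIIHHI", len(section_bytes), 0x1000, len(section_bytes),
        raw_ptr, 0, 0, 0, 0, 0x60000020)
    header = dos + coff + opt + sec
    header += b"\0" * (raw_ptr - len(header))
    return header + section_bytes + overlay


if __name__ == "__main__":
    clean = build_sample_pe(b"\x90" * 300)
    padded = build_sample_pe(b"\x90" * 300, overlay=b"\0" * 5000)
    print("overlay:", overlay_size(padded), "bytes")
    print("same stripped hash:", stripped_sha256(clean) == stripped_sha256(padded))
    print("reasons:", assess(padded, max_overlay=1024))
```

Run over a real download directory, the same logic would read each file with `open(path, "rb")` and pass the bytes to `assess`; the stripped hash is what to feed into a blocklist or threat-intel lookup, since the full-file hash is exactly the value the padding is meant to change.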
