Check Point Research has uncovered a sophisticated phishing campaign that uses a newly updated version of the Rhadamanthys Stealer, a notorious malware that steals sensitive data from infected systems.
The campaign, identified as “Rhadamanthys.07,” deceives victims through emails that appear to come from well-known companies, alleging copyright infringement on social media.
New Phishing Tactics and AI-Enhanced Techniques
In this campaign, attackers pose as legal representatives from respected brands, sending emails through fake Gmail accounts that accuse recipients of brand misuse on social platforms. These emails, personalized to each target, urge the recipient to download a file to remove the offending content, which, in reality, installs the latest version of the Rhadamanthys malware.
While the malware’s creators claim to use artificial intelligence, Check Point Research found that the malware relies on basic machine learning algorithms common in optical character recognition (OCR) rather than advanced AI.
However, it is suspected that AI or automated tools are used to create convincing phishing content and manage the numerous Gmail accounts required for the campaign. Most emails are customized in the recipient’s language, although occasional errors indicate machine translation—one email intended for an Israeli user was mistakenly written in Korean.
Global Impact and Targeted Sectors
The phishing campaign has impacted individuals and entities across the US, Europe, the Middle East, East Asia, and South America. Check Point’s findings reveal that the attackers have impersonated hundreds of companies, primarily in sectors like entertainment, media, technology, and software. These industries, with their high online presence and frequent copyright-related communications, make such phishing attempts appear credible.
As Check Point gathered evidence, the company itself was targeted by a phishing email that impersonated a Check Point-branded message, indicating the widespread reach of this campaign.
Who’s Behind CopyRh(ight)adamantys?
While Rhadamanthys has previously been linked to nation-state actors, Check Point Research suggests that this campaign, dubbed “CopyRh(ight)adamantys,” is more likely driven by a financially motivated cybercrime group. The broad scope, high volume, and commercial malware used suggest that this operation aims at financial gain rather than political or espionage goals.
Sergey Shykevich, threat intelligence group manager at Check Point Software, said, “This discovery of the CopyRh(ight)adamantys campaign reveals not only the evolving sophistication of cyber threats but also highlights how cybercriminals are leveraging AI for marketing purposes and use automation to enhance their reach and operational scale. For security leaders, it’s a wake-up call to prioritize automation and AI in defense strategies to counteract these globally scaled, financially motivated phishing campaigns.”
An ounce of prevention
To help protect against phishing attacks, consider these general security practices:
- Be Cautious with Unsolicited Emails: Avoid clicking on links or downloading attachments from unknown or unexpected sources, especially emails claiming urgent action is required.
- Verify the Sender’s Identity: Check the sender’s email address carefully for slight misspellings or inconsistencies, and contact the company directly if an email seems suspicious.
- Use Multi-Factor Authentication (MFA): Adding an extra layer of security, like MFA, can protect accounts even if credentials are compromised.
- Educate and Train Employees: Conduct regular security awareness training to help employees recognize phishing attempts and respond appropriately.
- Enable Anti-Phishing and Anti-Malware Tools: Use email filters, endpoint security, and network monitoring to detect and block phishing threats before they reach users.
- Keep Software and Systems Updated: Regularly update all software, including security patches, to close any vulnerabilities that attackers could exploit.
- Review URLs Carefully: Always hover over links to preview URLs, and ensure they point to legitimate websites before clicking.
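The "verify the sender's identity" advice above can be partly automated. The script below is an added example written for this article, not code from Check Point Research or any product it mentions: it triages an inbound message by checking whether the display name claims a brand or a legal role while the actual mailbox sits on a free webmail domain (the pattern this campaign relies on), and whether the text applies copyright pressure to push a download. The brand list, the freemail list and the three sample messages are constructed for illustration and would be replaced by an organisation's own inventory.

```python
"""Heuristic triage for brand-impersonation phishing (added example).

Flags messages whose display name claims a brand or legal role while the
sending mailbox is on a free webmail domain, and whose text uses a
copyright/takedown pretext to push a file download. All lists and sample
messages are constructed for illustration.
"""
import re
from email.utils import parseaddr

# Assumed lists; a real deployment sources these from its own brand
# inventory and a maintained freemail-provider list.
FREEMAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com", "proton.me"}
WATCHED_BRANDS = {"acme", "contoso", "globex"}  # constructed brand names
LEGAL_TERMS = re.compile(
    r"\b(legal|copyright|infringement|takedown|dmca|counsel)\b", re.I)
DOWNLOAD_TERMS = re.compile(
    r"\b(download|attached|archive|remove the (?:content|material))\b", re.I)
RISKY_EXT = (".zip", ".rar", ".7z", ".exe", ".scr", ".iso")


def triage(msg: dict) -> dict:
    """Return the triggered indicators and a verdict for one message.

    msg keys: "from" (raw From header), "subject", "body",
    "attachments" (list of filenames).
    """
    display, addr = parseaddr(msg.get("from", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    text = f"{msg.get('subject', '')}\n{msg.get('body', '')}"
    name_tokens = set(re.findall(r"[a-z]+", display.lower()))

    indicators = []
    # Display name invokes a watched brand but the mailbox is free webmail:
    # a legitimate legal department does not write from Gmail.
    if name_tokens & WATCHED_BRANDS and domain in FREEMAIL_DOMAINS:
        indicators.append("brand_name_on_freemail")
    if LEGAL_TERMS.search(text):
        indicators.append("legal_pressure")
    if DOWNLOAD_TERMS.search(text):
        indicators.append("download_lure")
    if any(a.lower().endswith(RISKY_EXT) for a in msg.get("attachments", [])):
        indicators.append("risky_attachment")

    if "brand_name_on_freemail" in indicators and (
            "legal_pressure" in indicators or "download_lure" in indicators):
        verdict = "high"
    elif len(indicators) >= 2:
        verdict = "medium"
    else:
        verdict = "low"
    return {"sender_domain": domain, "indicators": indicators, "verdict": verdict}


# Constructed sample messages (not real campaign artefacts).
SAMPLES = [
    {
        "from": "Acme Legal Department <acme.legal.team@gmail.com>",
        "subject": "Copyright infringement notice",
        "body": ("Your social media page uses our material without permission. "
                 "Download the attached archive and remove the content within 24 hours."),
        "attachments": ["evidence.zip"],
    },
    {
        "from": "Legal <legal@acme.example>",
        "subject": "Q3 contract renewal",
        "body": "Please review the renewal terms in the portal when convenient.",
        "attachments": [],
    },
    {
        "from": "Bob <bob@gmail.com>",
        "subject": "Trip photos",
        "body": "Download the attached zip when you get a chance.",
        "attachments": ["trip.zip"],
    },
]


def triage_all(msgs=SAMPLES) -> list:
    """Triage a batch and return one result dict per message."""
    return [triage(m) for m in msgs]


if __name__ == "__main__":
    for m, r in zip(SAMPLES, triage_all()):
        print(f"{r['verdict']:6} {m['from']:50} {r['indicators']}")
```

The freemail check is the load-bearing indicator here: keyword matches alone would flag an ordinary personal email with a zip attachment as "medium", which is why the verdict only reaches "high" when the brand-on-webmail mismatch combines with legal or download pressure. Tune the lists and thresholds to local mail flow before acting on the output.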
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.