“Cybercriminals Exploit Copyright Infringement Phishing to Distribute Infostealers”

Cisco Talos uncovered a targeted phishing campaign against Facebook business and advertising account users in Taiwan that uses legal-themed, Traditional Chinese lures to trick victims into downloading encrypted archives which unpack fake PDF executables. The threat actor delivers LummaC2 and Rhadamanthys information stealers via Appspot short links and Dropbox, using large-resource padding, shellcode encryption, code obfuscation, registry persistence and process injection to evade detection. #LummaC2 #Rhadamanthys

Keypoints

  • Campaign targets Facebook business/advertising account users in Taiwan using Traditional Chinese decoy emails that impersonate legal departments.
  • Malicious download chain abuses Google Appspot domains, a short URL service, and Dropbox to redirect victims and fetch encrypted RAR archives.
  • Payloads are fake PDF-named executables that deploy LummaC2 or Rhadamanthys information stealers, sometimes embedding stealers into legitimate binaries.
  • Threat actor uses multiple evasion techniques: code obfuscation, shellcode encryption, resource padding (files >700 MB), and sandbox/AV evasion.
  • Rhadamanthys loader abuses the .rsrc section, copies itself to a lumuiUpdater folder, writes a Run registry key (“sausageLoop”) for persistence, and injects into dialer.exe.
  • LummaC2 loader maps and executes decrypted shellcode in memory and communicates with multiple C2 domains (observed via DNS request graphs).

MITRE Techniques

  • [T1566] Phishing – Uses tailored phishing emails in Traditional Chinese to deliver malware download links: ‘Talos has observed an unknown threat actor conducting a phishing campaign targeting Facebook business and advertising account users in Taiwan.’
  • [T1071] Command and Control – Maintains communication with compromised hosts via multiple C2 domains and HTTP POSTs: ‘We also discovered that the actor is using multiple command and control (C2) domains in the campaign.’
  • [T1027] Obfuscated Files or Information – Employs code obfuscation and shellcode encryption to hinder analysis and detection: ‘Talos also observed the threat actor using multiple techniques to evade antivirus detection and sandbox analysis, such as code obfuscation, shellcode encryption…’
  • [T1022] Data Encrypted – Conceals malicious payloads inside encrypted archives and encrypted program blocks: ‘The malicious RAR file… requires a specific password to extract it, revealing a fake PDF executable malware and an image printing file.’
  • [T1003] Credential Dumping – Stealers collect user credentials and other sensitive data and send them back to C2: ‘it will execute the embedded LummaC2 or Rhadamanthys information stealer, which then collects the victim’s credentials and data, sending them back to the C2 server.’
  • [T1547] Persistence – Adds a Run key to the Windows registry to execute at startup: ‘It writes an entry to “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run” and key name value “sausageLoop”…’

Indicators of Compromise

  • [Domains] delivery and redirect infrastructure – appspot.com (Google App Engine redirector), dropbox.com (final host for malicious archives)
  • [File names] decoy/executable names used as social-engineering lures – IMAGE COPYRIGHTED.exe, [Redacted] Online – declare infringement.exe
  • [File path] persisted loader location – C:\Users\[user]\Documents\lumuiUpdater\ffUpdaar.exe
  • [Registry] startup persistence – HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\sausageLoop
  • [Mutexes] single-instance coordination used by Rhadamanthys – Global\MSCTF.Asm.{04fb3f26-9d18-66b5-6862-7b8a85e4b620}, Session1\MSCTF.Asm.{04fb3f26-9d18-66b5-6862-7b8a85e4b620}, and 7 more mutex names
  • [Build IDs / Alert artifacts] LummaC2 identifiers – sTDsFx–Socks, iAlMAC–ghost
  • [Snort SIDs / IOCs repo] detection and IOCs – Snort SIDs 64167-64169; full IOC list available on Talos GitHub (and 1 more source)

Cisco Talos began tracking this campaign at least as early as July 2024 and found the threat actor specifically focused on Facebook accounts used for business or advertising in Taiwan. Attackers crafted phishing emails in Traditional Chinese and used legal-sounding claims of copyright infringement to pressure page administrators into clicking download links. The message templates and fake PDF filenames impersonated company legal departments and even referenced well-known Taiwanese technology and media firms, indicating prior research to increase the lure’s credibility. Two observed phishing examples pretended to be notices from an industrial motor manufacturer and a large online shopping store, demanding removal of alleged infringing content within 24 hours and threatening legal action for non-compliance.

The delivery chain intentionally chains cloud services to evade defenders: the victim first hits an appspot.com URL, which redirects through a third-party shortener and ultimately to a Dropbox-hosted encrypted RAR archive. Those RARs require a specific password to unpack; once extracted they typically include a fake PDF-named executable and an EPS image file. Talos pivoted on EPS metadata and found the same image hosted on a Vietnamese-language site, though there was no strong evidence the actor originated from that region. Some RARs also contained an additional DLL, but many archives remained encrypted and unanalyzable without the correct password.
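A defender reviewing web proxy logs can reconstruct the appspot.com → shortener → Dropbox archive chain described above by following Referer links per client. The following script is an added example, not code from the Talos report or from the threat actor; the log format, the client addresses, the appspot.com application name and the shortener domain (short.example) are constructed placeholders, and the only fixed pattern it relies on is the one the report gives (an appspot.com entry point, at least one intermediate redirect, and a Dropbox-hosted archive at the end).

```python
"""Reconstruct appspot.com -> shortener -> Dropbox archive redirect chains from proxy logs.

Added example for the delivery chain summarised above; the log format, hosts
and the shortener domain below are constructed placeholders, not report IoCs.
"""
from collections import defaultdict
from urllib.parse import urlparse

# Constructed proxy log: "<timestamp> <client_ip> <status> <url> <referer>" ("-" = none).
SAMPLE_LOG = """\
2024-09-01T10:00:01Z 10.0.0.5 302 https://example-notice.appspot.com/view?id=123 -
2024-09-01T10:00:02Z 10.0.0.5 302 https://short.example/abc123 https://example-notice.appspot.com/view?id=123
2024-09-01T10:00:03Z 10.0.0.5 200 https://www.dropbox.com/scl/fi/placeholder/copyright_notice.rar?dl=1 https://short.example/abc123
2024-09-01T10:05:00Z 10.0.0.7 200 https://www.dropbox.com/scl/fi/other/quarterly_report.pdf -
2024-09-01T10:06:00Z 10.0.0.9 302 https://example-notice.appspot.com/view?id=999 -
2024-09-01T10:06:01Z 10.0.0.9 200 https://www.example.com/landing https://example-notice.appspot.com/view?id=999
"""

ARCHIVE_EXT = (".rar", ".zip", ".7z")


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def is_appspot(url: str) -> bool:
    return host_of(url).endswith(".appspot.com")


def is_dropbox(url: str) -> bool:
    host = host_of(url)
    return host == "dropbox.com" or host.endswith(".dropbox.com")


def is_archive(url: str) -> bool:
    # Look at the path only, so a "?dl=1" query string does not hide the extension.
    return urlparse(url).path.lower().endswith(ARCHIVE_EXT)


def parse_proxy_lines(text: str) -> list:
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines rather than abort the whole run
        ts, client, status, url, referer = parts
        events.append({
            "ts": ts,
            "client": client,
            "status": int(status),
            "url": url,
            "referer": None if referer == "-" else referer,
        })
    return events


def find_delivery_chains(events: list) -> list:
    """Return chains that start at appspot.com, pass through at least one
    intermediate URL, and end at a Dropbox-hosted archive, grouped per client."""
    by_client = defaultdict(list)
    for ev in events:
        by_client[ev["client"]].append(ev)

    chains = []
    for client, evs in by_client.items():
        by_url = {ev["url"]: ev for ev in evs}
        for ev in evs:
            if not (is_dropbox(ev["url"]) and is_archive(ev["url"])):
                continue
            # Walk backwards through Referer headers to find where the chain began.
            chain = [ev["url"]]
            cur, seen = ev, set()
            while cur["referer"] and cur["referer"] in by_url and cur["referer"] not in seen:
                seen.add(cur["referer"])
                cur = by_url[cur["referer"]]
                chain.append(cur["url"])
            chain.reverse()
            if is_appspot(chain[0]) and len(chain) >= 3:
                chains.append({"client": client, "ts": ev["ts"], "chain": chain})
    return chains


if __name__ == "__main__":
    for hit in find_delivery_chains(parse_proxy_lines(SAMPLE_LOG)):
        print(hit["ts"], hit["client"], " -> ".join(host_of(u) for u in hit["chain"]))
```

The check keys on the shape of the chain rather than on any single domain, because appspot.com and dropbox.com are legitimate services that will appear in most logs; only the combination of an appspot.com entry, an intermediate hop, and an archive download from Dropbox is rare enough to be worth an analyst's time.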

When executed, the fake PDF executables deploy one of two information stealers: LummaC2 or Rhadamanthys. LummaC2 is a C-based stealer sold on underground forums that targets system information, browsers, wallets and extensions. Its loader alters execution flow to call an unknown library, writes the payload into a mapped memory block created via CreateFileMappingA, decrypts shellcode in memory, allocates a new region with VirtualAlloc, writes the stealer into that region and executes it, then communicates with C2 using HTTP POSTs (for example, POSTs with act=life to /api were observed). Talos also captured LummaC2 alert UI artifacts and the build IDs used by the loader.

Rhadamanthys, observed in this campaign as a loader-and-stealer pair, shows a different set of evasions. The Rhadamanthys loader contains many PE sections but hides its malicious code in the .rsrc resource section, heavily obfuscated to complicate analysis. It copies itself to a lumuiUpdater folder (for example, C:\Users\[user]\Documents\lumuiUpdater\ffUpdaar.exe), inflates the file size—sometimes to well over 700 MB—to frustrate sandboxing and signature checks, and adds a Run key in HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run named “sausageLoop” to maintain persistence. The loader then launches the legitimate system process %SystemRoot%\system32\dialer.exe and injects the Rhadamanthys payload into it, and it uses mutex names to enforce single-instance execution (Talos observed Global\MSCTF.Asm… and multiple Session<N>\MSCTF.Asm… mutexes).

Across both families and delivery methods, the actor uses layered AV and analysis evasion: code obfuscation, shellcode encryption, hiding malicious code inside resources to increase file size, embedding stealers into otherwise legitimate binaries (examples included iMazing Converter, foobar2000, Punto Switcher and others), and communication via multiple C2 domains to maintain resilience. The campaigns’ DNS activity and C2 domain queries show ongoing activity during Talos’ observation window.

Cisco Talos published Snort rule identifiers and collected IOCs on GitHub to support detection and response. In addition to the technical indicators, Talos highlights defensive controls and products that can block these attack patterns, including endpoint protection, web and email scanning, and secure DNS/Gateway services that can interrupt the multi-stage redirect and Dropbox-hosted downloads used by the actor.

Organizations that operate Facebook pages or manage advertising accounts—especially Traditional Chinese-speaking administrators in Taiwan—should treat any unsolicited legal notices and copyright claims with caution, avoid running executables masquerading as PDFs, and block or inspect Appspot/Dropbox links if they were not expected. Investigations of suspected compromise should look for the listed registry Run key, the lumuiUpdater file path, the LummaC2 build IDs and the Rhadamanthys mutex strings as triage artifacts.
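The triage artifacts listed above (the sausageLoop Run value, the lumuiUpdater path, the oversized loader, dialer.exe launched by the loader, and the MSCTF.Asm mutex names) can be checked mechanically against endpoint telemetry. The script below is an added example and is not code from Talos or from any product; it assumes telemetry exported as JSON lines with Sysmon-like field names (event, key, value_name, data, path, size, image, parent_image, name), which is a constructed format, and the sample records it runs on are constructed (user name, sizes and the benign events are placeholders). The indicator strings themselves are the ones the summary gives.

```python
"""Triage exported host telemetry for the Rhadamanthys loader artifacts named above.

Added example; the JSON-lines record layout and the sample events are
constructed. Indicator values are those quoted in the summary.
"""
import json
import re

# Indicators from the summary (registry Run value, loader folder, injection target, mutex).
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "sausageLoop"
LOADER_DIR_RE = re.compile(r"\\Documents\\lumuiUpdater\\", re.IGNORECASE)
INJECTION_TARGET = "dialer.exe"
MUTEX_RE = re.compile(
    r"^(Global|Session\d+)\\MSCTF\.Asm\.\{04fb3f26-9d18-66b5-6862-7b8a85e4b620\}$"
)
PADDING_THRESHOLD = 700 * 1024 * 1024  # the summary reports loaders padded past 700 MB

# Constructed JSON-lines telemetry (raw string so the JSON keeps its "\\" escapes).
SAMPLE_TELEMETRY = r"""
{"event": "RegistryValueSet", "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "value_name": "OneDrive", "data": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"}
{"event": "FileCreate", "path": "C:\\Users\\alice\\Documents\\lumuiUpdater\\ffUpdaar.exe", "size": 838860800}
{"event": "RegistryValueSet", "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "value_name": "sausageLoop", "data": "C:\\Users\\alice\\Documents\\lumuiUpdater\\ffUpdaar.exe"}
{"event": "ProcessCreate", "image": "C:\\Windows\\System32\\dialer.exe", "parent_image": "C:\\Windows\\explorer.exe"}
{"event": "ProcessCreate", "image": "C:\\Windows\\System32\\dialer.exe", "parent_image": "C:\\Users\\alice\\Documents\\lumuiUpdater\\ffUpdaar.exe"}
{"event": "MutexCreate", "name": "Global\\MSCTF.Asm.{04fb3f26-9d18-66b5-6862-7b8a85e4b620}", "image": "C:\\Windows\\System32\\dialer.exe"}
"""


def triage_host(jsonl: str) -> list:
    """Return one finding per matched indicator; an empty list means nothing matched."""
    findings = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        kind = ev.get("event")

        if kind == "RegistryValueSet":
            # Persistence: the Run key with the exact value name the loader writes.
            if ev.get("key", "").lower() == RUN_KEY.lower() and ev.get("value_name") == RUN_VALUE_NAME:
                findings.append({"indicator": "run_key_sausageLoop", "detail": ev.get("data")})

        elif kind == "FileCreate":
            path = ev.get("path", "")
            if LOADER_DIR_RE.search(path):
                findings.append({"indicator": "lumuiUpdater_path", "detail": path})
                # Resource padding: a file in the loader folder past the reported size.
                if ev.get("size", 0) > PADDING_THRESHOLD:
                    findings.append({"indicator": "oversized_loader", "detail": ev["size"]})

        elif kind == "ProcessCreate":
            # Injection target: dialer.exe is normal on its own, suspicious when the
            # parent lives in the loader folder.
            image = ev.get("image", "").lower()
            parent = ev.get("parent_image", "")
            if image.endswith("\\" + INJECTION_TARGET) and LOADER_DIR_RE.search(parent):
                findings.append({"indicator": "dialer_spawned_by_loader", "detail": parent})

        elif kind == "MutexCreate":
            if MUTEX_RE.match(ev.get("name", "")):
                findings.append({"indicator": "rhadamanthys_mutex", "detail": ev["name"]})

    return findings


if __name__ == "__main__":
    for finding in triage_host(SAMPLE_TELEMETRY):
        print(f"{finding['indicator']:26} {finding['detail']}")
```

Each check is scoped so a single legitimate value does not fire on its own: a Run entry must carry the sausageLoop name, dialer.exe must have a parent in the lumuiUpdater folder, and the size test only applies to files already in that folder. The mutex regex accepts Global\ and any Session<N>\ prefix because the summary lists both forms for the same GUID.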

Read more: https://blog.talosintelligence.com/threat-actors-use-copyright-infringement-phishing-lure-to-deploy-infostealers/