Rhadamanthys Campaign: Exploiting Intellectual Property Infringement Baits

Check Point Research uncovered the CopyRh(ight)adamantys spear-phishing campaign that distributes the Rhadamanthys stealer v0.7 via DLL sideloading inside password-protected archives. The campaign is large-scale and likely automated, and the stealer’s new ImgDat OCR module uses classic machine-learning OCR plus a BIP39 wordlist to search for wallet recovery phrases. #Rhadamanthys #CopyRhightadamantys

Key points

  • Mass phishing campaign named CopyRh(ight)adamantys delivers Rhadamanthys stealer v0.7 to many targets.
  • Emails impersonate dozens of real companies—mainly Entertainment/Media and Technology/Software—using copyright-infringement lures.
  • Infection chain uses password-protected archives containing a legitimate executable and a sideloaded DLL that loads the stealer.
  • Rhadamanthys 0.7 adds an ImgDat OCR module and a BIP39 wordlist to search images for wallet phrases, using classic ML OCR rather than modern AI engines.
  • Campaign shows signs of automated lure and account generation at scale (many Gmail senders and localized messages).
  • Operators use persistence, process injection, file padding, multiple C2 IPs, and stage downloads (including WAV steganography) to evade detection.

MITRE Techniques

  • [T1566] Phishing – Uses spear-phishing emails to deliver malicious archives and lure victims into downloading files (‘spear-phishing emails to lure victims into downloading malicious files.’)
  • [T1203] Exploitation for Client Execution – Executes the stealer by abusing DLL sideloading with a legitimate executable to load the packed Rhadamanthys DLL (‘utilizes DLL sideloading to deploy the Rhadamanthys stealer.’)
  • [T1071] Application Layer Protocol – Stealer stages communicate with remote command-and-control servers to fetch payloads and exfiltrate data (‘connect to the Command-and-Control server (C2), and download the next package’)
  • [T1041] Exfiltration Over C2 Channel – Rhadamanthys harvests credentials and wallet phrases and sends them to actor-controlled infrastructure (‘Steals sensitive information using the Rhadamanthys stealer.’)

Indicators of Compromise

  • [C2 IPs] Command-and-control servers – 198.135.48.191, 139.99.17.158, and 4 other IPs
  • [Archive hashes] Malicious password-protected archives used as lures – d285677cba6acf848aa4869df74af959f60ef1bc1271b4032000fcdd44f407f2, 2be6ad454fa9e87f78dea80d2855f1c14df81a881093a1a0d57f348377f477a8, and dozens more hashes
  • [DLL hashes] Dropped/sideloaded DLL files containing Rhadamanthys – cf9d93951e558ed22815b34446cfa2bd2cf3d1582d8bd97912612f4d4128a64e, 48aaa2dec95537cdf9fc471dbcbb4ff726be4a0647dbdf6300fa61858c2b0099, and many additional DLL hashes
  • [Filenames / Binaries] Legitimate executable and dropped filenames used for sideloading – Launcher.exe, AcroLicApp.exe, FirefoxData.dll (dropped copy)
  • [Domains / Hosting] Delivery and hosting services cited in lures – appspot.com (redirect link), and redirects to Dropbox / Discord download links

————

Check Point Research discovered a widespread phishing operation named CopyRh(ight)adamantys that tricks recipients with copyright takedown notices. The attackers send localized spear-phishing emails from hundreds of Gmail accounts, encouraging victims to download password-protected archives that contain a decoy document, a legitimate executable, and a sideloaded DLL which unpacks and runs the Rhadamanthys v0.7 stealer.

Rhadamanthys 0.7 introduces an ImgDat OCR module plus a BIP39 wordlist to search images for wallet recovery phrases; notably, the OCR uses traditional machine-learning methods rather than modern large-model AI. After execution the malware establishes persistence (registry keys, larger DLL copies like FirefoxData.dll), injects into common system processes, performs evasion checks, and contacts multiple C2 servers to download further stages—some hidden steganographically inside WAV files.

The campaign’s scale, automation of lure/account creation, and indiscriminate targeting indicate financially motivated cybercriminals. Defenders should block or inspect password-protected archives, monitor for suspicious DLL sideloading and unusual process injection, and watch the listed IOCs and C2 addresses to detect and disrupt this threat.
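As an added triage example (not code from the Check Point report), the following Python inspects a ZIP archive's central directory for the exe + DLL + decoy layout the report describes and checks the archive's SHA-256 against the two archive hashes listed above; the sample archive is constructed in memory, and the `helper.dll` member name is an assumption, not a filename from the report.

```python
import hashlib
import io
import posixpath
import zipfile

# Archive SHA-256 hashes quoted in the report above.
KNOWN_ARCHIVE_SHA256 = {
    "d285677cba6acf848aa4869df74af959f60ef1bc1271b4032000fcdd44f407f2",
    "2be6ad454fa9e87f78dea80d2855f1c14df81a881093a1a0d57f348377f477a8",
}
# Filenames the report ties to the sideloading chain (matched case-insensitively).
KNOWN_FILENAMES = {"launcher.exe", "acrolicapp.exe", "firefoxdata.dll"}
DECOY_EXTS = (".pdf", ".doc", ".docx", ".txt", ".png", ".jpg")


def triage_archive(data: bytes) -> dict:
    """Score a ZIP blob from its central directory alone, without extracting."""
    sha256 = hashlib.sha256(data).hexdigest()
    # Classic ZIP password protection encrypts member contents but leaves
    # names, sizes and flags readable, so the layout is visible without the password.
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
    names = [i.filename.lower() for i in infos]
    exes = [n for n in names if n.endswith(".exe")]
    dlls = [n for n in names if n.endswith(".dll")]
    # A sideloaded DLL must sit in the same directory as the executable.
    sideload = any(posixpath.dirname(e) == posixpath.dirname(d)
                   for e in exes for d in dlls)
    known = sorted({posixpath.basename(n) for n in names} & KNOWN_FILENAMES)
    return {
        "sha256": sha256,
        "known_hash": sha256 in KNOWN_ARCHIVE_SHA256,
        # Bit 0 of the general-purpose flag marks an encrypted member.
        "encrypted": any(i.flag_bits & 0x1 for i in infos),
        "sideload_layout": sideload,
        "decoy_present": any(n.endswith(DECOY_EXTS) for n in names),
        "known_filenames": known,
        "suspicious": sideload or bool(known) or sha256 in KNOWN_ARCHIVE_SHA256,
    }


def build_sample_archive(malicious: bool = True) -> bytes:
    """Constructed sample (not a real lure): decoy PDF, plus exe + DLL if malicious."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Copyright_Notice/Evidence.pdf", b"%PDF-1.4 decoy")
        if malicious:
            zf.writestr("Copyright_Notice/Launcher.exe", b"MZ constructed")
            zf.writestr("Copyright_Notice/helper.dll", b"MZ constructed")
    return buf.getvalue()
```

The sample archive is not encrypted, so `encrypted` reports False; on a real password-protected lure the same listing works and that flag turns True.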

Read more: https://research.checkpoint.com/2024/massive-phishing-campaign-deploys-latest-rhadamanthys-version/