Rhadamanthys Stealer Delivered in Federal Bureau of Transportation Campaign 

Cofense Intelligence identified a phishing campaign that used vehicle-incident lures and open redirects on legitimate Google domains to deliver Rhadamanthys Stealer via a clickable PDF and a downloaded ZIP archive containing an executable. The malware, a recently updated C++ Malware-as-a-Service (MaaS) stealer, unpacks on execution and connects to a C2 server to exfiltrate browser-stored credentials and cryptocurrency wallets.

Keypoints

  • Phishing emails used personalized vehicle-incident lures and spoofed a Federal Bureau of Transportation PDF to induce clicks.
  • Attackers abused open redirects hosted on legitimate Google domains (Maps/Images) and URL shorteners to chain multiple redirects and evade SEGs.
  • Victims reaching the final landing page encountered a clickable PDF on docptypefinder[.]info that triggered a ZIP download containing an executable.
  • The executable unpacks and runs Rhadamanthys Stealer, a C++ information stealer offered as Malware-as-a-Service (MaaS).
  • Rhadamanthys immediately connects to a command-and-control (C2) server (URL path including ‘.gir3n’) to exfiltrate stolen credentials and cryptocurrency wallet data.
  • Recent major updates to Rhadamanthys (v5.0) added plugins, expanded stealing capabilities, and improved evasion tactics, likely motivating this campaign.

MITRE Techniques

  • [T1566.002] Spearphishing Link – The campaign used tailored emails with links that abused open redirects on legitimate Google domains to lure victims. (‘The phishing emails use a unique vehicle incident lure’ and links were ‘primarily hosted on legitimate Google domains, specifically Google Maps and Google Images’)
  • [T1204.002] Malicious File – A clickable PDF led to a ZIP archive download which contained an executable that the user was prompted to run. (‘Clicking on the image downloads or prompts for the download of a ZIP Archive file’)
  • [T1105] Ingress Tool Transfer – The ZIP file delivered an executable that unpacks and installs Rhadamanthys Stealer on the victim host. (‘This file contains an executable that, when ran, unpacks and initiates Rhadamanthys Stealer’)
  • [T1071.001] Application Layer Protocol – The malware establishes outbound web-based C2 communications to exfiltrate data. (‘The malware immediately starts a connection with a command and control (C2) location’)
  • [T1555.003] Credentials from Web Browsers – Rhadamanthys specifically targets and harvests credentials stored in browsers and other applications. (‘collects any stolen credentials, cryptocurrency wallets, or other sensitive information’)
  • [T1027] Obfuscated Files or Information – The campaign chains multiple redirects and uses URL shorteners and legitimate domains to obscure the final malicious destination from SEGs. (‘URL shortener acts as an additional layer of evasiveness… more redirects in the infection chain’)

Indicators of Compromise

  • [Domain] Malicious landing page hosting PDF – docptypefinder[.]info (registered the day the campaign began) used to host the clickable PDF and deliver the ZIP.
  • [Domain/Redirect] Legitimate domains abused for open redirects – Google Maps/Images URLs used as initial redirect hosts before shortener and landing page.
  • [C2 URL] Command-and-control path fragment – C2 communications noted to a URL ending with ‘[.]gir3n’ (unique path segment identifying actor infrastructure).
  • [File] Delivery artifact – ZIP archive containing an executable that unpacks and runs Rhadamanthys Stealer (generic ZIP/exe; specific filenames/hashes not provided in the article).

Attack flow (technical procedure): Phishing emails with individualized vehicle-incident themes contained embedded links that leveraged open redirects on Google Maps/Images, which then forwarded victims through a URL shortener and additional redirects to mask the malicious destination. The final landing page on docptypefinder[.]info hosted a clickable PDF spoofing the Federal Bureau of Transportation; interacting with the PDF triggered a ZIP archive download that contained a bundled executable. When run by the user, the executable unpacks and launches Rhadamanthys Stealer (a C++ MaaS), which immediately establishes web-based C2 communications, noted to include a unique path ending in ‘.gir3n’, and exfiltrates browser-stored credentials, cryptocurrency wallet data, and other sensitive information.

The campaign’s evasive TTPs combined trusted domains, multiple redirects, and a clickable image to increase delivery success through secure email gateways (SEGs). Rhadamanthys’ recent updates (v5.0) expanded plugin support and stealing/evasion capabilities, making it a more attractive MaaS for actors seeking credential theft and wallet harvesting; the stealer’s architecture and C2 behavior align with rapid ingress (T1105), user-executed payloads (T1204.002), and application-layer exfiltration (T1071.001).

Defensive notes: monitor for open-redirect abuse on legitimate domains (Google-hosted URLs whose redirect target points off-domain), block or sandbox ZIP/executable downloads from newly registered domains such as docptypefinder[.]info, inspect outbound connections for anomalous URL paths such as those ending in ‘.gir3n’, and prioritize detection of credential-exfiltration patterns from browser storage.
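As an added example (not code from the Cofense report), the following Python checks proxy log lines for each stage of the chain above: a redirect parameter on a Google host pointing off-domain, a URL-shortener hop, an archive download from a recently registered domain, and an outbound request whose path ends in ‘.gir3n’. The log lines, the shortener list, the redirect-parameter names and the domain registration dates are constructed assumptions for the example.

```python
from datetime import date
from urllib.parse import parse_qs, urlparse
# Constructed sample proxy log (timestamp, client, URL, status); not from the Cofense report.
SAMPLE_LOG = """\
2024-06-03T09:12:01 10.1.4.22 https://www.google.com/url?q=https://t.ly/abc123 302
2024-06-03T09:12:02 10.1.4.22 https://t.ly/abc123 301
2024-06-03T09:12:20 10.1.4.22 https://docptypefinder.info/dl/incident_report.zip 200
2024-06-03T09:13:05 10.1.4.22 http://203.0.113.9/update/session.gir3n 200
2024-06-03T09:14:00 10.1.4.31 https://www.google.com/maps/place/Denver 200
2024-06-03T09:15:10 10.1.4.31 https://www.google.com/url?q=https://docs.google.com/x 302
"""
REDIRECT_PARAMS = ("q", "url")  # assumed names of the redirect-target parameter
SHORTENERS = {"bit.ly", "t.ly", "tinyurl.com"}  # assumed shortener list
ARCHIVE_EXT = (".zip", ".exe")
C2_PATH_SUFFIX = ".gir3n"  # path fragment reported for Rhadamanthys C2
NEW_DOMAIN_DAYS = 30
# Constructed registration dates standing in for a WHOIS / passive-DNS lookup.
DOMAIN_FIRST_SEEN = {"docptypefinder.info": date(2024, 6, 3)}

def is_google(host):
    return host == "google.com" or host.endswith(".google.com")

def classify(url, today):
    """Return the list of findings for one requested URL."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    findings = []
    if is_google(host):  # redirect parameter pointing off-domain = open-redirect abuse
        for key in REDIRECT_PARAMS:
            for target in parse_qs(p.query).get(key, []):
                t = urlparse(target)
                th = (t.hostname or "").lower()
                if t.scheme in ("http", "https") and th and not is_google(th):
                    findings.append(f"open-redirect via {host} -> {th}")
    if host in SHORTENERS:
        findings.append(f"url-shortener hop {host}")
    if p.path.lower().endswith(ARCHIVE_EXT):  # ZIP/EXE from a young or unknown domain
        seen = DOMAIN_FIRST_SEEN.get(host)
        if seen is None or (today - seen).days < NEW_DOMAIN_DAYS:
            findings.append(f"archive download from new/unknown domain {host}")
    if p.path.endswith(C2_PATH_SUFFIX):
        findings.append(f"possible Rhadamanthys C2 path {p.path}")
    return findings

def scan(log_text, today):
    alerts = []  # (client, finding) pairs, one per matched rule
    for line in log_text.splitlines():
        _ts, client, url, _status = line.split()
        alerts.extend((client, f) for f in classify(url, today))
    return alerts
```

Running `scan(SAMPLE_LOG, date(2024, 6, 3))` flags all four stages for client 10.1.4.22 and nothing for 10.1.4.31, whose Google redirect stays on a Google host.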

Read more: https://cofense.com/blog/recently-updated-rhadamanthys-stealer-delivered-in-federal-bureau-of-transportation-campaign