Copyright Scams Fuel Spread of Advanced Malware, Exploiting AI

A sophisticated phishing campaign has been leveraging copyright infringement claims to trick users into downloading an updated version of the Rhadamanthys information stealer since July 2024.

This operation, dubbed CopyRh(ight)adamantys by researchers, has primarily targeted victims in the U.S., Europe, East Asia, and South America. Emails in this campaign impersonate various companies, often tailored to match the targeted entity’s language and region. Approximately 70% of these spoofed companies belong to the entertainment, media, technology, or software sectors.

The emails allege copyright violations on social media platforms, demanding recipients remove the disputed content. A password-protected file, purportedly containing removal instructions, actually links to malware hosted on platforms like Dropbox or Discord.

The download is a RAR archive containing three items: a legitimate, signed executable that is vulnerable to DLL side-loading, a malicious DLL carrying the Rhadamanthys payload, and a decoy document.
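A triage check for the packaging described above, written here as an added example rather than anything from the researchers' report: it scans an archive member listing for the side-loading layout (an executable next to a DLL, with a lure document alongside). The listing is constructed for illustration, not taken from a real sample.

```python
from dataclasses import dataclass
from pathlib import PurePosixPath
from typing import List, Optional, Tuple

# Constructed archive listing as (member name, size in bytes); not a real sample.
SAMPLE_LISTING: List[Tuple[str, int]] = [
    ("Copyright_Notice/Evidence.pdf", 48_112),
    ("Copyright_Notice/PDFViewer.exe", 1_204_224),
    ("Copyright_Notice/version.dll", 612_352),
]

# Constructed benign listing: a document-only archive should produce no finding.
BENIGN_LISTING: List[Tuple[str, int]] = [
    ("Invoice/Invoice_2024.docx", 22_001),
]

# Document extensions commonly used as the decoy in such archives.
DOC_EXTS = {".pdf", ".doc", ".docx", ".rtf", ".txt"}


@dataclass
class Finding:
    executable: str          # the host EXE that would load the DLL
    dll: str                 # the co-located DLL that would be side-loaded
    decoy: Optional[str]     # lure document in the same directory, if any


def find_sideload_triads(listing: List[Tuple[str, int]]) -> List[Finding]:
    """Group members by directory and flag every EXE/DLL pair that shares one.

    A DLL placed in the same directory as an executable is exactly the layout
    DLL side-loading relies on, so each such pair is reported for analyst review.
    """
    by_dir = {}
    for name, _size in listing:
        path = PurePosixPath(name)
        by_dir.setdefault(str(path.parent), []).append(path)

    findings: List[Finding] = []
    for members in by_dir.values():
        exes = [m for m in members if m.suffix.lower() == ".exe"]
        dlls = [m for m in members if m.suffix.lower() == ".dll"]
        docs = [m for m in members if m.suffix.lower() in DOC_EXTS]
        decoy = str(docs[0]) if docs else None
        for exe in exes:
            for dll in dlls:
                findings.append(Finding(str(exe), str(dll), decoy))
    return findings
```

Any portable application shipped with its own DLLs will also match, so treat a hit as a reason to inspect the DLL (signature, imports, entropy) rather than as a verdict on its own.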

When executed, the stealer harvests sensitive information and incorporates AI-based components such as optical character recognition (OCR) to extend what it can capture.

Researchers suggest that the scale and complexity of this campaign indicate the involvement of a financially motivated cybercrime group rather than a nation-state. The attacks’ global scope and use of advanced phishing techniques highlight the continuous evolution of cybercriminal strategies.

Additionally, a related campaign distributing the SteelFox malware has been active since February 2023. Disseminated through cracked software downloads, torrent sites, and blogs, it has victimized users worldwide, particularly in Brazil, China, Russia, and several other nations.

SteelFox uses a multi-stage execution chain, starting with a dropper app disguised as legitimate software. This app exploits Windows vulnerabilities to gain administrative privileges and deploy malware components, including cryptocurrency mining software and data-stealing tools.

The malware employs advanced techniques, such as abusing outdated drivers to achieve system-level privileges, and incorporates secure communication protocols like TLS 1.3 to exfiltrate sensitive user data. Its targets include credit card information, browser data, and system metadata.

To guard against such malware campaigns, organizations and individuals must adopt robust cybersecurity practices. These include scrutinizing unsolicited emails, verifying file authenticity before downloading, and regularly updating software to patch vulnerabilities.

Companies should also implement advanced threat detection systems and educate employees about phishing risks. Cybersecurity awareness remains the first line of defense in combating increasingly sophisticated attacks.