A recent wave of phishing attacks, labeled CopyRh(ight)adamantys, has been employing copyright infringement scams to trick users into downloading Rhadamanthys malware, a sophisticated information stealer. Cybersecurity firm Check Point, which has been monitoring this campaign since July 2024, reports that attackers impersonate well-known companies from sectors such as entertainment, media, and technology. Each phishing email accuses the recipient of a copyright violation, often relating to unauthorized media usage, and includes a link to a password-protected archive containing malware. These emails are sent from Gmail accounts, adapted to the language and style of each targeted company, and feature AI-assisted optical character recognition (OCR) to customize the lures further, improving their effectiveness.
The campaign leverages spear-phishing tactics, directing victims to password-protected archives that claim to contain “removal instructions” for the alleged copyright violation. However, these archives actually house a vulnerable executable that sideloads a malicious DLL file, delivering the Rhadamanthys malware payload. Once activated, the stealer gathers sensitive information from the victim’s system, including credentials, browser history, and stored cookies, posing significant security risks for individuals and organizations alike. According to Check Point, this large-scale campaign has been observed across North and South America, Europe, and East Asia, with approximately 70% of the impersonated companies operating in media or tech industries.
In parallel, Kaspersky has uncovered a separate malware strain known as SteelFox, which has been targeting global victims by masquerading as cracked versions of popular software applications. Distributed on forums, torrent sites, and blog posts, SteelFox utilizes highly advanced techniques, including driver exploits to gain elevated privileges on infected machines. Specifically, the malware uses vulnerabilities in the WinRing0.sys driver (CVE-2020-14979 and CVE-2021-41285), enabling it to execute tasks with NT\SYSTEM privileges. Once inside a system, SteelFox installs XMRig, a cryptocurrency miner, and initiates contact with a remote command-and-control server, allowing the attacker to collect sensitive information and maintain persistence.
Both the CopyRh(ight)adamantys and SteelFox campaigns reflect an increasing trend in the use of AI, driver exploits, and sophisticated social engineering tactics to target users on a global scale. These attacks highlight how cybercriminals are continuously refining their methods, using modern C++ code and secure communication protocols, such as TLS 1.3, to protect their operations and enhance data exfiltration.
