
The Rhadamanthys stealer, a notorious information-stealing malware, has returned with a new wave of targeted phishing attacks sweeping across Central and Eastern Europe. According to a recent Threat Alert from Cybereason, the campaign leverages copyright infringement lures, DLL side-loading, and advanced evasion techniques to compromise systems and exfiltrate sensitive data.
The campaign begins with carefully crafted phishing emails impersonating legitimate law firms. The messages accuse victims—often freelancers or multimedia professionals—of copyright violations involving social media content, trademarks, and logos, and threaten serious legal consequences if they don’t respond within 48 hours.
“The phishing lures Cybereason tracks are specifically mentioning multimedia content being flagged… These individuals are often hired as external contractors or freelancers, and they may be granted access to company networks.”
These fear-based lures are highly targeted, using region-specific language and stolen social media details to make the accusations more believable. Victims are prompted to click a link labeled “Evidence of Infringement,” which redirects to a Mediafire archive download via a newly registered domain such as kiteaero[.]net.

Once the victim opens the downloaded archive, they find a file deceptively named Proof_of_copyright_infringement.exe—a renamed legitimate PDF reader—bundled with a malicious DLL (msimg32.dll). This is where the DLL side-loading begins.
“The threat actors exploit the DLL loading behavior of a legitimate PDF reader to hijack execution flow and achieve stealthy code execution within a trusted process.”
The malware abuses Windows’ default DLL search order to load the malicious DLL instead of a legitimate one, enabling stealthy execution of the Rhadamanthys stealer within the context of a legitimate application. Once loaded, it creates persistence via Windows Registry Autorun keys and downloads the final payload.
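A defensive check for the file layout this side-loading technique relies on, added here as an illustration and not taken from the Cybereason report: it flags a DLL with a Windows system-library name (msimg32.dll is the one named above) that sits next to an executable outside the Windows system directories. The version.dll entry, the directory prefixes and the sample file listing are assumptions constructed for the example.

```python
import os
from collections import defaultdict
from pathlib import PureWindowsPath

# Assumed watch-list of DLL names that legitimately live under %SystemRoot%.
# msimg32.dll is the name used in this campaign; version.dll is an extra
# generic example (assumption, not from the report).
WATCHED_DLLS = {"msimg32.dll", "version.dll"}

# Locations where those names are expected (assumed, case-insensitive prefix match).
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")


def _is_system_dir(directory: str) -> bool:
    d = directory.lower()
    return any(d == p or d.startswith(p + "\\") for p in SYSTEM_DIRS)


def find_sideload_candidates(paths):
    """Return (dll_path, exe_path) pairs where a watched DLL name sits outside the
    system directories beside an executable: the layout search-order hijacking needs."""
    by_dir = defaultdict(lambda: {"dlls": [], "exes": []})
    for raw in paths:
        p = PureWindowsPath(raw)
        kind = "dlls" if p.suffix.lower() == ".dll" else "exes" if p.suffix.lower() == ".exe" else None
        if kind:
            by_dir[str(p.parent)][kind].append(raw)
    hits = []
    for directory, files in by_dir.items():
        if _is_system_dir(directory):
            continue  # the real copy of the DLL is expected here
        for dll in files["dlls"]:
            if PureWindowsPath(dll).name.lower() in WATCHED_DLLS:
                hits.extend((dll, exe) for exe in files["exes"])
    return hits


def scan_tree(root):
    """Walk a real directory tree (on a Windows host) and run the same check."""
    found = [os.path.join(d, f) for d, _, names in os.walk(root) for f in names]
    return find_sideload_candidates(found)


# Constructed sample listing modelled on the archive layout described in the article.
SAMPLE_PATHS = [
    r"C:\Users\alice\Downloads\archive\Proof_of_copyright_infringement.exe",
    r"C:\Users\alice\Downloads\archive\msimg32.dll",
    r"C:\Windows\System32\msimg32.dll",      # legitimate copy in its expected location
    r"C:\Program Files\Editor\editor.exe",
    r"C:\Program Files\Editor\ffmpeg.dll",   # not a system DLL name, so not flagged
]

if __name__ == "__main__":
    for dll, exe in find_sideload_candidates(SAMPLE_PATHS):
        print(f"possible side-load: {dll} next to {exe}")
```

Name comparison is case-insensitive, so the check also catches MSIMG32.DLL; it is a triage heuristic and a hit still needs the DLL's signature and hash reviewed.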
The Rhadamanthys loader incorporates multi-stage shellcode, TLS callbacks, and indirect syscalls to execute malicious code before any entry point is reached and bypass traditional security mechanisms.
“The shellcode incorporates advanced evasion techniques, such as dynamic resolution of API function pointers, the use of the Heaven’s Gate technique, and indirect system calls to bypass user-mode API hooking.”
Countries targeted so far include: Albania, Austria, Bulgaria, Germany, Greece, Hungary, Ireland, Israel, Italy, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, and the UK.
Cybereason reports that multimedia professionals are especially at risk—photographers, video editors, musicians, and digital content creators. These users frequently run software that depends on libraries such as ffmpeg.dll, which the malware references, and they often lack enterprise-grade defenses.