Monday, February 17, 2025
HomeCyber AttackTA547 Hackers Launching AI-Powered Cyber Attacks Targeting Organizations

TA547 Hackers Launching AI-Powered Cyber Attacks Targeting Organizations

Published on

SIEM as a Service

Follow Us on Google News

TA547 has been targeting German organizations with an email campaign delivering the Rhadamanthys malware.

Proofpoint has observed TA547 using Rhadamanthys, an information stealer that is utilized by multiple cybercriminal threat actors.

The emails, which impersonated the German retail company Metro, were crafted to appear as if they related to invoices, with subjects like “Rechnung No:31518562” and contained a password-protected ZIP file.

The ZIP file included an LNK file that, when executed, triggered PowerShell to run a remote script.

Phishing Email

This script was responsible for decoding a Base64-encoded Rhadamanthys executable file, loading it into memory, and executing it without saving it to disk, a method known for evading traditional file-based detection mechanisms.

Document
Stop Advanced Phishing Attack With AI

AI-Powered Protection for Business Email Security

Trustifi’s Advanced threat protection prevents the widest spectrum of sophisticated attacks before they reach a user’s mailbox. Stopping 99% of phishing attacks missed by other email security solutions. .

AI-Powered Cyber Attacks

The use of a PowerShell script in the attack chain suggests that TA547 may have employed an AI-powered tool, such as a large language model (LLM), to write or rewrite the script.

This is indicated by the typical output patterns of LLM-generated coding content observed in the script.

The shift from previously favored JavaScript attachments to compressed LNK files in early March 2024 demonstrates TA547’s evolving tactics.

TA547, identified as a financially motivated cybercriminal threat and considered to be an initial access broker (IAB), has historically targeted various geographic regions with different payloads.

Usage of LLM

In 2023, the group predominantly delivered NetSupport RAT but has also been known to distribute other payloads, including StealC and Lumma Stealer, which share similar functionalities with Rhadamanthys.

The recent campaign against German organizations is not an isolated incident.

TA547 has also targeted entities in Spain, Switzerland, Austria, and the U.S., highlighting the group’s broad geographic focus and the potential for widespread impact.

The adoption of AI-powered tools in cyber attacks is a growing concern.

These tools can analyze targets and find techniques most likely to compromise an organization, making attacks highly targeted and difficult to detect with traditional cybersecurity solutions.

The ability of AI-powered attacks to learn and adapt to new defenses poses a significant challenge, as they can bypass known patterns and signatures that cybersecurity solutions typically rely on.

Secure your emails in a heartbeat! To find your ideal email security vendor, Take a Free 30-Second Assessment.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Hackers Exploit Microsoft Teams Invites to Gain Unauthorized Access

The Microsoft Threat Intelligence Center (MSTIC) has uncovered an ongoing and sophisticated phishing campaign...

Meta’s Bug Bounty Initiative Pays $2.3 Million to Security Researchers in 2024

Meta's commitment to cybersecurity took center stage in 2024 as the tech giant awarded...

Google Chrome Introduces AI to Block Malicious Websites and Downloads

Google has taken a significant step in enhancing internet safety by integrating artificial intelligence...

Fake BSOD Attack Launched via Malicious Python Script

A peculiar malicious Python script has surfaced, employing an unusual and amusing anti-analysis trick...

Supply Chain Attack Prevention

Free Webinar - Supply Chain Attack Prevention

Recent attacks like Polyfill[.]io show how compromised third-party components become backdoors for hackers. PCI DSS 4.0’s Requirement 6.4.3 mandates stricter browser script controls, while Requirement 12.8 focuses on securing third-party providers.

Join Vivekanand Gopalan (VP of Products – Indusface) and Phani Deepak Akella (VP of Marketing – Indusface) as they break down these compliance requirements and share strategies to protect your applications from supply chain attacks.

Discussion points

Meeting PCI DSS 4.0 mandates.
Blocking malicious components and unauthorized JavaScript execution.
PIdentifying attack surfaces from third-party dependencies.
Preventing man-in-the-browser attacks with proactive monitoring.

More like this

Hackers Exploit Microsoft Teams Invites to Gain Unauthorized Access

The Microsoft Threat Intelligence Center (MSTIC) has uncovered an ongoing and sophisticated phishing campaign...

Meta’s Bug Bounty Initiative Pays $2.3 Million to Security Researchers in 2024

Meta's commitment to cybersecurity took center stage in 2024 as the tech giant awarded...

Google Chrome Introduces AI to Block Malicious Websites and Downloads

Google has taken a significant step in enhancing internet safety by integrating artificial intelligence...