TA547 has been targeting German organizations with an email campaign delivering the Rhadamanthys malware.
Proofpoint has observed TA547 using Rhadamanthys, an information stealer that is utilized by multiple cybercriminal threat actors.
The emails, which impersonated the German retail company Metro, were crafted to appear as if they related to invoices, with subjects like “Rechnung No:31518562” and contained a password-protected ZIP file.
The ZIP file included an LNK file that, when executed, triggered PowerShell to run a remote script.
This script was responsible for decoding a Base64-encoded Rhadamanthys executable file, loading it into memory, and executing it without saving it to disk, a method known for evading traditional file-based detection mechanisms.
Trustifi’s Advanced threat protection prevents the widest spectrum of sophisticated attacks before they reach a user’s mailbox. Stopping 99% of phishing attacks missed by other email security solutions. .
The use of a PowerShell script in the attack chain suggests that TA547 may have employed an AI-powered tool, such as a large language model (LLM), to write or rewrite the script.
This is indicated by the typical output patterns of LLM-generated coding content observed in the script.
The shift from previously favored JavaScript attachments to compressed LNK files in early March 2024 demonstrates TA547’s evolving tactics.
TA547, identified as a financially motivated cybercriminal threat and considered to be an initial access broker (IAB), has historically targeted various geographic regions with different payloads.
In 2023, the group predominantly delivered NetSupport RAT but has also been known to distribute other payloads, including StealC and Lumma Stealer, which share similar functionalities with Rhadamanthys.
The recent campaign against German organizations is not an isolated incident.
TA547 has also targeted entities in Spain, Switzerland, Austria, and the U.S., highlighting the group’s broad geographic focus and the potential for widespread impact.
The adoption of AI-powered tools in cyber attacks is a growing concern.
These tools can analyze targets and find techniques most likely to compromise an organization, making attacks highly targeted and difficult to detect with traditional cybersecurity solutions.
The ability of AI-powered attacks to learn and adapt to new defenses poses a significant challenge, as they can bypass known patterns and signatures that cybersecurity solutions typically rely on.
Secure your emails in a heartbeat! To find your ideal email security vendor, Take a Free 30-Second Assessment.
Ivanti has issued an urgent security advisory for CVE-2025-22457, a critical vulnerability impacting Ivanti Connect…
A concerning malware campaign was disclosed by the AhnLab Security Intelligence Center (ASEC), revealing how…
EncryptHub, a rapidly evolving cybercriminal entity, has come under intense scrutiny following revelations of operational…
A sophisticated phishing campaign, dubbed "PoisonSeed," has been identified targeting customer relationship management (CRM) and…
A surge in phishing text messages claiming unpaid tolls has been linked to a massive…
The State Bar of Texas has confirmed a data breach following the detection of unauthorized…