In a concerning development, cybercriminals have initiated a large-scale phishing campaign that leverages fraudulent copyright infringement notices to distribute the Rhadamanthys Stealer malware. This sophisticated operation, dubbed CopyRh(ight)adamantys, targets individuals and organizations worldwide, falsely accusing them of violating copyright laws to deceive victims into downloading malicious software.
The Emergence of CopyRh(ight)adamantys
Since April 2025, threat actors have been impersonating legal representatives and law firms, sending emails that allege recipients have infringed upon copyrights on social media platforms. These emails are meticulously crafted, often written in the recipient’s native language, and reference specific social media accounts to enhance credibility. The messages typically demand immediate action within 48 hours, threatening severe legal consequences, including financial penalties, if the alleged violations are not addressed promptly.
Geographic Scope and Targeted Industries
The campaign has demonstrated a broad geographic reach, with confirmed incidents across sixteen European countries, including Germany, Italy, Spain, the United Kingdom, Poland, and several Eastern European nations. The attackers employ highly localized phishing emails to increase the likelihood of user engagement.
Particularly vulnerable are professionals in the photography, video production, and music industries. These individuals frequently handle copyrighted materials and often use multimedia tools that rely on specific Dynamic Link Libraries (DLLs) such as ffmpeg.dll. As many of these professionals work as external contractors or freelancers, they may lack enterprise-grade security protections like Endpoint Detection and Response (EDR) systems, making them prime targets for this campaign.
The Phishing Mechanism
The attack begins with carefully crafted phishing emails containing malicious download links. These links lead to archives hosted on services like MediaFire, accessed through newly registered domains acting as redirects. When victims click these links, they are directed through a complex redirection chain involving URL shortening services such as tr.ee, t2m.co, and goo.su, ultimately leading to the download of large ZIP archives containing the malicious payload.
The substantial file sizes, often reaching approximately 500 megabytes, serve as an additional evasion technique. Many security solutions skip detailed inspection of such large payloads due to performance considerations, allowing the malware to bypass traditional security measures.
Advanced DLL Side-Loading Technique
The core infection mechanism relies on a sophisticated DLL side-loading attack that exploits the behavior of a legitimate but outdated Haihaisoft PDF Reader application. The downloaded archive contains three critical components:
1. A legitimate PDF reader executable renamed to match the phishing lure (e.g., Proof_of_copyright_infringement.exe).
2. A malicious DLL named msimg32.dll.
3. A decoy document to maintain the illusion of legitimacy.
The attack leverages Windows’ default DLL search order behavior, where applications first attempt to load required libraries from their own directory before searching system locations. By placing the malicious msimg32.dll alongside the legitimate executable, the malware ensures it gets loaded instead of the genuine Windows system library.
This technique allows the malware to execute within the context of a trusted process, significantly reducing the likelihood of detection by security software. Once executed, the malicious DLL employs Thread Local Storage (TLS) callbacks to initialize malicious code before the main program entry point runs.
Evasion and Persistence Mechanisms
The malware incorporates advanced evasion techniques, including the Heaven’s Gate method for transitioning between 32-bit and 64-bit execution contexts. This enables it to bypass user-mode API hooking mechanisms commonly employed by security solutions.
For persistence, the malware creates a copy of itself in the user’s Documents folder with the filename VolkUpdater0987.dll and establishes an autorun registry entry using the command:
“`
reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v Volk Sensor /t REG_SZ /d rundll32.exe C:\Users\[username]\Documents\VolkUpdater0987.dll,EntryPoint /f
“`
The malware then proceeds to download and execute the final Rhadamanthys stealer payload from command and control servers. This initiates comprehensive data theft operations targeting stored credentials, browser data, cryptocurrency wallets, and other sensitive information stored on infected systems.
Implications and Recommendations
This campaign underscores the increasing sophistication of phishing attacks and the importance of cybersecurity awareness. By exploiting legitimate concerns over copyright infringement, threat actors can deceive even vigilant users into compromising their systems.
To mitigate the risks associated with such attacks, individuals and organizations should:
1. Verify the Authenticity of Communications: Be cautious of unsolicited emails claiming legal violations. Verify the sender’s identity through official channels before taking any action.
2. Avoid Clicking Suspicious Links: Do not click on links or download attachments from unknown or unverified sources.
3. Keep Software Updated: Regularly update all software applications to their latest versions to patch known vulnerabilities.
4. Implement Robust Security Measures: Utilize comprehensive security solutions, including antivirus software and firewalls, to detect and prevent malware infections.
5. Educate and Train Staff: Provide regular training on recognizing phishing attempts and other social engineering tactics to employees and stakeholders.
By adopting these practices, individuals and organizations can enhance their defenses against increasingly sophisticated cyber threats.
