{
	"id": "a3108cb9-1145-4ee3-8a87-f0b6a7172383",
	"created_at": "2026-04-06T00:06:46.091446Z",
	"updated_at": "2026-04-10T03:33:17.996073Z",
	"deleted_at": null,
	"sha1_hash": "5b46f570f8b82d3f9cb143cb6c639c0a07243144",
	"title": "TA547 Targets German Organizations: Rhadamanthys Stealer | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 396003,
	"plain_text": "TA547 Targets German Organizations: Rhadamanthys Stealer | Proofpoint US\r\nBy Tommy Madjar, Selena Larson and the Proofpoint Threat Research Team\r\nPublished: 2024-04-03 · Archived: 2026-04-05 13:14:52 UTC\r\nApril 10, 2024\r\n\r\nWhat happened\r\nProofpoint identified TA547 targeting German organizations with an email campaign delivering Rhadamanthys malware. This is the first time researchers observed TA547 use Rhadamanthys, an information stealer that is used by multiple cybercriminal threat actors. Additionally, the actor appeared to use a PowerShell script that researchers suspect was generated by a large language model (LLM) such as ChatGPT, Gemini, Copilot, etc.\r\nEmails sent from the threat actor impersonated the German retail company Metro, purporting to relate to invoices.\r\nFrom: Metro ! \u003crechnung.metro.de@metro-delivery[.]com\u003e\r\nSubject: Rechnung No:31518562\r\nAttachment: in3 0gc-(94762)_6563.zip\r\nExample TA547 email impersonating the German retail company Metro.\r\nThe emails targeted dozens of organizations across various industries in Germany. Messages contained a password-protected ZIP file (password: MAR26) containing an LNK file. When the LNK file was executed, it triggered PowerShell to run a remote PowerShell script. This PowerShell script decoded the Base64-encoded Rhadamanthys executable file stored in a variable, loaded it as an assembly into memory, and then executed the entry point of the assembly. This essentially executed the malicious code in memory without writing it to disk.\r\nNotably, when deobfuscated, the second PowerShell script that was used to load Rhadamanthys contained interesting characteristics not commonly observed in code used by threat actors (or legitimate programmers). Specifically, the PowerShell script included a pound sign followed by grammatically correct and hyper-specific comments above each component of the script. This is a typical output of LLM-generated coding content, and suggests TA547 used some type of LLM-enabled tool to write (or rewrite) the PowerShell, or copied the script from another source that had used it.\r\nExample of PowerShell suspected to be written by an LLM and used in a TA547 attack chain.\r\nWhile it is difficult to confirm whether malicious content is created via LLMs – from malware scripts to social engineering lures – there are characteristics of such content that point to machine-generated rather than human-generated information. Regardless of whether it is human- or machine-generated, the defense against such threats remains the same.\r\n\r\nAttribution\r\nTA547 is a financially motivated cybercriminal threat considered to be an initial access broker (IAB) that targets various geographic regions. Since 2023, TA547 has typically delivered NetSupport RAT but has occasionally delivered other payloads including StealC and Lumma Stealer (information stealers with similar functionality to Rhadamanthys). They appeared to favor zipped JavaScript attachments as initial delivery payloads in 2023, but the actor switched to compressed LNKs in early March 2024. In addition to campaigns in Germany, other recent geographic targeting includes organizations in Spain, Switzerland, Austria, and the U.S.\r\n\r\nWhy it matters\r\nThis campaign represents an example of some technique shifts from TA547, including the use of compressed LNKs and the previously unobserved Rhadamanthys stealer. It also provides insight into how threat actors are leveraging likely LLM-generated content in malware campaigns.\r\nLLMs can assist threat actors in understanding more sophisticated attack chains used by other threat actors, enabling them to repurpose these techniques once they understand the functionality. Like LLM-generated social engineering lures, threat actors may incorporate these resources into an overall campaign. It is important to note, however, that while TA547 incorporated suspected LLM-generated content into the overall attack chain, it did not change the functionality or the efficacy of the malware or change the way security tools defended against it. In this case, the potentially LLM-generated code was a script which assisted in delivering a malware payload but was not observed to alter the payload itself. Because many of Proofpoint's detection mechanisms are behavior-based, the origin of any given malicious software will not impact our ability to detect malicious actions taken on a host. In the same way that LLM-generated phishing emails used to conduct business email compromise (BEC) share the same characteristics as human-generated content and are caught by automated detections, malware or scripts that incorporate machine-generated code will still run the same way in a sandbox (or on a host), triggering the same automated defenses.\r\n\r\nExample Emerging Threats signatures\r\n2854802 ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert\r\n2853002 ETPRO MALWARE Rhadamanthys Stealer - Data Exfil\r\n2853001 ETPRO MALWARE Rhadamanthys Stealer - Payload Response\r\n2043202 ET MALWARE Rhadamanthys Stealer - Payload Download Request\r\n\r\nIndicators of compromise\r\nIndicator  Description  First Seen\r\nhxxps://bolibachan[.]com/g[.]txt  PowerShell Payload  26 March 2024\r\nindscpm[.]xyz  Rhadamanthys C2  26 March 2024\r\n94[.]131[.]104[.]223:443  Rhadamanthys C2  26 March 2024\r\n\r\nSource: https://www.proofpoint.com/us/blog/threat-insight/security-brief-ta547-targets-german-organizations-rhadamanthys-stealer",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.proofpoint.com/us/blog/threat-insight/security-brief-ta547-targets-german-organizations-rhadamanthys-stealer"
	],
	"report_names": [
		"security-brief-ta547-targets-german-organizations-rhadamanthys-stealer"
	],
	"threat_actors": [
		{
			"id": "02e5c3b8-54b4-4170-b200-7f1fd361b5a9",
			"created_at": "2022-10-25T16:07:24.557505Z",
			"updated_at": "2026-04-10T02:00:05.032451Z",
			"deleted_at": null,
			"main_name": "Scully Spider",
			"aliases": [
				"Scully Spider",
				"TA547"
			],
			"source_name": "ETDA:Scully Spider",
			"tools": [
				"DanaBot",
				"Lumma Stealer",
				"LummaC2",
				"NetSupport",
				"NetSupport Manager",
				"NetSupport Manager RAT",
				"NetSupport RAT",
				"NetSupportManager RAT",
				"Rhadamanthys",
				"Rhadamanthys Stealer",
				"Stealc"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "72bc3519-a265-4136-b85a-d5e331f085b1",
			"created_at": "2023-01-06T13:46:39.313045Z",
			"updated_at": "2026-04-10T02:00:03.28438Z",
			"deleted_at": null,
			"main_name": "TA547",
			"aliases": [],
			"source_name": "MISPGALAXY:TA547",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434006,
	"ts_updated_at": 1775791997,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5b46f570f8b82d3f9cb143cb6c639c0a07243144.pdf",
		"text": "https://archive.orkl.eu/5b46f570f8b82d3f9cb143cb6c639c0a07243144.txt",
		"img": "https://archive.orkl.eu/5b46f570f8b82d3f9cb143cb6c639c0a07243144.jpg"
	}
}