{
	"id": "ad7fb509-0bbc-45bc-a569-47df94f15168",
	"created_at": "2026-04-23T02:55:14.914671Z",
	"updated_at": "2026-04-25T02:19:27.571011Z",
	"deleted_at": null,
	"sha1_hash": "e9329bebe5ef9f858f6696badbf87a38ac15a526",
	"title": "CopyRh(ight)adamantys Campaign: Rhadamantys Exploits Intellectual Property Infringement Baits",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 136055,
	"plain_text": "CopyRh(ight)adamantys Campaign: Rhadamantys Exploits Intellectual Property Infringement Baits\r\nBy samanthar@checkpoint.com\r\nPublished: 2024-11-06 · Archived: 2026-04-23 02:46:46 UTC\r\nKey findings\r\nCheck Point Research is tracking an ongoing, large-scale and sophisticated phishing campaign deploying the newest version of the Rhadamanthys stealer (0.7). We dubbed this campaign CopyRh(ight)adamantys.\r\nThis campaign utilizes a copyright infringement theme to target various regions, including the United States, Europe, East Asia, and South America.\r\nThe campaign impersonates dozens of companies, while each email is sent to a specific targeted entity from a different Gmail account, adapting the impersonated company and the language per targeted entity. Almost 70% of the impersonated companies are from the Entertainment/Media and Technology/Software sectors.\r\nAnalysis of the lures and targets in this campaign suggests the threat actor uses automation for lure distribution. Due to the scale of the campaign and the variety of the lures and sender emails, there is a possibility that the threat actor also utilized AI tools.\r\nOne of the main updates in this Rhadamanthys stealer version, according to claims by the author, is AI-powered text recognition. However, we discovered that the component introduced by Rhadamanthys does not incorporate any of the modern AI engines, but instead uses much older classic machine learning, typical for OCR software.\r\nWhile we were finalizing this blog post, a technical analysis of this activity was published by fellow researchers from Cisco Talos. While it overlaps with our findings to some extent, our report provides additional extended information about the activity.\r\nIntroduction\r\nSince July 2024, Check Point Research (CPR) has been tracking an extensive and ongoing phishing campaign that leads to the deployment of the Rhadamanthys stealer. 
This campaign masquerades as various companies and falsely claims that victims have committed copyright infringement on their Facebook pages.\r\nThe phishing emails, typically sent from Gmail accounts, prompt recipients to download an archive file, which triggers the infection through DLL side-loading. The vulnerable binary then installs the latest version of the Rhadamanthys stealer (version 0.7), which includes new capabilities such as an alleged AI-powered OCR (optical character recognition) module.\r\nIn this report, we share our ongoing efforts to study the use of the Rhadamanthys stealer, which both cybercriminals and state-sponsored actors have adopted. We provide an in-depth examination of the phishing campaign, the tactics used by the attackers, and the updates introduced in this latest version of Rhadamanthys.\r\nhttps://research.checkpoint.com/2024/massive-phishing-campaign-deploys-latest-rhadamanthys-version/\r\nPage 1 of 12\n\nBackground\r\nThroughout 2024, we have been monitoring threat actors’ activities leveraging the Rhadamanthys stealer, including its use by Void Manticore, an Iranian actor operating in Israel and Albania. In one campaign tied to Handala, a persona linked to Void Manticore, the Rhadamanthys stealer was distributed under the guise of an F5 update. This marked their first use of the stealer, which they continued to deploy in subsequent campaigns impersonating Israeli and international companies.\r\nSimultaneously, Check Point Software Technologies began receiving reports of phishing lures mimicking Check Point-branded emails leading to the deployment of Rhadamanthys. Given Handala’s previous interest in Check Point and the threats they published in their Telegram channel, our initial assumption was that they were also behind this campaign. 
However, further analysis revealed this was merely a coincidence and the Check Point lures were part of a larger, distinct cybercrime-oriented cluster, which we explore in detail.\r\nFigure 1 – Phishing email impersonating Check Point.\r\nCopyRh(ight)adamantys Emails\r\nThe newly identified cluster is characterized by spear-phishing emails sent from Gmail accounts allegedly from well-known companies claiming supposed copyright violations. These emails, which appear to come from the legal representatives of the impersonated companies, accuse the recipient of misusing their brand on the target’s social media page and request the removal of specific images and videos.\r\nThe removal instructions are said to be in a password-protected file. However, the attached file is a download link to appspot.com, linked to the Gmail account, which redirects the user to Dropbox or Discord to download a password-protected archive (with the password provided in the email).\r\nFigure 2 – Malicious ZIP download link.\r\nWe observed hundreds of emails impersonating dozens of companies, each sent to a specific address from a different Gmail account. Almost 70% of the impersonated companies are from the Entertainment/Media and Technology/Software sectors. This is possibly because those sectors have a high online presence and are more likely to send such requests than other sectors. These high-profile sectors also have frequent copyright-related communications, making such phishing attempts appear more credible.\r\nThe attackers likely used an automated tool, possibly with AI integration, to generate both the emails and the accounts. While most emails are written in the recipient’s local language or English, occasional errors occur. 
For example, one email intended for an Israeli target was written in Korean instead of Hebrew, with only the target’s name correctly localized.\r\nFigure 3 – Phishing email written in Korean mistakenly sent to a target in Israel.\r\nInfection Chain\r\nFigure 4 – Copyright campaign infection chain.\r\nAs we stated, the infection begins with a spear-phishing email containing a link to download a password-protected archive. This archive typically includes three files: a legitimate executable, a DLL (which contains the packed Rhadamanthys), and a decoy Adobe ESPS or PDF file. When the executable is run, it utilizes DLL sideloading to load the malicious DLL, which subsequently unpacks and loads the Rhadamanthys components.\r\nThe legitimate executables and the names given to the DLL for sideloading:\r\nLegitimate Executable (Often renamed) Sideloaded DLL\r\nLauncher.exe msimg32.dll\r\nAcroLicApp.exe msimg32.dll\r\nAdobeARM.exe SensApi.dll\r\nOnce active, the stealer writes a significantly larger copy of the DLL into the Documents folder, masquerading as a Firefox-related component (FirefoxData.dll). It also creates a registry key for persistence:\r\nFigure 5 – Registry key added for persistence.\r\nThe only difference between the dropped DLL and the one from the initial package is an appended empty overlay. This is a simple trick intended to evade hash-based detection, as the random padding changes the original hash of the executable. 
Sometimes, the enlarged size of the file may also cross the acceptable file size threshold defined by a particular antivirus engine, and as a result, the file is not scanned.\r\nAs the Rhadamanthys modules are loaded, they are injected into one of the following processes from the system32 directory:\r\ncredwiz.exe\r\nOOBE-Maintenance.exe\r\nopenwith.exe\r\ndllhost.exe\r\nrundll32.exe\r\nThe process of loading Rhadamanthys modules and their general flow has not changed much since the last version, 0.5.0, which we described in detail in our previous report. The initial Rhadamanthys executable has a hardcoded package from which Stage 2 is unpacked.\r\nThe role of Stage 2 is to run extensive evasion checks on the compromised machine, connect to the Command-and-Control server (C2), and download the next package, which contains Stage 3. Stage 3, shipped steganographically in a WAV file, is a rich set of stealer modules that attack various targets. We described most of these modules in our previous article.\r\nA complete list of Rhadamanthys Stages 2 and 3 is available in Appendix A.\r\nTargets\r\nThe campaign’s targets are distributed across a wide geographic area, including the US, Europe, the Middle East, East Asia, and South America. However, it’s important to note that our target observations are limited to our customers that were targeted by this campaign. 
We believe this is part of a much larger campaign, with likely many more countries affected than we’ve seen.\r\nFigure 6 – Map of targeted countries according to Check Point’s telemetry.\r\nAttribution\r\nAlthough Rhadamanthys was previously linked to nation-state threat actors like those from Russia or Iran, we assess that this campaign is more likely the work of a cybercrime group rather than a state-sponsored operation for the following reasons:\r\nUnlike nation-state actors, who typically target high-value assets such as government agencies or critical infrastructure, this campaign displays no such selectivity. Instead, it targets a diverse range of organizations with no clear strategic connections, reinforcing the conclusion that financial motives drive the attackers.\r\nThe infrastructure used, such as creating different Gmail accounts for each phishing attempt, indicates the possible use of automation tools, perhaps powered by AI. This level of operational efficiency, along with the indiscriminate targeting of multiple regions and sectors, points to a cybercrime group seeking to maximize financial returns by casting a wide net.\r\nRhadamanthys 0.7\r\nWhile working on this report, Recorded Future, a cybersecurity company, released a comprehensive analysis of Rhadamanthys 0.7. The Rhadamanthys version used in this campaign, identified as 0.7, is the latest release at the time of this writing. It was introduced by the developer of the malware a few months ago in the following announcement:\r\nFigure 7 – Source: https://x.com/g0njxa/status/1812902577530454023\r\nThe author stated that text recognition is implemented with AI. As AI is currently a hot topic, this may help promote the product and show that it uses cutting-edge technology. 
However, as we found out, the component introduced by Rhadamanthys does not incorporate any of the modern AI engines but instead uses much older classic machine learning, typical for OCR software.\r\nIn this latest release, the author announced many improvements. Some of the existing components were polished and modified. Only one new executable, the OCR component, was added.\r\nThe OCR module\r\nIn the package downloaded from the C2, we find the following:\r\nImgDat (full path in the Rhadamanthys Filesystem: /bin/amd64/imgdat.bin) – An executable in XS2 format.\r\nbip39.txt (/etc/bip39.txt) – A small dictionary.\r\nImgDat is the OCR module that the author mentioned in the announcement: “Added AI graphics and PDF recognition to extract phases”. The newly added text file bip39.txt is its configuration and contains a dictionary of search phrases that will be checked against the extracted text.\r\nThe name Bip39 suggests that it is related to Bitcoin Improvement Proposal 39, which specifies how to create phrases out of numbers to make wallet protection codes easier for humans to remember. According to the specification, Bip39 contains a dictionary of 2048 words – just like the file we found. We compared it with the official Bip39 wordlist and confirmed that the content is the same: https://github.com/bitcoin/bips/blob/master/bip-0039/english.txt (https://www.blockplate.com/pages/bip-39-wordlist).\r\nBased on this information, we can easily infer that the OCR module is applied to search for documents where such phrases may be stored, and the retrieved information will be further used in attacks on Bitcoin wallets. 
This set of phrases used for text recognition suggests that the campaign is motivated by financial gain rather than espionage purposes.\r\nHow ImgDat is deployed\r\nThe ImgDat executable is deployed by the main module of Stage 3 (coredll.bin), which is responsible for coordinating the work of all the stage’s components. In the ImgDat module, calling the Entry Point retrieves a list of its exported functions that are used later.\r\nThe exported functions:\r\ninit – Initializes the OCR component with a given configuration and returns the context structure.\r\ndelete – Destroys the initialized structure.\r\nprocess – Implements the main operations: image processing and text extraction.\r\nWorkflow:\r\n1. The function init is called and the content of “bip39.txt” is passed to it to initialize the component with the given list of search phrases. They are stored in a dedicated linked list that is part of the context structure.\r\n2. The function process is fetched from ImgDat. The core module walks through the disks of the infected machine and then calls this function on every retrieved path.\r\n3. The function process from ImgDat is called as a callback from within a filtering function. It first checks if the retrieved path has an extension from the hardcoded list. The supported formats from which the module can retrieve text:\r\nBMP\r\nJPEG\r\nPNG\r\nTIFF\r\nWMF\r\nIf the extension matches, the file content is read and passed to the process function from the ImgDat module.\r\nThe OCR implementation\r\nThe image is loaded via the GDI+ interface and then preprocessed to facilitate text recognition. 
First, all pixels from the image are loaded into a dedicated buffer:\r\nFigure 8 – Fragment of a function denoted as “read_bitmap_from_image” within the “process” API.\r\nThe RGB components of the picture are compressed into a single byte.\r\nThe OCR functionality is implemented within the function denoted as extract_text, which is part of the process API. When we look inside, we can find a reference to thresholding, a well-known technique commonly applied in OCR software. Its role is to enhance the contrast to be able to distinguish the text from the background of the image.\r\nFigure 9 – Rhadamanthys OCR code.\r\n[thresholding] image = %p , (%d , %d) (%d , %d)\\n\r\nThe image is then processed using a trained local machine learning model. Extracted sentences are stored in a dedicated structure.\r\nFigure 10 – Example of an input image (PNG) and the phrases extracted with the help of ImgDat.\r\nFinally, the extracted phrases are separated into words, which are then compared with the previously initialized token list. If there are enough matches (at least 9 strings from the list and at least 12 strings processed), the process function returns true.\r\nThe model has limited precision. For example, it handles only the most popular fonts and cannot recognize handwritten text. 
In addition, it doesn’t do well with text in mixed colors (especially if one line of the text is darker than the background and another is lighter).\r\nConclusion\r\nIn this article, we analyzed a large-scale phishing campaign discovered in July 2024. This campaign used a copyright infringement theme to spread the Rhadamanthys info stealer. It employed tactics including DLL sideloading and anti-detection techniques, making the latest version of Rhadamanthys (0.7) more potent and more challenging to detect. We also examined Rhadamanthys’ new OCR features.\r\nThe campaign’s widespread and indiscriminate targeting of organizations across multiple regions suggests it was orchestrated by a financially motivated cybercrime group rather than a nation-state actor. Its global reach, automated phishing tactics, and diverse lures demonstrate how attackers continuously evolve to improve their success rates.\r\nCheck Point Customers Remain Protected Against the Threats Described in this Report.\r\nCheck Point’s Threat Emulation provides comprehensive coverage of attack tactics, file types, and operating systems:\r\nInfoStealer.Wins.Rhadamanthys.ta.V\r\nInfoStealer.Wins.Rhadamanthys.*\r\nHarmony Endpoint provides comprehensive endpoint protection at the highest security level, crucial to avoid security breaches and data compromise:\r\nInfoStealer.Wins.Rhadamanthys.*\r\nHarmony Email and Collaboration provides comprehensive inline protection at the highest security level.\r\nAppendix A\r\nStage 2 – Unpacked from the hardcoded package:\r\nName Format SHA256\r\ndt.x86 XS1 bea558e8129fcb647e6f42c8beda4464e109dd3cd546342c0337dbd50616f991\r\nearly.x86 XS1 4fd469d08c051d6997f0471d91ccf96c173d27c8cff5bd70c3f2c5008faa786f\r\nearly.x64 XS1 633b0fe4f3d2bfb18d4ad648ff223fe6763397daa033e9c5d79f2cae89a6c3b2\r\nnetclient.x86 XS1 
b97dd0279e112e0591b38064f59077102ab188b07a069cb104e66e4756e2570a\r\nphexec.bin XS1 13872271ee511aa83f3f27d5db248516652b10a079ad01f78ed734cd2a87ec77\r\nprepare.bin shellcode d96ec4b08c08b81ba9075423d5e83bf330de09866066b4bdb459bcbac389a350\r\nproto.x86 shellcode a905226a2486ccc158d44cf4c1728e103472825fb189e05c17d998b9f5534d63\r\nstage.x86 shellcode 44f3936ee158d2846664bf5cd795fd90a99441186b20b90ff241ba1b38a6a3e9\r\nstrategy.x86 XS1 219a6387d91c4b2c8e91c8613192af950bd9c790114a238eb0e1e7c878f6e728\r\nunhook.bin XS1 37438095a5e7be0ce12997dc23d1ff117912989d2f24beab95284f9380f65834\r\nua.txt plain text aeba4ece8c4bf51d9761e49fad983967e76c705a06999c556c099f39853f737c\r\nprocesses.x plain text 3ca87045da78292a6bba017138ff9ee42b4e626b64d0fee6d86a16cc3258c8c3\r\nStage 3 – Downloaded from the C2:\r\nName Format SHA256\r\ncoredll.bin (32) XS2 3737501bbd4abd0844da016c0263399e3c670ae52952b30ca46c6c96cf4e318d\r\ncoredll.bin (64) XS2 6012386eab453f4fb1cfb88fb5b05ba9ec71a838029ea51bcff4c0b5a2fbfad2\r\ntaskcore.bin (32) XS2 c0b319bb19092fe3c193e5139fcdf599502b669143b06c676e81f46ab50fb4ed\r\ntaskcore.bin (64) XS2 18273fa35c54332d8763cb17a5ae92de5636f3a05c507ce18d9d6a77c3139deb\r\nstubmod.bin (32) XS2 d97aa65123c26509e3fc1a9963962b7f707a50ddca44a9a12fd03e654ab5aa66\r\nstubmod.bin (64) XS2 fd9fbfa809450415e8d0d79199ec8686cb7071d6e13a5b76f0ce1b03a2a61302\r\nruntime.dll PE, .NET a87032195e38892b351641e08c81b92a1ea888c3c74a0c7464160e86613c4476\r\nloader.dll PE, .NET 3d010e3fce1b2c9ab5b8cc125be812e63b661ddcbde40509a49118c2330ef9d0\r\nKeePassHax.dll PE, .NET fcb00beaa88f7827999856ba12302086cadbc1252261d64379172f2927a6760e\r\nimgdat.bin (32) XS2 2625d99af56c79de32f9fba2332f63eb9c88707e9ea83985bce5df9022ced99a\r\nimgdat.bin (64) XS2 
ffb264a19af7c8a8dd5357b62c45fcd3063ca946aa2710740c4e8b21f8e697d9\r\nbip39.txt plain text 24ce42c2fd4a95c1b86bbee9bce1e1cf255bd0022e19bab6bd591afd68b7efdb\r\nLua extensions LUA code –\r\nIOCs\r\nC2:\r\n198.135.48.191\r\n139.99.17.158\r\n103.68.109.208\r\n95.169.204.214\r\n15.235.138.155\r\n15.235.176.166\r\nArchives:
DLL:
Source: https://research.checkpoint.com/2024/massive-phishing-campaign-deploys-latest-rhadamanthys-version/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://research.checkpoint.com/2024/massive-phishing-campaign-deploys-latest-rhadamanthys-version/"
	],
	"report_names": [
		"massive-phishing-campaign-deploys-latest-rhadamanthys-version"
	],
	"threat_actors": [
		{
			"id": "13e58cc3-9acc-4564-8f84-b8cc0082ee4a",
			"created_at": "2024-05-23T02:00:03.982213Z",
			"updated_at": "2026-04-25T02:00:03.543971Z",
			"deleted_at": null,
			"main_name": "Void Manticore",
			"aliases": [],
			"source_name": "MISPGALAXY:Void Manticore",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4134675e-5b72-4b50-8d70-1a8f18aafbb4",
			"created_at": "2024-10-04T02:00:04.766263Z",
			"updated_at": "2026-04-25T02:00:03.600957Z",
			"deleted_at": null,
			"main_name": "Handala",
			"aliases": [],
			"source_name": "MISPGALAXY:Handala",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "20c759c2-cd02-45bb-85c6-41bde9e6a7cf",
			"created_at": "2024-01-18T02:02:34.189827Z",
			"updated_at": "2026-04-25T02:00:04.572705Z",
			"deleted_at": null,
			"main_name": "HomeLand Justice",
			"aliases": [
				"Banished Kitten",
				"Karma",
				"Red Sandstorm",
				"Storm-0842",
				"Void Manticore"
			],
			"source_name": "ETDA:HomeLand Justice",
			"tools": [
				"BABYWIPER",
				"BiBi Wiper",
				"BiBi-Linux Wiper",
				"BiBi-Windows Wiper",
				"Cl Wiper",
				"LowEraser",
				"No-Justice Wiper",
				"Plink",
				"PuTTY Link",
				"RevSocks",
				"W2K Res Kit"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b3ebf51d-8f64-48a9-bbfb-674db872cccb",
			"created_at": "2025-08-07T02:03:24.769383Z",
			"updated_at": "2026-04-25T02:00:03.531399Z",
			"deleted_at": null,
			"main_name": "COBALT MYSTIQUE",
			"aliases": [
				"Banished Kitten ",
				"DEV-0842 ",
				"Druidfly ",
				"Handala Hack Team",
				"Homeland Justice",
				"Karmabelow80",
				"Red Sandstorm ",
				"Storm-0842 ",
				"Void Manticore "
			],
			"source_name": "Secureworks:COBALT MYSTIQUE",
			"tools": [
				"AllinOneNeo",
				"Bibi",
				"GramPy",
				"GramPyLoader"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1776912914,
	"ts_updated_at": 1777083567,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e9329bebe5ef9f858f6696badbf87a38ac15a526.pdf",
		"text": "https://archive.orkl.eu/e9329bebe5ef9f858f6696badbf87a38ac15a526.txt",
		"img": "https://archive.orkl.eu/e9329bebe5ef9f858f6696badbf87a38ac15a526.jpg"
	}
}