An updated version of an information-stealing malware called Rhadamanthys is being used in phishing campaigns targeting the oil and gas sector.
“The phishing emails use a unique vehicle incident lure and, in later stages of the infection chain, spoof the Federal Bureau of Transportation in a PDF that mentions a significant fine for the incident,” Cofense researcher Dylan Duncan said.
The email message comes with a malicious link that leverages an open redirect flaw to take the recipients to a link hosting a supposed PDF document, which is, in fact, an image that, upon clicking, downloads a ZIP archive with the stealer payload.
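The chain just described relies on two cheap tricks that a mail gateway or analyst can check for mechanically: a link whose query string smuggles a second URL through an open redirect on a trusted site, and a file that calls itself a PDF but whose bytes are an image or a ZIP archive. The following Python is an added example written for this page, not code from Cofense or from the article; the portal and attacker host names, the `url` parameter name and the byte samples are constructed for illustration and are not indicators from the campaign.

```python
"""Defender-side triage for the two tricks in the chain described above:
an open-redirect hop hidden in a link, and a "PDF" that is really an
image or a ZIP archive.  All sample links and byte strings below are
constructed for this example; they are not indicators from the campaign."""
from urllib.parse import urlparse, parse_qs, unquote

# Leading bytes of common file formats, used to sniff the real type.
MAGIC_BYTES = {
    b"%PDF-": "pdf",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"PK\x03\x04": "zip",
}


def find_redirect_hops(url):
    """Return (parameter, target_host) for every query parameter whose
    value is an absolute http(s) URL on a host other than the link's own.
    That pattern is how an open redirect on a trusted site is abused to
    bounce a victim to attacker-controlled content."""
    outer = urlparse(url)
    hops = []
    for param, values in parse_qs(outer.query, keep_blank_values=True).items():
        for value in values:
            # parse_qs already decodes once; decode again to catch
            # double-encoded targets such as https%253A%252F%252F...
            inner = urlparse(unquote(value))
            if (inner.scheme in ("http", "https") and inner.netloc
                    and inner.netloc.lower() != outer.netloc.lower()):
                hops.append((param, inner.netloc.lower()))
    return hops


def sniff_type(blob):
    """Classify a byte string by its leading magic bytes."""
    for magic, kind in MAGIC_BYTES.items():
        if blob.startswith(magic):
            return kind
    return "unknown"


def check_claimed_type(filename, blob):
    """Compare the extension a file advertises with what its bytes say.
    Returns a dict with the claimed type, the sniffed type and a mismatch
    flag that is True when a file calling itself a PDF is something else."""
    claimed = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    actual = sniff_type(blob)
    return {"claimed": claimed, "actual": actual,
            "mismatch": claimed == "pdf" and actual != "pdf"}


def triage(url, filename, blob):
    """Run both checks and return a list of human-readable findings."""
    findings = []
    for param, host in find_redirect_hops(url):
        findings.append(f"open-redirect hop via '{param}' to {host}")
    verdict = check_claimed_type(filename, blob)
    if verdict["mismatch"]:
        findings.append(f"{filename} claims pdf but is {verdict['actual']}")
    return findings


# Constructed sample: a trusted-looking portal whose redirect parameter
# carries an attacker host, and a "PDF" whose bytes are a PNG header.
SAMPLE_LINK = ("https://portal.example/redirect"
               "?url=https%3A%2F%2Fbad.example%2Fincident.pdf")
SAMPLE_PNG_AS_PDF = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16

if __name__ == "__main__":
    for line in triage(SAMPLE_LINK, "incident.pdf", SAMPLE_PNG_AS_PDF):
        print("FINDING:", line)
```

The redirect check deliberately flags only parameters that resolve to a different host than the link itself, so in-site redirects on the trusted portal stay quiet; the type check is limited to the handful of formats relevant here and reports `unknown` rather than guessing for anything else.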

Written in C++, Rhadamanthys is designed to establish connections with a command-and-control (C2) server in order to harvest sensitive data from the compromised hosts.
“This campaign appeared within days of the law enforcement takedown of the LockBit ransomware group,” Duncan said. “Although this could be a coincidence, Trend Micro disclosed in August 2023 a Rhadamanthys variant that came bundled with a leaked LockBit payload, along with a clipper malware and cryptocurrency miner.
“The threat actors incorporated a combination of an information stealer and a LockBit ransomware variant in a single Rhadamanthys package, possibly indicating the continued evolution of the malware,” the company said.
The development comes amid a steady stream of new stealer malware families like Sync-Scheduler and Mighty Stealer, even as existing strains like StrelaStealer are evolving with improved obfuscation and anti-analysis techniques.
It also follows the emergence of a malspam campaign targeting Indonesia that employs banking-related lures to propagate the Agent Tesla malware to plunder sensitive information such as login credentials, financial data, and personal documents.
Agent Tesla phishing campaigns observed in November 2023 have also set their sights on Australia and the U.S., according to Check Point, which attributed the operations to two African-origin threat actors tracked as Bignosa (aka Nosakhare Godson and Andrei Ivan) and Gods (aka GODINHO or Kmarshal or Kingsley Fredrick), the latter of whom works as a web designer.
“The main actor [Bignosa] appears to be a part of a group running malware and phishing campaigns, targeting organizations, which is testified by the US and Australian email business databases, as well as individuals,” the Israeli cybersecurity firm said.
The Agent Tesla malware distributed via these attack chains has been observed to be protected by the Cassandra Protector, which helps guard software programs against reverse-engineering or modification efforts. The messages are sent via an open-source webmail tool called RoundCube.
“As seen from the description of these threat actors’ actions, no rocket science degree is needed to conduct the cyber crime operations behind one of the most prevalent malware families in the last several years,” Check Point said.
“It’s an unfortunate course of events caused by the low entry-level threshold, so that anyone willing to provoke victims to launch the malware via spam campaigns can do so.”
Some parts of this report are sourced from:
thehackernews.com