Fake copyright infringement notices are sweeping across inboxes globally, hitting hundreds of companies with a new and devious malware campaign. Since July, cyber researchers at Check Point have been tracking “CopyRh(ight)adamantys,” an attack designed to look like legal copyright warnings but packing a hidden threat: Rhadamanthys, a powerful data-stealing malware.
How It Hooks Victims
The emails pretend to be legal warnings from big-name brands, accusing recipients of copyright violations and pressuring them to “review” details of the infraction in a password-protected file. But instead of legal documents, victims are met with a decoy and a hidden malware file. Industries like tech and media are prime targets, as scammers play on copyright anxiety, nudging recipients to wonder, “Did I actually misuse an image?”
Meet Rhadamanthys: The Malware with a $1,000 Price Tag
This isn’t your run-of-the-mill malware. Rhadamanthys packs advanced features, including optical character recognition (OCR) that can read text from images and PDFs, suggesting an interest in swiping credentials—especially cryptocurrency wallets. The malware’s sophistication has even caught the attention of threat actors tied to nation-states, like Iran-linked Void Manticore and pro-Palestinian groups, adding an extra layer of intrigue.
Stealth Mode Activated
To avoid detection, Rhadamanthys uses a clever trick: it clones itself as a much larger file in the victim’s Documents folder, disguised as a Firefox component. The oversized file’s unique “overlay” data changes its hash, allowing it to slip past antivirus systems that rely on hash-based scanning. Plus, some antivirus programs skip scanning large files to save resources, letting Rhadamanthys hide in plain sight.
How to Stay Safe
Security experts urge businesses to double down on phishing protection and to keep employees alert to suspicious emails. Keeping an eye out for unusually large file downloads from emails may also help, though sorting legitimate from malicious files can be tricky.
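The overlay trick described under "Stealth Mode Activated" can be countered by hashing an executable without its overlay and by measuring how much of the file the overlay occupies. The sketch below is an added example, not code from Check Point or the original article; the function names and the constructed minimal PE sample are assumptions made for illustration.

```python
import hashlib
import struct

def overlay_offset(data: bytes) -> int:
    """File offset where overlay data begins: the end of the last section's raw data."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (n_sections,) = struct.unpack_from("<H", data, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size          # section table follows the optional header
    end = table + 40 * n_sections
    for i in range(n_sections):
        # SizeOfRawData and PointerToRawData sit at offset 16 of each 40-byte entry
        raw_size, raw_ptr = struct.unpack_from("<II", data, table + 40 * i + 16)
        if raw_size:
            end = max(end, raw_ptr + raw_size)
    # Note: in signed files the Authenticode certificate table also sits past
    # the last section; this simplified check counts it as overlay.
    return min(end, len(data))

def analyze(data: bytes) -> dict:
    """Hash the file with and without its overlay and report the overlay's size."""
    off = overlay_offset(data)
    return {
        "full_sha256": hashlib.sha256(data).hexdigest(),
        "core_sha256": hashlib.sha256(data[:off]).hexdigest(),  # overlay excluded
        "overlay_bytes": len(data) - off,
        "overlay_ratio": (len(data) - off) / len(data),
    }

def build_sample_pe(overlay: bytes) -> bytes:
    """Constructed test input: minimal PE headers, one 512-byte section, then overlay."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)          # e_lfanew = 64
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)
    sect = struct.pack("<8sIIIIIIHHI", b".text", 512, 0x1000, 512, 512,
                       0, 0, 0, 0, 0x60000020)
    return (dos + coff + sect).ljust(512, b"\0") + b"\x90" * 512 + overlay

if __name__ == "__main__":
    for pad in (b"", b"A" * 4096, b"B" * 1_000_000):
        r = analyze(build_sample_pe(pad))
        print(r["overlay_bytes"], f'{r["overlay_ratio"]:.2%}',
              r["core_sha256"][:16], r["full_sha256"][:16])
```

Copies that differ only in their padding share one `core_sha256` even though every `full_sha256` is different, and a high `overlay_ratio` on an executable is itself worth a closer look.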