New phishing campaign uses fake copyright notices to spread malware, researchers warn
Cybersecurity researchers at Check Point Research (CPR) have uncovered a widespread phishing campaign that uses fake copyright infringement notices to trick victims into downloading malware. The campaign, active since July 2024, impersonates well-known companies and falsely accuses recipients of misusing copyrighted content on their social media accounts, specifically targeting users on Facebook.
Disguised as copyright enforcement emails, these phishing messages claim to come from major entertainment, media, and tech companies. They warn recipients of alleged copyright violations and request the removal of certain images or videos. Instead of providing legitimate instructions, however, the emails contain a download link for a password-protected archive, which, once opened, infects the user’s computer with malware.
This particular malware, called "Rhadamanthys Stealer," is designed to steal personal and financial information from victims. Using a technique known as DLL sideloading, the malicious code is loaded by a legitimate, trusted program rather than running as a stand-alone file, which lets it bypass many standard antivirus detections. The latest version of Rhadamanthys, deployed in this phishing campaign, includes advanced techniques for avoiding detection and a new feature that uses optical character recognition (OCR) to scan images and documents for specific text strings, likely to harvest cryptocurrency-related data.
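The lure described above has a recognisable shape: a message claiming a copyright violation, a well-known brand named in the text but a sender domain that does not belong to that brand, and a download link to an archive together with the password needed to open it. The following Python script is an added triage example written for this article; it is not Check Point's code or part of the report. The brand-to-domain table, the sender addresses, the URLs and the message bodies are constructed placeholders, and the scoring weights and threshold are assumptions a mail-security team would tune against its own traffic.

```python
"""Heuristic triage for copyright-notice phishing lures (added example, not from the CPR report)."""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Hypothetical table of impersonated brands and the domains they legitimately send from.
# Placeholder values only; a real deployment would populate this from the organisation's own data.
BRAND_DOMAINS = {
    "examplemedia": {"examplemedia.com"},
    "exampletech": {"exampletech.com", "mail.exampletech.com"},
}

COPYRIGHT_TERMS = re.compile(r"copyright (infringement|violation|notice)|intellectual property", re.I)
ARCHIVE_EXT = re.compile(r"\.(zip|rar|7z)$", re.I)
PASSWORD_HINT = re.compile(r"password", re.I)


@dataclass
class Email:
    sender: str
    subject: str
    body: str
    links: list


@dataclass
class Verdict:
    score: int
    reasons: list = field(default_factory=list)


def sender_domain(addr: str) -> str:
    """Domain part of an e-mail address, lower-cased."""
    return addr.rsplit("@", 1)[-1].lower()


def brand_claimed(text: str):
    """Return the first known brand name mentioned in the message, or None."""
    lower = text.lower()
    for brand in BRAND_DOMAINS:
        if brand in lower:
            return brand
    return None


def score_email(mail: Email) -> Verdict:
    """Score a message against the traits of the copyright-notice lure.

    Weights are assumptions for illustration; each hit records a human-readable reason
    so an analyst can see why a message was flagged.
    """
    verdict = Verdict(0)
    text = mail.subject + "\n" + mail.body

    # Trait 1: the message accuses the recipient of a copyright violation.
    if COPYRIGHT_TERMS.search(text):
        verdict.score += 2
        verdict.reasons.append("copyright-violation claim")

    # Trait 2: a known brand is named but the sender domain is not one of its own.
    brand = brand_claimed(text)
    if brand and sender_domain(mail.sender) not in BRAND_DOMAINS[brand]:
        verdict.score += 3
        verdict.reasons.append(f"claims {brand} but sent from {sender_domain(mail.sender)}")

    # Trait 3: a link points at an archive, and the message supplies its password.
    for link in mail.links:
        if ARCHIVE_EXT.search(urlparse(link).path):
            verdict.score += 3
            verdict.reasons.append(f"link to archive download: {link}")
            if PASSWORD_HINT.search(text):
                verdict.score += 2
                verdict.reasons.append("archive password supplied in the message")
            break
    return verdict


def is_suspicious(mail: Email, threshold: int = 6) -> bool:
    """Binary decision on top of the score; the threshold is an assumption."""
    return score_email(mail).score >= threshold


# Constructed sample messages (not real campaign artefacts).
LURE = Email(
    sender="legal@notice-examplemedia-support.net",
    subject="Copyright infringement notice - action required",
    body="ExampleMedia has identified content on your page that violates our rights. "
         "Download the evidence archive below; the archive password is 1234.",
    links=["https://files.example.net/evidence/notice.rar"],
)
BENIGN = Email(
    sender="press@examplemedia.com",
    subject="Press kit",
    body="Here is the press kit for ExampleMedia.",
    links=["https://examplemedia.com/presskit.pdf"],
)

if __name__ == "__main__":
    for mail in (LURE, BENIGN):
        v = score_email(mail)
        print(mail.subject, "->", v.score, v.reasons)
```

Run stand-alone, the script prints the score and reasons for both constructed messages; the lure accumulates hits on all three traits while the benign press mail scores zero. The point of recording reasons rather than only a score is that the sender-domain mismatch and the archive-plus-password pattern are the cues a reviewer can verify quickly, whereas the copyright wording alone is also common in legitimate mail.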
The campaign primarily targets sectors with a high online presence, such as entertainment and tech, but Check Point’s research suggests that its reach is global, affecting users across the U.S., Europe, the Middle East, East Asia, and South America.
“Almost 70% of the impersonated companies are from the Entertainment/Media and Technology/Software sectors. This is possibly because those sectors have a high online presence and are more likely to send such requests than other sectors. These high-profile sectors also have frequent copyright-related communications, making such phishing attempts appear more credible,” the report reads.
Researchers believe the phishing operation is likely the work of financially motivated cybercriminals, rather than state-sponsored actors, based on its indiscriminate targeting of various organizations and its focus on data theft for financial gain. This campaign underscores how phishing tactics continue to evolve, with attackers leveraging sophisticated techniques to bypass security measures and increase their chances of success.