Recently Updated Rhadamanthys Stealer Delivered in Federal Bureau of Transportation Campaign
On February 21st, 2024, an advanced phishing campaign was detected targeting the Oil and Gas sector with the aim of delivering Rhadamanthys Stealer, a sophisticated information stealer available through Malware-as-a-Service (MaaS). The campaign used complex tactics, techniques, and procedures (TTPs) and a unique vehicle-incident lure that spoofed the Federal Bureau of Transportation.

The phishing emails were crafted with varying subjects and bodies, all themed around vehicle incidents to emotionally engage the recipients. The emails contained links that exploited open redirects on legitimate Google domains, leading to a URL shortener that further obscured the malicious destination. Victims were eventually directed to download a PDF file that spoofed the Federal Bureau of Transportation and warned of a significant fine for a supposed incident. This PDF contained a clickable image that, when interacted with, prompted the download of a ZIP archive harboring the Rhadamanthys Stealer executable. Once executed, the malware initiated a connection with its command and control (C2) server to exfiltrate stolen credentials, cryptocurrency wallets, and other sensitive information.

The campaign's emergence closely followed major updates to Rhadamanthys Stealer that enhanced its stealing capabilities and evasion tactics, as well as the law enforcement takedown of the LockBit ransomware group. This suggests a strategic shift by threat actors towards utilizing updated and sophisticated MaaS offerings in their operations.

Malware: Rhadamanthys

[View Article](https://cofense.com/blog/recently-updated-rhadamanthys-stealer-delivered-in-federal-bureau-of-transportation-campaign/)
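The delivery chain above (a link on a trusted Google domain whose redirect parameter points at a URL shortener) can be triaged from the email alone, without following the link. The following is an added example and is not code from Cofense or from the article; the redirector domains, parameter names and shortener list are assumed, illustrative values, and the sample URLs are constructed.

```python
from urllib.parse import urlparse, parse_qs, unquote

# Assumed, illustrative lists (not from the article): which trusted domains
# carry redirect parameters, which parameter names hold the target, and
# which shortener domains to flag. Tune these to your own environment.
TRUSTED_REDIRECTORS = {"google.com"}
REDIRECT_PARAMS = ("q", "url", "u", "redirect", "continue")
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "rb.gy", "cutt.ly"}


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def matches_domain(host, domains):
    return any(host == d or host.endswith("." + d) for d in domains)


def unwrap_redirects(url, max_hops=5):
    """Follow redirect *parameters* offline (no network requests).

    Returns the chain: the original URL, then each absolute URL embedded in a
    trusted redirector's query string, until no further target is embedded.
    """
    chain = [url]
    for _ in range(max_hops):
        current = chain[-1]
        if not matches_domain(host_of(current), TRUSTED_REDIRECTORS):
            break
        params = parse_qs(urlparse(current).query)
        target = None
        for name in REDIRECT_PARAMS:
            for value in params.get(name, []):
                candidate = unquote(value)
                if candidate.lower().startswith(("http://", "https://")):
                    target = candidate
                    break
            if target:
                break
        if target is None or target == current:
            break
        chain.append(target)
    return chain


def classify_link(url):
    """Flag links that bounce through a trusted open redirect to a shortener."""
    chain = unwrap_redirects(url)
    flags = []
    if len(chain) > 1:
        flags.append("open-redirect-on-trusted-domain")
    if matches_domain(host_of(chain[-1]), SHORTENERS):
        flags.append("lands-on-url-shortener")
    return {"chain": chain, "flags": flags, "suspicious": len(flags) == 2}
```

A plain search link on the same domain (no embedded absolute URL) produces an empty flag list, so the check keys on the redirect-to-shortener pattern rather than on the Google domain itself.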