TA547 Targets German Organizations With Rhadamanthys Stealer
Cyber threat actor TA547 was discovered targeting German organizations with an email campaign delivering Rhadamanthys malware. This is the first time TA547 has been observed using Rhadamanthys an information stealer used by multiple cybercriminals. The emails impersonated the German retail company Metro and targeted various industries in Germany. The emails contained a password-protected ZIP file which when executed triggered a PowerShell script that decoded the Rhadamanthys executable file and executed the malicious code in memory Interestingly the PowerShell script used to load Rhadamanthys contained characteristics suggesting it was generated by a large language model (LLM) indicating that TA547 may have used an LLM-enabled tool to write the script or copied it from another source.