Copyright Phishing Lures Leading to Rhadamanthys Stealer Now Targeting Europe
ID: b6188321-804f-559f-8c49-0dec77c1c464
STIX ID: report--b6188321-804f-559f-8c49-0dec77c1c464
Feed Name: Cybereason Blog
Cybereason observed a Europe-focused phishing campaign (active since April 2025) that uses copyright-infringement lures and redirect links leading to archives hosted on Mediafire; each archive contains a legitimate PDF reader together with a malicious msimg32.dll that is executed via DLL side-loading to deploy the Rhadamanthys infostealer. The report provides a technical analysis of the multi-stage loader (TLS callbacks, multi-stage shellcode, Heaven's Gate/indirect syscalls), persistence via autorun registry keys, indicators of compromise (IPs, domains, hashes, filenames), targeted sectors and countries, detection artifacts, and recommended mitigations.
