Threat actors use copyright infringement phishing lure to deploy infostealers
Nov. 1, 2024, 5:26 p.m.
Description
An unknown threat actor is conducting a phishing campaign targeting Facebook business and advertising account users in Taiwan. The campaign uses emails impersonating legal departments, claiming copyright infringement to lure victims into downloading malware. The attackers abuse Google's Appspot domains, short URLs, and Dropbox to deliver information stealers, employing various evasion techniques. The malware includes the LummaC2 and Rhadamanthys stealers, which are embedded in legitimate binaries. The campaign specifically targets Traditional Chinese speakers and uses the names of well-known companies in Taiwan and Hong Kong to increase credibility. The infection chain involves encrypted archives, fake PDF executables, and sophisticated loaders that employ anti-analysis techniques and ensure persistence on infected systems.
Tags
Date
- Created: Oct. 31, 2024, 9:16 p.m.
- Published: Oct. 31, 2024, 9:16 p.m.
- Modified: Nov. 1, 2024, 5:26 p.m.
Additional Information
- Technology
- Media
- Hong Kong
- Taiwan