An unidentified threat actor has launched a phishing campaign targeting Facebook businesses and advertising account users in Taiwan. The campaign involves sending decoy emails with fake PDF filenames to lure victims into downloading and executing malware.
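The "fake PDF filename" lure described above is a recurring pattern, and mail gateways can flag the common forms of it before a user opens the attachment. The following is an added defender-side example, not code from Cisco Talos or from the article; the attachment names and byte strings are constructed samples, and the heuristics (double extension, right-to-left override character, and a ".pdf" name whose bytes are not a PDF) are generic checks rather than indicators from this campaign.

```python
import re

# Magic bytes: a real PDF starts with "%PDF-", a Windows executable with "MZ".
PDF_MAGIC = b"%PDF-"
MZ_MAGIC = b"MZ"

# Extensions that Windows will execute when double-clicked.
EXEC_EXTS = {"exe", "scr", "com", "bat", "cmd", "js", "vbs", "lnk", "msi", "hta", "pif"}


def attachment_findings(filename: str, data: bytes) -> list:
    """Return a list of reasons an attachment looks like a fake PDF (empty if clean)."""
    findings = []
    name = filename.strip()
    lower = name.lower()

    # 1. A right-to-left override hides the true extension in the displayed name.
    if "\u202e" in name:
        findings.append("rtl-override")

    # 2. ".pdf" followed by optional padding spaces and a real, executable extension,
    #    e.g. "Notice.pdf.exe" or "Notice.pdf            .scr".
    m = re.search(r"\.pdf\s*\.([a-z0-9]{1,4})$", lower)
    if m and m.group(1) in EXEC_EXTS:
        findings.append("double-extension")

    # 3. The name claims to be a PDF, but the content does not start like one.
    if lower.endswith(".pdf") and not data.startswith(PDF_MAGIC):
        findings.append("pdf-magic-mismatch")

    # 4. Whatever the name says, the bytes are a PE executable.
    if data.startswith(MZ_MAGIC):
        findings.append("pe-header")

    return findings


def is_suspicious(filename: str, data: bytes) -> bool:
    return bool(attachment_findings(filename, data))


# Constructed sample attachments (hypothetical names, truncated byte content).
SAMPLES = [
    ("Copyright_Notice.pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n"),      # genuine PDF
    ("Copyright_Notice.pdf.exe", b"MZ\x90\x00\x03\x00"),              # double extension
    ("Legal_Claim.pdf                .scr", b"MZ\x90\x00\x03\x00"),   # space-padded
    ("Evidence\u202efdp.exe", b"MZ\x90\x00\x03\x00"),                 # shows as "Evidenceexe.pdf"
    ("Invoice.pdf", b"MZ\x90\x00\x03\x00"),                           # PE renamed to .pdf
]


def scan_samples() -> dict:
    """Map each sample filename to its findings; used as the demo entry point."""
    return {name: attachment_findings(name, data) for name, data in SAMPLES}


if __name__ == "__main__":
    for name, findings in scan_samples().items():
        verdict = "SUSPICIOUS" if findings else "ok"
        print(f"{verdict:10} {name!r} {findings}")
```

The checks are deliberately cheap so they can run inline on every attachment; a miss on one of them (for example an archive that wraps the executable) is exactly why the magic-byte check should also be applied to files extracted from attached archives.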
The phishing emails impersonate a company's legal team and contain falsified details to make the claim look credible. The threat actors have also used the names of a well-known industrial motor manufacturer and of online stores in Taiwan to accuse the targeted businesses of copyright infringement.
The emails threaten legal action and compensation claims if the infringing content is not removed within 24 hours. Cisco Talos researchers, who have been monitoring the scams, highlighted the use of various techniques by the threat actors to evade antivirus detection and sandbox analysis.
Among the tools used by the threat actors are LummaC2 and Rhadamanthys information stealers embedded into legitimate binaries. Lumma Stealer is designed to extract information from compromised systems, while Rhadamanthys gathers system details, credentials, cryptocurrency wallets, passwords, cookies, and data from other applications.
The phishing campaign, which has been ongoing since at least July, targets Chinese speakers: the phishing emails use traditional Chinese decoys and carry links that download the malware. The operation's combination of tailored lures and detection-evasion techniques underscores the importance of staying vigilant against such threats.