Cybercriminal group TA547 targets various German organisations using AI-generated code

The gang likely used a large language model (LLM) such as ChatGPT or Gemini to generate the PowerShell script that loaded the Rhadamanthys infostealer.


Security researchers at Proofpoint have uncovered an email campaign by the cybercriminal group TA547 targeting numerous German organisations. This is the first time TA547 has been observed using Rhadamanthys, an information stealer used by several cybercrime groups.

The emails, purportedly from the German retail giant Metro, masqueraded as invoice-related communications. Sent to businesses across different sectors in Germany, they carried a password-protected ZIP file (password ‘MAR26’) containing an LNK file. Opening the LNK ran a PowerShell script, believed to have been generated with an LLM, which loaded Rhadamanthys.

The PowerShell script used to load Rhadamanthys had traits uncommon in code written by either threat actors or legitimate developers: a grammatically correct, highly specific comment preceded each component of the script, a pattern characteristic of LLM output. This suggests TA547 used an LLM-backed tool to write or rewrite the script.

Confirming that malicious content was produced by an LLM remains difficult; characteristics such as these only hint at machine rather than human authorship. The origin of the script also does not change the defence: the delivery chain (password-protected ZIP, LNK, PowerShell) and the payload behave the same way whoever wrote the loader, so the same detection and hardening measures apply.
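The triage a defender can run on the attachment described above, as an added example that is my own code rather than Proofpoint's or anything taken from the campaign: parse the LNK's StringData according to the public MS-SHLLINK format to recover the command the shortcut would execute, then flag interpreter launches and PowerShell evasion switches. This covers both the delivery chain (ZIP, LNK, PowerShell) and the point that detection does not depend on who wrote the script. The sample shortcut is constructed inside the block and its command only writes a string; the interpreter and switch lists are my own assumptions, not indicators from the report.

```python
import struct

# Field layout from MS-SHLLINK (the public Shell Link specification).
SHELL_LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HEADER_SIZE = 0x4C

HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# StringData sections appear in this fixed order, each present only if its flag is set.
STRING_DATA = [
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
]

# Interpreters and PowerShell switches worth flagging in an emailed shortcut (assumed triage list).
INTERPRETERS = ("powershell", "pwsh", "cmd.exe", "mshta", "wscript", "cscript", "rundll32", "regsvr32")
EVASION_SWITCHES = ("-windowstyle hidden", "-w hidden", "-noprofile", "-nop",
                    "-executionpolicy bypass", "-ep bypass", "-encodedcommand", "-enc ")


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields (name, relative_path, working_dir, arguments, icon_location)."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE \
            or data[4:20] != SHELL_LINK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:          # IDListSize (2 bytes) followed by the IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize includes the size field itself
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for bit, name in STRING_DATA:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters, no NUL terminator
        pos += 2
        if flags & IS_UNICODE:
            fields[name] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            fields[name] = data[pos:pos + count].decode("cp1252", errors="replace")
            pos += count
    return fields


def triage_lnk(data: bytes) -> dict:
    """Rebuild the effective command line and flag interpreter launches and evasion switches."""
    fields = parse_lnk(data)
    command_line = " ".join(v for v in (fields.get("relative_path", ""), fields.get("arguments", "")) if v)
    lowered = command_line.lower()
    return {
        "command_line": command_line,
        "interpreters": [i for i in INTERPRETERS if i in lowered],
        "evasion": [s for s in EVASION_SWITCHES if s in lowered],
    }


def build_lnk(relative_path: str, working_dir: str, arguments: str) -> bytes:
    """Build a minimal Unicode .lnk for testing. Constructed sample, not a captured attachment."""
    flags = HAS_LINK_TARGET_ID_LIST | HAS_RELATIVE_PATH | HAS_WORKING_DIR | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sI", HEADER_SIZE, SHELL_LINK_CLSID, flags)
    header += bytes(HEADER_SIZE - len(header))     # attributes, timestamps, etc. left zero
    id_list = struct.pack("<H", 2) + b"\x00\x00"   # empty IDList: only the 2-byte TerminalID
    strings = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                       for s in (relative_path, working_dir, arguments))
    return header + id_list + strings


# Constructed stand-in for the kind of shortcut described in the article; the command is harmless.
SAMPLE_LNK = build_lnk(
    r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    r"C:\Windows\System32",
    '-NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "Write-Host sample"',
)

if __name__ == "__main__":
    print(triage_lnk(SAMPLE_LNK))
```

Run it against an extracted `.lnk` by passing the file bytes to `triage_lnk`; a shortcut that launches an interpreter with hidden-window or bypass switches from an email attachment is worth blocking regardless of whether a human or a model wrote the script it fetches.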

TA547, a financially motivated cybercrime group operating as an initial access broker (IAB), has historically targeted organisations across several global regions. Although its preferred payload has been the NetSupport RAT, it has recently deployed other malware such as StealC and Lumma Stealer, which offer capabilities similar to Rhadamanthys. The group previously favoured zipped JavaScript attachments for initial delivery but switched to compressed LNKs in March 2024. Besides Germany, recent campaigns have also targeted organisations in Spain, Switzerland, Austria, and the United States.

This campaign marks a notable evolution in TA547’s tactics: the move to compressed LNKs and the introduction of the Rhadamanthys stealer. It also shows threat actors putting content likely generated by LLMs to use in their malware campaigns.