Security Brief: TA547 Targets German Organizations with Rhadamanthys Stealer
released on 2024-04-10 @ 09:07:42 PM
Proofpoint identified a financially motivated cybercriminal group known as TA547 targeting German organizations with emails delivering the Rhadamanthys information stealer malware. This was the first observation of TA547 using Rhadamanthys. The attack chain involved emails that impersonated a German retail company and contained LNK files, which executed a PowerShell script to load and run the malware. The PowerShell script had characteristics suggesting it may have been generated using a large language model tool. While the origin of malicious code does not impact detection, this finding provides insight into threat actors leveraging AI-generated content.