Full Report
Phishing email campaign targets Taiwan

Talos observed an unknown threat actor conducting a malicious phishing campaign targeting victims in Taiwan since at least July 2024. The campaign specifically targets victims whose Facebook accounts are used for business or advertising purposes. The initial vector of the campaign is a phishing email containing a malware download link. […]

The post Threat actors use copyright infringement phishing lure to deploy infostealers appeared first on InfoStealers.
Analysis Summary
# Threat Actor: Unknown (Infostealer Phishing Campaign)
## Attribution & Identity
The threat actor is currently **unknown**. While an EPS file's metadata suggested a possible link to a Vietnamese-language website, this is not considered strong evidence for attribution. The campaign demonstrates thorough research into Taiwanese and Hong Kong technology/media companies.
## Activity Summary
Cisco Talos observed an ongoing phishing campaign targeting users of **Facebook business and advertising accounts** in **Taiwan** since at least **July 2024**. The primary goal is the deployment of information stealers. The lure relies on convincing victims that they are facing **copyright infringement** claims regarding images/videos used in their advertising content, demanding immediate removal to avoid legal action.
## Tactics, Techniques & Procedures
- **Social Engineering:** Impersonating a company's legal department using Traditional Chinese templates.
- **Lure Content:** Fake PDF filenames related to copyright infringement, often incorporating the names of well-known Taiwanese/Hong Kong technology and media companies.
- **Delivery Chain Abuse:** Utilizing legitimate, trusted services to distribute malware: Google Appspot[.]com, a short URL service, and Dropbox.
- **Evasion Techniques:** Employing code obfuscation, shellcode encryption, and hiding the malicious code within the binary's resource data, which bloats the file (to over 700 MB) to evade antivirus and sandbox analysis.
- **Malware Embedding:** Embedding known stealers (LummaC2 or Rhadamanthys) into legitimate binaries.
## Targeting
- **Sectors:** Businesses or individuals utilizing Facebook for advertising/business purposes.
- **Geography:** Primarily **Taiwan**.
- **Victims:** Users or administrators of Facebook business/advertising accounts. Targets are likely **Traditional Chinese speakers**.
## Tools & Infrastructure
- **Malware families used:** LummaC2 information stealer, Rhadamanthys information stealer.
- **Infrastructure (C2, domains, IPs):**
  - Abuse of Google’s Appspot[.]com domains for initial redirection.
  - Use of a third-party short URL service.
  - Delivery via malicious archives hosted on Dropbox.
  - Use of multiple, unlisted C2 domains for command and control communication.
## Implications
This actor demonstrates sophisticated evasive techniques well beyond basic phishing, using multi-stage delivery mechanisms and file obfuscation to defeat modern security tooling. The highly localized and researched social engineering—impersonating legal departments concerning copyright—suggests a high probability of success against the targeted demographic of Facebook advertisers in Taiwan. The deployment of known, established information stealers confirms an objective focused on credential and sensitive data harvesting.
## Mitigations
- **User Training:** Educate users, especially those managing business/ad accounts, on identifying sophisticated copyright infringement lures, particularly those demanding urgent action via email attachments/links.
- **Network Security:** Implement robust egress filtering and content inspection, and alert on download chains that pass through URL shorteners or redirectors to cloud file-hosting services such as Dropbox and end in an executable or archive download.
- **Endpoint Detection:** Employ advanced endpoint protection capable of behavioral analysis, as this actor focuses on file-level obfuscation and anti-sandbox techniques.
- **Application Whitelisting:** Restrict execution of binaries that were downloaded from unusual network sources or that carry unusually large resource sections.
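The resource-section bloating noted under Tactics and the last mitigation above both reduce to one triage question: does a very large file consist almost entirely of resource data? The following Python check is added here and is not part of the Talos report; it parses the PE section table directly (no third-party dependency) and flags files above an assumed size threshold whose `.rsrc` section holds nearly all of the bytes. `build_sample_pe` constructs a header-only sample for testing; the thresholds are illustrative assumptions.

```python
import struct

# Added example (not from the Talos report): triage check for PE files whose
# .rsrc section holds nearly all of an unusually large file, the "bloat the
# binary with resource data" evasion described above. Both thresholds are
# assumptions for illustration; tune them for your environment.
BLOAT_MIN_FILE_BYTES = 100 * 1024 * 1024   # only very large files are of interest
BLOAT_RSRC_RATIO = 0.90                    # .rsrc accounts for >= 90% of bytes


def pe_sections(data):
    """Return (name, raw_offset, raw_size) for every section in a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4                       # IMAGE_FILE_HEADER starts here
    n_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size              # section table follows the optional header
    sections = []
    for i in range(n_sections):
        hdr = data[table + 40 * i:table + 40 * (i + 1)]
        name = hdr[:8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_off = struct.unpack_from("<II", hdr, 16)   # SizeOfRawData, PointerToRawData
        sections.append((name, raw_off, raw_size))
    return sections


def bloat_verdict(data, min_file_bytes=BLOAT_MIN_FILE_BYTES, rsrc_ratio=BLOAT_RSRC_RATIO):
    """Flag a large file whose .rsrc section dominates its on-disk size."""
    total = len(data)
    rsrc = sum(size for name, _, size in pe_sections(data) if name == ".rsrc")
    ratio = rsrc / total if total else 0.0
    return {"file_bytes": total, "rsrc_bytes": rsrc, "rsrc_ratio": round(ratio, 3),
            "suspicious": total >= min_file_bytes and ratio >= rsrc_ratio}


def build_sample_pe(rsrc_bytes):
    """Constructed PE skeleton for testing only (valid headers, not runnable code)."""
    text = b"\x90" * 512                      # tiny placeholder code section
    opt_size = 0xF0                           # PE32+ optional header, left zeroed
    headers = 0x40 + 4 + 20 + opt_size + 40 * 2
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)        # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, opt_size, 0x22)
    def sec(name, size, off):                 # 40-byte IMAGE_SECTION_HEADER
        return name.ljust(8, b"\0") + struct.pack("<IIII", size, 0x1000, size, off) + b"\0" * 16
    return (dos + b"PE\0\0" + coff + b"\0" * opt_size
            + sec(b".text", len(text), headers) + sec(b".rsrc", rsrc_bytes, headers + len(text))
            + text + b"\0" * rsrc_bytes)
```

Run `bloat_verdict(open(path, "rb").read())` over quarantined samples; a verdict with `suspicious` set is a reason to detonate the file in a sandbox that does not enforce a maximum file size.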